[OpenSIPS-Users] Default install got hacked

Fri Jan 21 08:07:26 UTC 2022

Hi Vincent,

Welcome with the first post.

Just a wild guess about your issue - the detection of what SIP domains 
are to be locally handled. For example, in your pastebin, like 249 you 
have the block for doing user authentication and authorization. And the 
logic there is : if the caller belongs to a local SIP domain, do auth - 
fine; but if the caller is not local, the call is allowed if the callee 
SIP domain is local. So if some foo caller is calling 
sip:DID at your_sip_domain, your configuration will allow the call to go 
further in the script (as it is targeting a local domain of yours).
And later, like 354 you do diversion to PSTN, but without checking who 
the caller is (a local or foreign domain, which was auth'ed or not). Do 
you see the issue?

Fixes are:

a) on the 267 `else` branch (if the caller is not local), do all the 
time the 403 reply, disregarding what the called number is. So you will 
accept only calls from your users.

or

b) when doing the PSTN diversion at 354 line, check if the caller is a 
local user, to be sure PSTN calls are available only for your own users. 
Add `is_from_local()` to the condition there.

Best regards,

Bogdan-Andrei Iancu

OpenSIPS Founder and Developer
   https://www.opensips-solutions.com
OpenSIPS eBootcamp
   https://www.opensips.org/Training/Bootcamp

On 1/18/22 3:23 PM, Vincent Swart wrote:
> First post!
>
> So yesterday I installed the latest from Debian 10 repo and the latest 
> cp web app using a method similar to powerpbxdotorg howto.
> I had 5060 open in my firewall, two user phones configured with strong 
> passwords, and a gateway with IP auth for termination.
> Within 10 minutes calls were being placed via unauthenticated invites 
> I think.
>
> I used the residential config script with a minor beginner destination 
> number pattern match difference:
> https://pastebin.com/GPrMcWYK <https://pastebin.com/GPrMcWYK>
>
> if ($rU=~"^[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]+$") {
> #if (dp_translate(10,"$rU/$rU") ) {
> #strip(1);
>
> The opensips log has a lot of this in it all the time:
> Jan 17 15:56:04 dsip1 /usr/sbin/opensips[24971]: 
> CRITICAL:db_mysql:wrapper_single_mysql_stmt_execute: driver error 
> (1048): Column 'to_tag' cannot be null
> Jan 17 15:56:04 dsip1 /usr/sbin/opensips[24971]: 
> ERROR:acc:acc_db_request: failed to insert into acc table
>
> The illicit calls start in the log like this:
> https://pastebin.com/mCNXqK7T <https://pastebin.com/mCNXqK7T>
> I can post the full log but it will take some time to sanitize.
>
> Sip call ID links in CDR viewer show this: "Sorry , sip trace for this 
> call is unavailable."
> There are also only 0 durations on all legs however they incurred 
> duration and billing on termination.
> I'm fairly certain the calls were not placed via the user phone 
> accounts because of strong passwords.
> My next steps are to disable the gateway and packet capture on the 
> interface to investigate illicit invites.
>
> Where do I even start investigating how unauthenticated invites were 
> placed and prevent it in the opensips config?
> Any suggestions would be greatly appreciated.
>
>
> _______________________________________________
> Users mailing list
> Users at lists.opensips.org
> http://lists.opensips.org/cgi-bin/mailman/listinfo/users

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opensips.org/pipermail/users/attachments/20220121/cc1aa157/attachment.html>