Did your Vicidial System get hacked?!
Jun 1, 2012: For a number of days now we have been monitoring an increasing number of attacks on the Vicidial servers we service. Not that we do not see internet attacks against servers on a regular basis, multiple times a day to be exact, but this time there is something new: we see automated searches for exploits on current Vicidial servers! These are not the generic exploit attempts we see daily by the dozen; these are aimed specifically at Vicidial, at us, at our customers, and so potentially at YOU!
If your system is not connected to the internet in any way, you don't have to worry. However, if it is connected, and especially if the web interface is reachable from the public internet in any way, you are at risk!
The typical access vector we see is a number of vulnerabilities in the web interface, which I am not going to discuss in detail here before they are all fixed, so as not to tip off more people!
The attackers usually use a bot to harvest shell login, admin, user and SIP account credentials, all of which can be read through a number of different exploits depending on the flavor, age and setup of your system. Even systems freshly installed as of today are vulnerable!
One bot also tries to automatically install a backdoor on the system that connects via IRC to a control server!
After a few hours or days we have seen the attackers come back, this time to exploit your system: placing phone calls to premium destinations, if possible, at a cost of several hundred dollars per hour, or using your system to redirect or bounce their traffic off it and deliver who knows what to the public!!!
Just to make it clear: this is not one of those brute-force-your-passwords deals; this reads all your information in the clear, fast, in seconds!
The first holes have already been fixed by the Vicidial Group, who were the first to get this information, but that does not guarantee that the hackers will not find one or the other hole that still has to be plugged. I don't think this is the last we have heard of this!
If your system is accessible from the internet we suggest you go through the following steps:
- If possible, avoid internet access TO any Vicidial system at all.
- Restrict access to trusted IPs or IP ranges.
- Update ViciDial to the latest trunk version via SVN!
- Delete .txt files in the web server directories and deny access to these files via the Apache config.
- If Vtiger is not used, delete it or at least move it out of the web server tree; if it is used, limit access to the local network, maybe use a VPN, and apply security patches!
- If phpMyAdmin is not used, delete it or at least move it out of the web server tree; if it is used, limit access to the local network, maybe use a VPN, and apply security patches!
- Install Fail2ban including the Asterisk patches and config.
- RIGHT AFTER THAT: set new passwords for ALL users with shell access, databases, SIP accounts, etc.! Even if they did not get in yet, they could have skimmed your login data!
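To make the web-tree part of the list above concrete, here is a small audit script. It is an added example, not part of the original post and not code from the ViciDial project. It assumes the Apache document root is `/var/www/html` (override with `WEBROOT`), Apache 2.2 `Order/Allow/Deny` syntax as found on installs of that time, directory names `vtigercrm`/`phpmyadmin` for the bundled apps, and a fail2ban filter named `asterisk` (the filter name and action are assumptions; substitute what your Asterisk fail2ban patch provides).

```shell
#!/bin/sh
# Added example, not part of the original post or of the ViciDial project:
# audit a ViciDial web root for the exposures listed above and print the
# config fragments that close them.  Assumptions (adjust to your install):
#   - WEBROOT is the Apache document root holding agc/ and vicidial/
#   - Apache 2.2 syntax (Order/Allow/Deny), as on 2012-era installs
#   - a fail2ban filter named "asterisk" is available (the Asterisk
#     patches the post mentions; the name is an assumption)
set -u

WEBROOT="${WEBROOT:-/var/www/html}"

# 1. Any .txt file inside the web tree is readable by anyone who can reach
#    the web server; list them so they can be deleted or moved.
find_txt_files() {
    find "$1" -type f -name '*.txt' 2>/dev/null | sort
}

# 2. Bundled web apps that should be deleted or moved out of the tree.
#    The directory names are the common ones; add your own if they differ.
find_risky_apps() {
    for d in vtigercrm vtiger phpmyadmin phpMyAdmin; do
        [ -d "$1/$d" ] && echo "$d"
    done
    return 0
}

# 3. Apache fragment: deny .txt everywhere, and allow the agent and admin
#    interfaces only from localhost plus the trusted IPs/ranges given.
apache_hardening_conf() {
    root="$1"
    trusted="$2"    # space-separated, e.g. "10.0.0.0/8 192.0.2.10"
    cat <<EOF
<FilesMatch "\.txt\$">
    Order deny,allow
    Deny from all
</FilesMatch>
<Directory "$root/agc">
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1 $trusted
</Directory>
<Directory "$root/vicidial">
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1 $trusted
</Directory>
EOF
}

# 4. fail2ban jail.local fragment for Asterisk SIP registration failures
#    (filter/action names are assumptions, see the comment at the top).
fail2ban_jail_conf() {
    cat <<'EOF'
[asterisk-iptables]
enabled  = true
filter   = asterisk
action   = iptables-allports[name=ASTERISK, protocol=all]
logpath  = /var/log/asterisk/messages
maxretry = 5
bantime  = 3600
EOF
}

# 5. Number of findings in the tree (0 means nothing left to clean up).
audit() {
    txt=$(find_txt_files "$1" | wc -l | tr -d ' ')
    apps=$(find_risky_apps "$1" | wc -l | tr -d ' ')
    echo $((txt + apps))
}

# Usage on a live box (paths are assumptions for a typical CentOS install):
#   find_txt_files "$WEBROOT"; find_risky_apps "$WEBROOT"
#   apache_hardening_conf "$WEBROOT" "10.0.0.0/8" > /etc/httpd/conf.d/vicidial-harden.conf
#   fail2ban_jail_conf >> /etc/fail2ban/jail.local
```

Run the audit again after the SVN update: a trunk checkout can bring new README or notes files back into the web tree, and the `FilesMatch` rule only helps if Apache has actually been reloaded with it.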
If you need help updating, restoring or tightening down your system, we can help you at our regular rates.
Quote from an automated hacker tool:
The file agc/manager_send.php in the VICIdial web application uses unsanitized user input as part of a command that is executed using the PHP passthru() function. A valid username, password and session are needed to access the injection point. Fortunately, VICIdial has two built-in accounts with default passwords and the manager_send.php file has a SQL injection vulnerability that can be used to bypass the session check as long as at least one session has been created at some point in time. In case there isn't any valid session, the user can provide astGUIclient credentials in order to create one. The results of the injected command are returned as part of the response from the web server. Affected versions include 2.7RC1, 2.7, and 2.8-403a. Other versions are likely affected as well. The default credentials used by Vicidial are VDCL/donotedit and VDAD/donotedit.
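The quoted description names the injection point (agc/manager_send.php) and the post names the other things the bots go after (.txt files, Vtiger, phpMyAdmin), which is enough to look for the scans in the Apache access log. The script below is an added example, not part of the original post or of ViciDial; the log lines in `SAMPLE_LOG` are constructed for the example in Apache combined format, and `TRUSTED_NET` (the prefix of your agent LAN) is an assumption. It only flags requests by path and source; it does not reproduce the exploit.

```shell
#!/bin/sh
# Added example, not part of the original post: scan an Apache combined-format
# access log for the probe patterns this page describes.  SAMPLE_LOG is
# constructed for this example; the paths are the ones named on the page.
set -u

SAMPLE_LOG='198.51.100.7 - - [01/Jun/2012:03:14:07 +0200] "GET /vicidial/README.txt HTTP/1.1" 200 5123 "-" "Mozilla/4.0"
198.51.100.7 - - [01/Jun/2012:03:14:08 +0200] "GET /phpmyadmin/ HTTP/1.1" 200 3210 "-" "Mozilla/4.0"
198.51.100.7 - - [01/Jun/2012:03:14:09 +0200] "GET /vtigercrm/ HTTP/1.1" 404 512 "-" "Mozilla/4.0"
198.51.100.7 - - [01/Jun/2012:03:14:11 +0200] "POST /agc/manager_send.php HTTP/1.1" 200 871 "-" "Mozilla/4.0"
10.0.0.25 - - [01/Jun/2012:08:01:00 +0200] "GET /agc/vicidial.php HTTP/1.1" 200 40111 "-" "Mozilla/5.0"
10.0.0.25 - - [01/Jun/2012:08:01:02 +0200] "POST /agc/manager_send.php HTTP/1.1" 200 811 "-" "Mozilla/5.0"
203.0.113.9 - - [01/Jun/2012:09:30:45 +0200] "GET /vicidial/admin.php HTTP/1.1" 401 0 "-" "curl/7.21"'

# Prefix of the LAN your agents and admins sit on (assumption; agents hit
# manager_send.php legitimately every time they use the agent screen).
TRUSTED_NET="${TRUSTED_NET:-10.0.0.}"

# Read a combined-format log on stdin and print "ip<TAB>path" for every
# request from outside TRUSTED_NET whose path matches a probe pattern.
flag_probes() {
    awk -v trusted="$TRUSTED_NET" '
    {
        ip = $1
        path = $7                                  # "METHOD path HTTP/x" -> path
        if (index(ip, trusted) == 1) next          # skip the trusted LAN
        if (path ~ /\.txt$/ ||
            path ~ /phpmyadmin/ ||
            path ~ /vtiger/ ||
            path ~ /agc\/manager_send\.php/)
            print ip "\t" path
    }'
}

# Probes per source IP, most active first, as "count ip" lines.
probes_by_ip() {
    flag_probes | cut -f1 | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Exit 0 if any untrusted host reached manager_send.php (the passthru()
# injection point from the quoted description), 1 otherwise.
manager_send_hit() {
    flag_probes | awk -F'\t' '$2 ~ /manager_send\.php/ {found = 1}
                              END {exit (found ? 0 : 1)}'
}

# Demo on the constructed log.  On a live box feed the real log instead:
#   flag_probes < /var/log/httpd/access_log
printf '%s\n' "$SAMPLE_LOG" | probes_by_ip
```

An untrusted source that walks .txt files, phpMyAdmin and Vtiger in the same second and then posts to manager_send.php is the pattern the post describes; treat a hit as "credentials may already have been read" and go straight to the password reset step above.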