Discussion:
Hacked SipXecs 4.4
Noah Mehl
2012-10-12 03:48:18 UTC
All,

I just realized that my emails from my SipXecs 4.4 server were not being delivered. Upon further investigation, I found that my SipXecs VM had a sendmail queue with over 13000 messages in it. I'm trying to figure out how my machine was sending mail, and it doesn't look like the relay is open, but I found something curious:

[***@sipx1 log]# cat secure | grep "pam_unix(sshd:session): session opened"
Oct 11 06:09:25 sipx1 sshd[22059]: pam_unix(sshd:session): session opened for user PlcmSpIp by (uid=0)
Oct 11 18:36:02 sipx1 sshd[29185]: pam_unix(sshd:session): session opened for user PlcmSpIp by (uid=0)
Oct 11 18:36:16 sipx1 sshd[29192]: pam_unix(sshd:session): session opened for user PlcmSpIp by (uid=0)
Oct 11 18:36:21 sipx1 sshd[29195]: pam_unix(sshd:session): session opened for user PlcmSpIp by (uid=0)
Oct 11 20:57:58 sipx1 sshd[30561]: pam_unix(sshd:session): session opened for user PlcmSpIp by (uid=0)

Those are what I think to be successful ssh logins with the user PlcmSpIp. Is this user part of the SipXecs install?

~Noah

Scanned for viruses and content by the Tranet Spam Sentinel service.
Davide Poletto
2012-10-12 05:55:42 UTC
Hi, could it be something related to Polycom phones' FTP provisioning? I've
read that the default FTP user name for that is 'PlcmSpIp' and the default
password is the same (so well-known credentials).

Over the internet there are some references about that (AFAIK see
this one <http://www.mail-archive.com/sipx-***@list.sipfoundry.org/msg04452.html>,
just as an example, which has a good explanation about the logged messages).

Regards, Davide.


Michael Picher
2012-10-12 10:39:35 UTC
sipXecs 4.4.0 has no firewall enabled, so if you have your system raw on
the internet, or you have port 25 open inbound to it, you could have some
sort of DoS-related thing going on.

Clean out your mail directory, disallow external connections to the server
and see what happens.

Doesn't sound like you're 'hacked', just broken.

mike




--
Michael Picher, Director of Technical Services
eZuce, Inc.

300 Brickstone Square
Suite 201
Andover, MA. 01810
O.978-296-1005 X2015
M.207-956-0262
@mpicher <http://twitter.com/mpicher>
linkedin <http://www.linkedin.com/profile/view?id=35504760&trk=tab_pro>
www.ezuce.com

------------------------------------------------------------------------------------------------------------
There are 10 kinds of people in the world, those who understand binary and
those who don't.
Noah Mehl
2012-10-13 14:15:00 UTC
I have iptables installed on this server, and 25 was NOT open inbound. I did clean out my mail directory, but I'm concerned about how this happened in the first place. Not only that, sendmail only accepts connections from localhost. So, this has to be something other than smtp relay.

[***@sipx1 mail]# cat access
# Check the /usr/share/doc/sendmail/README.cf file for a description
# of the format of this file. (search for access_db in that file)
# The /usr/share/doc/sendmail/README.cf is part of the sendmail-doc
# package.
#
# by default we allow relaying from localhost...
Connect:localhost.localdomain RELAY
Connect:localhost RELAY
Connect:127.0.0.1 RELAY

~Noah

Tony Graziano
2012-10-12 11:26:21 UTC
This is not a valid system user unless you have manually added it to the
system. I do think the logs would show more if access was granted. Why are
you exposing sshd to the outside world with an ACL or by protecting it at
your firewall?


--
~~~~~~~~~~~~~~~~~~
Tony Graziano, Manager
Telephone: 434.984.8430
sip: ***@voice.myitdepartment.net
Fax: 434.465.6833
~~~~~~~~~~~~~~~~~~
Linked-In Profile:
http://www.linkedin.com/pub/tony-graziano/14/4a6/7a4
Ask about our Internet Fax services!
~~~~~~~~~~~~~~~~~~

Using or developing for sipXecs from SIPFoundry? Ask me about sipX-CoLab
2013!

--
LAN/Telephony/Security and Control Systems Helpdesk:
Telephone: 434.984.8426
sip: ***@voice.myitdepartment.net

Helpdesk Customers: http://myhelp.myitdepartment.net
Blog: http://blog.myitdepartment.net
George Niculae
2012-10-12 11:30:40 UTC

PlcmSpIp is the user used by Polycom phones for fetching config from the server.

George
Tony Graziano
2012-10-12 13:05:31 UTC
... more -- it's a user that does not have login to the OS itself, just
vsftpd, which is restricted to certain commands and must present a
request for its MAC address in order to get a configuration file. It
is not logging into Linux unless someone changed the rights of the
user.

Noah Mehl
2012-10-13 14:17:02 UTC
I did not change the configuration of anything related to the PlcmSpIp user. It does, however, make me feel better that it is related to the vsftpd service and the Polycom phones.

From /etc/passwd:

PlcmSpIp:x:500:500::/var/sipxdata/configserver/phone/profile/tftproot:/sbin/nologin

So, that user cannot ssh to a shell. So I don't think it was that.

~Noah

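The thread leaves the sshd lines unexplained, so here is an added triage script (not from the thread or the sipXecs project) that joins each `Accepted <method> for <user> from <addr> port <n>` line to its `pam_unix(sshd:session): session opened` line by sshd PID and flags sessions for accounts whose /etc/passwd shell is non-interactive. A PAM session being opened means sshd already accepted the credential; a /sbin/nologin shell only refuses the shell afterwards, so such lines are worth checking against the source address. The log and passwd samples are constructed.

```python
import re

# Constructed sample of /var/log/secure lines (not from the thread's server).
# sshd logs the accepted credential and, a moment later, the PAM session line
# under the same PID, so the PID ties the two together. "by (uid=0)" names the
# sshd process that opened the session, not the privilege of the user.
SECURE_LOG = """\
Oct 11 06:09:20 sipx1 sshd[22059]: Accepted password for PlcmSpIp from 198.51.100.23 port 41022 ssh2
Oct 11 06:09:25 sipx1 sshd[22059]: pam_unix(sshd:session): session opened for user PlcmSpIp by (uid=0)
Oct 11 09:12:01 sipx1 sshd[22310]: Accepted publickey for root from 192.168.1.10 port 50210 ssh2
Oct 11 09:12:01 sipx1 sshd[22310]: pam_unix(sshd:session): session opened for user root by (uid=0)
Oct 11 18:36:02 sipx1 sshd[29185]: pam_unix(sshd:session): session opened for user PlcmSpIp by (uid=0)
Oct 11 18:36:10 sipx1 sshd[29190]: Failed password for invalid user admin from 203.0.113.7 port 3320 ssh2
"""

# Constructed /etc/passwd excerpt; the PlcmSpIp line mirrors the one in the thread.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
PlcmSpIp:x:500:500::/var/sipxdata/configserver/phone/profile/tftproot:/sbin/nologin
noah:x:501:501::/home/noah:/bin/bash
"""

# Shells that refuse an interactive login. They run only after sshd has
# already accepted the credential and opened the PAM session.
NON_INTERACTIVE_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}

ACCEPTED_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Accepted (?P<method>\S+) for (?P<user>\S+) "
    r"from (?P<src>\S+) port (?P<port>\d+)")
SESSION_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: pam_unix\(sshd:session\): session opened for user (?P<user>\S+) by")


def parse_passwd(text):
    """Map user name -> login shell from passwd-format text."""
    shells = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 7:
            shells[fields[0]] = fields[6]
    return shells


def sshd_sessions(log_text):
    """Return one record per PAM session line, joined to its Accepted line by PID."""
    accepted_by_pid = {}
    sessions = []
    for line in log_text.splitlines():
        m = ACCEPTED_RE.search(line)
        if m:
            accepted_by_pid[m.group("pid")] = m.groupdict()
            continue
        m = SESSION_RE.search(line)
        if m:
            auth = accepted_by_pid.get(m.group("pid"))
            sessions.append({
                "user": m.group("user"),
                "pid": m.group("pid"),
                "method": auth["method"] if auth else None,
                # None when the Accepted line is missing (e.g. rotated away)
                "source": f"{auth['src']}:{auth['port']}" if auth else None,
            })
    return sessions


def flag_service_account_logins(log_text, passwd_text):
    """Sessions for accounts with a non-interactive (or unknown) shell."""
    shells = parse_passwd(passwd_text)
    findings = []
    for s in sshd_sessions(log_text):
        shell = shells.get(s["user"])
        if shell is None or shell in NON_INTERACTIVE_SHELLS:
            findings.append({**s, "shell": shell})
    return findings


if __name__ == "__main__":
    for f in flag_service_account_logins(SECURE_LOG, PASSWD):
        print(f"{f['user']:10} pid={f['pid']} method={f['method']} "
              f"source={f['source']} shell={f['shell']}")
```

Run it against the real /var/log/secure and /etc/passwd to see which address authenticated as the provisioning account; a session with no matching Accepted line usually means the auth line is in an older rotated log.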
Noah Mehl
2012-11-15 14:29:04 UTC
I am seeing more spam in my mail queue. I have iptables installed, and here are my rules:

Chain INPUT (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp any
ACCEPT esp -- anywhere anywhere
ACCEPT ah -- anywhere anywhere
ACCEPT udp -- anywhere 224.0.0.251 udp dpt:mdns
ACCEPT udp -- anywhere anywhere udp dpt:ipp
ACCEPT tcp -- anywhere anywhere tcp dpt:ipp
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:pcsync-https
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:xmpp-client
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:5223
ACCEPT all -- 192.168.0.0/16 anywhere
ACCEPT udp -- anywhere anywhere state NEW udp dpt:sip
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:sip
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:sip-tls
ACCEPT udp -- sip02.gafachi.com anywhere state NEW udp dpts:sip:5080
ACCEPT udp -- 204.11.192.0/22 anywhere state NEW udp dpts:sip:5080
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

As far as I can tell, no one should be able to use port 25 from the world. Also, sendmail is only configured to allow relay from localhost:

[***@sipx1 ~]# cat /etc/mail/access
# Check the /usr/share/doc/sendmail/README.cf file for a description
# of the format of this file. (search for access_db in that file)
# The /usr/share/doc/sendmail/README.cf is part of the sendmail-doc
# package.
#
# by default we allow relaying from localhost...
Connect:localhost.localdomain RELAY
Connect:localhost RELAY
Connect:127.0.0.1 RELAY

Can someone please help me figure out where this spam is coming from? Thanks.

~Noah

Tony Graziano
2012-11-15 14:32:00 UTC
You really need to look at the mail log to see where the mail is coming
from regardless of your firewall settings. It can actually come from inside,
you see.

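As an added example (not the thread's or the project's code) of the log check Tony describes: a small parser for sendmail envelope lines in /var/log/maillog that groups messages by where sendmail received them, so a local submission (`relay=user@localhost`, naming the local account that handed the message over) is separated from a remote SMTP client. The log sample is constructed and follows the layout of sendmail's standard `from=` lines.

```python
import re

# Constructed /var/log/maillog sample (not from the thread's server). Each
# sendmail "from=" line records the envelope sender, the recipient count and,
# in relay=, who handed the message to sendmail. "to=" lines are deliveries.
MAILLOG = """\
Nov 15 08:01:02 sipx1 sendmail[4101]: qAFD12ab004101: from=apache, size=912, class=0, nrcpts=40, msgid=<201211150801.qAFD12ab004101@sipx1>, relay=apache@localhost
Nov 15 08:01:02 sipx1 sendmail[4102]: qAFD12xy004102: from=<apache@sipx1>, size=1034, class=0, nrcpts=40, msgid=<201211150801.qAFD12ab004101@sipx1>, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Nov 15 08:01:03 sipx1 sendmail[4103]: qAFD12xy004102: to=<x1@example.org>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=31034, relay=mx.example.org. [192.0.2.10], dsn=2.0.0, stat=Sent
Nov 15 08:05:10 sipx1 sendmail[4130]: qAFD5Acd004130: from=<sipx@sipx1>, size=420, class=0, nrcpts=1, msgid=<201211150805.qAFD5Acd004130@sipx1>, relay=sipx@localhost
Nov 15 08:09:44 sipx1 sendmail[4177]: qAFD9iEf004177: from=<bulk@example.net>, size=2210, class=0, nrcpts=25, msgid=<abc@example.net>, proto=ESMTP, daemon=MTA, relay=[203.0.113.9]
"""

ENVELOPE_RE = re.compile(
    r"sendmail\[\d+\]: (?P<qid>\w+): from=(?P<sender>[^,]*), "
    r".*?nrcpts=(?P<nrcpts>\d+).*?relay=(?P<relay>.+?)\s*$")
LOCAL_USER_RE = re.compile(r"^(?P<user>[^@\s]+)@localhost$")


def classify_relay(relay):
    """Map sendmail's relay= field to an origin label."""
    m = LOCAL_USER_RE.match(relay)
    if m:
        return "local:" + m.group("user")   # submitted by a local account/process
    if relay.startswith("localhost") or "[127.0.0.1]" in relay:
        return "loopback"                   # MTA receiving the local submission's second hop
    return "remote:" + relay                # an SMTP client on the network


def parse_envelopes(log_text):
    """Return (queue_id, sender, nrcpts, origin) for each sendmail from= line."""
    out = []
    for line in log_text.splitlines():
        m = ENVELOPE_RE.search(line)
        if not m:
            continue  # delivery ("to=") lines and other noise are skipped
        out.append((m.group("qid"), m.group("sender"),
                    int(m.group("nrcpts")), classify_relay(m.group("relay"))))
    return out


def summarize_mail_origins(log_text):
    """Count messages and total recipients per origin label."""
    summary = {}
    for _qid, _sender, nrcpts, origin in parse_envelopes(log_text):
        entry = summary.setdefault(origin, {"messages": 0, "recipients": 0})
        entry["messages"] += 1
        entry["recipients"] += nrcpts
    return summary


def rank_origins(log_text):
    """Origins ordered by recipients addressed, largest first; ties by name."""
    summary = summarize_mail_origins(log_text)
    return sorted(((o, v["messages"], v["recipients"]) for o, v in summary.items()),
                  key=lambda t: (-t[2], t[0]))


if __name__ == "__main__":
    for origin, msgs, rcpts in rank_origins(MAILLOG):
        print(f"{origin:32} messages={msgs:5} recipients={rcpts:6}")
```

A large count under a `local:<account>` label points at a process running as that account on the box itself, which is the case the firewall rules cannot show.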
Michael Picher
2012-11-15 15:48:30 UTC
Yes, and using the word 'hacked' as your subject is not particularly...
helpful...


On Thu, Nov 15, 2012 at 3:32 PM, Tony Graziano <***@myitdepartment.net
> wrote:

> you really need to look at the mail log to see where the mail is coming
> from regardless of your firewall settings. It can actually come from inside
> you see.
>
>
> On Thu, Nov 15, 2012 at 9:29 AM, Noah Mehl <***@tritonlimited.com> wrote:
>
>> I am seeing more spam in my mail queue. I have iptables installed, and
>> here are my rules:
>>
>> Chain INPUT (policy ACCEPT)
>> target prot opt source destination
>> RH-Firewall-1-INPUT all -- anywhere anywhere
>>
>> Chain FORWARD (policy ACCEPT)
>> target prot opt source destination
>> RH-Firewall-1-INPUT all -- anywhere anywhere
>>
>> Chain OUTPUT (policy ACCEPT)
>> target prot opt source destination
>>
>> Chain RH-Firewall-1-INPUT (2 references)
>> target prot opt source destination
>> ACCEPT all -- anywhere anywhere
>> ACCEPT icmp -- anywhere anywhere icmp any
>> ACCEPT esp -- anywhere anywhere
>> ACCEPT ah -- anywhere anywhere
>> ACCEPT udp -- anywhere 224.0.0.251 udp dpt:mdns
>> ACCEPT udp -- anywhere anywhere udp dpt:ipp
>> ACCEPT tcp -- anywhere anywhere tcp dpt:ipp
>> ACCEPT all -- anywhere anywhere state
>> RELATED,ESTABLISHED
>> ACCEPT tcp -- anywhere anywhere state NEW
>> tcp dpt:pcsync-https
>> ACCEPT tcp -- anywhere anywhere state NEW
>> tcp dpt:http
>> ACCEPT tcp -- anywhere anywhere state NEW
>> tcp dpt:xmpp-client
>> ACCEPT tcp -- anywhere anywhere state NEW
>> tcp dpt:5223
>> ACCEPT all -- 192.168.0.0/16 anywhere
>> ACCEPT udp -- anywhere anywhere state NEW
>> udp dpt:sip
>> ACCEPT tcp -- anywhere anywhere state NEW
>> tcp dpt:sip
>> ACCEPT tcp -- anywhere anywhere state NEW
>> tcp dpt:sip-tls
>> ACCEPT udp -- sip02.gafachi.com anywhere state NEW
>> udp dpts:sip:5080
>> ACCEPT udp -- 204.11.192.0/22 anywhere state NEW
>> udp dpts:sip:5080
>> REJECT all -- anywhere anywhere reject-with
>> icmp-host-prohibited
>>
>> As far as I can tell, no one should be able to use port 25 from the
>> world. Also, sendmail is only configured to allow relay from localhost:
>>
>> [***@sipx1 ~]# cat /etc/mail/access
>> # Check the /usr/share/doc/sendmail/README.cf file for a description
>> # of the format of this file. (search for access_db in that file)
>> # The /usr/share/doc/sendmail/README.cf is part of the sendmail-doc
>> # package.
>> #
>> # by default we allow relaying from localhost...
>> Connect:localhost.localdomain RELAY
>> Connect:localhost RELAY
>> Connect:127.0.0.1 RELAY
>>
>> Can someone please help me figure out where this spam is coming from?
>> Thanks.
>>
>> ~Noah
>>
>> On Oct 13, 2012, at 10:17 AM, Noah Mehl <***@tritonlimited.com> wrote:
>>
>> > I did not change the configuration of anything related to the PlcmSpIp
>> user. It does however make me feel better that it is related to the vsftpd
>> service and the polycom phones.
>> >
>> >> From /etc/passwd:
>> >
>> >
>> PlcmSpIp:x:500:500::/var/sipxdata/configserver/phone/profile/tftproot:/sbin/nologin
>> >
>> > So, that user cannot ssh to a shell. So I don't think it was that.
>> >
>> > ~Noah
>> >
>> > On Oct 12, 2012, at 9:05 AM, Tony Graziano <
>> ***@myitdepartment.net> wrote:
>> >
>> >> ... more -- its a user that does not have login to the OS itself, just
>> >> vsftpd, which is restricted to certain commands and must present a
>> >> request for its mac address in order to get a configuration file. It
>> >> is not logging into linux unless someone changed the rights of the
>> >> user.
>> >>
>> >> On Fri, Oct 12, 2012 at 7:30 AM, George Niculae <***@ezuce.com>
>> wrote:
>> >>> On Fri, Oct 12, 2012 at 2:26 PM, Tony Graziano
>> >>> <***@myitdepartment.net> wrote:
>> >>>> this is not a valid system user unless you have manually added it to
>> the
>> >>>> system. I do think the logs would show more if access was granted.
>> Why are
>> >>>> you exposing sshd to the outside world with an acl or by protecting
>> it at
>> >>>> your firewall?
>> >>>>
>> >>>
>> >>> PlcmSpIp is the user used by polycom phones for fetching config from
>> server
>> >>>
>> >>> George
>> >>> _______________________________________________
>> >>> sipx-users mailing list
>> >>> sipx-***@list.sipfoundry.org
>> >>> List Archive: http://list.sipfoundry.org/archive/sipx-users/
>> >>
>> >>
>> >>
>> >> --
>> >> ~~~~~~~~~~~~~~~~~~
>> >> Tony Graziano, Manager
>> >> Telephone: 434.984.8430
>> >> sip: ***@voice.myitdepartment.net
>> >> Fax: 434.465.6833
>> >> ~~~~~~~~~~~~~~~~~~
>> >> Linked-In Profile:
>> >> http://www.linkedin.com/pub/tony-graziano/14/4a6/7a4
>> >> Ask about our Internet Fax services!
>> >> ~~~~~~~~~~~~~~~~~~
>> >>
>> >> Using or developing for sipXecs from SIPFoundry? Ask me about
>> sipX-CoLab 2013!
>> >>
>> >> --
>> >> LAN/Telephony/Security and Control Systems Helpdesk:
>> >> Telephone: 434.984.8426
>> >> sip: ***@voice.myitdepartment.net
>> >>
>> >> Helpdesk Customers: http://myhelp.myitdepartment.net
>> >> Blog: http://blog.myitdepartment.net
>> >> _______________________________________________
>> >> sipx-users mailing list
>> >> sipx-***@list.sipfoundry.org
>> >> List Archive: http://list.sipfoundry.org/archive/sipx-users/
>> >
>> >
>> > Scanned for viruses and content by the Tranet Spam Sentinel service.
>> > _______________________________________________
>> > sipx-users mailing list
>> > sipx-***@list.sipfoundry.org
>> > List Archive: http://list.sipfoundry.org/archive/sipx-users/
>>
>> _______________________________________________
>> sipx-users mailing list
>> sipx-***@list.sipfoundry.org
>> List Archive: http://list.sipfoundry.org/archive/sipx-users/
>>
>
>
>
> --
> ~~~~~~~~~~~~~~~~~~
> Tony Graziano, Manager
> Telephone: 434.984.8430
> sip: ***@voice.myitdepartment.net
> Fax: 434.465.6833
> ~~~~~~~~~~~~~~~~~~
> Linked-In Profile:
> http://www.linkedin.com/pub/tony-graziano/14/4a6/7a4
> Ask about our Internet Fax services!
> ~~~~~~~~~~~~~~~~~~
>
> Using or developing for sipXecs from SIPFoundry? Ask me about sipX-CoLab 2013! <http://sipxcolab2013.eventbrite.com/?discount=tony2013>
>
>
> LAN/Telephony/Security and Control Systems Helpdesk:
> Telephone: 434.984.8426
> sip: ***@voice.myitdepartment.net
>
> Helpdesk Customers: http://myhelp.myitdepartment.net
> Blog: http://blog.myitdepartment.net
>
> _______________________________________________
> sipx-users mailing list
> sipx-***@list.sipfoundry.org
> List Archive: http://list.sipfoundry.org/archive/sipx-users/
>



--
Michael Picher, Director of Technical Services
eZuce, Inc.

300 Brickstone Square
Suite 201
Andover, MA. 01810
O.978-296-1005 X2015
M.207-956-0262
@mpicher <http://twitter.com/mpicher>
linkedin <http://www.linkedin.com/profile/view?id=35504760&trk=tab_pro>
www.ezuce.com

------------------------------------------------------------------------------------------------------------
There are 10 kinds of people in the world, those who understand binary and
those who don't.
Todd Hodgen
2012-11-15 17:41:05 UTC
Permalink
+1



From: sipx-users-***@list.sipfoundry.org
[mailto:sipx-users-***@list.sipfoundry.org] On Behalf Of Michael Picher
Sent: Thursday, November 15, 2012 7:49 AM
To: Discussion list for users of sipXecs software
Subject: Re: [sipx-users] Hacked SipXecs 4.4



yes, and using the word hacked as your subject is not particularly...
helpful...



On Thu, Nov 15, 2012 at 3:32 PM, Tony Graziano
<***@myitdepartment.net> wrote:

you really need to look at the mail log to see where the mail is coming from
regardless of your firewall settings. It can actually come from inside you
see.



On Thu, Nov 15, 2012 at 9:29 AM, Noah Mehl <***@tritonlimited.com> wrote:

I am seeing more spam in my mail queue. I have iptables installed, and here
are my rules:

Chain INPUT (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp any
ACCEPT esp -- anywhere anywhere
ACCEPT ah -- anywhere anywhere
ACCEPT udp -- anywhere 224.0.0.251 udp dpt:mdns
ACCEPT udp -- anywhere anywhere udp dpt:ipp
ACCEPT tcp -- anywhere anywhere tcp dpt:ipp
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:pcsync-https
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:xmpp-client
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:5223
ACCEPT all -- 192.168.0.0/16 anywhere
ACCEPT udp -- anywhere anywhere state NEW udp dpt:sip
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:sip
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:sip-tls
ACCEPT udp -- sip02.gafachi.com anywhere state NEW udp dpts:sip:5080
ACCEPT udp -- 204.11.192.0/22 anywhere state NEW udp dpts:sip:5080
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

As far as I can tell, no one should be able to use port 25 from the world.
Also, sendmail is only configured to allow relay from localhost:

[***@sipx1 ~]# cat /etc/mail/access

# Check the /usr/share/doc/sendmail/README.cf file for a description
# of the format of this file. (search for access_db in that file)
# The /usr/share/doc/sendmail/README.cf is part of the sendmail-doc
# package.
#
# by default we allow relaying from localhost...
Connect:localhost.localdomain RELAY
Connect:localhost RELAY
Connect:127.0.0.1 RELAY

Can someone please help me figure out where this spam is coming from?
Thanks.

~Noah


On Oct 13, 2012, at 10:17 AM, Noah Mehl <***@tritonlimited.com> wrote:

> I did not change the configuration of anything related to the PlcmSpIp
user. It does however make me feel better that it is related to the vsftpd
service and the polycom phones.
>
> From /etc/passwd:
>
> PlcmSpIp:x:500:500::/var/sipxdata/configserver/phone/profile/tftproot:/sbin/nologin
>
> So, that user cannot ssh to a shell. So I don't think it was that.
>
> ~Noah
>
> On Oct 12, 2012, at 9:05 AM, Tony Graziano <***@myitdepartment.net>
wrote:
>
>> ... more -- its a user that does not have login to the OS itself, just
>> vsftpd, which is restricted to certain commands and must present a
>> request for its mac address in order to get a configuration file. It
>> is not logging into linux unless someone changed the rights of the
>> user.
>>
>> On Fri, Oct 12, 2012 at 7:30 AM, George Niculae <***@ezuce.com> wrote:
>>> On Fri, Oct 12, 2012 at 2:26 PM, Tony Graziano
>>> <***@myitdepartment.net> wrote:
>>>> this is not a valid system user unless you have manually added it to the
>>>> system. I do think the logs would show more if access was granted. Why are
>>>> you exposing sshd to the outside world with an acl or by protecting it at
>>>> your firewall?
>>>>
>>>
>>> PlcmSpIp is the user used by polycom phones for fetching config from server
>>>
>>> George
>>> _______________________________________________
>>> sipx-users mailing list
>>> sipx-***@list.sipfoundry.org
>>> List Archive: http://list.sipfoundry.org/archive/sipx-users/
>>
>>
>>
>> --
>> ~~~~~~~~~~~~~~~~~~
>> Tony Graziano, Manager
>> Telephone: 434.984.8430
>> sip: ***@voice.myitdepartment.net
>> Fax: 434.465.6833
>> ~~~~~~~~~~~~~~~~~~
>> Linked-In Profile:
>> http://www.linkedin.com/pub/tony-graziano/14/4a6/7a4
>> Ask about our Internet Fax services!
>> ~~~~~~~~~~~~~~~~~~
>>
>> Using or developing for sipXecs from SIPFoundry? Ask me about sipX-CoLab 2013!
>>
>> --
>> LAN/Telephony/Security and Control Systems Helpdesk:
>> Telephone: 434.984.8426
>> sip: ***@voice.myitdepartment.net
>>
>> Helpdesk Customers: http://myhelp.myitdepartment.net
>> Blog: http://blog.myitdepartment.net
>> _______________________________________________
>> sipx-users mailing list
>> sipx-***@list.sipfoundry.org
>> List Archive: http://list.sipfoundry.org/archive/sipx-users/
>
>
> Scanned for viruses and content by the Tranet Spam Sentinel service.
> _______________________________________________
> sipx-users mailing list
> sipx-***@list.sipfoundry.org
> List Archive: http://list.sipfoundry.org/archive/sipx-users/

_______________________________________________
sipx-users mailing list
sipx-***@list.sipfoundry.org
List Archive: http://list.sipfoundry.org/archive/sipx-users/







--
~~~~~~~~~~~~~~~~~~
Tony Graziano, Manager
Telephone: 434.984.8430
sip: ***@voice.myitdepartment.net
Fax: 434.465.6833
~~~~~~~~~~~~~~~~~~
Linked-In Profile:
http://www.linkedin.com/pub/tony-graziano/14/4a6/7a4
Ask about our Internet Fax services!
~~~~~~~~~~~~~~~~~~



Using or developing for sipXecs from SIPFoundry? Ask me about sipX-CoLab 2013! <http://sipxcolab2013.eventbrite.com/?discount=tony2013>



LAN/Telephony/Security and Control Systems Helpdesk:

Telephone: 434.984.8426

sip: ***@voice.myitdepartment.net



Helpdesk Customers: http://myhelp.myitdepartment.net

Blog: http://blog.myitdepartment.net


_______________________________________________
sipx-users mailing list
sipx-***@list.sipfoundry.org
List Archive: http://list.sipfoundry.org/archive/sipx-users/







--
Michael Picher, Director of Technical Services
eZuce, Inc.

300 Brickstone Square

Suite 201

Andover, MA. 01810

O.978-296-1005 X2015
M.207-956-0262
@mpicher <http://twitter.com/mpicher>

linkedin <http://www.linkedin.com/profile/view?id=35504760&trk=tab_pro>
www.ezuce.com



------------------------------------------------------------------------------------------------------------

There are 10 kinds of people in the world, those who understand binary and
those who don't.
Noah Mehl
2012-11-15 17:56:32 UTC
Permalink
I'm using "hacked" because as far as I can tell, this is not an SMTP relay issue. Therefore something on the system is open, and it has therefore been "hacked".

Here are some spam log entries in the maillog:

Nov 14 20:38:28 sipx1 sendmail[31880]: qAF1cSLn031880: from=<***@aol.org>, size=349, class=0, nrcpts=1, msgid=<***@sipx1.sip.tranet.net>, proto=SMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Nov 14 20:38:28 sipx1 sendmail[31880]: qAF1cSLn031880: to=<***@yahoo.co.uk>, delay=00:00:00, mailer=relay, pri=30349, dsn=4.4.3, stat=queued
Nov 14 20:38:34 sipx1 sendmail[32547]: qAF1cSLn031880: to=<***@yahoo.co.uk>, delay=00:00:06, xdelay=00:00:01, mailer=relay, pri=120349, relay=sentinel1.tranet.net. [74.203.219.99], dsn=2.0.0, stat=Sent (Ok: queued as 0F7351C0B53)
Nov 14 20:39:57 sipx1 sendmail[31945]: qAF1dufN031945: from=<***@rkw-lotus.com>, size=358, class=0, nrcpts=1, msgid=<***@sipx1.sip.tranet.net>, proto=SMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Nov 14 20:39:57 sipx1 sendmail[31945]: qAF1dufN031945: to=<***@yahoo.co.uk>, delay=00:00:00, mailer=relay, pri=30358, dsn=4.4.3, stat=queued
Nov 14 20:39:59 sipx1 sendmail[32547]: qAF1dufN031945: to=<***@yahoo.co.uk>, delay=00:00:02, xdelay=00:00:00, mailer=relay, pri=120358, relay=sentinel1.tranet.net. [74.203.219.99], dsn=2.0.0, stat=Sent (Ok: queued as 644861C0B57)
Nov 14 20:40:04 sipx1 sendmail[31953]: qAF1e3Ao031953: from=<***@rkw-lotus.com>, size=358, class=0, nrcpts=1, msgid=<***@sipx1.sip.tranet.net>, proto=SMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Nov 14 20:40:04 sipx1 sendmail[31953]: qAF1e3Ao031953: to=<***@yahoo.co.uk>, delay=00:00:00, mailer=relay, pri=30358, dsn=4.4.3, stat=queued
Nov 14 20:40:15 sipx1 sendmail[32547]: qAF1e3Ao031953: to=<***@yahoo.co.uk>, delay=00:00:11, xdelay=00:00:01, mailer=relay, pri=120358, relay=sentinel1.tranet.net. [74.203.219.99], dsn=2.0.0, stat=Sent (Ok: queued as ABC431C0B5B)
Nov 14 20:42:23 sipx1 sendmail[32050]: qAF1gMNl032050: from=<***@rkw-lotus.com>, size=358, class=0, nrcpts=1, msgid=<***@sipx1.sip.tranet.net>, proto=SMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Nov 14 20:42:23 sipx1 sendmail[32050]: qAF1gMNl032050: to=<***@yahoo.co.uk>, delay=00:00:00, mailer=relay, pri=30358, dsn=4.4.3, stat=queued
Nov 14 20:42:26 sipx1 sendmail[32547]: qAF1gMNl032050: to=<***@yahoo.co.uk>, delay=00:00:03, xdelay=00:00:01, mailer=relay, pri=120358, relay=sentinel1.tranet.net. [74.203.219.99], dsn=2.0.0, stat=Sent (Ok: queued as 488DE1C0B67)
Nov 14 21:08:02 sipx1 sendmail[32545]: qAF280Fd032545: from=<***@rkw-lotus.com>, size=361, class=0, nrcpts=2, msgid=<***@sipx1.sip.tranet.net>, proto=SMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Nov 14 21:08:02 sipx1 sendmail[32545]: qAF280Fd032545: to=<***@hotmail.com>, delay=00:00:00, mailer=relay, pri=60361, dsn=4.4.3, stat=queued
Nov 14 21:08:02 sipx1 sendmail[32545]: qAF280Fd032545: to=<***@yahoo.co.uk>, delay=00:00:00, mailer=relay, pri=60361, dsn=4.4.3, stat=queued
Nov 14 21:08:08 sipx1 sendmail[32547]: qAF280Fd032545: to=<***@yahoo.co.uk>,<***@hotmail.com>, delay=00:00:06, xdelay=00:00:01, mailer=relay, pri=150361, relay=sentinel1.tranet.net. [74.203.219.99], dsn=2.0.0, stat=Sent (Ok: queued as 1FAFD1BFD89)
Nov 14 21:08:12 sipx1 sendmail[32549]: qAF28A1h032549: from=<***@rkw-lotus.com>, size=361, class=0, nrcpts=2, msgid=<***@sipx1.sip.tranet.net>, proto=SMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Nov 14 21:08:12 sipx1 sendmail[32549]: qAF28A1h032549: to=<***@hotmail.com>, delay=00:00:01, mailer=relay, pri=60361, dsn=4.4.3, stat=queued
Nov 14 21:08:12 sipx1 sendmail[32549]: qAF28A1h032549: to=<***@yahoo.co.uk>, delay=00:00:01, mailer=relay, pri=60361, dsn=4.4.3, stat=queued
Nov 14 21:08:23 sipx1 sendmail[32547]: qAF28A1h032549: to=<***@yahoo.co.uk>,<***@hotmail.com>, delay=00:00:12, xdelay=00:00:00, mailer=relay, pri=150361, relay=sentinel1.tranet.net. [74.203.219.99], dsn=2.0.0, stat=Sent (Ok: queued as 4A9911BFD9F)
Nov 14 21:08:37 sipx1 sendmail[32559]: qAF28Z2x032559: from=<***@rkw-lotus.com>, size=361, class=0, nrcpts=2, msgid=<***@sipx1.sip.tranet.net>, proto=SMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Nov 14 21:08:37 sipx1 sendmail[32559]: qAF28Z2x032559: to=<***@hotmail.com>, delay=00:00:01, mailer=relay, pri=60361, dsn=4.4.3, stat=queued
Nov 14 21:08:37 sipx1 sendmail[32559]: qAF28Z2x032559: to=<***@yahoo.co.uk>, delay=00:00:01, mailer=relay, pri=60361, dsn=4.4.3, stat=queued
Nov 14 21:08:39 sipx1 sendmail[32547]: qAF28Z2x032559: to=<***@yahoo.co.uk>,<***@hotmail.com>, delay=00:00:03, xdelay=00:00:00, mailer=relay, pri=150361, relay=sentinel1.tranet.net. [74.203.219.99], dsn=2.0.0, stat=Sent (Ok: queued as 62A2D1BFDAB)
Nov 14 22:34:23 sipx1 sendmail[1047]: qAF3YKuO001047: from=<***@rkw-lotus.com>, size=5874, class=0, nrcpts=1, msgid=<***@sipx1.sip.tranet.net>, proto=SMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Nov 14 22:34:23 sipx1 sendmail[1047]: qAF3YKuO001047: to=<***@hotmail.com>, delay=00:00:01, mailer=relay, pri=35874, dsn=4.4.3, stat=queued
Nov 14 22:34:25 sipx1 sendmail[32547]: qAF3YKuO001047: to=<***@hotmail.com>, delay=00:00:03, xdelay=00:00:02, mailer=relay, pri=125874, relay=sentinel1.tranet.net. [74.203.219.99], dsn=2.0.0, stat=Sent (Ok: queued as 479D81C0BDE)
Nov 15 01:50:09 sipx1 sendmail[3176]: qAF6o7o5003176: from=<***@rkw-lotus.com>, size=5874, class=0, nrcpts=1, msgid=<***@sipx1.sip.tranet.net>, proto=SMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Nov 15 01:50:09 sipx1 sendmail[3176]: qAF6o7o5003176: to=<***@hotmail.com>, delay=00:00:01, mailer=relay, pri=35874, dsn=4.4.3, stat=queued
Nov 15 01:50:14 sipx1 sendmail[32547]: qAF6o7o5003176: to=<***@hotmail.com>, delay=00:00:06, xdelay=00:00:03, mailer=relay, pri=125874, relay=sentinel1.tranet.net. [74.203.219.99], dsn=2.0.0, stat=Sent (Ok: queued as 309221C0F12)
Nov 15 03:19:19 sipx1 sendmail[4123]: qAF8JHpS004123: from=<***@rkw-lotus.com>, size=5874, class=0, nrcpts=1, msgid=<***@sipx1.sip.tranet.net>, proto=SMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Nov 15 03:19:19 sipx1 sendmail[4123]: qAF8JHpS004123: to=<***@hotmail.com>, delay=00:00:00, mailer=relay, pri=35874, dsn=4.4.3, stat=queued
Nov 15 03:19:23 sipx1 sendmail[32547]: qAF8JHpS004123: to=<***@hotmail.com>, delay=00:00:04, xdelay=00:00:01, mailer=relay, pri=125874, relay=sentinel1.tranet.net. [74.203.219.99], dsn=2.0.0, stat=Sent (Ok: queued as 6B4E11C0F51)
Nov 15 03:26:33 sipx1 sendmail[4210]: qAF8Q78r004210: from=<***@rkw-lotus.com>, size=5925, class=0, nrcpts=50, msgid=<***@sipx1.sip.tranet.net>, proto=SMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]

As opposed to a normal entry:

Nov 15 10:02:23 sipx1 sendmail[11170]: qAFF2NI4011170: from=<***@localhost>, size=335352, class=0, nrcpts=1, msgid=<***@sipx1.sip.tranet.net>, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Nov 15 10:02:23 sipx1 sendmail[11170]: qAFF2NI4011170: to=<***@signmuseum.org>, delay=00:00:00, mailer=relay, pri=365352, dsn=4.4.3, stat=queued
Nov 15 10:02:40 sipx1 sendmail[10780]: qAFF2NI4011170: to=<***@signmuseum.org>, delay=00:00:17, xdelay=00:00:14, mailer=relay, pri=455352, relay=sentinel1.tranet.net. [74.203.219.99], dsn=2.0.0, stat=Sent (Ok: queued as 501B41C1CBE)

So, they are being generated locally, as far as I can tell.

~Noah

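The distinction Noah draws above (foreign envelope senders accepted over 127.0.0.1 with bare `proto=SMTP`, versus the box's own mail with a local sender and ESMTP) can be checked mechanically across a whole maillog. The following is an added example for this archive, not code from the thread or from sipXecs: it parses sendmail's `from=` lines and flags messages that a process on the host itself handed to sendmail. The sample log lines, host name, addresses, queue ids and the `LOCAL_DOMAINS` set are constructed placeholders to be replaced with your own.

```python
import re
import sys
from collections import Counter

# sendmail writes one "from=" line per accepted message; everything needed to tell
# locally generated mail from locally *injected* mail is on that line.
FROM_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s\d\d:\d\d:\d\d)\s(?P<host>\S+)\ssendmail\[\d+\]:\s"
    r"(?P<qid>\w+):\sfrom=<(?P<sender>[^>]*)>,\ssize=(?P<size>\d+),"
    r".*?nrcpts=(?P<nrcpts>\d+),.*?proto=(?P<proto>\w+),"
    r".*?relay=(?P<relay>\S+)\s\[(?P<ip>[\d.]+)\]"
)

LOOPBACK = "127.0.0.1"

# Assumption: envelope sender domains the box's own software legitimately uses.
# Set this to your host's names; the FQDN below is a constructed placeholder.
LOCAL_DOMAINS = {"localhost", "localhost.localdomain", "sipx1.example.invalid"}

# Constructed sample modelled on the thread's maillog excerpt (addresses and queue ids invented).
SAMPLE_MAILLOG = """\
Nov 14 20:38:28 sipx1 sendmail[31880]: qAF1cSLn000001: from=<bob@spam-sender.example>, size=349, class=0, nrcpts=1, msgid=<201211150138.a@sipx1.example.invalid>, proto=SMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Nov 14 20:38:28 sipx1 sendmail[31880]: qAF1cSLn000001: to=<victim@mail.example>, delay=00:00:00, mailer=relay, pri=30349, dsn=4.4.3, stat=queued
Nov 15 03:26:33 sipx1 sendmail[4210]: qAF8Q78r000002: from=<eve@spam-sender.example>, size=5925, class=0, nrcpts=50, msgid=<201211150826.b@sipx1.example.invalid>, proto=SMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Nov 15 10:02:23 sipx1 sendmail[11170]: qAFF2NI4000003: from=<root@localhost>, size=335352, class=0, nrcpts=1, msgid=<201211151502.c@sipx1.example.invalid>, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Nov 15 10:03:01 sipx1 sendmail[11200]: qAFF31aa000004: from=<sipx@sipx1.example.invalid>, size=1200, class=0, nrcpts=1, msgid=<201211151503.d@sipx1.example.invalid>, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
""".splitlines()


def parse_from_line(line):
    """Return the envelope fields of a sendmail 'from=' line, or None for any other line."""
    m = FROM_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["size"] = int(rec["size"])
    rec["nrcpts"] = int(rec["nrcpts"])
    # Domain part of the envelope sender; "" for a null sender (<>), i.e. a bounce.
    rec["sender_domain"] = rec["sender"].rsplit("@", 1)[1].lower() if "@" in rec["sender"] else ""
    return rec


def flags_for(rec, local_domains):
    """Indicators that a message accepted over loopback did not come from the box's own software."""
    flags = []
    if rec["ip"] == LOOPBACK and rec["sender_domain"] and rec["sender_domain"] not in local_domains:
        # The box's own mail (cron output, the PBX's notifications) carries a local envelope
        # sender. A foreign sender arriving over 127.0.0.1 means a process *on this host*
        # spoke SMTP to sendmail; the relay ACL and the firewall are the wrong place to look.
        flags.append("foreign-sender-via-loopback")
    if rec["proto"] == "SMTP":
        # Real MTAs and mail clients greet with EHLO (logged as ESMTP); plain HELO is
        # typical of a scripted sender rather than a mail client.
        flags.append("helo-only-client")
    if rec["nrcpts"] >= 10:
        flags.append("bulk-recipients")
    return flags


def triage(lines, local_domains=LOCAL_DOMAINS):
    """Split envelope lines into locally injected vs. legitimate local mail.

    Returns suspicious records, clean records, and recipients queued per suspicious
    sender domain (the spam volume the host has been pushing out).
    """
    local = {d.lower() for d in local_domains}
    suspicious, clean = [], []
    rcpts_by_domain = Counter()
    for line in lines:
        rec = parse_from_line(line)
        if rec is None:  # to= / stat= lines carry no envelope sender
            continue
        rec["flags"] = flags_for(rec, local)
        if "foreign-sender-via-loopback" in rec["flags"]:
            suspicious.append(rec)
            rcpts_by_domain[rec["sender_domain"]] += rec["nrcpts"]
        else:
            clean.append(rec)
    return {"suspicious": suspicious, "clean": clean, "rcpts_by_domain": rcpts_by_domain}


if __name__ == "__main__":
    # Usage: python triage_maillog.py /var/log/maillog   (no argument: run on the sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as f:
            lines = f.read().splitlines()
    else:
        lines = SAMPLE_MAILLOG
    report = triage(lines)
    for rec in report["suspicious"]:
        print(f'{rec["ts"]} {rec["qid"]} from=<{rec["sender"]}> nrcpts={rec["nrcpts"]} {",".join(rec["flags"])}')
    print("recipients queued per foreign sender domain:", dict(report["rcpts_by_domain"]))
    print(f'clean local mail: {len(report["clean"])} message(s)')
```

The `sendmail[pid]` in each line is sendmail's own child, not the client that injected the message, so this tells you that something local is submitting mail, not what; the next step is to watch for local connections to port 25 (for example `netstat -tnp` while the queue is growing) to identify the submitting process.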
Tony Graziano
2012-11-15 18:15:34 UTC
Permalink
If you do not have sendmail-cf installed I would do that. I would then look
through the sendmail.m4 file.

The default settings say ONLY ACCEPT from this box (being sipx).

passwd PlcmSpIp

you shouldn't need to do that. Unless you are actually able to correlate
that user login with these occurrences. I have never seen this happen, but
in your case it might be a first.

You will also need to change all of your phones in order to update them if
they use FTP.

Have you considered tightening down your SSH config?

The PlcmSpIp user has no SSH login by default. I tried (as an example) from
my LAN with IPTABLES OFF and I could not shell.

So everyone here wants to know... what have you done to that user account?
If it is authenticating via SSH it has been modified. The user shell is
"/sbin/nologin" by default. I still doubt something has been hacked and
rather think that someone has altered the user to make it less secure. If
this is the case, it's a result of that action.

Explain who did what to the user PlcmSpIp.

On Thu, Nov 15, 2012 at 12:56 PM, Noah Mehl <***@tritonlimited.com> wrote:

> I'm using "hacked" because as far as I can tell, this is not an smtp
> relay issue. Therefore something on the system is open, and therefore been
> "hacked".
>
> Here is some spam log entries in the maillog:
>
> Nov 14 20:38:28 sipx1 sendmail[31880]: qAF1cSLn031880: from=<***@aol.org>,
> size=349, class=0, nrcpts=1, msgid=<201211150138.
> ***@sipx1.sip.tranet.net>, proto=SMTP, daemon=MTA,
> relay=localhost.localdomain [127.0.0.1]
> Nov 14 20:38:28 sipx1 sendmail[31880]: qAF1cSLn031880: to=<
> ***@yahoo.co.uk>, delay=00:00:00, mailer=relay, pri=30349,
> dsn=4.4.3, stat=queued
> Nov 14 20:38:34 sipx1 sendmail[32547]: qAF1cSLn031880: to=<
> ***@yahoo.co.uk>, delay=00:00:06, xdelay=00:00:01, mailer=relay,
> pri=120349, relay=sentinel1.tranet.net. [74.203.219.99], dsn=2.0.0,
> stat=Sent (Ok: queued as 0F7351C0B53)
> Nov 14 20:39:57 sipx1 sendmail[31945]: qAF1dufN031945: from=<
> ***@rkw-lotus.com>, size=358, class=0, nrcpts=1, msgid=<201211150139.
> ***@sipx1.sip.tranet.net>, proto=SMTP, daemon=MTA,
> relay=localhost.localdomain [127.0.0.1]
> Nov 14 20:39:57 sipx1 sendmail[31945]: qAF1dufN031945: to=<
> ***@yahoo.co.uk>, delay=00:00:00, mailer=relay, pri=30358,
> dsn=4.4.3, stat=queued
> Nov 14 20:39:59 sipx1 sendmail[32547]: qAF1dufN031945: to=<
> ***@yahoo.co.uk>, delay=00:00:02, xdelay=00:00:00, mailer=relay,
> pri=120358, relay=sentinel1.tranet.net. [74.203.219.99], dsn=2.0.0,
> stat=Sent (Ok: queued as 644861C0B57)
> Nov 14 20:40:04 sipx1 sendmail[31953]: qAF1e3Ao031953: from=<
> ***@rkw-lotus.com>, size=358, class=0, nrcpts=1, msgid=<201211150140.
> ***@sipx1.sip.tranet.net>, proto=SMTP, daemon=MTA,
> relay=localhost.localdomain [127.0.0.1]
> Nov 14 20:40:04 sipx1 sendmail[31953]: qAF1e3Ao031953: to=<
> ***@yahoo.co.uk>, delay=00:00:00, mailer=relay, pri=30358,
> dsn=4.4.3, stat=queued
> Nov 14 20:40:15 sipx1 sendmail[32547]: qAF1e3Ao031953: to=<
> ***@yahoo.co.uk>, delay=00:00:11, xdelay=00:00:01, mailer=relay,
> pri=120358, relay=sentinel1.tranet.net. [74.203.219.99], dsn=2.0.0,
> stat=Sent (Ok: queued as ABC431C0B5B)
> Nov 14 20:42:23 sipx1 sendmail[32050]: qAF1gMNl032050: from=<
> ***@rkw-lotus.com>, size=358, class=0, nrcpts=1, msgid=<201211150142.
> ***@sipx1.sip.tranet.net>, proto=SMTP, daemon=MTA,
> relay=localhost.localdomain [127.0.0.1]
> Nov 14 20:42:23 sipx1 sendmail[32050]: qAF1gMNl032050: to=<
> ***@yahoo.co.uk>, delay=00:00:00, mailer=relay, pri=30358,
> dsn=4.4.3, stat=queued
> Nov 14 20:42:26 sipx1 sendmail[32547]: qAF1gMNl032050: to=<
> ***@yahoo.co.uk>, delay=00:00:03, xdelay=00:00:01, mailer=relay,
> pri=120358, relay=sentinel1.tranet.net. [74.203.219.99], dsn=2.0.0,
> stat=Sent (Ok: queued as 488DE1C0B67)
> Nov 14 21:08:02 sipx1 sendmail[32545]: qAF280Fd032545: from=<
> ***@rkw-lotus.com>, size=361, class=0, nrcpts=2, msgid=<201211150208.
> ***@sipx1.sip.tranet.net>, proto=SMTP, daemon=MTA,
> relay=localhost.localdomain [127.0.0.1]
> Nov 14 21:08:02 sipx1 sendmail[32545]: qAF280Fd032545: to=<
> ***@hotmail.com>, delay=00:00:00, mailer=relay, pri=60361,
> dsn=4.4.3, stat=queued
> Nov 14 21:08:02 sipx1 sendmail[32545]: qAF280Fd032545: to=<
> ***@yahoo.co.uk>, delay=00:00:00, mailer=relay, pri=60361,
> dsn=4.4.3, stat=queued
> Nov 14 21:08:08 sipx1 sendmail[32547]: qAF280Fd032545: to=<
> ***@yahoo.co.uk>,<***@hotmail.com>, delay=00:00:06,
> xdelay=00:00:01, mailer=relay, pri=150361, relay=sentinel1.tranet.net.
> [74.203.219.99], dsn=2.0.0, stat=Sent (Ok: queued as 1FAFD1BFD89)
> Nov 14 21:08:12 sipx1 sendmail[32549]: qAF28A1h032549: from=<
> ***@rkw-lotus.com>, size=361, class=0, nrcpts=2, msgid=<201211150208.
> ***@sipx1.sip.tranet.net>, proto=SMTP, daemon=MTA,
> relay=localhost.localdomain [127.0.0.1]
> Nov 14 21:08:12 sipx1 sendmail[32549]: qAF28A1h032549: to=<
> ***@hotmail.com>, delay=00:00:01, mailer=relay, pri=60361,
> dsn=4.4.3, stat=queued
> Nov 14 21:08:12 sipx1 sendmail[32549]: qAF28A1h032549: to=<
> ***@yahoo.co.uk>, delay=00:00:01, mailer=relay, pri=60361,
> dsn=4.4.3, stat=queued
> Nov 14 21:08:23 sipx1 sendmail[32547]: qAF28A1h032549: to=<
> ***@yahoo.co.uk>,<***@hotmail.com>, delay=00:00:12,
> xdelay=00:00:00, mailer=relay, pri=150361, relay=sentinel1.tranet.net.
> [74.203.219.99], dsn=2.0.0, stat=Sent (Ok: queued as 4A9911BFD9F)
> Nov 14 21:08:37 sipx1 sendmail[32559]: qAF28Z2x032559: from=<
> ***@rkw-lotus.com>, size=361, class=0, nrcpts=2, msgid=<201211150208.
> ***@sipx1.sip.tranet.net>, proto=SMTP, daemon=MTA,
> relay=localhost.localdomain [127.0.0.1]
> Nov 14 21:08:37 sipx1 sendmail[32559]: qAF28Z2x032559: to=<
> ***@hotmail.com>, delay=00:00:01, mailer=relay, pri=60361,
> dsn=4.4.3, stat=queued
> Nov 14 21:08:37 sipx1 sendmail[32559]: qAF28Z2x032559: to=<
> ***@yahoo.co.uk>, delay=00:00:01, mailer=relay, pri=60361,
> dsn=4.4.3, stat=queued
> Nov 14 21:08:39 sipx1 sendmail[32547]: qAF28Z2x032559: to=<
> ***@yahoo.co.uk>,<***@hotmail.com>, delay=00:00:03,
> xdelay=00:00:00, mailer=relay, pri=150361, relay=sentinel1.tranet.net.
> [74.203.219.99], dsn=2.0.0, stat=Sent (Ok: queued as 62A2D1BFDAB)
> Nov 14 22:34:23 sipx1 sendmail[1047]: qAF3YKuO001047: from=<
> ***@rkw-lotus.com>, size=5874, class=0, nrcpts=1, msgid=<201211150334.
> ***@sipx1.sip.tranet.net>, proto=SMTP, daemon=MTA,
> relay=localhost.localdomain [127.0.0.1]
> Nov 14 22:34:23 sipx1 sendmail[1047]: qAF3YKuO001047: to=<
> ***@hotmail.com>, delay=00:00:01, mailer=relay, pri=35874,
> dsn=4.4.3, stat=queued
> Nov 14 22:34:25 sipx1 sendmail[32547]: qAF3YKuO001047: to=<
> ***@hotmail.com>, delay=00:00:03, xdelay=00:00:02, mailer=relay,
> pri=125874, relay=sentinel1.tranet.net. [74.203.219.99], dsn=2.0.0,
> stat=Sent (Ok: queued as 479D81C0BDE)
> Nov 15 01:50:09 sipx1 sendmail[3176]: qAF6o7o5003176: from=<
> ***@rkw-lotus.com>, size=5874, class=0, nrcpts=1, msgid=<201211150650.
> ***@sipx1.sip.tranet.net>, proto=SMTP, daemon=MTA,
> relay=localhost.localdomain [127.0.0.1]
> Nov 15 01:50:09 sipx1 sendmail[3176]: qAF6o7o5003176: to=<
> ***@hotmail.com>, delay=00:00:01, mailer=relay, pri=35874,
> dsn=4.4.3, stat=queued
> Nov 15 01:50:14 sipx1 sendmail[32547]: qAF6o7o5003176: to=<
> ***@hotmail.com>, delay=00:00:06, xdelay=00:00:03, mailer=relay,
> pri=125874, relay=sentinel1.tranet.net. [74.203.219.99], dsn=2.0.0,
> stat=Sent (Ok: queued as 309221C0F12)
> Nov 15 03:19:19 sipx1 sendmail[4123]: qAF8JHpS004123: from=<
> ***@rkw-lotus.com>, size=5874, class=0, nrcpts=1, msgid=<201211150819.
> ***@sipx1.sip.tranet.net>, proto=SMTP, daemon=MTA,
> relay=localhost.localdomain [127.0.0.1]
> Nov 15 03:19:19 sipx1 sendmail[4123]: qAF8JHpS004123: to=<
> ***@hotmail.com>, delay=00:00:00, mailer=relay, pri=35874,
> dsn=4.4.3, stat=queued
> Nov 15 03:19:23 sipx1 sendmail[32547]: qAF8JHpS004123: to=<
> ***@hotmail.com>, delay=00:00:04, xdelay=00:00:01, mailer=relay,
> pri=125874, relay=sentinel1.tranet.net. [74.203.219.99], dsn=2.0.0,
> stat=Sent (Ok: queued as 6B4E11C0F51)
> Nov 15 03:26:33 sipx1 sendmail[4210]: qAF8Q78r004210: from=<
> ***@rkw-lotus.com>, size=5925, class=0, nrcpts=50, msgid=<201211150826.
> ***@sipx1.sip.tranet.net>, proto=SMTP, daemon=MTA,
> relay=localhost.localdomain [127.0.0.1]
>
> As opposed to a normal entry:
>
> Nov 15 10:02:23 sipx1 sendmail[11170]: qAFF2NI4011170:
> from=<***@localhost>, size=335352, class=0, nrcpts=1,
> msgid=<1578812003.338.1352991743551.
> ***@sipx1.sip.tranet.net>, proto=ESMTP, daemon=MTA,
> relay=localhost.localdomain [127.0.0.1]
> Nov 15 10:02:23 sipx1 sendmail[11170]: qAFF2NI4011170: to=<
> ***@signmuseum.org>, delay=00:00:00, mailer=relay, pri=365352,
> dsn=4.4.3, stat=queued
> Nov 15 10:02:40 sipx1 sendmail[10780]: qAFF2NI4011170: to=<
> ***@signmuseum.org>, delay=00:00:17, xdelay=00:00:14, mailer=relay,
> pri=455352, relay=sentinel1.tranet.net. [74.203.219.99], dsn=2.0.0,
> stat=Sent (Ok: queued as 501B41C1CBE)
>
> So, they are being generated locally, as far as I can tell.
>
> ~Noah
>



--
~~~~~~~~~~~~~~~~~~
Tony Graziano, Manager
Telephone: 434.984.8430
sip: ***@voice.myitdepartment.net
Fax: 434.465.6833
~~~~~~~~~~~~~~~~~~
Linked-In Profile:
http://www.linkedin.com/pub/tony-graziano/14/4a6/7a4
Ask about our Internet Fax services!
~~~~~~~~~~~~~~~~~~

Using or developing for sipXecs from SIPFoundry? Ask me about sipX-CoLab
2013!
<http://sipxcolab2013.eventbrite.com/?discount=tony2013>

--
LAN/Telephony/Security and Control Systems Helpdesk:
Telephone: 434.984.8426
sip: ***@voice.myitdepartment.net

Helpdesk Customers: http://myhelp.myitdepartment.net
Blog: http://blog.myitdepartment.net
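A small triage script for the two observations in this thread (an added example, not code from sipXecs or from any poster): it flags maillog envelopes that were handed to sendmail over loopback with a sender domain outside the box's own, the pattern Noah contrasts with his "normal entry", and it counts sshd session-open events for accounts whose /etc/passwd shell is a nologin shell, such as PlcmSpIp. The sample log lines, the address local-parts, the msgid bodies and the LOCAL_DOMAINS set are constructed for the example.

```python
"""Triage helpers for the two observations in this thread (added example,
not code from sipXecs or from any poster): (1) pick out sendmail maillog
envelopes injected via localhost with a sender outside the box's own
domains, which is the pattern Noah contrasts with the "normal entry";
(2) list sshd session-open events for accounts whose /etc/passwd shell
is a nologin shell, such as PlcmSpIp."""
import re
from collections import Counter

# Constructed samples modelled on the excerpts in the thread; the address
# local-parts and the msgid bodies are placeholders.
MAILLOG = """\
Nov 14 21:08:12 sipx1 sendmail[32549]: qAF28A1h032549: from=<sender@rkw-lotus.com>, size=361, class=0, nrcpts=2, msgid=<201211150208.a@sipx1.sip.tranet.net>, proto=SMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Nov 14 21:08:12 sipx1 sendmail[32549]: qAF28A1h032549: to=<rcpt@hotmail.com>, delay=00:00:01, mailer=relay, pri=60361, dsn=4.4.3, stat=queued
Nov 15 03:26:33 sipx1 sendmail[4210]: qAF8Q78r004210: from=<sender@rkw-lotus.com>, size=5925, class=0, nrcpts=50, msgid=<201211150826.b@sipx1.sip.tranet.net>, proto=SMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Nov 15 10:02:23 sipx1 sendmail[11170]: qAFF2NI4011170: from=<sipx@localhost>, size=335352, class=0, nrcpts=1, msgid=<1578812003.338@sipx1.sip.tranet.net>, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
"""
SECURE = """\
Oct 11 06:09:25 sipx1 sshd[22059]: pam_unix(sshd:session): session opened for user PlcmSpIp by (uid=0)
Oct 11 18:36:02 sipx1 sshd[29185]: pam_unix(sshd:session): session opened for user PlcmSpIp by (uid=0)
Oct 12 09:15:40 sipx1 sshd[30200]: pam_unix(sshd:session): session opened for user root by (uid=0)
"""
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
PlcmSpIp:x:500:500::/var/sipxdata/configserver/phone/profile/tftproot:/sbin/nologin
"""
# Sender domains that legitimate, locally generated mail on this box uses
# (assumed for the example; adjust to the real host name).
LOCAL_DOMAINS = {"localhost", "localhost.localdomain", "sipx1.sip.tranet.net"}
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}

FROM_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sendmail\[\d+\]: (?P<qid>\w+): "
    r"from=<(?P<sender>[^>]*)>, size=(?P<size>\d+), class=\d+, "
    r"nrcpts=(?P<nrcpts>\d+), msgid=<[^>]*>, proto=(?P<proto>\w+), "
    r"daemon=\w+, relay=(?P<relay>\S+) \[(?P<ip>[\d.]+)\]"
)
SESSION_RE = re.compile(
    r"sshd\[\d+\]: pam_unix\(sshd:session\): session opened for user (\S+) by"
)


def parse_envelopes(maillog_text):
    """Return one dict per 'from=' line (the envelope record of a queue id);
    'to=' and other lines are skipped."""
    records = []
    for line in maillog_text.splitlines():
        m = FROM_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["size"] = int(rec["size"])
            rec["nrcpts"] = int(rec["nrcpts"])
            records.append(rec)
    return records


def suspicious_injections(records, local_domains=LOCAL_DOMAINS):
    """Envelopes handed to the MTA over the loopback interface whose sender
    domain is not one of the box's own: with port 25 closed to the world,
    these can only have been submitted by a process on the host."""
    flagged = []
    for rec in records:
        domain = rec["sender"].rpartition("@")[2].lower()
        if rec["ip"] == "127.0.0.1" and domain not in local_domains:
            flagged.append(rec)
    return flagged


def nologin_accounts(passwd_text):
    """Account names whose login shell should never give an interactive session."""
    names = set()
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[6] in NOLOGIN_SHELLS:
            names.add(fields[0])
    return names


def sessions_for_nologin(secure_text, passwd_text):
    """Count sshd session-open events per account that has a nologin shell.
    A non-zero count means sshd authenticated that account and opened a
    PAM session for it, which is exactly the line Noah found in 'secure'."""
    blocked = nologin_accounts(passwd_text)
    return Counter(
        m.group(1) for m in SESSION_RE.finditer(secure_text) if m.group(1) in blocked
    )


if __name__ == "__main__":
    for rec in suspicious_injections(parse_envelopes(MAILLOG)):
        print(f"{rec['ts']} {rec['qid']} from={rec['sender']} "
              f"nrcpts={rec['nrcpts']} proto={rec['proto']}")
    print(dict(sessions_for_nologin(SECURE, PASSWD)))
```

On a real box, read /var/log/maillog, /var/log/secure and /etc/passwd into the three strings; a hit from sessions_for_nologin is the thing to explain before worrying about relay settings.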
Tony Graziano
2012-11-15 18:26:02 UTC
Permalink
Oh, and since sipx does not need to RECEIVE mail (really), why is port 25
open to it from the outside world to begin with?

One can telnet to your sipx box from the outside, which means there is a
NAT pinhole at your firewall or it is plain sitting outside with no
properly configured firewall.

So:

1. Who tampered with the user account PlcmSpIp to allow it LOGIN privileges?
2. Why is port 25 NAT and/or open and allowed through whatever firewall you
have?

I kind of doubt changing the password for PlcmSpIp needs to happen. Address
the above two things. The sipx system is not necessarily relaying email,
it's just receiving. I have NEVER EVER EVER had to open or nat port 25 for
sipx for it to SEND MAIL.

Sorry, I just really want to be clear here. It seems you've had this
problem for a while now and if you address those two things, stuff should
go to normal.

BTW - I still don't think your system is hacked. Don't take this the wrong
way, but the subject of the email gets people concerned. I am not concerned
except FOR YOUR sake. I think in general everyone else will be able to
ignore the "hacked" part of this safely.

On Thu, Nov 15, 2012 at 1:15 PM, Tony Graziano <***@myitdepartment.net
> wrote:

> If you do not have sendmail-cf installed I would do that. I would then
> look through the sendmail.m4 file.
>
> The default settings say ONLY ACCEPT from this box (being sipx).
>
> passwd PlcmSpIp
>
> you shouldn't need to do that. Unless you are actually able to correlate
> that user login with these occurrences. I have never seen this happen, but
> in your case it might be a first.
>
> You will also need to change all of your phones in order to update them if
> they use FTP.
>
> Have you considered tightening down your SSH config?
>
> The PlcmSpIp user has no SSH login by default. I tried (as an example)
> from my LAN with IPTABLES OFF and I could not shell.
>
> So everyone here wants to know... what have you done to that user account?
> If it is authenticating via SSH it has been modified. The user shell is
> "/sbin/nologin" by default. I still doubt something has been hacked and
> rather think that someone has altered the user to make it less secure. If
> this is the case, it's a result of that action.
>
> Explain who did what to the user PlcmSpIp.
>
Noah Mehl
2012-11-15 18:31:28 UTC
Permalink
Tony,

Again,

1. No one tampered with the user on my end (since I'm the only admin and the only one who *should* have access to the box)
2. PORT 25 IS NOT OPEN TO THE BOX, nor has it ever been. The messages are being generated locally, so, it's NOT A RELAY issue.

The log entries show successful SSHD logins for that user; this is what concerns me.

~Noah

On Nov 15, 2012, at 1:28 PM, Tony Graziano <***@myitdepartment.net> wrote:

Oh, and since sipx does not need to RECEIVE mail (really), why is port 25 open to it from the outside world to begin with?

One can telnet to your sipx box from the outside, which means there is a NAT pinhole at your firewall or it is plain sitting outside with no properly configured firewall.

So:

1. Who tampered with the user account PlcmSpIp to allow it LOGIN privileges?
2. Why is port 25 NAT and/or open and allowed through whatever firewall you have?

I kind of doubt changing the password for PlcmSpIp needs to happen. Address the above two things. The sipx system is not necessarily relaying email, it's just receiving. I have NEVER EVER EVER had to open or nat port 25 for sipx for it to SEND MAIL.

Sorry, I just really want to be clear here. It seems you've had this problem for a while now and if you address those two things, stuff should go to normal.

BTW - I still don't think your system is hacked. Don't take this the wrong way, but the subject of the email gets people concerned. I am not concerned except FOR YOUR sake. I think in general everyone else will be able to ignore the "hacked" part of this safely.

On Thu, Nov 15, 2012 at 1:15 PM, Tony Graziano <***@myitdepartment.net> wrote:
If you do not have sendmail-cf installed I would do that. I would then look through the sendmail.m4 file.

The default settings say ONLY ACCEPT from this box (being sipx).

passwd PlcmSpIp

you shouldn't need to do that. Unless you are actually able to correlate that user login with these occurrences. I have never seen this happen, but in your case it might be a first.

You will also need to change all of your phones in order to update them if they use FTP.

Have you considered tightening down your SSH config?

The PlcmSpIp user has no SSH login by default. I tried (as an example) from my LAN with IPTABLES OFF and I could not shell.

So everyone here wants to know... what have you done to that user account? If it is authenticating via SSH it has been modified. The user shell is "/sbin/nologin" by default. I still doubt something has been hacked and rather think that someone has altered the user to make it less secure. If this is the case, it's a result of that action.

Explain who did what to the user PlcmSpIp.

On Thu, Nov 15, 2012 at 12:56 PM, Noah Mehl <***@tritonlimited.com> wrote:
I'm using "hacked" because as far as I can tell, this is not an smtp relay issue. Therefore something on the system is open, and it has therefore been "hacked".

Here are some spam log entries in the maillog:

Nov 14 20:38:28 sipx1 sendmail[31880]: qAF1cSLn031880: from=<***@aol.org>, size=349, class=0, nrcpts=1, msgid=<***@sipx1.sip.tranet.net>, proto=SMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Nov 14 20:38:28 sipx1 sendmail[31880]: qAF1cSLn031880: to=<***@yahoo.co.uk>, delay=00:00:00, mailer=relay, pri=30349, dsn=4.4.3, stat=queued
Nov 14 20:38:34 sipx1 sendmail[32547]: qAF1cSLn031880: to=<***@yahoo.co.uk>, delay=00:00:06, xdelay=00:00:01, mailer=relay, pri=120349, relay=sentinel1.tranet.net. [74.203.219.99], dsn=2.0.0, stat=Sent (Ok: queued as 0F7351C0B53)
Nov 14 20:39:57 sipx1 sendmail[31945]: qAF1dufN031945: from=<***@rkw-lotus.com>, size=358, class=0, nrcpts=1, msgid=<***@sipx1.sip.tranet.net>, proto=SMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Nov 14 20:39:57 sipx1 sendmail[31945]: qAF1dufN031945: to=<***@yahoo.co.uk>, delay=00:00:00, mailer=relay, pri=30358, dsn=4.4.3, stat=queued
Nov 14 20:39:59 sipx1 sendmail[32547]: qAF1dufN031945: to=<***@yahoo.co.uk>, delay=00:00:02, xdelay=00:00:00, mailer=relay, pri=120358, relay=sentinel1.tranet.net. [74.203.219.99], dsn=2.0.0, stat=Sent (Ok: queued as 644861C0B57)
Nov 14 20:40:04 sipx1 sendmail[31953]: qAF1e3Ao031953: from=<***@rkw-lotus.com>, size=358, class=0, nrcpts=1, msgid=<***@sipx1.sip.tranet.net>, proto=SMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Nov 14 20:40:04 sipx1 sendmail[31953]: qAF1e3Ao031953: to=<***@yahoo.co.uk>, delay=00:00:00, mailer=relay, pri=30358, dsn=4.4.3, stat=queued
Nov 14 20:40:15 sipx1 sendmail[32547]: qAF1e3Ao031953: to=<***@yahoo.co.uk>, delay=00:00:11, xdelay=00:00:01, mailer=relay, pri=120358, relay=sentinel1.tranet.net. [74.203.219.99], dsn=2.0.0, stat=Sent (Ok: queued as ABC431C0B5B)
Nov 14 20:42:23 sipx1 sendmail[32050]: qAF1gMNl032050: from=<***@rkw-lotus.com>, size=358, class=0, nrcpts=1, msgid=<***@sipx1.sip.tranet.net>, proto=SMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Nov 14 20:42:23 sipx1 sendmail[32050]: qAF1gMNl032050: to=<***@yahoo.co.uk>, delay=00:00:00, mailer=relay, pri=30358, dsn=4.4.3, stat=queued
Nov 14 20:42:26 sipx1 sendmail[32547]: qAF1gMNl032050: to=<***@yahoo.co.uk>, delay=00:00:03, xdelay=00:00:01, mailer=relay, pri=120358, relay=sentinel1.tranet.net. [74.203.219.99], dsn=2.0.0, stat=Sent (Ok: queued as 488DE1C0B67)
Nov 14 21:08:02 sipx1 sendmail[32545]: qAF280Fd032545: from=<***@rkw-lotus.com>, size=361, class=0, nrcpts=2, msgid=<***@sipx1.sip.tranet.net>, proto=SMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Nov 14 21:08:02 sipx1 sendmail[32545]: qAF280Fd032545: to=<***@hotmail.com>, delay=00:00:00, mailer=relay, pri=60361, dsn=4.4.3, stat=queued
Nov 14 21:08:02 sipx1 sendmail[32545]: qAF280Fd032545: to=<***@yahoo.co.uk>, delay=00:00:00, mailer=relay, pri=60361, dsn=4.4.3, stat=queued
Nov 14 21:08:08 sipx1 sendmail[32547]: qAF280Fd032545: to=<***@yahoo.co.uk>,<***@hotmail.com>, delay=00:00:06, xdelay=00:00:01, mailer=relay, pri=150361, relay=sentinel1.tranet.net. [74.203.219.99], dsn=2.0.0, stat=Sent (Ok: queued as 1FAFD1BFD89)
Nov 14 21:08:12 sipx1 sendmail[32549]: qAF28A1h032549: from=<***@rkw-lotus.com>, size=361, class=0, nrcpts=2, msgid=<***@sipx1.sip.tranet.net>, proto=SMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Nov 14 21:08:12 sipx1 sendmail[32549]: qAF28A1h032549: to=<***@hotmail.com>, delay=00:00:01, mailer=relay, pri=60361, dsn=4.4.3, stat=queued
Nov 14 21:08:12 sipx1 sendmail[32549]: qAF28A1h032549: to=<***@yahoo.co.uk>, delay=00:00:01, mailer=relay, pri=60361, dsn=4.4.3, stat=queued
Nov 14 21:08:23 sipx1 sendmail[32547]: qAF28A1h032549: to=<***@yahoo.co.uk>,<***@hotmail.com>, delay=00:00:12, xdelay=00:00:00, mailer=relay, pri=150361, relay=sentinel1.tranet.net. [74.203.219.99], dsn=2.0.0, stat=Sent (Ok: queued as 4A9911BFD9F)
Nov 14 21:08:37 sipx1 sendmail[32559]: qAF28Z2x032559: from=<***@rkw-lotus.com>, size=361, class=0, nrcpts=2, msgid=<***@sipx1.sip.tranet.net>, proto=SMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Nov 14 21:08:37 sipx1 sendmail[32559]: qAF28Z2x032559: to=<***@hotmail.com>, delay=00:00:01, mailer=relay, pri=60361, dsn=4.4.3, stat=queued
Nov 14 21:08:37 sipx1 sendmail[32559]: qAF28Z2x032559: to=<***@yahoo.co.uk>, delay=00:00:01, mailer=relay, pri=60361, dsn=4.4.3, stat=queued
Nov 14 21:08:39 sipx1 sendmail[32547]: qAF28Z2x032559: to=<***@yahoo.co.uk>,<***@hotmail.com>, delay=00:00:03, xdelay=00:00:00, mailer=relay, pri=150361, relay=sentinel1.tranet.net. [74.203.219.99], dsn=2.0.0, stat=Sent (Ok: queued as 62A2D1BFDAB)
Nov 14 22:34:23 sipx1 sendmail[1047]: qAF3YKuO001047: from=<***@rkw-lotus.com>, size=5874, class=0, nrcpts=1, msgid=<***@sipx1.sip.tranet.net>, proto=SMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Nov 14 22:34:23 sipx1 sendmail[1047]: qAF3YKuO001047: to=<***@hotmail.com>, delay=00:00:01, mailer=relay, pri=35874, dsn=4.4.3, stat=queued
Nov 14 22:34:25 sipx1 sendmail[32547]: qAF3YKuO001047: to=<***@hotmail.com>, delay=00:00:03, xdelay=00:00:02, mailer=relay, pri=125874, relay=sentinel1.tranet.net. [74.203.219.99], dsn=2.0.0, stat=Sent (Ok: queued as 479D81C0BDE)
Nov 15 01:50:09 sipx1 sendmail[3176]: qAF6o7o5003176: from=<***@rkw-lotus.com>, size=5874, class=0, nrcpts=1, msgid=<***@sipx1.sip.tranet.net>, proto=SMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Nov 15 01:50:09 sipx1 sendmail[3176]: qAF6o7o5003176: to=<***@hotmail.com>, delay=00:00:01, mailer=relay, pri=35874, dsn=4.4.3, stat=queued
Nov 15 01:50:14 sipx1 sendmail[32547]: qAF6o7o5003176: to=<***@hotmail.com>, delay=00:00:06, xdelay=00:00:03, mailer=relay, pri=125874, relay=sentinel1.tranet.net. [74.203.219.99], dsn=2.0.0, stat=Sent (Ok: queued as 309221C0F12)
Nov 15 03:19:19 sipx1 sendmail[4123]: qAF8JHpS004123: from=<***@rkw-lotus.com>, size=5874, class=0, nrcpts=1, msgid=<***@sipx1.sip.tranet.net>, proto=SMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Nov 15 03:19:19 sipx1 sendmail[4123]: qAF8JHpS004123: to=<***@hotmail.com>, delay=00:00:00, mailer=relay, pri=35874, dsn=4.4.3, stat=queued
Nov 15 03:19:23 sipx1 sendmail[32547]: qAF8JHpS004123: to=<***@hotmail.com>, delay=00:00:04, xdelay=00:00:01, mailer=relay, pri=125874, relay=sentinel1.tranet.net. [74.203.219.99], dsn=2.0.0, stat=Sent (Ok: queued as 6B4E11C0F51)
Nov 15 03:26:33 sipx1 sendmail[4210]: qAF8Q78r004210: from=<***@rkw-lotus.com>, size=5925, class=0, nrcpts=50, msgid=<***@sipx1.sip.tranet.net>, proto=SMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]

As opposed to a normal entry:

Nov 15 10:02:23 sipx1 sendmail[11170]: qAFF2NI4011170: from=<***@localhost>, size=335352, class=0, nrcpts=1, msgid=<***@sipx1.sip.tranet.net>, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Nov 15 10:02:23 sipx1 sendmail[11170]: qAFF2NI4011170: to=<***@signmuseum.org>, delay=00:00:00, mailer=relay, pri=365352, dsn=4.4.3, stat=queued
Nov 15 10:02:40 sipx1 sendmail[10780]: qAFF2NI4011170: to=<***@signmuseum.org>, delay=00:00:17, xdelay=00:00:14, mailer=relay, pri=455352, relay=sentinel1.tranet.net. [74.203.219.99], dsn=2.0.0, stat=Sent (Ok: queued as 501B41C1CBE)

So, they are being generated locally, as far as I can tell.

~Noah

On Nov 15, 2012, at 12:42 PM, Todd Hodgen <***@frontier.com>
wrote:

+1

From: sipx-users-***@list.sipfoundry.org [mailto:sipx-users-***@list.sipfoundry.org] On Behalf Of Michael Picher
Sent: Thursday, November 15, 2012 7:49 AM
To: Discussion list for users of sipXecs software
Subject: Re: [sipx-users] Hacked SipXecs 4.4

yes, and using the word hacked as your subject is not particularly... helpful...

On Thu, Nov 15, 2012 at 3:32 PM, Tony Graziano <***@myitdepartment.net> wrote:
you really need to look at the mail log to see where the mail is coming from regardless of your firewall settings. It can actually come from inside you see.

On Thu, Nov 15, 2012 at 9:29 AM, Noah Mehl <***@tritonlimited.com> wrote:
I am seeing more spam in my mail queue. I have iptables installed, and here are my rules:

Chain INPUT (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp any
ACCEPT esp -- anywhere anywhere
ACCEPT ah -- anywhere anywhere
ACCEPT udp -- anywhere 224.0.0.251 udp dpt:mdns
ACCEPT udp -- anywhere anywhere udp dpt:ipp
ACCEPT tcp -- anywhere anywhere tcp dpt:ipp
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:pcsync-https
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:xmpp-client
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:5223
ACCEPT all -- 192.168.0.0/16 anywhere
ACCEPT udp -- anywhere anywhere state NEW udp dpt:sip
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:sip
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:sip-tls
ACCEPT udp -- sip02.gafachi.com anywhere state NEW udp dpts:sip:5080
ACCEPT udp -- 204.11.192.0/22 anywhere state NEW udp dpts:sip:5080
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

As far as I can tell, no one should be able to use port 25 from the world. Also, sendmail is only configured to allow relay from localhost:

[***@sipx1 ~]# cat /etc/mail/access
# Check the /usr/share/doc/sendmail/README.cf file for a description
# of the format of this file. (search for access_db in that file)
# The /usr/share/doc/sendmail/README.cf is part of the sendmail-doc
# package.
#
# by default we allow relaying from localhost...
Connect:localhost.localdomain RELAY
Connect:localhost RELAY
Connect:127.0.0.1 RELAY
Can someone please help me figure out where this spam is coming from? Thanks.

~Noah

On Oct 13, 2012, at 10:17 AM, Noah Mehl <***@tritonlimited.com> wrote:

> I did not change the configuration of anything related to the PlcmSpIp user. It does however make me feel better that it is related to the vsftpd service and the polycom phones.
>
> From /etc/passwd:
>
> PlcmSpIp:x:500:500::/var/sipxdata/configserver/phone/profile/tftproot:/sbin/nologin
>
> So, that user cannot ssh to a shell. So I don't think it was that.
>
> ~Noah
>
> On Oct 12, 2012, at 9:05 AM, Tony Graziano <***@myitdepartment.net> wrote:
>
>> ... more -- it's a user that does not have login to the OS itself, just
>> vsftpd, which is restricted to certain commands and must present a
>> request for its mac address in order to get a configuration file. It
>> is not logging into linux unless someone changed the rights of the
>> user.
>>
>> On Fri, Oct 12, 2012 at 7:30 AM, George Niculae <***@ezuce.com> wrote:
>>> On Fri, Oct 12, 2012 at 2:26 PM, Tony Graziano
>>> <***@myitdepartment.net> wrote:
>>>> this is not a valid system user unless you have manually added it to the
>>>> system. I do think the logs would show more if access was granted. Why are
>>>> you exposing sshd to the outside world with an acl or by protecting it at
>>>> your firewall?
>>>>
>>>
>>> PlcmSpIp is the user used by polycom phones for fetching config from server
>>>
>>> George
>>> _______________________________________________
>>> sipx-users mailing list
>>> sipx-***@list.sipfoundry.org
>>> List Archive: http://list.sipfoundry.org/archive/sipx-users/
>
>
> Scanned for viruses and content by the Tranet Spam Sentinel service.

--
Michael Picher, Director of Technical Services
eZuce, Inc.
300 Brickstone Square
Suite 201
Andover, MA. 01810
O.978-296-1005 X2015
M.207-956-0262
@mpicher <http://twitter.com/mpicher>
LinkedIn: http://www.linkedin.com/profile/view?id=35504760&trk=tab_pro
www.ezuce.com

------------------------------------------------------------------------------------------------------------
There are 10 kinds of people in the world, those who understand binary and those who don't.

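A triage script for the two things this thread keeps circling, added here as an example (not code from the original posts or from sipXecs): it flags mail that sendmail accepted from 127.0.0.1 with a sender domain that is not local, as in Noah's maillog excerpt, and it checks accounts whose /etc/passwd shell is /sbin/nologin, like PlcmSpIp, for a usable /etc/shadow hash and for sshd "session opened" entries. All log lines, domains and hashes are constructed samples, and the local-domain set and the nologin shell list are assumptions.

```python
"""Triage helpers for the two symptoms in this thread (constructed example,
not code from the original posts or from sipXecs): mail sendmail accepted
from 127.0.0.1 with a non-local sender, and nologin accounts that still have
a usable password or sshd sessions. All samples below are constructed."""
import re

# sendmail writes one "from=" line per message; it carries nrcpts= and relay=.
FROM_RE = re.compile(
    r"sendmail\[\d+\]: (?P<qid>\w+): from=<(?P<sender>[^>]*)>, size=\d+, "
    r"class=-?\d+, nrcpts=(?P<nrcpts>\d+),.*?relay=\S+ \[(?P<ip>[\d.]+)\]"
)
# pam_unix logs this once sshd has accepted the credentials and before the
# login shell runs, so it records a successful authentication, not a shell.
SSH_RE = re.compile(
    r"sshd\[\d+\]: pam_unix\(sshd:session\): session opened for user (?P<user>\S+)"
)
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}  # assumption


def local_injections(maillog, local_domains):
    """Return [(queue id, sender, nrcpts)] for mail accepted from 127.0.0.1
    with a sender domain outside local_domains. Null senders (<>) are
    bounces sendmail itself generates and are skipped."""
    hits = []
    for line in maillog.splitlines():
        m = FROM_RE.search(line)
        if not m or m.group("ip") != "127.0.0.1" or not m.group("sender"):
            continue
        domain = m.group("sender").rpartition("@")[2].lower()
        if domain not in local_domains:
            hits.append((m.group("qid"), m.group("sender"), int(m.group("nrcpts"))))
    return hits


def parse_passwd(text):
    """Map user -> login shell from /etc/passwd content."""
    rows = (line.split(":") for line in text.splitlines() if line)
    return {r[0]: r[6] for r in rows if len(r) == 7}


def parse_shadow(text):
    """Map user -> True if a usable hash is set; '', '*', '!' and '!!' are locked."""
    usable = {}
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) >= 2:
            usable[parts[0]] = bool(parts[1]) and not parts[1].startswith(("*", "!"))
    return usable


def nologin_accounts_with_password(passwd_text, shadow_text):
    """Accounts that get no shell but whose password sshd would still accept.
    The shell is applied only after authentication, so lock the hash as well."""
    shells, usable = parse_passwd(passwd_text), parse_shadow(shadow_text)
    return sorted(u for u, s in shells.items() if s in NOLOGIN_SHELLS and usable.get(u))


def ssh_sessions_for_nologin_users(secure_log, passwd_text):
    """Count sshd sessions opened per account whose shell is non-interactive."""
    shells = parse_passwd(passwd_text)
    counts = {}
    for line in secure_log.splitlines():
        m = SSH_RE.search(line)
        if m and shells.get(m.group("user")) in NOLOGIN_SHELLS:
            counts[m.group("user")] = counts.get(m.group("user"), 0) + 1
    return counts


# Constructed samples in the same shape as the thread's maillog and secure log.
MAILLOG = """\
Nov 14 20:38:28 sipx1 sendmail[31880]: qAF1cSLn031880: from=<bulk@example.org>, size=349, class=0, nrcpts=1, msgid=<a@sipx1.example.net>, proto=SMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Nov 14 20:38:28 sipx1 sendmail[31880]: qAF1cSLn031880: to=<someone@example.co.uk>, delay=00:00:00, mailer=relay, pri=30349, dsn=4.4.3, stat=queued
Nov 15 03:26:33 sipx1 sendmail[4210]: qAF8Q78r004210: from=<bulk@example.org>, size=5925, class=0, nrcpts=50, msgid=<b@sipx1.example.net>, proto=SMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Nov 15 10:02:23 sipx1 sendmail[11170]: qAFF2NI4011170: from=<voicemail@localhost>, size=335352, class=0, nrcpts=1, msgid=<c@sipx1.example.net>, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Nov 15 10:05:00 sipx1 sendmail[11200]: qAFF5000011200: from=<bulk@example.org>, size=400, class=0, nrcpts=1, msgid=<d@example.org>, proto=SMTP, daemon=MTA, relay=mail.example.org [192.0.2.10]
"""
SECURE = """\
Oct 11 06:09:25 sipx1 sshd[22059]: pam_unix(sshd:session): session opened for user PlcmSpIp by (uid=0)
Oct 11 18:36:02 sipx1 sshd[29185]: pam_unix(sshd:session): session opened for user PlcmSpIp by (uid=0)
Oct 11 19:00:00 sipx1 sshd[29300]: pam_unix(sshd:session): session opened for user admin by (uid=0)
"""
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
admin:x:501:501::/home/admin:/bin/bash
PlcmSpIp:x:500:500::/var/sipxdata/configserver/phone/profile/tftproot:/sbin/nologin
"""
SHADOW = """\
root:$6$constructed$notarealhash:15600:0:99999:7:::
admin:$6$constructed$notarealhash:15600:0:99999:7:::
PlcmSpIp:$1$constructed$notarealhash:15600:0:99999:7:::
"""
LOCAL_DOMAINS = {"localhost", "sipx1.example.net"}  # assumption: our own domains

if __name__ == "__main__":
    for qid, sender, n in local_injections(MAILLOG, LOCAL_DOMAINS):
        print(f"locally injected {qid}: from={sender} nrcpts={n}")
    print("nologin accounts with a usable password:", nologin_accounts_with_password(PASSWD, SHADOW))
    print("ssh sessions for nologin accounts:", ssh_sessions_for_nologin_users(SECURE, PASSWD))
```

Run against the real /var/log/maillog, /var/log/secure, /etc/passwd and /etc/shadow (as root) instead of the samples; an account listed by both of the last two checks has had its password accepted by sshd regardless of its nologin shell.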
Noah Mehl
2012-11-15 18:28:49 UTC
I can tell you I am the only person who could have made a change, and I can promise you I would not have made any changes to that user. So, the bigger question is how is this happening...

From /etc/passwd:

PlcmSpIp:x:500:500::/var/sipxdata/configserver/phone/profile/tftproot:/sbin/nologin

However if I check /etc/shadow, there is indeed a password for that user. I certainly didn't set it.

~Noah

On Nov 15, 2012, at 1:18 PM, Tony Graziano <***@myitdepartment.net<mailto:***@myitdepartment.net>> wrote:

If you do not have sendmail-cf installed I would do that. I would then look through the sendmail.m4 file.

The default settings say ONLY ACCEPT from this box (being sipx).

passwd PlcmSpIp

you shouldn't need to do that. Unless you are actually able to correllate that user login with these occurrences. I have never seen this happen, but in your case it might be a first.

You will also need to change all of your phones in order to update them if they use FTP.

Have you considered tightening down your SSH config?

The PlcmSpIp user has no SSH login by default. I tried (as an example) from my LAN wit IPTABLES OFF and I could not shell.

So everyone here wants to know... what have you done to that user account? If it is authenticating via SSH it has been modified. The user shell is "/sbin/nologin" by default. I still doubt something has been hacked and rather think that someone has altered the user to make it less secure. If this is the case, its a result of that action.

Explain who did what to the user PlcmSpIp.

On Thu, Nov 15, 2012 at 12:56 PM, Noah Mehl <***@tritonlimited.com<mailto:***@tritonlimited.com>> wrote:
I'm using "hacked" because as far as I can tell, this is not an smtp relay issue. Therefore something on the system is open, and therefore been "hacked".

Here is some spam log entries in the maillog:

Nov 14 20:38:28 sipx1 sendmail[31880]: qAF1cSLn031880: from=<***@aol.org<mailto:***@aol.org>>, size=349, class=0, nrcpts=1, msgid=<***@sipx1.sip.tranet.net<mailto:***@sipx1.sip.tranet.net>>, proto=SMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Nov 14 20:38:28 sipx1 sendmail[31880]: qAF1cSLn031880: to=<***@yahoo.co.uk<mailto:***@yahoo.co.uk>>, delay=00:00:00, mailer=relay, pri=30349, dsn=4.4.3, stat=queued
Nov 14 20:38:34 sipx1 sendmail[32547]: qAF1cSLn031880: to=<***@yahoo.co.uk<mailto:***@yahoo.co.uk>>, delay=00:00:06, xdelay=00:00:01, mailer=relay, pri=120349, relay=sentinel1.tranet.net<http://sentinel1.tranet.net/>. [74.203.219.99], dsn=2.0.0, stat=Sent (Ok: queued as 0F7351C0B53)
Nov 14 20:39:57 sipx1 sendmail[31945]: qAF1dufN031945: from=<***@rkw-lotus.com<mailto:***@rkw-lotus.com>>, size=358, class=0, nrcpts=1, msgid=<***@sipx1.sip.tranet.net<mailto:***@sipx1.sip.tranet.net>>, proto=SMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Nov 14 20:39:57 sipx1 sendmail[31945]: qAF1dufN031945: to=<***@yahoo.co.uk<mailto:***@yahoo.co.uk>>, delay=00:00:00, mailer=relay, pri=30358, dsn=4.4.3, stat=queued
Nov 14 20:39:59 sipx1 sendmail[32547]: qAF1dufN031945: to=<***@yahoo.co.uk<mailto:***@yahoo.co.uk>>, delay=00:00:02, xdelay=00:00:00, mailer=relay, pri=120358, relay=sentinel1.tranet.net<http://sentinel1.tranet.net/>. [74.203.219.99], dsn=2.0.0, stat=Sent (Ok: queued as 644861C0B57)
Nov 14 20:40:04 sipx1 sendmail[31953]: qAF1e3Ao031953: from=<***@rkw-lotus.com<mailto:***@rkw-lotus.com>>, size=358, class=0, nrcpts=1, msgid=<***@sipx1.sip.tranet.net<mailto:***@sipx1.sip.tranet.net>>, proto=SMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Nov 14 20:40:04 sipx1 sendmail[31953]: qAF1e3Ao031953: to=<***@yahoo.co.uk<mailto:***@yahoo.co.uk>>, delay=00:00:00, mailer=relay, pri=30358, dsn=4.4.3, stat=queued
Nov 14 20:40:15 sipx1 sendmail[32547]: qAF1e3Ao031953: to=<***@yahoo.co.uk<mailto:***@yahoo.co.uk>>, delay=00:00:11, xdelay=00:00:01, mailer=relay, pri=120358, relay=sentinel1.tranet.net<http://sentinel1.tranet.net/>. [74.203.219.99], dsn=2.0.0, stat=Sent (Ok: queued as ABC431C0B5B)
Nov 14 20:42:23 sipx1 sendmail[32050]: qAF1gMNl032050: from=<***@rkw-lotus.com<mailto:***@rkw-lotus.com>>, size=358, class=0, nrcpts=1, msgid=<***@sipx1.sip.tranet.net<mailto:***@sipx1.sip.tranet.net>>, proto=SMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Nov 14 20:42:23 sipx1 sendmail[32050]: qAF1gMNl032050: to=<***@yahoo.co.uk<mailto:***@yahoo.co.uk>>, delay=00:00:00, mailer=relay, pri=30358, dsn=4.4.3, stat=queued
Nov 14 20:42:26 sipx1 sendmail[32547]: qAF1gMNl032050: to=<***@yahoo.co.uk<mailto:***@yahoo.co.uk>>, delay=00:00:03, xdelay=00:00:01, mailer=relay, pri=120358, relay=sentinel1.tranet.net<http://sentinel1.tranet.net/>. [74.203.219.99], dsn=2.0.0, stat=Sent (Ok: queued as 488DE1C0B67)
Nov 14 21:08:02 sipx1 sendmail[32545]: qAF280Fd032545: from=<***@rkw-lotus.com<mailto:***@rkw-lotus.com>>, size=361, class=0, nrcpts=2, msgid=<***@sipx1.sip.tranet.net<mailto:***@sipx1.sip.tranet.net>>, proto=SMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Nov 14 21:08:02 sipx1 sendmail[32545]: qAF280Fd032545: to=<***@hotmail.com<mailto:***@hotmail.com>>, delay=00:00:00, mailer=relay, pri=60361, dsn=4.4.3, stat=queued
Nov 14 21:08:02 sipx1 sendmail[32545]: qAF280Fd032545: to=<***@yahoo.co.uk<mailto:***@yahoo.co.uk>>, delay=00:00:00, mailer=relay, pri=60361, dsn=4.4.3, stat=queued
Nov 14 21:08:08 sipx1 sendmail[32547]: qAF280Fd032545: to=<***@yahoo.co.uk<mailto:***@yahoo.co.uk>>,<***@hotmail.com<mailto:***@hotmail.com>>, delay=00:00:06, xdelay=00:00:01, mailer=relay, pri=150361, relay=sentinel1.tranet.net<http://sentinel1.tranet.net/>. [74.203.219.99], dsn=2.0.0, stat=Sent (Ok: queued as 1FAFD1BFD89)
Nov 14 21:08:12 sipx1 sendmail[32549]: qAF28A1h032549: from=<***@rkw-lotus.com<mailto:***@rkw-lotus.com>>, size=361, class=0, nrcpts=2, msgid=<***@sipx1.sip.tranet.net<mailto:***@sipx1.sip.tranet.net>>, proto=SMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Nov 14 21:08:12 sipx1 sendmail[32549]: qAF28A1h032549: to=<***@hotmail.com<mailto:***@hotmail.com>>, delay=00:00:01, mailer=relay, pri=60361, dsn=4.4.3, stat=queued
Nov 14 21:08:12 sipx1 sendmail[32549]: qAF28A1h032549: to=<***@yahoo.co.uk<mailto:***@yahoo.co.uk>>, delay=00:00:01, mailer=relay, pri=60361, dsn=4.4.3, stat=queued
Nov 14 21:08:23 sipx1 sendmail[32547]: qAF28A1h032549: to=<***@yahoo.co.uk<mailto:***@yahoo.co.uk>>,<***@hotmail.com<mailto:***@hotmail.com>>, delay=00:00:12, xdelay=00:00:00, mailer=relay, pri=150361, relay=sentinel1.tranet.net<http://sentinel1.tranet.net/>. [74.203.219.99], dsn=2.0.0, stat=Sent (Ok: queued as 4A9911BFD9F)
Nov 14 21:08:37 sipx1 sendmail[32559]: qAF28Z2x032559: from=<***@rkw-lotus.com<mailto:***@rkw-lotus.com>>, size=361, class=0, nrcpts=2, msgid=<***@sipx1.sip.tranet.net<mailto:***@sipx1.sip.tranet.net>>, proto=SMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Nov 14 21:08:37 sipx1 sendmail[32559]: qAF28Z2x032559: to=<***@hotmail.com<mailto:***@hotmail.com>>, delay=00:00:01, mailer=relay, pri=60361, dsn=4.4.3, stat=queued
Nov 14 21:08:37 sipx1 sendmail[32559]: qAF28Z2x032559: to=<***@yahoo.co.uk<mailto:***@yahoo.co.uk>>, delay=00:00:01, mailer=relay, pri=60361, dsn=4.4.3, stat=queued
Nov 14 21:08:39 sipx1 sendmail[32547]: qAF28Z2x032559: to=<***@yahoo.co.uk<mailto:***@yahoo.co.uk>>,<***@hotmail.com<mailto:***@hotmail.com>>, delay=00:00:03, xdelay=00:00:00, mailer=relay, pri=150361, relay=sentinel1.tranet.net<http://sentinel1.tranet.net/>. [74.203.219.99], dsn=2.0.0, stat=Sent (Ok: queued as 62A2D1BFDAB)
Nov 14 22:34:23 sipx1 sendmail[1047]: qAF3YKuO001047: from=<***@rkw-lotus.com<mailto:***@rkw-lotus.com>>, size=5874, class=0, nrcpts=1, msgid=<***@sipx1.sip.tranet.net<mailto:***@sipx1.sip.tranet.net>>, proto=SMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Nov 14 22:34:23 sipx1 sendmail[1047]: qAF3YKuO001047: to=<***@hotmail.com<mailto:***@hotmail.com>>, delay=00:00:01, mailer=relay, pri=35874, dsn=4.4.3, stat=queued
Nov 14 22:34:25 sipx1 sendmail[32547]: qAF3YKuO001047: to=<***@hotmail.com<mailto:***@hotmail.com>>, delay=00:00:03, xdelay=00:00:02, mailer=relay, pri=125874, relay=sentinel1.tranet.net<http://sentinel1.tranet.net/>. [74.203.219.99], dsn=2.0.0, stat=Sent (Ok: queued as 479D81C0BDE)
Nov 15 01:50:09 sipx1 sendmail[3176]: qAF6o7o5003176: from=<***@rkw-lotus.com<mailto:***@rkw-lotus.com>>, size=5874, class=0, nrcpts=1, msgid=<***@sipx1.sip.tranet.net<mailto:***@sipx1.sip.tranet.net>>, proto=SMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Nov 15 01:50:09 sipx1 sendmail[3176]: qAF6o7o5003176: to=<***@hotmail.com<mailto:***@hotmail.com>>, delay=00:00:01, mailer=relay, pri=35874, dsn=4.4.3, stat=queued
Nov 15 01:50:14 sipx1 sendmail[32547]: qAF6o7o5003176: to=<***@hotmail.com<mailto:***@hotmail.com>>, delay=00:00:06, xdelay=00:00:03, mailer=relay, pri=125874, relay=sentinel1.tranet.net<http://sentinel1.tranet.net/>. [74.203.219.99], dsn=2.0.0, stat=Sent (Ok: queued as 309221C0F12)
Nov 15 03:19:19 sipx1 sendmail[4123]: qAF8JHpS004123: from=<***@rkw-lotus.com<mailto:***@rkw-lotus.com>>, size=5874, class=0, nrcpts=1, msgid=<***@sipx1.sip.tranet.net<mailto:***@sipx1.sip.tranet.net>>, proto=SMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Nov 15 03:19:19 sipx1 sendmail[4123]: qAF8JHpS004123: to=<***@hotmail.com<mailto:***@hotmail.com>>, delay=00:00:00, mailer=relay, pri=35874, dsn=4.4.3, stat=queued
Nov 15 03:19:23 sipx1 sendmail[32547]: qAF8JHpS004123: to=<***@hotmail.com<mailto:***@hotmail.com>>, delay=00:00:04, xdelay=00:00:01, mailer=relay, pri=125874, relay=sentinel1.tranet.net<http://sentinel1.tranet.net/>. [74.203.219.99], dsn=2.0.0, stat=Sent (Ok: queued as 6B4E11C0F51)
Nov 15 03:26:33 sipx1 sendmail[4210]: qAF8Q78r004210: from=<***@rkw-lotus.com<mailto:***@rkw-lotus.com>>, size=5925, class=0, nrcpts=50, msgid=<***@sipx1.sip.tranet.net<mailto:***@sipx1.sip.tranet.net>>, proto=SMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]

As opposed to a normal entry:

Nov 15 10:02:23 sipx1 sendmail[11170]: qAFF2NI4011170: from=<***@localhost>, size=335352, class=0, nrcpts=1, msgid=<***@sipx1.sip.tranet.net<mailto:***@sipx1.sip.tranet.net>>, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Nov 15 10:02:23 sipx1 sendmail[11170]: qAFF2NI4011170: to=<***@signmuseum.org<mailto:***@signmuseum.org>>, delay=00:00:00, mailer=relay, pri=365352, dsn=4.4.3, stat=queued
Nov 15 10:02:40 sipx1 sendmail[10780]: qAFF2NI4011170: to=<***@signmuseum.org<mailto:***@signmuseum.org>>, delay=00:00:17, xdelay=00:00:14, mailer=relay, pri=455352, relay=sentinel1.tranet.net<http://sentinel1.tranet.net/>. [74.203.219.99], dsn=2.0.0, stat=Sent (Ok: queued as 501B41C1CBE)

So, they are being generated locally, as far as I can tell.

~Noah

On Nov 15, 2012, at 12:42 PM, Todd Hodgen <***@frontier.com<mailto:***@frontier.com>>
wrote:

+1

From: sipx-users-***@list.sipfoundry.org<mailto:sipx-users-***@list.sipfoundry.org> [mailto:sipx-<mailto:sipx->users-***@list.sipfoundry.org<mailto:users-***@list.sipfoundry.org>]On Behalf Of Michael Picher
Sent: Thursday, November 15, 2012 7:49 AM
To: Discussion list for users of sipXecs software
Subject: Re: [sipx-users] Hacked SipXecs 4.4

yes, and using the word hacked as your subject is not particularly... helpful...

On Thu, Nov 15, 2012 at 3:32 PM, Tony Graziano <***@myitdepartment.net<mailto:***@myitdepartment.net>> wrote:
you really need to look at the mail log to see where the mail is coming from regardless of your firewall settings. It can actually come from inside you see.

On Thu, Nov 15, 2012 at 9:29 AM, Noah Mehl <***@tritonlimited.com<mailto:***@tritonlimited.com>> wrote:
I am seeing more spam in my mail queue. I have iptables installed, and here are my rules:

Chain INPUT (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp any
ACCEPT esp -- anywhere anywhere
ACCEPT ah -- anywhere anywhere
ACCEPT udp -- anywhere 224.0.0.251 udp dpt:mdns
ACCEPT udp -- anywhere anywhere udp dpt:ipp
ACCEPT tcp -- anywhere anywhere tcp dpt:ipp
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:pcsync-https
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:xmpp-client
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:5223
ACCEPT all -- 192.168.0.0/16 anywhere
ACCEPT udp -- anywhere anywhere state NEW udp dpt:sip
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:sip
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:sip-tls
ACCEPT udp -- sip02.gafachi.com anywhere state NEW udp dpts:sip:5080
ACCEPT udp -- 204.11.192.0/22 anywhere state NEW udp dpts:sip:5080
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

As far as I can tell, no one should be able to use port 25 from the world. Also, sendmail is only configured to allow relay from localhost:

[***@sipx1 ~]# cat /etc/mail/access
# Check the /usr/share/doc/sendmail/README.cf file for a description
# of the format of this file. (search for access_db in that file)
# The /usr/share/doc/sendmail/README.cf is part of the sendmail-doc
# package.
#
# by default we allow relaying from localhost...
Connect:localhost.localdomain RELAY
Connect:localhost RELAY
Connect:127.0.0.1 RELAY

Can someone please help me figure out where this spam is coming from? Thanks.

~Noah

On Oct 13, 2012, at 10:17 AM, Noah Mehl <***@tritonlimited.com> wrote:

> I did not change the configuration of anything related to the PlcmSpIp user. It does however make me feel better that it is related to the vsftpd service and the polycom phones.
>
>> From /etc/passwd:
>
> PlcmSpIp:x:500:500::/var/sipxdata/configserver/phone/profile/tftproot:/sbin/nologin
>
> So, that user cannot ssh to a shell. So I don't think it was that.
>
> ~Noah
>
> On Oct 12, 2012, at 9:05 AM, Tony Graziano <***@myitdepartment.net> wrote:
>
>> ... more -- it's a user that does not have login to the OS itself, just
>> vsftpd, which is restricted to certain commands and must present a
>> request for its mac address in order to get a configuration file. It
>> is not logging into linux unless someone changed the rights of the
>> user.
>>
>> On Fri, Oct 12, 2012 at 7:30 AM, George Niculae <***@ezuce.com> wrote:
>>> On Fri, Oct 12, 2012 at 2:26 PM, Tony Graziano
>>> <***@myitdepartment.net> wrote:
>>>> this is not a valid system user unless you have manually added it to the
>>>> system. I do think the logs would show more if access was granted. Why are
>>>> you exposing sshd to the outside world with an acl or by protecting it at
>>>> your firewall?
>>>>
>>>
>>> PlcmSpIp is the user used by polycom phones for fetching config from server
>>>
>>> George
>>> _______________________________________________
>>> sipx-users mailing list
>>> sipx-***@list.sipfoundry.org
>>> List Archive: http://list.sipfoundry.org/archive/sipx-users/
>>
>>
>>
>> --
>> ~~~~~~~~~~~~~~~~~~
>> Tony Graziano, Manager
>> Telephone: 434.984.8430
>> sip: ***@voice.myitdepartment.net
>> Fax: 434.465.6833
>> ~~~~~~~~~~~~~~~~~~
>> Linked-In Profile:
>> http://www.linkedin.com/pub/tony-graziano/14/4a6/7a4
>> Ask about our Internet Fax services!
>> ~~~~~~~~~~~~~~~~~~
>>
>> Using or developing for sipXecs from SIPFoundry? Ask me about sipX-CoLab 2013!
>>
>> --
>> LAN/Telephony/Security and Control Systems Helpdesk:
>> Telephone: 434.984.8426
>> sip: ***@voice.myitdepartment.net
>>
>> Helpdesk Customers: http://myhelp.myitdepartment.net
>> Blog: http://blog.myitdepartment.net

--
Michael Picher, Director of Technical Services
eZuce, Inc.
300 Brickstone Square
Suite 201
Andover, MA. 01810
O.978-296-1005 X2015
M.207-956-0262
@mpicher <http://twitter.com/mpicher>
linkedin <http://www.linkedin.com/profile/view?id=35504760&trk=tab_pro>
www.ezuce.com

------------------------------------------------------------------------------------------------------------
There are 10 kinds of people in the world, those who understand binary and those who don't.
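
Noah's observation in the message above (spam records arrive with proto=SMTP, relay=localhost.localdomain [127.0.0.1] and a foreign envelope sender, one of them with nrcpts=50, while the host's own mail is an ESMTP submission from ***@localhost) can be turned into a triage check. The following is an added example and is not code from the thread or from sipXecs: it groups sendmail maillog records by queue id and flags local submissions that do not look like what the box itself sends. The sample log lines, the placeholder addresses in them and the LOCAL_SENDER_DOMAINS set are constructed assumptions modelled on the lines Noah posted; the recipient-count threshold is an arbitrary default.

```python
"""Triage sendmail maillog records for mail injected by a local process.

Added example, not code from the thread or from sipXecs.  It groups
'from=' and 'to=' records by queue id, then flags submissions that came in
over the loopback relay with an envelope sender this box would never use,
with plain SMTP instead of the ESMTP the local mailer uses, or with an
unusually large recipient count.  The log lines and LOCAL_SENDER_DOMAINS
below are constructed from the format Noah posted.
"""
import re
from collections import defaultdict

# Constructed sample records in sendmail's maillog format.  Addresses are
# placeholders standing in for the redacted ones in the thread.
SAMPLE_MAILLOG = """\
Nov 14 20:38:28 sipx1 sendmail[31880]: qAF1cSLn031880: from=<bulk@sender.example>, size=349, class=0, nrcpts=1, msgid=<201211150138.a@sipx1.sip.tranet.net>, proto=SMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Nov 14 20:38:28 sipx1 sendmail[31880]: qAF1cSLn031880: to=<target@mail.example>, delay=00:00:00, mailer=relay, pri=30349, dsn=4.4.3, stat=queued
Nov 14 20:38:34 sipx1 sendmail[32547]: qAF1cSLn031880: to=<target@mail.example>, delay=00:00:06, xdelay=00:00:01, mailer=relay, pri=120349, relay=sentinel1.tranet.net. [74.203.219.99], dsn=2.0.0, stat=Sent (Ok: queued as 0F7351C0B53)
Nov 15 03:26:33 sipx1 sendmail[4210]: qAF8Q78r004210: from=<bulk@sender.example>, size=5925, class=0, nrcpts=50, msgid=<201211150826.b@sipx1.sip.tranet.net>, proto=SMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Nov 15 10:02:23 sipx1 sendmail[11170]: qAFF2NI4011170: from=<sipx@localhost>, size=335352, class=0, nrcpts=1, msgid=<1578812003.338@sipx1.sip.tranet.net>, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Nov 15 10:02:23 sipx1 sendmail[11170]: qAFF2NI4011170: to=<voicemail@customer.example>, delay=00:00:00, mailer=relay, pri=365352, dsn=4.4.3, stat=queued
"""

# Assumption: the only envelope sender domains this host legitimately uses.
LOCAL_SENDER_DOMAINS = {"localhost", "sipx1.sip.tranet.net"}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sendmail\[(?P<pid>\d+)\]: "
    r"(?P<qid>\w+): (?P<rest>.*)$"
)
# key=value pairs: an angle-bracketed address, otherwise everything up to the next comma.
KV_RE = re.compile(r"(\w+)=(<[^>]*>|[^,]+)")


def parse_maillog(text):
    """Group records by queue id: {qid: {"from": fields or None, "to": [fields, ...]}}."""
    msgs = defaultdict(lambda: {"from": None, "to": []})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        fields = {k: v.strip("<>") for k, v in KV_RE.findall(m.group("rest"))}
        fields["ts"] = m.group("ts")
        rec = msgs[m.group("qid")]
        if "from" in fields:
            rec["from"] = fields
        elif "to" in fields:
            rec["to"].append(fields)
    return dict(msgs)


def classify(rec, bulk_threshold=10):
    """Return the reasons a queue entry looks injected; an empty list means it looks normal."""
    f = rec["from"]
    if f is None:
        return []
    reasons = []
    sender = f["from"]
    domain = sender.rsplit("@", 1)[-1].lower()
    via_loopback = "[127.0.0.1]" in f.get("relay", "")
    if via_loopback and domain not in LOCAL_SENDER_DOMAINS:
        reasons.append("envelope sender %s submitted over loopback" % sender)
    if via_loopback and f.get("proto") == "SMTP":
        # The host's own mailer in the thread submits with ESMTP; a bare HELO
        # client on 127.0.0.1 is some other process talking to port 25.
        reasons.append("plain SMTP submission from 127.0.0.1")
    if int(f.get("nrcpts", "0")) >= bulk_threshold:
        reasons.append("%s recipients in one submission" % f["nrcpts"])
    return reasons


def suspicious_queue_ids(text, bulk_threshold=10):
    """Map each flagged queue id to its submission timestamp and reasons."""
    flagged = {}
    for qid, rec in parse_maillog(text).items():
        reasons = classify(rec, bulk_threshold)
        if reasons:
            flagged[qid] = {"ts": rec["from"]["ts"], "reasons": reasons}
    return flagged


if __name__ == "__main__":
    for qid, info in suspicious_queue_ids(SAMPLE_MAILLOG).items():
        print(qid, info["ts"], "; ".join(info["reasons"]))
```

Run it over a copy of /var/log/maillog. Every hit with relay=localhost.localdomain [127.0.0.1] was handed to sendmail by a process on the box itself, so the firewall and the access map are not where the answer is; the submission timestamps are what to line up against local login and process activity, which is the point Tony makes above.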

Tony Graziano
2012-11-15 18:34:51 UTC
Permalink
What is the output of:

groups PlcmSpIp

On Thu, Nov 15, 2012 at 1:28 PM, Noah Mehl <***@tritonlimited.com> wrote:

> I can tell you I am the only person who could have made a change, and I
> can promise you I would not have made any changes to that user. So, the
> bigger question is how is this happening...
>
> From /etc/passwd:
>
>
> PlcmSpIp:x:500:500::/var/sipxdata/configserver/phone/profile/tftproot:/sbin/nologin
>
> However if I check /etc/shadow, there is indeed a password for that
> user. I certainly didn't set it.
>
> ~Noah
>
> On Nov 15, 2012, at 1:18 PM, Tony Graziano <***@myitdepartment.net>
> wrote:
>
> If you do not have sendmail-cf installed I would do that. I would then
> look through the sendmail.m4 file.
>
> The default settings say ONLY ACCEPT from this box (being sipx).
>
> passwd PlcmSpIp
>
> you shouldn't need to do that. Unless you are actually able to
> correlate that user login with these occurrences. I have never seen this
> happen, but in your case it might be a first.
>
> You will also need to change all of your phones in order to update them
> if they use FTP.
>
> Have you considered tightening down your SSH config?
>
> The PlcmSpIp user has no SSH login by default. I tried (as an example)
> from my LAN with IPTABLES OFF and I could not shell.
>
> So everyone here wants to know... what have you done to that user
> account? If it is authenticating via SSH it has been modified. The user
> shell is "/sbin/nologin" by default. I still doubt something has been
> hacked and rather think that someone has altered the user to make it less
> secure. If this is the case, it's a result of that action.
>
> Explain who did what to the user PlcmSpIp.

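Tony's questions above come down to three checks on the account: what shell /etc/passwd gives it, whether /etc/shadow holds a usable hash, and whether /var/log/secure shows sshd sessions for it. The following is an added example, not code from the thread or from sipXecs, that runs those checks offline. The passwd line is the one Noah posted; the shadow hash and the log lines are constructed placeholders in the real formats, and the list of nologin shells is an assumption. One caveat a defender should keep in mind: sshd opens the PAM session after authentication has succeeded and before it executes the login shell, so a "pam_unix(sshd:session): session opened" line for an account whose shell is /sbin/nologin still means the password was accepted; nologin only ends the session immediately.

```python
"""Audit a provisioning account such as PlcmSpIp for interactive-login exposure.

Added example, not code from the thread or from sipXecs.  It answers the
three questions raised above from offline copies of /etc/passwd,
/etc/shadow and /var/log/secure: what shell the account has, whether a
usable password hash exists, and whether sshd has opened sessions for it.
The passwd line is the one Noah posted; the shadow hash and the log lines
are constructed placeholders in the real formats.
"""
import re

NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}  # assumption
LOCKED_PREFIXES = ("!", "*")  # shadow hash field values that disable password auth

# Constructed inputs.  The hash below is a placeholder, not a real crypt(3) string.
SAMPLE_PASSWD = "PlcmSpIp:x:500:500::/var/sipxdata/configserver/phone/profile/tftproot:/sbin/nologin\n"
SAMPLE_SHADOW = "PlcmSpIp:$6$PLACEHOLDER$PLACEHOLDERHASH:15600:0:99999:7:::\n"
SAMPLE_SECURE = """\
Oct 11 06:09:25 sipx1 sshd[22059]: pam_unix(sshd:session): session opened for user PlcmSpIp by (uid=0)
Oct 11 06:09:25 sipx1 sshd[22059]: pam_unix(sshd:session): session closed for user PlcmSpIp
Oct 11 18:36:02 sipx1 sshd[29185]: pam_unix(sshd:session): session opened for user PlcmSpIp by (uid=0)
Oct 11 18:40:11 sipx1 vsftpd[29301]: pam_unix(vsftpd:session): session opened for user PlcmSpIp by (uid=0)
"""

SESSION_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ (?P<svc>\w+)\[\d+\]: "
    r"pam_unix\(\w+:session\): session opened for user (?P<user>\S+)"
)


def passwd_entry(passwd_text, user):
    """Return the account's uid, gid, home and shell, or None if absent."""
    for line in passwd_text.splitlines():
        f = line.split(":")
        if len(f) == 7 and f[0] == user:
            return {"uid": int(f[2]), "gid": int(f[3]), "home": f[5], "shell": f[6]}
    return None


def shadow_password_usable(shadow_text, user):
    """True when the shadow entry holds a hash that password auth would accept."""
    for line in shadow_text.splitlines():
        f = line.split(":")
        if len(f) >= 2 and f[0] == user:
            return bool(f[1]) and not f[1].startswith(LOCKED_PREFIXES)
    return False


def sessions_opened(secure_text, user, service="sshd"):
    """Timestamps of PAM session-open events for user under the given service."""
    out = []
    for line in secure_text.splitlines():
        m = SESSION_RE.match(line)
        if m and m.group("user") == user and m.group("svc") == service:
            out.append(m.group("ts"))
    return out


def audit_account(user, passwd_text, shadow_text, secure_text):
    """Findings a defender would act on; an empty list means nothing stood out."""
    pw = passwd_entry(passwd_text, user)
    if pw is None:
        return ["%s: no passwd entry" % user]
    findings = []
    if pw["shell"] not in NOLOGIN_SHELLS:
        findings.append("%s: interactive shell %s on a provisioning account" % (user, pw["shell"]))
    if shadow_password_usable(shadow_text, user):
        # vsftpd needs this hash, but sshd will accept the same password unless
        # the account is denied in sshd_config; nologin only ends the session.
        findings.append("%s: usable password hash; sshd password auth is possible" % user)
    ssh = sessions_opened(secure_text, user, "sshd")
    if ssh:
        findings.append("%s: %d sshd session(s) opened, first at %s" % (user, len(ssh), ssh[0]))
    return findings


if __name__ == "__main__":
    for line in audit_account("PlcmSpIp", SAMPLE_PASSWD, SAMPLE_SHADOW, SAMPLE_SECURE):
        print(line)
```

If the account must keep a password for vsftpd but should never authenticate to sshd, deny it in sshd_config (DenyUsers PlcmSpIp, or a Match User block with PasswordAuthentication no) and restart sshd; that closes the exposure without touching the phone provisioning path.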


Noah Mehl
2012-11-15 18:41:53 UTC
Permalink
[***@sipx1 etc]# groups PlcmSpIp
PlcmSpIp : PlcmSpIp

~Noah

On Nov 15, 2012, at 1:35 PM, Tony Graziano <***@myitdepartment.net> wrote:

What is the output of:

groups PlcmSpIp

On Thu, Nov 15, 2012 at 12:56 PM, Noah Mehl <***@tritonlimited.com> wrote:
I'm using "hacked" because as far as I can tell, this is not an SMTP relay issue. Therefore something on the system is open, and it has therefore been "hacked".

Here are some spam log entries from the maillog:

Nov 14 20:38:28 sipx1 sendmail[31880]: qAF1cSLn031880: from=<***@aol.org>, size=349, class=0, nrcpts=1, msgid=<***@sipx1.sip.tranet.net>, proto=SMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Nov 14 20:38:28 sipx1 sendmail[31880]: qAF1cSLn031880: to=<***@yahoo.co.uk>, delay=00:00:00, mailer=relay, pri=30349, dsn=4.4.3, stat=queued
Nov 14 20:38:34 sipx1 sendmail[32547]: qAF1cSLn031880: to=<***@yahoo.co.uk>, delay=00:00:06, xdelay=00:00:01, mailer=relay, pri=120349, relay=sentinel1.tranet.net. [74.203.219.99], dsn=2.0.0, stat=Sent (Ok: queued as 0F7351C0B53)
Nov 14 20:39:57 sipx1 sendmail[31945]: qAF1dufN031945: from=<***@rkw-lotus.com>, size=358, class=0, nrcpts=1, msgid=<***@sipx1.sip.tranet.net>, proto=SMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Nov 14 20:39:57 sipx1 sendmail[31945]: qAF1dufN031945: to=<***@yahoo.co.uk>, delay=00:00:00, mailer=relay, pri=30358, dsn=4.4.3, stat=queued
Nov 14 20:39:59 sipx1 sendmail[32547]: qAF1dufN031945: to=<***@yahoo.co.uk>, delay=00:00:02, xdelay=00:00:00, mailer=relay, pri=120358, relay=sentinel1.tranet.net. [74.203.219.99], dsn=2.0.0, stat=Sent (Ok: queued as 644861C0B57)
Nov 14 20:40:04 sipx1 sendmail[31953]: qAF1e3Ao031953: from=<***@rkw-lotus.com>, size=358, class=0, nrcpts=1, msgid=<***@sipx1.sip.tranet.net>, proto=SMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Nov 14 20:40:04 sipx1 sendmail[31953]: qAF1e3Ao031953: to=<***@yahoo.co.uk>, delay=00:00:00, mailer=relay, pri=30358, dsn=4.4.3, stat=queued
Nov 14 20:40:15 sipx1 sendmail[32547]: qAF1e3Ao031953: to=<***@yahoo.co.uk>, delay=00:00:11, xdelay=00:00:01, mailer=relay, pri=120358, relay=sentinel1.tranet.net. [74.203.219.99], dsn=2.0.0, stat=Sent (Ok: queued as ABC431C0B5B)
Nov 14 20:42:23 sipx1 sendmail[32050]: qAF1gMNl032050: from=<***@rkw-lotus.com>, size=358, class=0, nrcpts=1, msgid=<***@sipx1.sip.tranet.net>, proto=SMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Nov 14 20:42:23 sipx1 sendmail[32050]: qAF1gMNl032050: to=<***@yahoo.co.uk>, delay=00:00:00, mailer=relay, pri=30358, dsn=4.4.3, stat=queued
Nov 14 20:42:26 sipx1 sendmail[32547]: qAF1gMNl032050: to=<***@yahoo.co.uk>, delay=00:00:03, xdelay=00:00:01, mailer=relay, pri=120358, relay=sentinel1.tranet.net. [74.203.219.99], dsn=2.0.0, stat=Sent (Ok: queued as 488DE1C0B67)
Nov 14 21:08:02 sipx1 sendmail[32545]: qAF280Fd032545: from=<***@rkw-lotus.com>, size=361, class=0, nrcpts=2, msgid=<***@sipx1.sip.tranet.net>, proto=SMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Nov 14 21:08:02 sipx1 sendmail[32545]: qAF280Fd032545: to=<***@hotmail.com>, delay=00:00:00, mailer=relay, pri=60361, dsn=4.4.3, stat=queued
Nov 14 21:08:02 sipx1 sendmail[32545]: qAF280Fd032545: to=<***@yahoo.co.uk>, delay=00:00:00, mailer=relay, pri=60361, dsn=4.4.3, stat=queued
Nov 14 21:08:08 sipx1 sendmail[32547]: qAF280Fd032545: to=<***@yahoo.co.uk>,<***@hotmail.com>, delay=00:00:06, xdelay=00:00:01, mailer=relay, pri=150361, relay=sentinel1.tranet.net. [74.203.219.99], dsn=2.0.0, stat=Sent (Ok: queued as 1FAFD1BFD89)
Nov 14 21:08:12 sipx1 sendmail[32549]: qAF28A1h032549: from=<***@rkw-lotus.com>, size=361, class=0, nrcpts=2, msgid=<***@sipx1.sip.tranet.net>, proto=SMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Nov 14 21:08:12 sipx1 sendmail[32549]: qAF28A1h032549: to=<***@hotmail.com>, delay=00:00:01, mailer=relay, pri=60361, dsn=4.4.3, stat=queued
Nov 14 21:08:12 sipx1 sendmail[32549]: qAF28A1h032549: to=<***@yahoo.co.uk<mailto:***@yahoo.co.uk>>, delay=00:00:01, mailer=relay, pri=60361, dsn=4.4.3, stat=queued
Nov 14 21:08:23 sipx1 sendmail[32547]: qAF28A1h032549: to=<***@yahoo.co.uk<mailto:***@yahoo.co.uk>>,<***@hotmail.com<mailto:***@hotmail.com>>, delay=00:00:12, xdelay=00:00:00, mailer=relay, pri=150361, relay=sentinel1.tranet.net<http://sentinel1.tranet.net/>. [74.203.219.99], dsn=2.0.0, stat=Sent (Ok: queued as 4A9911BFD9F)
Nov 14 21:08:37 sipx1 sendmail[32559]: qAF28Z2x032559: from=<***@rkw-lotus.com<mailto:***@rkw-lotus.com>>, size=361, class=0, nrcpts=2, msgid=<***@sipx1.sip.tranet.net<mailto:***@sipx1.sip.tranet.net>>, proto=SMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Nov 14 21:08:37 sipx1 sendmail[32559]: qAF28Z2x032559: to=<***@hotmail.com<mailto:***@hotmail.com>>, delay=00:00:01, mailer=relay, pri=60361, dsn=4.4.3, stat=queued
Nov 14 21:08:37 sipx1 sendmail[32559]: qAF28Z2x032559: to=<***@yahoo.co.uk<mailto:***@yahoo.co.uk>>, delay=00:00:01, mailer=relay, pri=60361, dsn=4.4.3, stat=queued
Nov 14 21:08:39 sipx1 sendmail[32547]: qAF28Z2x032559: to=<***@yahoo.co.uk<mailto:***@yahoo.co.uk>>,<***@hotmail.com<mailto:***@hotmail.com>>, delay=00:00:03, xdelay=00:00:00, mailer=relay, pri=150361, relay=sentinel1.tranet.net<http://sentinel1.tranet.net/>. [74.203.219.99], dsn=2.0.0, stat=Sent (Ok: queued as 62A2D1BFDAB)
Nov 14 22:34:23 sipx1 sendmail[1047]: qAF3YKuO001047: from=<***@rkw-lotus.com<mailto:***@rkw-lotus.com>>, size=5874, class=0, nrcpts=1, msgid=<***@sipx1.sip.tranet.net<mailto:***@sipx1.sip.tranet.net>>, proto=SMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Nov 14 22:34:23 sipx1 sendmail[1047]: qAF3YKuO001047: to=<***@hotmail.com<mailto:***@hotmail.com>>, delay=00:00:01, mailer=relay, pri=35874, dsn=4.4.3, stat=queued
Nov 14 22:34:25 sipx1 sendmail[32547]: qAF3YKuO001047: to=<***@hotmail.com<mailto:***@hotmail.com>>, delay=00:00:03, xdelay=00:00:02, mailer=relay, pri=125874, relay=sentinel1.tranet.net<http://sentinel1.tranet.net/>. [74.203.219.99], dsn=2.0.0, stat=Sent (Ok: queued as 479D81C0BDE)
Nov 15 01:50:09 sipx1 sendmail[3176]: qAF6o7o5003176: from=<***@rkw-lotus.com<mailto:***@rkw-lotus.com>>, size=5874, class=0, nrcpts=1, msgid=<***@sipx1.sip.tranet.net<mailto:***@sipx1.sip.tranet.net>>, proto=SMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Nov 15 01:50:09 sipx1 sendmail[3176]: qAF6o7o5003176: to=<***@hotmail.com<mailto:***@hotmail.com>>, delay=00:00:01, mailer=relay, pri=35874, dsn=4.4.3, stat=queued
Nov 15 01:50:14 sipx1 sendmail[32547]: qAF6o7o5003176: to=<***@hotmail.com<mailto:***@hotmail.com>>, delay=00:00:06, xdelay=00:00:03, mailer=relay, pri=125874, relay=sentinel1.tranet.net<http://sentinel1.tranet.net/>. [74.203.219.99], dsn=2.0.0, stat=Sent (Ok: queued as 309221C0F12)
Nov 15 03:19:19 sipx1 sendmail[4123]: qAF8JHpS004123: from=<***@rkw-lotus.com<mailto:***@rkw-lotus.com>>, size=5874, class=0, nrcpts=1, msgid=<***@sipx1.sip.tranet.net<mailto:***@sipx1.sip.tranet.net>>, proto=SMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Nov 15 03:19:19 sipx1 sendmail[4123]: qAF8JHpS004123: to=<***@hotmail.com<mailto:***@hotmail.com>>, delay=00:00:00, mailer=relay, pri=35874, dsn=4.4.3, stat=queued
Nov 15 03:19:23 sipx1 sendmail[32547]: qAF8JHpS004123: to=<***@hotmail.com<mailto:***@hotmail.com>>, delay=00:00:04, xdelay=00:00:01, mailer=relay, pri=125874, relay=sentinel1.tranet.net<http://sentinel1.tranet.net/>. [74.203.219.99], dsn=2.0.0, stat=Sent (Ok: queued as 6B4E11C0F51)
Nov 15 03:26:33 sipx1 sendmail[4210]: qAF8Q78r004210: from=<***@rkw-lotus.com<mailto:***@rkw-lotus.com>>, size=5925, class=0, nrcpts=50, msgid=<***@sipx1.sip.tranet.net<mailto:***@sipx1.sip.tranet.net>>, proto=SMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]

As opposed to a normal entry:

Nov 15 10:02:23 sipx1 sendmail[11170]: qAFF2NI4011170: from=<***@localhost>, size=335352, class=0, nrcpts=1, msgid=<***@sipx1.sip.tranet.net>, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Nov 15 10:02:23 sipx1 sendmail[11170]: qAFF2NI4011170: to=<***@signmuseum.org>, delay=00:00:00, mailer=relay, pri=365352, dsn=4.4.3, stat=queued
Nov 15 10:02:40 sipx1 sendmail[10780]: qAFF2NI4011170: to=<***@signmuseum.org>, delay=00:00:17, xdelay=00:00:14, mailer=relay, pri=455352, relay=sentinel1.tranet.net. [74.203.219.99], dsn=2.0.0, stat=Sent (Ok: queued as 501B41C1CBE)

So, they are being generated locally, as far as I can tell.

~Noah

On Nov 15, 2012, at 12:42 PM, Todd Hodgen <***@frontier.com>
wrote:

+1

From: sipx-users-***@list.sipfoundry.org [mailto:sipx-users-***@list.sipfoundry.org] On Behalf Of Michael Picher
Sent: Thursday, November 15, 2012 7:49 AM
To: Discussion list for users of sipXecs software
Subject: Re: [sipx-users] Hacked SipXecs 4.4

yes, and using the word hacked as your subject is not particularly... helpful...

On Thu, Nov 15, 2012 at 3:32 PM, Tony Graziano <***@myitdepartment.net> wrote:
you really need to look at the mail log to see where the mail is coming from regardless of your firewall settings. It can actually come from inside you see.

On Thu, Nov 15, 2012 at 9:29 AM, Noah Mehl <***@tritonlimited.com> wrote:
I am seeing more spam in my mail queue. I have iptables installed, and here are my rules:

Chain INPUT (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp any
ACCEPT esp -- anywhere anywhere
ACCEPT ah -- anywhere anywhere
ACCEPT udp -- anywhere 224.0.0.251 udp dpt:mdns
ACCEPT udp -- anywhere anywhere udp dpt:ipp
ACCEPT tcp -- anywhere anywhere tcp dpt:ipp
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:pcsync-https
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:xmpp-client
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:5223
ACCEPT all -- 192.168.0.0/16 anywhere
ACCEPT udp -- anywhere anywhere state NEW udp dpt:sip
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:sip
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:sip-tls
ACCEPT udp -- sip02.gafachi.com anywhere state NEW udp dpts:sip:5080
ACCEPT udp -- 204.11.192.0/22 anywhere state NEW udp dpts:sip:5080
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

As far as I can tell, no one should be able to use port 25 from the world. Also, sendmail is only configured to allow relay from localhost:

[***@sipx1 ~]# cat /etc/mail/access
# Check the /usr/share/doc/sendmail/README.cf file for a description
# of the format of this file. (search for access_db in that file)
# The /usr/share/doc/sendmail/README.cf is part of the sendmail-doc
# package.
#
# by default we allow relaying from localhost...
Connect:localhost.localdomain RELAY
Connect:localhost RELAY
Connect:127.0.0.1 RELAY
Can someone please help me figure out where this spam is coming from? Thanks.

~Noah

On Oct 13, 2012, at 10:17 AM, Noah Mehl <***@tritonlimited.com> wrote:

> I did not change the configuration of anything related to the PlcmSpIp user. It does however make me feel better that it is related to the vsftpd service and the polycom phones.
>
>> From /etc/passwd:
>
> PlcmSpIp:x:500:500::/var/sipxdata/configserver/phone/profile/tftproot:/sbin/nologin
>
> So, that user cannot ssh to a shell. So I don't think it was that.
>
> ~Noah
>
> On Oct 12, 2012, at 9:05 AM, Tony Graziano <***@myitdepartment.net> wrote:
>
>> ... more -- its a user that does not have login to the OS itself, just
>> vsftpd, which is restricted to certain commands and must present a
>> request for its mac address in order to get a configuration file. It
>> is not logging into linux unless someone changed the rights of the
>> user.
>>
>> On Fri, Oct 12, 2012 at 7:30 AM, George Niculae <***@ezuce.com> wrote:
>>> On Fri, Oct 12, 2012 at 2:26 PM, Tony Graziano
>>> <***@myitdepartment.net> wrote:
>>>> this is not a valid system user unless you have manually added it to the
>>>> system. I do think the logs would show more if access was granted. Why are
>>>> you exposing sshd to the outside world with an acl or by protecting it at
>>>> your firewall?
>>>>
>>>
>>> PlcmSpIp is the user used by polycom phones for fetching config from server
>>>
>>> George
>>> _______________________________________________
>>> sipx-users mailing list
>>> sipx-***@list.sipfoundry.org
>>> List Archive: http://list.sipfoundry.org/archive/sipx-users/
>>
>>
>>
>> --
>> ~~~~~~~~~~~~~~~~~~
>> Tony Graziano, Manager
>> Telephone: 434.984.8430
>> sip: ***@voice.myitdepartment.net
>> Fax: 434.465.6833
>> ~~~~~~~~~~~~~~~~~~
>> Linked-In Profile:
>> http://www.linkedin.com/pub/tony-graziano/14/4a6/7a4
>> Ask about our Internet Fax services!
>> ~~~~~~~~~~~~~~~~~~
>>
>> Using or developing for sipXecs from SIPFoundry? Ask me about sipX-CoLab 2013!
>>
>> --
>> LAN/Telephony/Security and Control Systems Helpdesk:
>> Telephone: 434.984.8426
>> sip: ***@voice.myitdepartment.net
>>
>> Helpdesk Customers: http://myhelp.myitdepartment.net
>> Blog: http://blog.myitdepartment.net
>> _______________________________________________
>> sipx-users mailing list
>> sipx-***@list.sipfoundry.org
>> List Archive: http://list.sipfoundry.org/archive/sipx-users/
>
>
> Scanned for viruses and content by the Tranet Spam Sentinel service.
> _______________________________________________
> sipx-users mailing list
> sipx-***@list.sipfoundry.org
> List Archive: http://list.sipfoundry.org/archive/sipx-users/

_______________________________________________
sipx-users mailing list
sipx-***@list.sipfoundry.org
List Archive: http://list.sipfoundry.org/archive/sipx-users/



--
~~~~~~~~~~~~~~~~~~
Tony Graziano, Manager
Telephone: 434.984.8430
sip: ***@voice.myitdepartment.net
Fax: 434.465.6833
~~~~~~~~~~~~~~~~~~
Linked-In Profile:
http://www.linkedin.com/pub/tony-graziano/14/4a6/7a4
Ask about our Internet Fax services!
~~~~~~~~~~~~~~~~~~

Using or developing for sipXecs from SIPFoundry? Ask me about sipX-CoLab 2013!
http://sipxcolab2013.eventbrite.com/?discount=tony2013

LAN/Telephony/Security and Control Systems Helpdesk:
Telephone: 434.984.8426
sip: ***@voice.myitdepartment.net

Helpdesk Customers: http://myhelp.myitdepartment.net
Blog: http://blog.myitdepartment.net

_______________________________________________
sipx-users mailing list
sipx-***@list.sipfoundry.org
List Archive: http://list.sipfoundry.org/archive/sipx-users/



--
Michael Picher, Director of Technical Services
eZuce, Inc.
300 Brickstone Square
Suite 201
Andover, MA. 01810
O.978-296-1005 X2015
M.207-956-0262
@mpicher <http://twitter.com/mpicher>
linkedin: http://www.linkedin.com/profile/view?id=35504760&trk=tab_pro
www.ezuce.com

------------------------------------------------------------------------------------------------------------
There are 10 kinds of people in the world, those who understand binary and those who don't.

_______________________________________________
sipx-users mailing list
sipx-***@list.sipfoundry.org
List Archive: http://list.sipfoundry.org/archive/sipx-users/



_______________________________________________
sipx-users mailing list
sipx-***@list.sipfoundry.org
List Archive: http://list.sipfoundry.org/archive/sipx-users/



--
~~~~~~~~~~~~~~~~~~
Tony Graziano, Manager
Telephone: 434.984.8430
sip: ***@voice.myitdepartment.net
Fax: 434.465.6833
~~~~~~~~~~~~~~~~~~
Linked-In Profile:
http://www.linkedin.com/pub/tony-graziano/14/4a6/7a4
Ask about our Internet Fax services!
~~~~~~~~~~~~~~~~~~

Using or developing for sipXecs from SIPFoundry? Ask me about sipX-CoLab 2013!


LAN/Telephony/Security and Control Systems Helpdesk:
Telephone: 434.984.8426
sip: ***@voice.myitdepartment.net

Helpdesk Customers: http://myhelp.myitdepartment.net
Blog: http://blog.myitdepartment.net
_______________________________________________
sipx-users mailing list
sipx-***@list.sipfoundry.org
List Archive: http://list.sipfoundry.org/archive/sipx-users/



_______________________________________________
sipx-users mailing list
sipx-***@list.sipfoundry.org
List Archive: http://list.sipfoundry.org/archive/sipx-users/



--
~~~~~~~~~~~~~~~~~~
Tony Graziano, Manager
Telephone: 434.984.8430
sip: ***@voice.myitdepartment.net
Fax: 434.465.6833
~~~~~~~~~~~~~~~~~~
Linked-In Profile:
http://www.linkedin.com/pub/tony-graziano/14/4a6/7a4
Ask about our Internet Fax services!
~~~~~~~~~~~~~~~~~~

Using or developing for sipXecs from SIPFoundry? Ask me about sipX-CoLab 2013!


LAN/Telephony/Security and Control Systems Helpdesk:
Telephone: 434.984.8426
sip: ***@voice.myitdepartment.net

Helpdesk Customers: http://myhelp.myitdepartment.net
Blog: http://blog.myitdepartment.net
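The distinction Noah draws above (spam injected through localhost with plain proto=SMTP and sender domains the PBX does not own, versus the PBX's own ESMTP mail from @localhost) can be turned into a check over the maillog. This is an added example, not code from the thread or from sipXecs; the sample log lines and the LOCAL_DOMAINS set are constructed, and the recipient threshold is an assumed tuning value.

```python
import re
from collections import defaultdict

# A sendmail maillog line: "Mon DD HH:MM:SS host sendmail[pid]: QUEUEID: key=value, key=value, ..."
LINE_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+'
    r'sendmail\[(?P<pid>\d+)\]:\s+(?P<qid>[A-Za-z0-9]+):\s+(?P<rest>.*)$'
)
# A value is either one or more <angle-bracketed> addresses or free text up to the next comma.
FIELD_RE = re.compile(r'(\w+)=(<[^>]*>(?:,<[^>]*>)*|[^,]+)')

# Constructed sample lines modelled on the thread's log format. Addresses use reserved
# example domains; the queue ids are the ones that appear in the thread.
SAMPLE_MAILLOG = """\
Nov 14 20:38:28 sipx1 sendmail[31880]: qAF1cSLn031880: from=<bogus@example.org>, size=349, class=0, nrcpts=1, msgid=<201211150138.qAF1cSLn031880@sipx1.example.net>, proto=SMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Nov 14 20:38:28 sipx1 sendmail[31880]: qAF1cSLn031880: to=<victim@example.co.uk>, delay=00:00:00, mailer=relay, pri=30349, dsn=4.4.3, stat=queued
Nov 14 20:38:34 sipx1 sendmail[32547]: qAF1cSLn031880: to=<victim@example.co.uk>, delay=00:00:06, xdelay=00:00:01, mailer=relay, pri=120349, relay=smarthost.example.net. [192.0.2.10], dsn=2.0.0, stat=Sent (Ok: queued as 0F7351C0B53)
Nov 15 03:26:33 sipx1 sendmail[4210]: qAF8Q78r004210: from=<bogus@example.org>, size=5925, class=0, nrcpts=50, msgid=<201211150826.qAF8Q78r004210@sipx1.example.net>, proto=SMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Nov 15 10:02:23 sipx1 sendmail[11170]: qAFF2NI4011170: from=<sipxpbx@localhost>, size=335352, class=0, nrcpts=1, msgid=<1578812003.338.1352991743551.sipxpbx@sipx1.example.net>, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Nov 15 10:02:23 sipx1 sendmail[11170]: qAFF2NI4011170: to=<alice@example.com>, delay=00:00:00, mailer=relay, pri=365352, dsn=4.4.3, stat=queued
"""

# Assumed: the domains this PBX legitimately sends mail as.
LOCAL_DOMAINS = {"localhost", "sipx1.example.net", "example.net"}


def parse_line(line):
    """Split one maillog line into a dict of its fields; None for lines that are not sendmail's."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {k: m.group(k) for k in ("ts", "host", "pid", "qid")}
    for key, value in FIELD_RE.findall(m.group("rest")):
        rec[key] = value.strip()
    return rec


def group_by_queue_id(lines):
    """Collect the from= envelope record and the queued to= recipients for each queue id."""
    msgs = defaultdict(lambda: {"recipients": []})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        msg = msgs[rec["qid"]]
        if "from" in rec:  # envelope line, logged once per message
            msg["sender"] = rec["from"].strip("<>")
            msg["proto"] = rec.get("proto", "")
            msg["relay"] = rec.get("relay", "")
            msg["nrcpts"] = int(rec.get("nrcpts", "0"))
        elif "to" in rec and rec.get("stat") == "queued":  # skip the later Sent line
            msg["recipients"].extend(a.strip("<>") for a in rec["to"].split(","))
    return dict(msgs)


def suspicious_reasons(msg, local_domains, rcpt_threshold=20):
    """Heuristics taken from the thread: mail injected via localhost with a sender domain
    this host does not own, submitted with plain SMTP where the PBX's own mail used ESMTP,
    or fanned out to many recipients in one message."""
    reasons = []
    sender = msg.get("sender", "")
    domain = sender.rsplit("@", 1)[-1].lower()
    from_localhost = msg.get("relay", "").startswith("localhost")
    if from_localhost and domain not in local_domains:
        reasons.append("injected via localhost with foreign sender domain %s" % domain)
    if from_localhost and msg.get("proto") == "SMTP":
        reasons.append("plain SMTP submission (the PBX's own mail uses ESMTP)")
    if msg.get("nrcpts", 0) >= rcpt_threshold:
        reasons.append("%d recipients in one message" % msg["nrcpts"])
    return reasons


def find_suspicious(lines, local_domains, rcpt_threshold=20):
    """Map queue id -> list of reasons for every message that trips at least one heuristic."""
    flagged = {}
    for qid, msg in group_by_queue_id(lines).items():
        reasons = suspicious_reasons(msg, local_domains, rcpt_threshold)
        if reasons:
            flagged[qid] = reasons
    return flagged


if __name__ == "__main__":
    for qid, reasons in find_suspicious(SAMPLE_MAILLOG.splitlines(), LOCAL_DOMAINS).items():
        print(qid, "->", "; ".join(reasons))
```

Run against a real /var/log/maillog, the queue ids it flags are the ones to pair with `ps`/`lsof` output from the same minute to find the local process that opened the connection to port 25.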
Tony Graziano
2012-11-15 18:50:19 UTC
Permalink
This is correct. Do you have any remote users? If not, you can actually
delete the user because tftp does not use login. The group is correct.

If it were me, and it's not, I would make sure whatever firewall I have sipx
behind is tightened down. There are a couple of ways to do that with ssh
open, and one was mentioned to you early on in this thread.

For me I don't make SSH available, and I VPN in should I have the need.
Then I login as a different user and su to root if I need that (don't allow
root login with ssh either).

On Thu, Nov 15, 2012 at 1:41 PM, Noah Mehl <***@tritonlimited.com> wrote:

> [***@sipx1 etc]# groups PlcmSpIp
> PlcmSpIp : PlcmSpIp
>
> ~Noah
>
> On Nov 15, 2012, at 1:35 PM, Tony Graziano <***@myitdepartment.net>
> wrote:
>
> What is the output of:
>
> groups PlcmSpIp
>
> On Thu, Nov 15, 2012 at 1:28 PM, Noah Mehl <***@tritonlimited.com> wrote:
>
>> I can tell you I am the only person who could have made a change, and I
>> can promise you I would not have made any changes to that user. So, the
>> bigger question is how is this happening...
>>
>> From /etc/passwd:
>>
>>
>> PlcmSpIp:x:500:500::/var/sipxdata/configserver/phone/profile/tftproot:/sbin/nologin
>>
>> However if I check /etc/shadow, there is indeed a password for that
>> user. I certainly didn't set it.
>>
>> ~Noah
>>
>> On Nov 15, 2012, at 1:18 PM, Tony Graziano <***@myitdepartment.net>
>> wrote:
>>
>> If you do not have sendmail-cf installed I would do that. I would then
>> look through the sendmail.m4 file.
>>
>> The default settings say ONLY ACCEPT from this box (being sipx).
>>
>> passwd PlcmSpIp
>>
>> you shouldn't need to do that. Unless you are actually able to
>> correlate that user login with these occurrences. I have never seen this
>> happen, but in your case it might be a first.
>>
>> You will also need to change all of your phones in order to update them
>> if they use FTP.
>>
>> Have you considered tightening down your SSH config?
>>
>> The PlcmSpIp user has no SSH login by default. I tried (as an example)
>> from my LAN with IPTABLES OFF and I could not shell.
>>
>> So everyone here wants to know... what have you done to that user
>> account? If it is authenticating via SSH it has been modified. The user
>> shell is "/sbin/nologin" by default. I still doubt something has been
>> hacked and rather think that someone has altered the user to make it less
>> secure. If this is the case, it's a result of that action.
>>
>> Explain who did what to the user PlcmSpIp.
>>
>> On Thu, Nov 15, 2012 at 12:56 PM, Noah Mehl <***@tritonlimited.com> wrote:
>>
>>> I'm using "hacked" because as far as I can tell, this is not an smtp
>>> relay issue. Therefore something on the system is open, and therefore been
>>> "hacked".
>>>
>>> Here is some spam log entries in the maillog:
>>>
>>> Nov 14 20:38:28 sipx1 sendmail[31880]: qAF1cSLn031880: from=<***@aol.org>,
>>> size=349, class=0, nrcpts=1, msgid=<201211150138.
>>> ***@sipx1.sip.tranet.net>, proto=SMTP, daemon=MTA,
>>> relay=localhost.localdomain [127.0.0.1]
>>> Nov 14 20:38:28 sipx1 sendmail[31880]: qAF1cSLn031880: to=<
>>> ***@yahoo.co.uk>, delay=00:00:00, mailer=relay, pri=30349,
>>> dsn=4.4.3, stat=queued
>>> Nov 14 20:38:34 sipx1 sendmail[32547]: qAF1cSLn031880: to=<
>>> ***@yahoo.co.uk>, delay=00:00:06, xdelay=00:00:01,
>>> mailer=relay, pri=120349, relay=sentinel1.tranet.net. [74.203.219.99],
>>> dsn=2.0.0, stat=Sent (Ok: queued as 0F7351C0B53)
>>> Nov 14 20:39:57 sipx1 sendmail[31945]: qAF1dufN031945: from=<
>>> ***@rkw-lotus.com>, size=358, class=0, nrcpts=1, msgid=<201211150139.
>>> ***@sipx1.sip.tranet.net>, proto=SMTP, daemon=MTA,
>>> relay=localhost.localdomain [127.0.0.1]
>>> Nov 14 20:39:57 sipx1 sendmail[31945]: qAF1dufN031945: to=<
>>> ***@yahoo.co.uk>, delay=00:00:00, mailer=relay, pri=30358,
>>> dsn=4.4.3, stat=queued
>>> Nov 14 20:39:59 sipx1 sendmail[32547]: qAF1dufN031945: to=<
>>> ***@yahoo.co.uk>, delay=00:00:02, xdelay=00:00:00,
>>> mailer=relay, pri=120358, relay=sentinel1.tranet.net. [74.203.219.99],
>>> dsn=2.0.0, stat=Sent (Ok: queued as 644861C0B57)
>>> Nov 14 20:40:04 sipx1 sendmail[31953]: qAF1e3Ao031953: from=<
>>> ***@rkw-lotus.com>, size=358, class=0, nrcpts=1, msgid=<201211150140.
>>> ***@sipx1.sip.tranet.net>, proto=SMTP, daemon=MTA,
>>> relay=localhost.localdomain [127.0.0.1]
>>> Nov 14 20:40:04 sipx1 sendmail[31953]: qAF1e3Ao031953: to=<
>>> ***@yahoo.co.uk>, delay=00:00:00, mailer=relay, pri=30358,
>>> dsn=4.4.3, stat=queued
>>> Nov 14 20:40:15 sipx1 sendmail[32547]: qAF1e3Ao031953: to=<
>>> ***@yahoo.co.uk>, delay=00:00:11, xdelay=00:00:01,
>>> mailer=relay, pri=120358, relay=sentinel1.tranet.net. [74.203.219.99],
>>> dsn=2.0.0, stat=Sent (Ok: queued as ABC431C0B5B)
>>> Nov 14 20:42:23 sipx1 sendmail[32050]: qAF1gMNl032050: from=<
>>> ***@rkw-lotus.com>, size=358, class=0, nrcpts=1, msgid=<201211150142.
>>> ***@sipx1.sip.tranet.net>, proto=SMTP, daemon=MTA,
>>> relay=localhost.localdomain [127.0.0.1]
>>> Nov 14 20:42:23 sipx1 sendmail[32050]: qAF1gMNl032050: to=<
>>> ***@yahoo.co.uk>, delay=00:00:00, mailer=relay, pri=30358,
>>> dsn=4.4.3, stat=queued
>>> Nov 14 20:42:26 sipx1 sendmail[32547]: qAF1gMNl032050: to=<
>>> ***@yahoo.co.uk>, delay=00:00:03, xdelay=00:00:01,
>>> mailer=relay, pri=120358, relay=sentinel1.tranet.net. [74.203.219.99],
>>> dsn=2.0.0, stat=Sent (Ok: queued as 488DE1C0B67)
>>> Nov 14 21:08:02 sipx1 sendmail[32545]: qAF280Fd032545: from=<
>>> ***@rkw-lotus.com>, size=361, class=0, nrcpts=2, msgid=<201211150208.
>>> ***@sipx1.sip.tranet.net>, proto=SMTP, daemon=MTA,
>>> relay=localhost.localdomain [127.0.0.1]
>>> Nov 14 21:08:02 sipx1 sendmail[32545]: qAF280Fd032545: to=<
>>> ***@hotmail.com>, delay=00:00:00, mailer=relay, pri=60361,
>>> dsn=4.4.3, stat=queued
>>> Nov 14 21:08:02 sipx1 sendmail[32545]: qAF280Fd032545: to=<
>>> ***@yahoo.co.uk>, delay=00:00:00, mailer=relay, pri=60361,
>>> dsn=4.4.3, stat=queued
>>> Nov 14 21:08:08 sipx1 sendmail[32547]: qAF280Fd032545: to=<
>>> ***@yahoo.co.uk>,<***@hotmail.com>, delay=00:00:06,
>>> xdelay=00:00:01, mailer=relay, pri=150361, relay=sentinel1.tranet.net.
>>> [74.203.219.99], dsn=2.0.0, stat=Sent (Ok: queued as 1FAFD1BFD89)
>>> Nov 14 21:08:12 sipx1 sendmail[32549]: qAF28A1h032549: from=<
>>> ***@rkw-lotus.com>, size=361, class=0, nrcpts=2, msgid=<201211150208.
>>> ***@sipx1.sip.tranet.net>, proto=SMTP, daemon=MTA,
>>> relay=localhost.localdomain [127.0.0.1]
>>> Nov 14 21:08:12 sipx1 sendmail[32549]: qAF28A1h032549: to=<
>>> ***@hotmail.com>, delay=00:00:01, mailer=relay, pri=60361,
>>> dsn=4.4.3, stat=queued
>>> Nov 14 21:08:12 sipx1 sendmail[32549]: qAF28A1h032549: to=<
>>> ***@yahoo.co.uk>, delay=00:00:01, mailer=relay, pri=60361,
>>> dsn=4.4.3, stat=queued
>>> Nov 14 21:08:23 sipx1 sendmail[32547]: qAF28A1h032549: to=<
>>> ***@yahoo.co.uk>,<***@hotmail.com>, delay=00:00:12,
>>> xdelay=00:00:00, mailer=relay, pri=150361, relay=sentinel1.tranet.net.
>>> [74.203.219.99], dsn=2.0.0, stat=Sent (Ok: queued as 4A9911BFD9F)
>>> Nov 14 21:08:37 sipx1 sendmail[32559]: qAF28Z2x032559: from=<
>>> ***@rkw-lotus.com>, size=361, class=0, nrcpts=2, msgid=<201211150208.
>>> ***@sipx1.sip.tranet.net>, proto=SMTP, daemon=MTA,
>>> relay=localhost.localdomain [127.0.0.1]
>>> Nov 14 21:08:37 sipx1 sendmail[32559]: qAF28Z2x032559: to=<
>>> ***@hotmail.com>, delay=00:00:01, mailer=relay, pri=60361,
>>> dsn=4.4.3, stat=queued
>>> Nov 14 21:08:37 sipx1 sendmail[32559]: qAF28Z2x032559: to=<
>>> ***@yahoo.co.uk>, delay=00:00:01, mailer=relay, pri=60361,
>>> dsn=4.4.3, stat=queued
>>> Nov 14 21:08:39 sipx1 sendmail[32547]: qAF28Z2x032559: to=<
>>> ***@yahoo.co.uk>,<***@hotmail.com>, delay=00:00:03,
>>> xdelay=00:00:00, mailer=relay, pri=150361, relay=sentinel1.tranet.net.
>>> [74.203.219.99], dsn=2.0.0, stat=Sent (Ok: queued as 62A2D1BFDAB)
>>> Nov 14 22:34:23 sipx1 sendmail[1047]: qAF3YKuO001047: from=<
>>> ***@rkw-lotus.com>, size=5874, class=0, nrcpts=1, msgid=<201211150334.
>>> ***@sipx1.sip.tranet.net>, proto=SMTP, daemon=MTA,
>>> relay=localhost.localdomain [127.0.0.1]
>>> Nov 14 22:34:23 sipx1 sendmail[1047]: qAF3YKuO001047: to=<
>>> ***@hotmail.com>, delay=00:00:01, mailer=relay, pri=35874,
>>> dsn=4.4.3, stat=queued
>>> Nov 14 22:34:25 sipx1 sendmail[32547]: qAF3YKuO001047: to=<
>>> ***@hotmail.com>, delay=00:00:03, xdelay=00:00:02, mailer=relay,
>>> pri=125874, relay=sentinel1.tranet.net. [74.203.219.99], dsn=2.0.0,
>>> stat=Sent (Ok: queued as 479D81C0BDE)
>>> Nov 15 01:50:09 sipx1 sendmail[3176]: qAF6o7o5003176: from=<
>>> ***@rkw-lotus.com>, size=5874, class=0, nrcpts=1, msgid=<201211150650.
>>> ***@sipx1.sip.tranet.net>, proto=SMTP, daemon=MTA,
>>> relay=localhost.localdomain [127.0.0.1]
>>> Nov 15 01:50:09 sipx1 sendmail[3176]: qAF6o7o5003176: to=<
>>> ***@hotmail.com>, delay=00:00:01, mailer=relay, pri=35874,
>>> dsn=4.4.3, stat=queued
>>> Nov 15 01:50:14 sipx1 sendmail[32547]: qAF6o7o5003176: to=<
>>> ***@hotmail.com>, delay=00:00:06, xdelay=00:00:03, mailer=relay,
>>> pri=125874, relay=sentinel1.tranet.net. [74.203.219.99], dsn=2.0.0,
>>> stat=Sent (Ok: queued as 309221C0F12)
>>> Nov 15 03:19:19 sipx1 sendmail[4123]: qAF8JHpS004123: from=<
>>> ***@rkw-lotus.com>, size=5874, class=0, nrcpts=1, msgid=<201211150819.
>>> ***@sipx1.sip.tranet.net>, proto=SMTP, daemon=MTA,
>>> relay=localhost.localdomain [127.0.0.1]
>>> Nov 15 03:19:19 sipx1 sendmail[4123]: qAF8JHpS004123: to=<
>>> ***@hotmail.com>, delay=00:00:00, mailer=relay, pri=35874,
>>> dsn=4.4.3, stat=queued
>>> Nov 15 03:19:23 sipx1 sendmail[32547]: qAF8JHpS004123: to=<
>>> ***@hotmail.com>, delay=00:00:04, xdelay=00:00:01, mailer=relay,
>>> pri=125874, relay=sentinel1.tranet.net. [74.203.219.99], dsn=2.0.0,
>>> stat=Sent (Ok: queued as 6B4E11C0F51)
>>> Nov 15 03:26:33 sipx1 sendmail[4210]: qAF8Q78r004210: from=<
>>> ***@rkw-lotus.com>, size=5925, class=0, nrcpts=50, msgid=<201211150826.
>>> ***@sipx1.sip.tranet.net>, proto=SMTP, daemon=MTA,
>>> relay=localhost.localdomain [127.0.0.1]
>>>
>>> As opposed to a normal entry:
>>>
>>> Nov 15 10:02:23 sipx1 sendmail[11170]: qAFF2NI4011170:
>>> from=<***@localhost>, size=335352, class=0, nrcpts=1,
>>> msgid=<1578812003.338.1352991743551.
>>> ***@sipx1.sip.tranet.net>, proto=ESMTP, daemon=MTA,
>>> relay=localhost.localdomain [127.0.0.1]
>>> Nov 15 10:02:23 sipx1 sendmail[11170]: qAFF2NI4011170: to=<
>>> ***@signmuseum.org>, delay=00:00:00, mailer=relay, pri=365352,
>>> dsn=4.4.3, stat=queued
>>> Nov 15 10:02:40 sipx1 sendmail[10780]: qAFF2NI4011170: to=<
>>> ***@signmuseum.org>, delay=00:00:17, xdelay=00:00:14, mailer=relay,
>>> pri=455352, relay=sentinel1.tranet.net. [74.203.219.99], dsn=2.0.0,
>>> stat=Sent (Ok: queued as 501B41C1CBE)
>>>
>>> So, they are being generated locally, as far as I can tell.
>>>
>>> ~Noah
>>>
>>> On Nov 15, 2012, at 12:42 PM, Todd Hodgen <***@frontier.com>
>>> wrote:
>>>
>>> +1
>>>
>>> From: sipx-users-***@list.sipfoundry.org [mailto:sipx-
>>> users-***@list.sipfoundry.org] On Behalf Of Michael Picher
>>> Sent: Thursday, November 15, 2012 7:49 AM
>>> To: Discussion list for users of sipXecs software
>>> Subject: Re: [sipx-users] Hacked SipXecs 4.4
>>>
>>> yes, and using the word hacked as your subject is not particularly...
>>> helpful...
>>>
>>>
>>> On Thu, Nov 15, 2012 at 3:32 PM, Tony Graziano <
>>> ***@myitdepartment.net> wrote:
>>> you really need to look at the mail log to see where the mail is coming
>>> from regardless of your firewall settings. It can actually come from inside
>>> you see.
>>>
>>>
>>> On Thu, Nov 15, 2012 at 9:29 AM, Noah Mehl <***@tritonlimited.com>
>>> wrote:
>>> I am seeing more spam in my mail queue. I have iptables installed, and
>>> here are my rules:
>>>
>>> Chain INPUT (policy ACCEPT)
>>> target prot opt source destination
>>> RH-Firewall-1-INPUT all -- anywhere anywhere
>>>
>>> Chain FORWARD (policy ACCEPT)
>>> target prot opt source destination
>>> RH-Firewall-1-INPUT all -- anywhere anywhere
>>>
>>> Chain OUTPUT (policy ACCEPT)
>>> target prot opt source destination
>>>
>>> Chain RH-Firewall-1-INPUT (2 references)
>>> target prot opt source destination
>>> ACCEPT all -- anywhere anywhere
>>> ACCEPT icmp -- anywhere anywhere icmp any
>>> ACCEPT esp -- anywhere anywhere
>>> ACCEPT ah -- anywhere anywhere
>>> ACCEPT udp -- anywhere 224.0.0.251 udp dpt:mdns
>>> ACCEPT udp -- anywhere anywhere udp dpt:ipp
>>> ACCEPT tcp -- anywhere anywhere tcp dpt:ipp
>>> ACCEPT all -- anywhere anywhere state
>>> RELATED,ESTABLISHED
>>> ACCEPT tcp -- anywhere anywhere state NEW
>>> tcp dpt:pcsync-https
>>> ACCEPT tcp -- anywhere anywhere state NEW
>>> tcp dpt:http
>>> ACCEPT tcp -- anywhere anywhere state NEW
>>> tcp dpt:xmpp-client
>>> ACCEPT tcp -- anywhere anywhere state NEW
>>> tcp dpt:5223
>>> ACCEPT all -- 192.168.0.0/16 anywhere
>>> ACCEPT udp -- anywhere anywhere state NEW
>>> udp dpt:sip
>>> ACCEPT tcp -- anywhere anywhere state NEW
>>> tcp dpt:sip
>>> ACCEPT tcp -- anywhere anywhere state NEW
>>> tcp dpt:sip-tls
>>> ACCEPT udp -- sip02.gafachi.com anywhere state NEW
>>> udp dpts:sip:5080
>>> ACCEPT udp -- 204.11.192.0/22 anywhere state NEW
>>> udp dpts:sip:5080
>>> REJECT all -- anywhere anywhere reject-with
>>> icmp-host-prohibited
>>>
>>> As far as I can tell, no one should be able to use port 25 from the
>>> world. Also, sendmail is only configured to allow relay from localhost:
>>>
>>> [***@sipx1 ~]# cat /etc/mail/access
>>>
>>> # Check the /usr/share/doc/sendmail/README.cf file for a description
>>> # of the format of this file. (search for access_db in that file)
>>> # The /usr/share/doc/sendmail/README.cf is part of the sendmail-doc
>>> # package.
>>> #
>>> # by default we allow relaying from localhost...
>>> Connect:localhost.localdomain RELAY
>>> Connect:localhost RELAY
>>> Connect:127.0.0.1 RELAY
>>> Can someone please help me figure out where this spam is coming from?
>>> Thanks.
>>>
>>> ~Noah
>>>
>>> On Oct 13, 2012, at 10:17 AM, Noah Mehl <***@tritonlimited.com> wrote:
>>>
>>> > I did not change the configuration of anything related to the PlcmSpIp
>>> user. It does however make me feel better that it is related to the vsftpd
>>> service and the polycom phones.
>>> >
>>> >> From /etc/passwd:
>>> >
>>> >
>>> PlcmSpIp:x:500:500::/var/sipxdata/configserver/phone/profile/tftproot:/sbin/nologin
>>> >
>>> > So, that user cannot ssh to a shell. So I don't think it was that.
>>> >
>>> > ~Noah
>>> >
>>> > On Oct 12, 2012, at 9:05 AM, Tony Graziano <
>>> ***@myitdepartment.net> wrote:
>>> >
>>> >> ... more -- its a user that does not have login to the OS itself, just
>>> >> vsftpd, which is restricted to certain commands and must present a
>>> >> request for its mac address in order to get a configuration file. It
>>> >> is not logging into linux unless someone changed the rights of the
>>> >> user.
>>> >>
>>> >> On Fri, Oct 12, 2012 at 7:30 AM, George Niculae <***@ezuce.com> wrote:
>>> >>> On Fri, Oct 12, 2012 at 2:26 PM, Tony Graziano <***@myitdepartment.net> wrote:
>>> >>>> this is not a valid system user unless you have manually added it to the
>>> >>>> system. I do think the logs would show more if access was granted. Why are
>>> >>>> you exposing sshd to the outside world with an acl or by protecting it at
>>> >>>> your firewall?
>>> >>>>
>>> >>>
>>> >>> PlcmSpIp is the user used by polycom phones for fetching config from server
>>> >>>
>>> >>> George
>>> >>> _______________________________________________
>>> >>> sipx-users mailing list
>>> >>> sipx-***@list.sipfoundry.org
>>> >>> List Archive: http://list.sipfoundry.org/archive/sipx-users/
>>> >>
>>> >>
>>> >>
>>> >> --
>>> >> ~~~~~~~~~~~~~~~~~~
>>> >> Tony Graziano, Manager
>>> >> Telephone: 434.984.8430
>>> >> sip: ***@voice.myitdepartment.net
>>> >> Fax: 434.465.6833
>>> >> ~~~~~~~~~~~~~~~~~~
>>> >> Linked-In Profile:
>>> >> http://www.linkedin.com/pub/tony-graziano/14/4a6/7a4
>>> >> Ask about our Internet Fax services!
>>> >> ~~~~~~~~~~~~~~~~~~
>>> >>
>>> >> Using or developing for sipXecs from SIPFoundry? Ask me about
>>> sipX-CoLab 2013!
>>> >>
>>> >> --
>>> >> LAN/Telephony/Security and Control Systems Helpdesk:
>>> >> Telephone: 434.984.8426
>>> >> sip: ***@voice.myitdepartment.net
>>> >>
>>> >> Helpdesk Customers: http://myhelp.myitdepartment.net
>>> >> Blog: http://blog.myitdepartment.net
>>> >
>>> >
>>> > Scanned for viruses and content by the Tranet Spam Sentinel service.
>>>
>>>
>>>
>>>
>>>
>>>
>>> --
>>> Michael Picher, Director of Technical Services
>>> eZuce, Inc.
>>> 300 Brickstone Square
>>> Suite 201
>>> Andover, MA. 01810
>>> O.978-296-1005 X2015
>>> M.207-956-0262
>>> @mpicher <http://twitter.com/mpicher>
>>> linkedin <http://www.linkedin.com/profile/view?id=35504760&trk=tab_pro>
>>> www.ezuce.com
>>>
>>> ------------------------------------------------------------------------------------------------------------
>>> There are 10 kinds of people in the world, those who understand
>>> binary and those who don't.
>>>
>>>
>>>
>>>
>>>
>>
>>
>>
>>
>>
>>
>>
>
>
>
>
>
>
>



Noah Mehl
2012-11-15 19:01:50 UTC
Permalink
I have no remote users at the moment, but that is definitely possible.

I understand the wisdom of locking down ssh to the world; however, I have almost a hundred Linux-based servers running this way, and have never had an issue. The reason I have never had an issue is that I NEVER use the root user or any default users for that matter, and all of my actual users are usually directory based, and for high value targets, use two-factor auth.

Either way, I have an issue, as I have many entries where this user was able to log in, and in my opinion that is a security problem, as I can account for all of the other ssh logins in the logs. And I was indeed "hacked". This looks to me like a default user with a default password, and there is apparently an active exploit for it.

In the meantime, I have removed outside ssh access.

~Noah

On Nov 15, 2012, at 1:52 PM, Tony Graziano <***@myitdepartment.net> wrote:

This is correct. Do you have any remote users? If not, you can actually delete the user because tftp does not use login. The group is correct.

If it were me, and it's not, I would make sure whatever firewall I have sipx behind is tightened down. There are a couple of ways to do that with ssh open, and one was mentioned to you early on in this thread.

For me I don't make SSH available, and I VPN in should I have the need. Then I login as a different user and su to root if I need that (don't allow root login with ssh either).

On Thu, Nov 15, 2012 at 1:41 PM, Noah Mehl <***@tritonlimited.com> wrote:
[***@sipx1 etc]# groups PlcmSpIp
PlcmSpIp : PlcmSpIp

~Noah

On Nov 15, 2012, at 1:35 PM, Tony Graziano <***@myitdepartment.net>
wrote:

What is the output of:

groups PlcmSpIp

On Thu, Nov 15, 2012 at 1:28 PM, Noah Mehl <***@tritonlimited.com> wrote:
I can tell you I am the only person who could have made a change, and I can promise you I would not have made any changes to that user. So, the bigger question is how is this happening...

From /etc/passwd:

PlcmSpIp:x:500:500::/var/sipxdata/configserver/phone/profile/tftproot:/sbin/nologin

However if I check /etc/shadow, there is indeed a password for that user. I certainly didn't set it.

~Noah

On Nov 15, 2012, at 1:18 PM, Tony Graziano <***@myitdepartment.net> wrote:

If you do not have sendmail-cf installed I would do that. I would then look through the sendmail.m4 file.

The default settings say ONLY ACCEPT from this box (being sipx).

passwd PlcmSpIp

you shouldn't need to do that. Unless you are actually able to correlate that user login with these occurrences. I have never seen this happen, but in your case it might be a first.

You will also need to change all of your phones in order to update them if they use FTP.

Have you considered tightening down your SSH config?

The PlcmSpIp user has no SSH login by default. I tried (as an example) from my LAN with IPTABLES OFF and I could not shell.

So everyone here wants to know... what have you done to that user account? If it is authenticating via SSH it has been modified. The user shell is "/sbin/nologin" by default. I still doubt something has been hacked and rather think that someone has altered the user to make it less secure. If this is the case, it's a result of that action.

Explain who did what to the user PlcmSpIp.

On Thu, Nov 15, 2012 at 12:56 PM, Noah Mehl <***@tritonlimited.com> wrote:
I'm using "hacked" because as far as I can tell, this is not an smtp relay issue. Therefore something on the system is open, and it has therefore been "hacked".

Here are some spam log entries in the maillog:

Nov 14 20:38:28 sipx1 sendmail[31880]: qAF1cSLn031880: from=<***@aol.org>, size=349, class=0, nrcpts=1, msgid=<***@sipx1.sip.tranet.net>, proto=SMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Nov 14 20:38:28 sipx1 sendmail[31880]: qAF1cSLn031880: to=<***@yahoo.co.uk>, delay=00:00:00, mailer=relay, pri=30349, dsn=4.4.3, stat=queued
Nov 14 20:38:34 sipx1 sendmail[32547]: qAF1cSLn031880: to=<***@yahoo.co.uk>, delay=00:00:06, xdelay=00:00:01, mailer=relay, pri=120349, relay=sentinel1.tranet.net. [74.203.219.99], dsn=2.0.0, stat=Sent (Ok: queued as 0F7351C0B53)
Nov 14 20:39:57 sipx1 sendmail[31945]: qAF1dufN031945: from=<***@rkw-lotus.com>, size=358, class=0, nrcpts=1, msgid=<***@sipx1.sip.tranet.net>, proto=SMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Nov 14 20:39:57 sipx1 sendmail[31945]: qAF1dufN031945: to=<***@yahoo.co.uk>, delay=00:00:00, mailer=relay, pri=30358, dsn=4.4.3, stat=queued
Nov 14 20:39:59 sipx1 sendmail[32547]: qAF1dufN031945: to=<***@yahoo.co.uk>, delay=00:00:02, xdelay=00:00:00, mailer=relay, pri=120358, relay=sentinel1.tranet.net. [74.203.219.99], dsn=2.0.0, stat=Sent (Ok: queued as 644861C0B57)
Nov 14 20:40:04 sipx1 sendmail[31953]: qAF1e3Ao031953: from=<***@rkw-lotus.com>, size=358, class=0, nrcpts=1, msgid=<***@sipx1.sip.tranet.net>, proto=SMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Nov 14 20:40:04 sipx1 sendmail[31953]: qAF1e3Ao031953: to=<***@yahoo.co.uk>, delay=00:00:00, mailer=relay, pri=30358, dsn=4.4.3, stat=queued
Nov 14 20:40:15 sipx1 sendmail[32547]: qAF1e3Ao031953: to=<***@yahoo.co.uk>, delay=00:00:11, xdelay=00:00:01, mailer=relay, pri=120358, relay=sentinel1.tranet.net. [74.203.219.99], dsn=2.0.0, stat=Sent (Ok: queued as ABC431C0B5B)
Nov 14 20:42:23 sipx1 sendmail[32050]: qAF1gMNl032050: from=<***@rkw-lotus.com>, size=358, class=0, nrcpts=1, msgid=<***@sipx1.sip.tranet.net>, proto=SMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Nov 14 20:42:23 sipx1 sendmail[32050]: qAF1gMNl032050: to=<***@yahoo.co.uk>, delay=00:00:00, mailer=relay, pri=30358, dsn=4.4.3, stat=queued
Nov 14 20:42:26 sipx1 sendmail[32547]: qAF1gMNl032050: to=<***@yahoo.co.uk>, delay=00:00:03, xdelay=00:00:01, mailer=relay, pri=120358, relay=sentinel1.tranet.net. [74.203.219.99], dsn=2.0.0, stat=Sent (Ok: queued as 488DE1C0B67)
Nov 14 21:08:02 sipx1 sendmail[32545]: qAF280Fd032545: from=<***@rkw-lotus.com>, size=361, class=0, nrcpts=2, msgid=<***@sipx1.sip.tranet.net>, proto=SMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Nov 14 21:08:02 sipx1 sendmail[32545]: qAF280Fd032545: to=<***@hotmail.com>, delay=00:00:00, mailer=relay, pri=60361, dsn=4.4.3, stat=queued
Nov 14 21:08:02 sipx1 sendmail[32545]: qAF280Fd032545: to=<***@yahoo.co.uk>, delay=00:00:00, mailer=relay, pri=60361, dsn=4.4.3, stat=queued
Nov 14 21:08:08 sipx1 sendmail[32547]: qAF280Fd032545: to=<***@yahoo.co.uk>,<***@hotmail.com>, delay=00:00:06, xdelay=00:00:01, mailer=relay, pri=150361, relay=sentinel1.tranet.net. [74.203.219.99], dsn=2.0.0, stat=Sent (Ok: queued as 1FAFD1BFD89)
Nov 14 21:08:12 sipx1 sendmail[32549]: qAF28A1h032549: from=<***@rkw-lotus.com>, size=361, class=0, nrcpts=2, msgid=<***@sipx1.sip.tranet.net>, proto=SMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Nov 14 21:08:12 sipx1 sendmail[32549]: qAF28A1h032549: to=<***@hotmail.com>, delay=00:00:01, mailer=relay, pri=60361, dsn=4.4.3, stat=queued
Nov 14 21:08:12 sipx1 sendmail[32549]: qAF28A1h032549: to=<***@yahoo.co.uk>, delay=00:00:01, mailer=relay, pri=60361, dsn=4.4.3, stat=queued
Nov 14 21:08:23 sipx1 sendmail[32547]: qAF28A1h032549: to=<***@yahoo.co.uk>,<***@hotmail.com>, delay=00:00:12, xdelay=00:00:00, mailer=relay, pri=150361, relay=sentinel1.tranet.net. [74.203.219.99], dsn=2.0.0, stat=Sent (Ok: queued as 4A9911BFD9F)
Nov 14 21:08:37 sipx1 sendmail[32559]: qAF28Z2x032559: from=<***@rkw-lotus.com>, size=361, class=0, nrcpts=2, msgid=<***@sipx1.sip.tranet.net>, proto=SMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Nov 14 21:08:37 sipx1 sendmail[32559]: qAF28Z2x032559: to=<***@hotmail.com>, delay=00:00:01, mailer=relay, pri=60361, dsn=4.4.3, stat=queued
Nov 14 21:08:37 sipx1 sendmail[32559]: qAF28Z2x032559: to=<***@yahoo.co.uk>, delay=00:00:01, mailer=relay, pri=60361, dsn=4.4.3, stat=queued
Nov 14 21:08:39 sipx1 sendmail[32547]: qAF28Z2x032559: to=<***@yahoo.co.uk>,<***@hotmail.com>, delay=00:00:03, xdelay=00:00:00, mailer=relay, pri=150361, relay=sentinel1.tranet.net. [74.203.219.99], dsn=2.0.0, stat=Sent (Ok: queued as 62A2D1BFDAB)
Nov 14 22:34:23 sipx1 sendmail[1047]: qAF3YKuO001047: from=<***@rkw-lotus.com>, size=5874, class=0, nrcpts=1, msgid=<***@sipx1.sip.tranet.net>, proto=SMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Nov 14 22:34:23 sipx1 sendmail[1047]: qAF3YKuO001047: to=<***@hotmail.com>, delay=00:00:01, mailer=relay, pri=35874, dsn=4.4.3, stat=queued
Nov 14 22:34:25 sipx1 sendmail[32547]: qAF3YKuO001047: to=<***@hotmail.com>, delay=00:00:03, xdelay=00:00:02, mailer=relay, pri=125874, relay=sentinel1.tranet.net. [74.203.219.99], dsn=2.0.0, stat=Sent (Ok: queued as 479D81C0BDE)
Nov 15 01:50:09 sipx1 sendmail[3176]: qAF6o7o5003176: from=<***@rkw-lotus.com>, size=5874, class=0, nrcpts=1, msgid=<***@sipx1.sip.tranet.net>, proto=SMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Nov 15 01:50:09 sipx1 sendmail[3176]: qAF6o7o5003176: to=<***@hotmail.com>, delay=00:00:01, mailer=relay, pri=35874, dsn=4.4.3, stat=queued
Nov 15 01:50:14 sipx1 sendmail[32547]: qAF6o7o5003176: to=<***@hotmail.com>, delay=00:00:06, xdelay=00:00:03, mailer=relay, pri=125874, relay=sentinel1.tranet.net. [74.203.219.99], dsn=2.0.0, stat=Sent (Ok: queued as 309221C0F12)
Nov 15 03:19:19 sipx1 sendmail[4123]: qAF8JHpS004123: from=<***@rkw-lotus.com>, size=5874, class=0, nrcpts=1, msgid=<***@sipx1.sip.tranet.net>, proto=SMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Nov 15 03:19:19 sipx1 sendmail[4123]: qAF8JHpS004123: to=<***@hotmail.com>, delay=00:00:00, mailer=relay, pri=35874, dsn=4.4.3, stat=queued
Nov 15 03:19:23 sipx1 sendmail[32547]: qAF8JHpS004123: to=<***@hotmail.com>, delay=00:00:04, xdelay=00:00:01, mailer=relay, pri=125874, relay=sentinel1.tranet.net. [74.203.219.99], dsn=2.0.0, stat=Sent (Ok: queued as 6B4E11C0F51)
Nov 15 03:26:33 sipx1 sendmail[4210]: qAF8Q78r004210: from=<***@rkw-lotus.com>, size=5925, class=0, nrcpts=50, msgid=<***@sipx1.sip.tranet.net>, proto=SMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]

As opposed to a normal entry:

Nov 15 10:02:23 sipx1 sendmail[11170]: qAFF2NI4011170: from=<***@localhost>, size=335352, class=0, nrcpts=1, msgid=<***@sipx1.sip.tranet.net>, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Nov 15 10:02:23 sipx1 sendmail[11170]: qAFF2NI4011170: to=<***@signmuseum.org>, delay=00:00:00, mailer=relay, pri=365352, dsn=4.4.3, stat=queued
Nov 15 10:02:40 sipx1 sendmail[10780]: qAFF2NI4011170: to=<***@signmuseum.org>, delay=00:00:17, xdelay=00:00:14, mailer=relay, pri=455352, relay=sentinel1.tranet.net. [74.203.219.99], dsn=2.0.0, stat=Sent (Ok: queued as 501B41C1CBE)

So, they are being generated locally, as far as I can tell.

~Noah

On Nov 15, 2012, at 12:42 PM, Todd Hodgen <***@frontier.com>
wrote:

+1

From: sipx-users-***@list.sipfoundry.org [mailto:sipx-users-***@list.sipfoundry.org] On Behalf Of Michael Picher
Sent: Thursday, November 15, 2012 7:49 AM
To: Discussion list for users of sipXecs software
Subject: Re: [sipx-users] Hacked SipXecs 4.4

yes, and using the word hacked as your subject is not particularly... helpful...

On Thu, Nov 15, 2012 at 3:32 PM, Tony Graziano <***@myitdepartment.net> wrote:
you really need to look at the mail log to see where the mail is coming from regardless of your firewall settings. It can actually come from inside you see.

On Thu, Nov 15, 2012 at 9:29 AM, Noah Mehl <***@tritonlimited.com> wrote:
I am seeing more spam in my mail queue. I have iptables installed, and here are my rules:

Chain INPUT (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp any
ACCEPT esp -- anywhere anywhere
ACCEPT ah -- anywhere anywhere
ACCEPT udp -- anywhere 224.0.0.251 udp dpt:mdns
ACCEPT udp -- anywhere anywhere udp dpt:ipp
ACCEPT tcp -- anywhere anywhere tcp dpt:ipp
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:pcsync-https
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:xmpp-client
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:5223
ACCEPT all -- 192.168.0.0/16 anywhere
ACCEPT udp -- anywhere anywhere state NEW udp dpt:sip
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:sip
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:sip-tls
ACCEPT udp -- sip02.gafachi.com anywhere state NEW udp dpts:sip:5080
ACCEPT udp -- 204.11.192.0/22 anywhere state NEW udp dpts:sip:5080
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

As far as I can tell, no one should be able to use port 25 from the world. Also, sendmail is only configured to allow relay from localhost:

[***@sipx1 ~]# cat /etc/mail/access
# Check the /usr/share/doc/sendmail/README.cf file for a description
# of the format of this file. (search for access_db in that file)
# The /usr/share/doc/sendmail/README.cf is part of the sendmail-doc
# package.
#
# by default we allow relaying from localhost...
Connect:localhost.localdomain RELAY
Connect:localhost RELAY
Connect:127.0.0.1 RELAY
Can someone please help me figure out where this spam is coming from? Thanks.

~Noah

On Oct 13, 2012, at 10:17 AM, Noah Mehl <***@tritonlimited.com> wrote:

> I did not change the configuration of anything related to the PlcmSpIp user. It does however make me feel better that it is related to the vsftpd service and the polycom phones.
>
> From /etc/passwd:
>
> PlcmSpIp:x:500:500::/var/sipxdata/configserver/phone/profile/tftproot:/sbin/nologin
>
> So, that user cannot ssh to a shell. So I don't think it was that.
>
> ~Noah
>
> On Oct 12, 2012, at 9:05 AM, Tony Graziano <***@myitdepartment.net> wrote:
>
>> ... more -- its a user that does not have login to the OS itself, just
>> vsftpd, which is restricted to certain commands and must present a
>> request for its mac address in order to get a configuration file. It
>> is not logging into linux unless someone changed the rights of the
>> user.
>>
>> On Fri, Oct 12, 2012 at 7:30 AM, George Niculae <***@ezuce.com> wrote:
>>> On Fri, Oct 12, 2012 at 2:26 PM, Tony Graziano
>>> <***@myitdepartment.net> wrote:
>>>> this is not a valid system user unless you have manually added it to the
>>>> system. I do think the logs would show more if access was granted. Why are
>>>> you exposing sshd to the outside world with an acl or by protecting it at
>>>> your firewall?
>>>>
>>>
>>> PlcmSpIp is the user used by polycom phones for fetching config from server
>>>
>>> George
>>
>>
>>
>
>
















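Added here as an example, not part of any of the list posts or of sipXecs itself: a small Python triage script for the two things Noah is checking above, the maillog entries injected over loopback with foreign sender domains, and the PlcmSpIp account that carries a shadow hash despite its /sbin/nologin shell. The log lines, passwd/shadow rows and hashes are constructed to mirror the formats quoted in the thread, and the set of local sender domains is an assumption.

```python
"""Triage helpers for the two anomalies in this thread: spam submitted to
sendmail over loopback, and a service account whose /etc/passwd shell is
/sbin/nologin while its /etc/shadow entry still holds a usable password."""
import re
from collections import Counter

# Sendmail "from=" line, e.g. "sendmail[31880]: qAF1cSLn031880: from=<x@aol.org>,
# size=349, class=0, nrcpts=1, msgid=<...>, proto=SMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]"
FROM_RE = re.compile(
    r"sendmail\[\d+\]: (?P<qid>\w+): from=<(?P<sender>[^>]*)>, size=(?P<size>\d+), "
    r"class=-?\d+, nrcpts=(?P<nrcpts>\d+), .*?proto=(?P<proto>\w+), daemon=\w+, "
    r"relay=(?P<relay>\S+) \[(?P<ip>[^\]]+)\]"
)

# Assumed: domains that legitimately originate mail on this box (sipXecs
# notifications show up from localhost or the server's own hostname).
LOCAL_DOMAINS = {"localhost", "localhost.localdomain", "sipx1.sip.tranet.net"}
# Shells that are meant to refuse an interactive session.
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}

def sender_domain(sender):
    """Domain part of an envelope sender; '' for the null sender used by bounces."""
    return sender.rsplit("@", 1)[1].lower() if "@" in sender else ""

def parse_from_lines(lines):
    """Yield one dict per sendmail 'from=' line; 'to=' and other lines are skipped."""
    for line in lines:
        m = FROM_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["nrcpts"] = int(rec["nrcpts"])
            yield rec

def is_suspicious(rec):
    """True for mail submitted over loopback whose envelope sender is a foreign
    domain, the pattern of the spam entries quoted in the thread. The null
    sender is left alone because local bounces look like that too."""
    dom = sender_domain(rec["sender"])
    return rec["ip"] == "127.0.0.1" and dom != "" and dom not in LOCAL_DOMAINS

def triage_maillog(lines):
    """Return (suspicious queue ids in log order, recipients per foreign sender domain)."""
    suspicious = []
    rcpts_by_domain = Counter()
    for rec in parse_from_lines(lines):
        if is_suspicious(rec):
            suspicious.append(rec["qid"])
            rcpts_by_domain[sender_domain(rec["sender"])] += rec["nrcpts"]
    return suspicious, rcpts_by_domain

def passwd_shadow_audit(passwd_text, shadow_text):
    """Return users whose shell is in NOLOGIN_SHELLS but whose shadow field is not
    locked ('!' or '*' prefix). A nologin shell only ends the session after sshd
    has authenticated the password and PAM has logged 'session opened', so such
    accounts still produce the /var/log/secure entries seen in this thread."""
    shells = {}
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) == 7:
            shells[fields[0]] = fields[6]
    findings = []
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) < 2:
            continue
        user, secret = fields[0], fields[1]
        if not secret.startswith(("!", "*")) and shells.get(user) in NOLOGIN_SHELLS:
            findings.append(user)
    return findings

# Constructed sample data (queue ids and domains follow the thread's entries).
SAMPLE_MAILLOG = """\
Nov 14 20:38:28 sipx1 sendmail[31880]: qAF1cSLn031880: from=<sender@aol.org>, size=349, class=0, nrcpts=1, msgid=<m1@sipx1.sip.tranet.net>, proto=SMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Nov 14 20:38:28 sipx1 sendmail[31880]: qAF1cSLn031880: to=<rcpt@yahoo.co.uk>, delay=00:00:00, mailer=relay, pri=30349, dsn=4.4.3, stat=queued
Nov 15 03:26:33 sipx1 sendmail[4210]: qAF8Q78r004210: from=<sender@rkw-lotus.com>, size=5925, class=0, nrcpts=50, msgid=<m2@sipx1.sip.tranet.net>, proto=SMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Nov 15 10:02:23 sipx1 sendmail[11170]: qAFF2NI4011170: from=<sipxchange@localhost>, size=335352, class=0, nrcpts=1, msgid=<m3@sipx1.sip.tranet.net>, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
"""

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
PlcmSpIp:x:500:500::/var/sipxdata/configserver/phone/profile/tftproot:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
"""

# Hash fields are placeholders, not real credential material.
SAMPLE_SHADOW = """\
root:$6$constructed$PLACEHOLDER:15600:0:99999:7:::
PlcmSpIp:$1$constructed$PLACEHOLDER:15600:0:99999:7:::
vcsa:!!:15600:0:99999:7:::
"""

if __name__ == "__main__":
    qids, per_domain = triage_maillog(SAMPLE_MAILLOG.splitlines())
    print("locally injected spam queue ids:", qids)
    print("recipients per foreign sender domain:", dict(per_domain))
    print("nologin accounts with a usable password:", passwd_shadow_audit(SAMPLE_PASSWD, SAMPLE_SHADOW))
```

Against a real host, feed it /var/log/maillog and the two account files; a queue id it flags can be matched against the sshd session lines by timestamp.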
Noah Mehl
2012-11-15 19:23:44 UTC
Permalink
I just tried a fresh install of 4.4.0 and the PlcmSpIp user has a password in /etc/shadow, why does this user have a password?

~Noah

On Nov 15, 2012, at 2:02 PM, Noah Mehl <***@tritonlimited.com> wrote:

I have no remote users at the moment, but that is definitely possible.

I understand the wisdom of locking down ssh to the world, however I have almost a hundred linux based servers running this way, and have never had an issue. The reason I have never had an issue is that I NEVER use the root user or any default users for that matter, and all of my actual users are usually directory based, and for high value targets, use two-factor auth.

Either way, I have an issue, as I have many entries where this user was able to log in, which in my opinion is a security problem, as I can account for all of the other ssh logins in the logs. And I was indeed "hacked". This looks to me like a default user with a default password, and there is apparently an active exploit for it.

In the meantime, I have removed outside ssh access.

~Noah

On Nov 15, 2012, at 1:52 PM, Tony Graziano <***@myitdepartment.net> wrote:

This is correct. Do you have any remote users? If not, you can actually delete the user because tftp does not use login. The group is correct.

If it were me, and it's not, I would make sure whatever firewall I have sipx behind is tightened down. There are a couple of ways to do that with ssh open, and one was mentioned to you early on in this thread.

For me I don't make SSH available, and I VPN in should I have the need. Then I log in as a different user and su to root if I need that (don't allow root login with ssh either).

On Thu, Nov 15, 2012 at 1:41 PM, Noah Mehl <***@tritonlimited.com> wrote:
[***@sipx1 etc]# groups PlcmSpIp
PlcmSpIp : PlcmSpIp

~Noah

On Nov 15, 2012, at 1:35 PM, Tony Graziano <***@myitdepartment.net> wrote:

What is the output of:

groups PlcmSpIp

On Thu, Nov 15, 2012 at 1:28 PM, Noah Mehl <***@tritonlimited.com> wrote:
I can tell you I am the only person who could have made a change, and I can promise you I would not have made any changes to that user. So, the bigger question is how is this happening...

From /etc/passwd:

PlcmSpIp:x:500:500::/var/sipxdata/configserver/phone/profile/tftproot:/sbin/nologin

However if I check /etc/shadow, there is indeed a password for that user. I certainly didn't set it.

~Noah

On Nov 15, 2012, at 1:18 PM, Tony Graziano <***@myitdepartment.net> wrote:

If you do not have sendmail-cf installed I would do that. I would then look through the sendmail.m4 file.

The default settings say ONLY ACCEPT from this box (being sipx).

passwd PlcmSpIp

You shouldn't need to do that, unless you are actually able to correlate that user login with these occurrences. I have never seen this happen, but in your case it might be a first.

You will also need to change all of your phones in order to update them if they use FTP.

Have you considered tightening down your SSH config?

The PlcmSpIp user has no SSH login by default. I tried (as an example) from my LAN with IPTABLES OFF and I could not shell.

So everyone here wants to know... what have you done to that user account? If it is authenticating via SSH it has been modified. The user shell is "/sbin/nologin" by default. I still doubt something has been hacked and rather think that someone has altered the user to make it less secure. If this is the case, it's a result of that action.

Explain who did what to the user PlcmSpIp.

On Thu, Nov 15, 2012 at 12:56 PM, Noah Mehl <***@tritonlimited.com> wrote:
I'm using "hacked" because as far as I can tell, this is not an SMTP relay issue. Therefore something on the system is open, and has therefore been "hacked".

Here are some spam log entries in the maillog:

Nov 14 20:38:28 sipx1 sendmail[31880]: qAF1cSLn031880: from=<***@aol.org>, size=349, class=0, nrcpts=1, msgid=<***@sipx1.sip.tranet.net>, proto=SMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Nov 14 20:38:28 sipx1 sendmail[31880]: qAF1cSLn031880: to=<***@yahoo.co.uk>, delay=00:00:00, mailer=relay, pri=30349, dsn=4.4.3, stat=queued
Nov 14 20:38:34 sipx1 sendmail[32547]: qAF1cSLn031880: to=<***@yahoo.co.uk>, delay=00:00:06, xdelay=00:00:01, mailer=relay, pri=120349, relay=sentinel1.tranet.net. [74.203.219.99], dsn=2.0.0, stat=Sent (Ok: queued as 0F7351C0B53)
Nov 14 20:39:57 sipx1 sendmail[31945]: qAF1dufN031945: from=<***@rkw-lotus.com>, size=358, class=0, nrcpts=1, msgid=<***@sipx1.sip.tranet.net>, proto=SMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Nov 14 20:39:57 sipx1 sendmail[31945]: qAF1dufN031945: to=<***@yahoo.co.uk>, delay=00:00:00, mailer=relay, pri=30358, dsn=4.4.3, stat=queued
Nov 14 20:39:59 sipx1 sendmail[32547]: qAF1dufN031945: to=<***@yahoo.co.uk>, delay=00:00:02, xdelay=00:00:00, mailer=relay, pri=120358, relay=sentinel1.tranet.net. [74.203.219.99], dsn=2.0.0, stat=Sent (Ok: queued as 644861C0B57)
Nov 14 20:40:04 sipx1 sendmail[31953]: qAF1e3Ao031953: from=<***@rkw-lotus.com>, size=358, class=0, nrcpts=1, msgid=<***@sipx1.sip.tranet.net>, proto=SMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Nov 14 20:40:04 sipx1 sendmail[31953]: qAF1e3Ao031953: to=<***@yahoo.co.uk>, delay=00:00:00, mailer=relay, pri=30358, dsn=4.4.3, stat=queued
Nov 14 20:40:15 sipx1 sendmail[32547]: qAF1e3Ao031953: to=<***@yahoo.co.uk>, delay=00:00:11, xdelay=00:00:01, mailer=relay, pri=120358, relay=sentinel1.tranet.net. [74.203.219.99], dsn=2.0.0, stat=Sent (Ok: queued as ABC431C0B5B)
Nov 14 20:42:23 sipx1 sendmail[32050]: qAF1gMNl032050: from=<***@rkw-lotus.com>, size=358, class=0, nrcpts=1, msgid=<***@sipx1.sip.tranet.net>, proto=SMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Nov 14 20:42:23 sipx1 sendmail[32050]: qAF1gMNl032050: to=<***@yahoo.co.uk>, delay=00:00:00, mailer=relay, pri=30358, dsn=4.4.3, stat=queued
Nov 14 20:42:26 sipx1 sendmail[32547]: qAF1gMNl032050: to=<***@yahoo.co.uk>, delay=00:00:03, xdelay=00:00:01, mailer=relay, pri=120358, relay=sentinel1.tranet.net. [74.203.219.99], dsn=2.0.0, stat=Sent (Ok: queued as 488DE1C0B67)
Nov 14 21:08:02 sipx1 sendmail[32545]: qAF280Fd032545: from=<***@rkw-lotus.com>, size=361, class=0, nrcpts=2, msgid=<***@sipx1.sip.tranet.net>, proto=SMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Nov 14 21:08:02 sipx1 sendmail[32545]: qAF280Fd032545: to=<***@hotmail.com>, delay=00:00:00, mailer=relay, pri=60361, dsn=4.4.3, stat=queued
Nov 14 21:08:02 sipx1 sendmail[32545]: qAF280Fd032545: to=<***@yahoo.co.uk>, delay=00:00:00, mailer=relay, pri=60361, dsn=4.4.3, stat=queued
Nov 14 21:08:08 sipx1 sendmail[32547]: qAF280Fd032545: to=<***@yahoo.co.uk>,<***@hotmail.com>, delay=00:00:06, xdelay=00:00:01, mailer=relay, pri=150361, relay=sentinel1.tranet.net. [74.203.219.99], dsn=2.0.0, stat=Sent (Ok: queued as 1FAFD1BFD89)
Nov 14 21:08:12 sipx1 sendmail[32549]: qAF28A1h032549: from=<***@rkw-lotus.com>, size=361, class=0, nrcpts=2, msgid=<***@sipx1.sip.tranet.net>, proto=SMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Nov 14 21:08:12 sipx1 sendmail[32549]: qAF28A1h032549: to=<***@hotmail.com>, delay=00:00:01, mailer=relay, pri=60361, dsn=4.4.3, stat=queued
Nov 14 21:08:12 sipx1 sendmail[32549]: qAF28A1h032549: to=<***@yahoo.co.uk>, delay=00:00:01, mailer=relay, pri=60361, dsn=4.4.3, stat=queued
Nov 14 21:08:23 sipx1 sendmail[32547]: qAF28A1h032549: to=<***@yahoo.co.uk>,<***@hotmail.com>, delay=00:00:12, xdelay=00:00:00, mailer=relay, pri=150361, relay=sentinel1.tranet.net. [74.203.219.99], dsn=2.0.0, stat=Sent (Ok: queued as 4A9911BFD9F)
Nov 14 21:08:37 sipx1 sendmail[32559]: qAF28Z2x032559: from=<***@rkw-lotus.com>, size=361, class=0, nrcpts=2, msgid=<***@sipx1.sip.tranet.net>, proto=SMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Nov 14 21:08:37 sipx1 sendmail[32559]: qAF28Z2x032559: to=<***@hotmail.com>, delay=00:00:01, mailer=relay, pri=60361, dsn=4.4.3, stat=queued
Nov 14 21:08:37 sipx1 sendmail[32559]: qAF28Z2x032559: to=<***@yahoo.co.uk>, delay=00:00:01, mailer=relay, pri=60361, dsn=4.4.3, stat=queued
Nov 14 21:08:39 sipx1 sendmail[32547]: qAF28Z2x032559: to=<***@yahoo.co.uk>,<***@hotmail.com>, delay=00:00:03, xdelay=00:00:00, mailer=relay, pri=150361, relay=sentinel1.tranet.net. [74.203.219.99], dsn=2.0.0, stat=Sent (Ok: queued as 62A2D1BFDAB)
Nov 14 22:34:23 sipx1 sendmail[1047]: qAF3YKuO001047: from=<***@rkw-lotus.com>, size=5874, class=0, nrcpts=1, msgid=<***@sipx1.sip.tranet.net>, proto=SMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Nov 14 22:34:23 sipx1 sendmail[1047]: qAF3YKuO001047: to=<***@hotmail.com>, delay=00:00:01, mailer=relay, pri=35874, dsn=4.4.3, stat=queued
Nov 14 22:34:25 sipx1 sendmail[32547]: qAF3YKuO001047: to=<***@hotmail.com>, delay=00:00:03, xdelay=00:00:02, mailer=relay, pri=125874, relay=sentinel1.tranet.net. [74.203.219.99], dsn=2.0.0, stat=Sent (Ok: queued as 479D81C0BDE)
Nov 15 01:50:09 sipx1 sendmail[3176]: qAF6o7o5003176: from=<***@rkw-lotus.com>, size=5874, class=0, nrcpts=1, msgid=<***@sipx1.sip.tranet.net>, proto=SMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Nov 15 01:50:09 sipx1 sendmail[3176]: qAF6o7o5003176: to=<***@hotmail.com>, delay=00:00:01, mailer=relay, pri=35874, dsn=4.4.3, stat=queued
Nov 15 01:50:14 sipx1 sendmail[32547]: qAF6o7o5003176: to=<***@hotmail.com>, delay=00:00:06, xdelay=00:00:03, mailer=relay, pri=125874, relay=sentinel1.tranet.net. [74.203.219.99], dsn=2.0.0, stat=Sent (Ok: queued as 309221C0F12)
Nov 15 03:19:19 sipx1 sendmail[4123]: qAF8JHpS004123: from=<***@rkw-lotus.com>, size=5874, class=0, nrcpts=1, msgid=<***@sipx1.sip.tranet.net>, proto=SMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Nov 15 03:19:19 sipx1 sendmail[4123]: qAF8JHpS004123: to=<***@hotmail.com>, delay=00:00:00, mailer=relay, pri=35874, dsn=4.4.3, stat=queued
Nov 15 03:19:23 sipx1 sendmail[32547]: qAF8JHpS004123: to=<***@hotmail.com>, delay=00:00:04, xdelay=00:00:01, mailer=relay, pri=125874, relay=sentinel1.tranet.net. [74.203.219.99], dsn=2.0.0, stat=Sent (Ok: queued as 6B4E11C0F51)
Nov 15 03:26:33 sipx1 sendmail[4210]: qAF8Q78r004210: from=<***@rkw-lotus.com>, size=5925, class=0, nrcpts=50, msgid=<***@sipx1.sip.tranet.net>, proto=SMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]

As opposed to a normal entry:

Nov 15 10:02:23 sipx1 sendmail[11170]: qAFF2NI4011170: from=<***@localhost>, size=335352, class=0, nrcpts=1, msgid=<***@sipx1.sip.tranet.net>, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Nov 15 10:02:23 sipx1 sendmail[11170]: qAFF2NI4011170: to=<***@signmuseum.org>, delay=00:00:00, mailer=relay, pri=365352, dsn=4.4.3, stat=queued
Nov 15 10:02:40 sipx1 sendmail[10780]: qAFF2NI4011170: to=<***@signmuseum.org>, delay=00:00:17, xdelay=00:00:14, mailer=relay, pri=455352, relay=sentinel1.tranet.net. [74.203.219.99], dsn=2.0.0, stat=Sent (Ok: queued as 501B41C1CBE)

So, they are being generated locally, as far as I can tell.

~Noah

On Nov 15, 2012, at 12:42 PM, Todd Hodgen <***@frontier.com> wrote:

+1

From: sipx-users-***@list.sipfoundry.org [mailto:sipx-users-***@list.sipfoundry.org] On Behalf Of Michael Picher
Sent: Thursday, November 15, 2012 7:49 AM
To: Discussion list for users of sipXecs software
Subject: Re: [sipx-users] Hacked SipXecs 4.4

yes, and using the word hacked as your subject is not particularly... helpful...

On Thu, Nov 15, 2012 at 3:32 PM, Tony Graziano <***@myitdepartment.net> wrote:
You really need to look at the mail log to see where the mail is coming from regardless of your firewall settings. It can actually come from inside, you see.

On Thu, Nov 15, 2012 at 9:29 AM, Noah Mehl <***@tritonlimited.com> wrote:
I am seeing more spam in my mail queue. I have iptables installed, and here are my rules:

Chain INPUT (policy ACCEPT)
target              prot opt source               destination
RH-Firewall-1-INPUT all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target              prot opt source               destination
RH-Firewall-1-INPUT all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target              prot opt source               destination

Chain RH-Firewall-1-INPUT (2 references)
target  prot opt source               destination
ACCEPT  all  --  anywhere             anywhere
ACCEPT  icmp --  anywhere             anywhere             icmp any
ACCEPT  esp  --  anywhere             anywhere
ACCEPT  ah   --  anywhere             anywhere
ACCEPT  udp  --  anywhere             224.0.0.251          udp dpt:mdns
ACCEPT  udp  --  anywhere             anywhere             udp dpt:ipp
ACCEPT  tcp  --  anywhere             anywhere             tcp dpt:ipp
ACCEPT  all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT  tcp  --  anywhere             anywhere             state NEW tcp dpt:pcsync-https
ACCEPT  tcp  --  anywhere             anywhere             state NEW tcp dpt:http
ACCEPT  tcp  --  anywhere             anywhere             state NEW tcp dpt:xmpp-client
ACCEPT  tcp  --  anywhere             anywhere             state NEW tcp dpt:5223
ACCEPT  all  --  192.168.0.0/16       anywhere
ACCEPT  udp  --  anywhere             anywhere             state NEW udp dpt:sip
ACCEPT  tcp  --  anywhere             anywhere             state NEW tcp dpt:sip
ACCEPT  tcp  --  anywhere             anywhere             state NEW tcp dpt:sip-tls
ACCEPT  udp  --  sip02.gafachi.com    anywhere             state NEW udp dpts:sip:5080
ACCEPT  udp  --  204.11.192.0/22      anywhere             state NEW udp dpts:sip:5080
REJECT  all  --  anywhere             anywhere             reject-with icmp-host-prohibited

As far as I can tell, no one should be able to use port 25 from the world. Also, sendmail is only configured to allow relay from localhost:

[***@sipx1 ~]# cat /etc/mail/access
# Check the /usr/share/doc/sendmail/README.cf file for a description
# of the format of this file. (search for access_db in that file)
# The /usr/share/doc/sendmail/README.cf is part of the sendmail-doc
# package.
#
# by default we allow relaying from localhost...
Connect:localhost.localdomain RELAY
Connect:localhost RELAY
Connect:127.0.0.1 RELAY

Can someone please help me figure out where this spam is coming from? Thanks.

~Noah

On Oct 13, 2012, at 10:17 AM, Noah Mehl <***@tritonlimited.com> wrote:

> I did not change the configuration of anything related to the PlcmSpIp user. It does however make me feel better that it is related to the vsftpd service and the polycom phones.
>
> From /etc/passwd:
>
> PlcmSpIp:x:500:500::/var/sipxdata/configserver/phone/profile/tftproot:/sbin/nologin
>
> So, that user cannot ssh to a shell. So I don't think it was that.
>
> ~Noah
>
> On Oct 12, 2012, at 9:05 AM, Tony Graziano <***@myitdepartment.net> wrote:
>
>> ... more -- it's a user that does not have login to the OS itself, just
>> vsftpd, which is restricted to certain commands and must present a
>> request for its mac address in order to get a configuration file. It
>> is not logging into linux unless someone changed the rights of the
>> user.
>>
>> On Fri, Oct 12, 2012 at 7:30 AM, George Niculae <***@ezuce.com> wrote:
>>> On Fri, Oct 12, 2012 at 2:26 PM, Tony Graziano <***@myitdepartment.net> wrote:
>>>> this is not a valid system user unless you have manually added it to the
>>>> system. I do think the logs would show more if access was granted. Why are
>>>> you exposing sshd to the outside world with an acl or by protecting it at
>>>> your firewall?
>>>>
>>>
>>> PlcmSpIp is the user used by polycom phones for fetching config from server
>>>
>>> George
>
>
> Scanned for viruses and content by the Tranet Spam Sentinel service.







--
Michael Picher, Director of Technical Services
eZuce, Inc.
300 Brickstone Square
Suite 201
Andover, MA. 01810
O.978-296-1005 X2015
M.207-956-0262
@mpicher <http://twitter.com/mpicher>
linkedin: http://www.linkedin.com/profile/view?id=35504760&trk=tab_pro
www.ezuce.com

------------------------------------------------------------------------------------------------------------
There are 10 kinds of people in the world, those who understand binary and those who don't.










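The maillog reading Noah does above (relay=localhost.localdomain [127.0.0.1] on every spam entry, proto=SMTP from foreign sender domains versus proto=ESMTP from an @localhost sender on the legitimate one) can be turned into a repeatable triage step. The script below is an added example, not code from this thread or from sipXecs: it parses sendmail maillog lines, groups them by queue ID and reports locally injected messages whose envelope sender is not one of the server's own names. The sample log lines, the LOCAL_SENDER_DOMAINS set and all addresses are constructed placeholders.

```python
"""Triage sendmail maillog lines for mail injected through the loopback.

Added example, not code from the sipx-users thread or from sipXecs. It groups
lines by sendmail queue ID, joins each message's from= record with its to=
records, and reports messages the MTA accepted from 127.0.0.1 whose envelope
sender is not one of this server's own names: the pattern in the thread,
where every spam entry shows relay=localhost.localdomain [127.0.0.1] and
proto=SMTP, while the legitimate entry is proto=ESMTP from <...@localhost>.
The sample lines are constructed (example.* addresses, 192.0.2.10 smarthost).
"""
import re
from collections import defaultdict

# Assumption: the names this host legitimately sends as; adjust per server.
LOCAL_SENDER_DOMAINS = {"localhost", "sipx1.sip.example.net"}

SAMPLE_MAILLOG = """\
Nov 14 20:38:28 sipx1 sendmail[31880]: qAF1cSLn031880: from=<bulk@example.org>, size=349, class=0, nrcpts=1, msgid=<201211150138.qAF1cSLn031880@sipx1.sip.example.net>, proto=SMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Nov 14 20:38:28 sipx1 sendmail[31880]: qAF1cSLn031880: to=<one@example.co.uk>, delay=00:00:00, mailer=relay, pri=30349, dsn=4.4.3, stat=queued
Nov 14 20:38:34 sipx1 sendmail[32547]: qAF1cSLn031880: to=<one@example.co.uk>, delay=00:00:06, xdelay=00:00:01, mailer=relay, pri=120349, relay=smarthost.example.net. [192.0.2.10], dsn=2.0.0, stat=Sent (Ok: queued as AAAA0001)
Nov 14 21:08:02 sipx1 sendmail[32545]: qAF280Fd032545: from=<bulk@example.com>, size=361, class=0, nrcpts=2, msgid=<201211150208.qAF280Fd032545@sipx1.sip.example.net>, proto=SMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Nov 14 21:08:02 sipx1 sendmail[32545]: qAF280Fd032545: to=<two@example.com>, delay=00:00:00, mailer=relay, pri=60361, dsn=4.4.3, stat=queued
Nov 14 21:08:02 sipx1 sendmail[32545]: qAF280Fd032545: to=<one@example.co.uk>, delay=00:00:00, mailer=relay, pri=60361, dsn=4.4.3, stat=queued
Nov 14 21:08:08 sipx1 sendmail[32547]: qAF280Fd032545: to=<one@example.co.uk>,<two@example.com>, delay=00:00:06, xdelay=00:00:01, mailer=relay, pri=150361, relay=smarthost.example.net. [192.0.2.10], dsn=2.0.0, stat=Sent (Ok: queued as AAAA0002)
Nov 15 03:26:33 sipx1 sendmail[4210]: qAF8Q78r004210: from=<bulk@example.com>, size=5925, class=0, nrcpts=50, msgid=<201211150826.qAF8Q78r004210@sipx1.sip.example.net>, proto=SMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Nov 15 10:02:23 sipx1 sendmail[11170]: qAFF2NI4011170: from=<sipx@localhost>, size=335352, class=0, nrcpts=1, msgid=<201211151502.qAFF2NI4011170@sipx1.sip.example.net>, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Nov 15 10:02:23 sipx1 sendmail[11170]: qAFF2NI4011170: to=<admin@example.org>, delay=00:00:00, mailer=relay, pri=365352, dsn=4.4.3, stat=queued
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sendmail\[\d+\]: (?P<qid>\w+): (?P<body>.*)$"
)
# key=value pairs; keeps "<a>,<b>" recipient lists and "host [ip]" values whole.
FIELD_RE = re.compile(r"(\w+)=(<[^>]*>(?:,<[^>]*>)*|[^,]+)")


def addresses(value):
    """'<a@x>,<b@y>' -> ['a@x', 'b@y']"""
    return [a.strip("<>") for a in value.split(",") if a]


def sender_domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else addr.lower()


def group_by_queue_id(log_text):
    """qid -> {'envelope': fields of the from= record, 'to': [fields of to= records]}"""
    msgs = defaultdict(lambda: {"envelope": None, "to": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        fields = dict(FIELD_RE.findall(m["body"]))
        if "from" in fields:
            fields["ts"] = m["ts"]
            msgs[m["qid"]]["envelope"] = fields
        elif "to" in fields:
            msgs[m["qid"]]["to"].append(fields)
    return dict(msgs)


def find_locally_injected(log_text, local_domains=LOCAL_SENDER_DOMAINS):
    """Messages accepted from 127.0.0.1 whose envelope sender is not one of ours.

    A loopback relay= means the submitting client connected from this host,
    which matches Noah's reading that the spam is generated locally and is
    why the iptables rules and the sendmail access map looked clean."""
    findings = []
    for qid, rec in group_by_queue_id(log_text).items():
        env = rec["envelope"]
        if env is None or not env.get("relay", "").endswith("[127.0.0.1]"):
            continue
        sender = addresses(env["from"])[0]
        if sender_domain(sender) in local_domains:
            continue
        sent = [t for t in rec["to"] if t.get("stat", "").startswith("Sent")]
        findings.append({
            "qid": qid, "ts": env["ts"], "sender": sender,
            # proto=SMTP (plain HELO) instead of ESMTP is only a weak hint of a
            # scripted client; the thread's spam lines show it, the normal one not.
            "proto": env.get("proto"),
            "nrcpts": int(env.get("nrcpts", "0")),
            "recipients": sorted({a for t in rec["to"] for a in addresses(t["to"])}),
            "smarthost": sent[0].get("relay") if sent else None,
        })
    return findings


def summarize(findings):
    """Message and recipient counts per envelope-sender domain."""
    per_domain = defaultdict(lambda: {"messages": 0, "recipients": 0})
    for f in findings:
        d = per_domain[sender_domain(f["sender"])]
        d["messages"] += 1
        d["recipients"] += f["nrcpts"]
    return dict(per_domain)


if __name__ == "__main__":
    found = find_locally_injected(SAMPLE_MAILLOG)
    for f in found:
        print(f"{f['ts']} {f['qid']} {f['proto'] or '?':<5} from {f['sender']} "
              f"nrcpts={f['nrcpts']} -> {', '.join(f['recipients']) or '(not yet queued)'}")
    print(summarize(found))
```

On a live system, feed it `/var/log/maillog` and set LOCAL_SENDER_DOMAINS to the hostnames the box legitimately sends as; nrcpts comes from the envelope and is the better volume count, since to= lines only appear once sendmail has queued the recipient.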
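The other strand of evidence in the thread is the account itself: PlcmSpIp has /sbin/nologin as its shell, yet a real hash in /etc/shadow and sshd "session opened" records. sshd verifies the password and opens the PAM session (which writes that log line) before it ever executes the shell, so a nologin shell stops an interactive shell but not authentication. The check below is an added example, not code from this thread or from sipXecs: it cross-references constructed /etc/passwd, /etc/shadow and /var/log/secure excerpts (placeholder hashes, a TEST-NET source address) and reports non-login-shell accounts that can still authenticate, with the sshd sessions seen for them. As Tony notes above, the hash exists because the Polycom phones fetch their configuration over FTP with it, so the remedy is the one the thread gives: delete the user when no remote phones need FTP, and otherwise keep sshd from accepting that account.

```python
"""Flag non-login-shell accounts that can still authenticate over SSH.

Added example, not code from the sipx-users thread or from sipXecs. sshd
checks the password, opens the PAM session (the 'session opened' line in
/var/log/secure) and only then runs the account's shell, so /sbin/nologin
does not prevent authentication; only the shadow hash does. The passwd,
shadow and secure-log excerpts below are constructed: the hashes are
placeholders and 198.51.100.23 is a TEST-NET address.
"""
import re
from collections import defaultdict

NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}
HASH_TYPES = {"1": "md5-crypt", "5": "sha256-crypt", "6": "sha512-crypt"}

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
sipx:x:499:499::/var/sipxdata:/bin/bash
PlcmSpIp:x:500:500::/var/sipxdata/configserver/phone/profile/tftproot:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
"""
SAMPLE_SHADOW = """\
root:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:15600:0:99999:7:::
sipx:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:15600:0:99999:7:::
PlcmSpIp:$1$PLACEHOLDER$PLACEHOLDERHASH:15600:0:99999:7:::
apache:!!:15600::::::
"""
SAMPLE_SECURE = """\
Oct 11 06:09:25 sipx1 sshd[22059]: Accepted password for PlcmSpIp from 198.51.100.23 port 51922 ssh2
Oct 11 06:09:25 sipx1 sshd[22059]: pam_unix(sshd:session): session opened for user PlcmSpIp by (uid=0)
Oct 11 18:36:02 sipx1 sshd[29185]: Accepted password for PlcmSpIp from 198.51.100.23 port 40210 ssh2
Oct 11 18:36:02 sipx1 sshd[29185]: pam_unix(sshd:session): session opened for user PlcmSpIp by (uid=0)
Oct 12 09:00:01 sipx1 sshd[29300]: Accepted publickey for sipx from 192.168.1.20 port 50001 ssh2
Oct 12 09:00:01 sipx1 sshd[29300]: pam_unix(sshd:session): session opened for user sipx by (uid=0)
"""

SESSION_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"pam_unix\(sshd:session\): session opened for user (?P<user>\S+) by"
)
ACCEPT_RE = re.compile(
    r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ sshd\[\d+\]: "
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_passwd(text):
    """name -> {'uid', 'gid', 'home', 'shell'} from passwd(5) lines."""
    users = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, _, uid, gid, _, home, shell = line.split(":", 6)
            users[name] = {"uid": int(uid), "gid": int(gid), "home": home, "shell": shell}
    return users


def parse_shadow(text):
    """name -> encrypted-password field from shadow(5) lines."""
    rows = (line.split(":", 2) for line in text.splitlines() if line and not line.startswith("#"))
    return {parts[0]: parts[1] for parts in rows}


def hash_is_usable(pw_hash):
    """True when the field can authenticate a password. A '!' or '*' prefix
    (including '!!' and what `passwd -l` writes) means locked; an empty field
    means no password is required at all, so it counts as usable."""
    return not pw_hash.startswith(("!", "*"))


def hash_type(pw_hash):
    parts = pw_hash.split("$")          # "$id$salt$hash" -> ["", id, salt, hash]
    if len(parts) > 2:
        return HASH_TYPES.get(parts[1], "other-crypt")
    return "none" if pw_hash == "" else "des-crypt"


def sshd_activity(secure_text):
    """user -> session-open timestamps; user -> auth method -> source IPs."""
    sessions, accepted = defaultdict(list), defaultdict(lambda: defaultdict(set))
    for line in secure_text.splitlines():
        m = SESSION_RE.match(line)
        if m:
            sessions[m["user"]].append(m["ts"])
            continue
        m = ACCEPT_RE.match(line)
        if m:
            accepted[m["user"]][m["method"]].add(m["src"])
    return sessions, accepted


def audit(passwd_text, shadow_text, secure_text):
    """Accounts with a non-login shell whose hash still works, with the sshd
    sessions and password-login sources recorded for them."""
    users, hashes = parse_passwd(passwd_text), parse_shadow(shadow_text)
    sessions, accepted = sshd_activity(secure_text)
    findings = []
    for name, u in sorted(users.items()):
        pw_hash = hashes.get(name, "!")  # no shadow entry: treat as locked
        if u["shell"] in NOLOGIN_SHELLS and hash_is_usable(pw_hash):
            findings.append({
                "user": name, "shell": u["shell"], "hash_type": hash_type(pw_hash),
                "ssh_sessions": len(sessions.get(name, [])),
                "ssh_password_sources": sorted(accepted.get(name, {}).get("password", ())),
            })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_PASSWD, SAMPLE_SHADOW, SAMPLE_SECURE):
        print(f"{f['user']}: shell={f['shell']} hash={f['hash_type']} "
              f"sshd_sessions={f['ssh_sessions']} password_logins_from={f['ssh_password_sources']}")
    # Remediation depends on whether the hash is needed. In sipXecs the Polycom
    # phones authenticate to vsftpd with this same password, so `passwd -l`
    # would also break provisioning; per the thread, delete the account when no
    # remote phone needs FTP, otherwise keep sshd from accepting it (e.g. a
    # DenyUsers entry in sshd_config) and do not expose sshd to the Internet.
```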
Tony Graziano
2012-11-15 19:27:36 UTC
Permalink
Because if the phone needs to FTP for its configuration it requires a
password. I think this was mentioned already. If you DO NOT use remote
users, you can SAFELY DELETE that user though. I think this was also
mentioned to you.

On Thu, Nov 15, 2012 at 2:23 PM, Noah Mehl <***@tritonlimited.com> wrote:

> I just tried a fresh install of 4.4.0, and the PlcmSpIp user has a
> password in /etc/shadow. Why does this user have a password?
>
> ~Noah
>
> On Nov 15, 2012, at 2:02 PM, Noah Mehl <***@tritonlimited.com> wrote:
>
> I have no remote users at the moment, but that is definitely possible.
>
> I understand the wisdom of locking down ssh to the world, however I have
> almost a hundred Linux-based servers running this way, and have never had
> an issue. The reason I have never had an issue is that I NEVER use the
> root user or any default users for that matter, and all of my actual users
> are usually directory based, and for high value targets, use two-factor
> auth.
>
> Either way, I have an issue, as I have many entries where this user was
> able to log in, which in my opinion is a security problem, as I can account
> for all of the other ssh logins in the logs. And I was indeed "hacked".
> This looks to me like a default user with a default password, and there is
> apparently an active exploit for it.
>
> In the meantime, I have removed outside ssh access.
>
> ~Noah
>
> On Nov 15, 2012, at 1:52 PM, Tony Graziano <***@myitdepartment.net>
> wrote:
>
> This is correct. Do you have any remote users? If not, you can actually
> delete the user because t

ftp does not use login. The group is correct.
>
> If it were me, and it's not, I would make sure whatever firewall I have
> sipx behind is tightened down. There are a couple of ways to do that with
> ssh open, and one was mentioned to you early on in this thread.
>
> For me I don't make SSH available, and I VPN in should I have the need.
> Then I log in as a different user and su to root if I need that (don't allow
> root login with ssh either).
>
> On Thu, Nov 15, 2012 at 1:41 PM, Noah Mehl <***@tritonlimited.com> wrote:
>
>> [***@sipx1 etc]# groups PlcmSpIp
>> PlcmSpIp : PlcmSpIp
>>
>> ~Noah
>>
>> On Nov 15, 2012, at 1:35 PM, Tony Graziano <***@myitdepartment.net> wrote:
>>
>> What is the output of:
>>
>> groups PlcmSpIp
>>
>> On Thu, Nov 15, 2012 at 1:28 PM, Noah Mehl <***@tritonlimited.com> wrote:
>>
>>> I can tell you I am the only person who could have made a change, and I
>>> can promise you I would not have made any changes to that user. So, the
>>> bigger question is how is this happening...
>>>
>>> From /etc/passwd:
>>>
>>>
>>> PlcmSpIp:x:500:500::/var/sipxdata/configserver/phone/profile/tftproot:/sbin/nologin
>>>
>>> However if I check /etc/shadow, there is indeed a password for that
>>> user. I certainly didn't set it.
>>>
>>> ~Noah
>>>
>>> On Nov 15, 2012, at 1:18 PM, Tony Graziano <***@myitdepartment.net> wrote:
>>>
>>> If you do not have sendmail-cf installed I would do that. I would then
>>> look through the sendmail.m4 file.
>>>
>>> The default settings say ONLY ACCEPT from this box (being sipx).
>>>
>>> passwd PlcmSpIp
>>>
>>> You shouldn't need to do that, unless you are actually able to
>>> correlate that user login with these occurrences. I have never seen this
>>> happen, but in your case it might be a first.
>>>
>>> You will also need to change all of your phones in order to update
>>> them if they use FTP.
>>>
>>> Have you considered tightening down your SSH config?
>>>
>>> The PlcmSpIp user has no SSH login by default. I tried (as an example)
>>> from my LAN with IPTABLES OFF and I could not shell.
>>>
>>> So everyone here wants to know... what have you done to that user
>>> account? If it is authenticating via SSH it has been modified. The user
>>> shell is "/sbin/nologin" by default. I still doubt something has been
>>> hacked and rather think that someone has altered the user to make it less
>>> secure. If this is the case, it's a result of that action.
>>>
>>> Explain who did what to the user PlcmSpIp.
>>>
>>> On Thu, Nov 15, 2012 at 12:56 PM, Noah Mehl <***@tritonlimited.com> wrote:
>>>
>>>> I'm using "hacked" because as far as I can tell, this is not an SMTP
>>>> relay issue. Therefore something on the system is open, and has therefore
>>>> been "hacked".
>>>>
>>>> Here are some spam log entries in the maillog:
>>>>
>>>> Nov 14 20:38:28 sipx1 sendmail[31880]: qAF1cSLn031880: from=<***@aol.org>,
>>>> size=349, class=0, nrcpts=1, msgid=<201211150138.
>>>> ***@sipx1.sip.tranet.net>, proto=SMTP, daemon=MTA,
>>>> relay=localhost.localdomain [127.0.0.1]
>>>> Nov 14 20:38:28 sipx1 sendmail[31880]: qAF1cSLn031880: to=<
>>>> ***@yahoo.co.uk>, delay=00:00:00, mailer=relay, pri=30349,
>>>> dsn=4.4.3, stat=queued
>>>> Nov 14 20:38:34 sipx1 sendmail[32547]: qAF1cSLn031880: to=<
>>>> ***@yahoo.co.uk>, delay=00:00:06, xdelay=00:00:01,
>>>> mailer=relay, pri=120349, relay=sentinel1.tranet.net. [74.203.219.99],
>>>> dsn=2.0.0, stat=Sent (Ok: queued as 0F7351C0B53)
>>>> Nov 14 20:39:57 sipx1 sendmail[31945]: qAF1dufN031945: from=<
>>>> ***@rkw-lotus.com>, size=358, class=0, nrcpts=1, msgid=<201211150139.
>>>> ***@sipx1.sip.tranet.net>, proto=SMTP, daemon=MTA,
>>>> relay=localhost.localdomain [127.0.0.1]
>>>> Nov 14 20:39:57 sipx1 sendmail[31945]: qAF1dufN031945: to=<
>>>> ***@yahoo.co.uk>, delay=00:00:00, mailer=relay, pri=30358,
>>>> dsn=4.4.3, stat=queued
>>>> Nov 14 20:39:59 sipx1 sendmail[32547]: qAF1dufN031945: to=<
>>>> ***@yahoo.co.uk>, delay=00:00:02, xdelay=00:00:00,
>>>> mailer=relay, pri=120358, relay=sentinel1.tranet.net. [74.203.219.99],
>>>> dsn=2.0.0, stat=Sent (Ok: queued as 644861C0B57)
>>>> Nov 14 20:40:04 sipx1 sendmail[31953]: qAF1e3Ao031953: from=<
>>>> ***@rkw-lotus.com>, size=358, class=0, nrcpts=1, msgid=<201211150140.
>>>> ***@sipx1.sip.tranet.net>, proto=SMTP, daemon=MTA,
>>>> relay=localhost.localdomain [127.0.0.1]
>>>> Nov 14 20:40:04 sipx1 sendmail[31953]: qAF1e3Ao031953: to=<
>>>> ***@yahoo.co.uk>, delay=00:00:00, mailer=relay, pri=30358,
>>>> dsn=4.4.3, stat=queued
>>>> Nov 14 20:40:15 sipx1 sendmail[32547]: qAF1e3Ao031953: to=<
>>>> ***@yahoo.co.uk>, delay=00:00:11, xdelay=00:00:01,
>>>> mailer=relay, pri=120358, relay=sentinel1.tranet.net. [74.203.219.99],
>>>> dsn=2.0.0, stat=Sent (Ok: queued as ABC431C0B5B)
>>>> Nov 14 20:42:23 sipx1 sendmail[32050]: qAF1gMNl032050: from=<
>>>> ***@rkw-lotus.com>, size=358, class=0, nrcpts=1, msgid=<201211150142.
>>>> ***@sipx1.sip.tranet.net>, proto=SMTP, daemon=MTA,
>>>> relay=localhost.localdomain [127.0.0.1]
>>>> Nov 14 20:42:23 sipx1 sendmail[32050]: qAF1gMNl032050: to=<***@yahoo.co.uk>, delay=00:00:00, mailer=relay, pri=30358, dsn=4.4.3, stat=queued
>>>> Nov 14 20:42:26 sipx1 sendmail[32547]: qAF1gMNl032050: to=<***@yahoo.co.uk>, delay=00:00:03, xdelay=00:00:01, mailer=relay, pri=120358, relay=sentinel1.tranet.net. [74.203.219.99], dsn=2.0.0, stat=Sent (Ok: queued as 488DE1C0B67)
>>>> Nov 14 21:08:02 sipx1 sendmail[32545]: qAF280Fd032545: from=<***@rkw-lotus.com>, size=361, class=0, nrcpts=2, msgid=<201211150208.***@sipx1.sip.tranet.net>, proto=SMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
>>>> Nov 14 21:08:02 sipx1 sendmail[32545]: qAF280Fd032545: to=<***@hotmail.com>, delay=00:00:00, mailer=relay, pri=60361, dsn=4.4.3, stat=queued
>>>> Nov 14 21:08:02 sipx1 sendmail[32545]: qAF280Fd032545: to=<***@yahoo.co.uk>, delay=00:00:00, mailer=relay, pri=60361, dsn=4.4.3, stat=queued
>>>> Nov 14 21:08:08 sipx1 sendmail[32547]: qAF280Fd032545: to=<***@yahoo.co.uk>,<***@hotmail.com>, delay=00:00:06, xdelay=00:00:01, mailer=relay, pri=150361, relay=sentinel1.tranet.net. [74.203.219.99], dsn=2.0.0, stat=Sent (Ok: queued as 1FAFD1BFD89)
>>>> Nov 14 21:08:12 sipx1 sendmail[32549]: qAF28A1h032549: from=<***@rkw-lotus.com>, size=361, class=0, nrcpts=2, msgid=<201211150208.***@sipx1.sip.tranet.net>, proto=SMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
>>>> Nov 14 21:08:12 sipx1 sendmail[32549]: qAF28A1h032549: to=<***@hotmail.com>, delay=00:00:01, mailer=relay, pri=60361, dsn=4.4.3, stat=queued
>>>> Nov 14 21:08:12 sipx1 sendmail[32549]: qAF28A1h032549: to=<***@yahoo.co.uk>, delay=00:00:01, mailer=relay, pri=60361, dsn=4.4.3, stat=queued
>>>> Nov 14 21:08:23 sipx1 sendmail[32547]: qAF28A1h032549: to=<***@yahoo.co.uk>,<***@hotmail.com>, delay=00:00:12, xdelay=00:00:00, mailer=relay, pri=150361, relay=sentinel1.tranet.net. [74.203.219.99], dsn=2.0.0, stat=Sent (Ok: queued as 4A9911BFD9F)
>>>> Nov 14 21:08:37 sipx1 sendmail[32559]: qAF28Z2x032559: from=<***@rkw-lotus.com>, size=361, class=0, nrcpts=2, msgid=<201211150208.***@sipx1.sip.tranet.net>, proto=SMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
>>>> Nov 14 21:08:37 sipx1 sendmail[32559]: qAF28Z2x032559: to=<***@hotmail.com>, delay=00:00:01, mailer=relay, pri=60361, dsn=4.4.3, stat=queued
>>>> Nov 14 21:08:37 sipx1 sendmail[32559]: qAF28Z2x032559: to=<***@yahoo.co.uk>, delay=00:00:01, mailer=relay, pri=60361, dsn=4.4.3, stat=queued
>>>> Nov 14 21:08:39 sipx1 sendmail[32547]: qAF28Z2x032559: to=<***@yahoo.co.uk>,<***@hotmail.com>, delay=00:00:03, xdelay=00:00:00, mailer=relay, pri=150361, relay=sentinel1.tranet.net. [74.203.219.99], dsn=2.0.0, stat=Sent (Ok: queued as 62A2D1BFDAB)
>>>> Nov 14 22:34:23 sipx1 sendmail[1047]: qAF3YKuO001047: from=<***@rkw-lotus.com>, size=5874, class=0, nrcpts=1, msgid=<201211150334.***@sipx1.sip.tranet.net>, proto=SMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
>>>> Nov 14 22:34:23 sipx1 sendmail[1047]: qAF3YKuO001047: to=<***@hotmail.com>, delay=00:00:01, mailer=relay, pri=35874, dsn=4.4.3, stat=queued
>>>> Nov 14 22:34:25 sipx1 sendmail[32547]: qAF3YKuO001047: to=<***@hotmail.com>, delay=00:00:03, xdelay=00:00:02, mailer=relay, pri=125874, relay=sentinel1.tranet.net. [74.203.219.99], dsn=2.0.0, stat=Sent (Ok: queued as 479D81C0BDE)
>>>> Nov 15 01:50:09 sipx1 sendmail[3176]: qAF6o7o5003176: from=<***@rkw-lotus.com>, size=5874, class=0, nrcpts=1, msgid=<201211150650.***@sipx1.sip.tranet.net>, proto=SMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
>>>> Nov 15 01:50:09 sipx1 sendmail[3176]: qAF6o7o5003176: to=<***@hotmail.com>, delay=00:00:01, mailer=relay, pri=35874, dsn=4.4.3, stat=queued
>>>> Nov 15 01:50:14 sipx1 sendmail[32547]: qAF6o7o5003176: to=<***@hotmail.com>, delay=00:00:06, xdelay=00:00:03, mailer=relay, pri=125874, relay=sentinel1.tranet.net. [74.203.219.99], dsn=2.0.0, stat=Sent (Ok: queued as 309221C0F12)
>>>> Nov 15 03:19:19 sipx1 sendmail[4123]: qAF8JHpS004123: from=<***@rkw-lotus.com>, size=5874, class=0, nrcpts=1, msgid=<201211150819.***@sipx1.sip.tranet.net>, proto=SMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
>>>> Nov 15 03:19:19 sipx1 sendmail[4123]: qAF8JHpS004123: to=<***@hotmail.com>, delay=00:00:00, mailer=relay, pri=35874, dsn=4.4.3, stat=queued
>>>> Nov 15 03:19:23 sipx1 sendmail[32547]: qAF8JHpS004123: to=<***@hotmail.com>, delay=00:00:04, xdelay=00:00:01, mailer=relay, pri=125874, relay=sentinel1.tranet.net. [74.203.219.99], dsn=2.0.0, stat=Sent (Ok: queued as 6B4E11C0F51)
>>>> Nov 15 03:26:33 sipx1 sendmail[4210]: qAF8Q78r004210: from=<***@rkw-lotus.com>, size=5925, class=0, nrcpts=50, msgid=<***@sipx1.sip.tranet.net>, proto=SMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
>>>>
>>>> As opposed to a normal entry:
>>>>
>>>> Nov 15 10:02:23 sipx1 sendmail[11170]: qAFF2NI4011170: from=<***@localhost>, size=335352, class=0, nrcpts=1, msgid=<1578812003.338.1352991743551.***@sipx1.sip.tranet.net>, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
>>>> Nov 15 10:02:23 sipx1 sendmail[11170]: qAFF2NI4011170: to=<***@signmuseum.org>, delay=00:00:00, mailer=relay, pri=365352, dsn=4.4.3, stat=queued
>>>> Nov 15 10:02:40 sipx1 sendmail[10780]: qAFF2NI4011170: to=<***@signmuseum.org>, delay=00:00:17, xdelay=00:00:14, mailer=relay, pri=455352, relay=sentinel1.tranet.net. [74.203.219.99], dsn=2.0.0, stat=Sent (Ok: queued as 501B41C1CBE)
>>>>
>>>> So, they are being generated locally, as far as I can tell.
>>>>
>>>> ~Noah
>>>>
>>>> On Nov 15, 2012, at 12:42 PM, Todd Hodgen <***@frontier.com> wrote:
>>>>
>>>> +1
>>>>
>>>> From: sipx-users-***@list.sipfoundry.org [mailto:sipx-users-***@list.sipfoundry.org] On Behalf Of Michael Picher
>>>> Sent: Thursday, November 15, 2012 7:49 AM
>>>> To: Discussion list for users of sipXecs software
>>>> Subject: Re: [sipx-users] Hacked SipXecs 4.4
>>>>
>>>> yes, and using the word hacked as your subject is not particularly...
>>>> helpful...
>>>>
>>>> On Thu, Nov 15, 2012 at 3:32 PM, Tony Graziano <***@myitdepartment.net> wrote:
>>>> you really need to look at the mail log to see where the mail is
>>>> coming from regardless of your firewall settings. It can actually come from
>>>> inside you see.
>>>>
>>>> On Thu, Nov 15, 2012 at 9:29 AM, Noah Mehl <***@tritonlimited.com> wrote:
>>>> I am seeing more spam in my mail queue. I have iptables installed,
>>>> and here are my rules:
>>>>
>>>> Chain INPUT (policy ACCEPT)
>>>> target     prot opt source               destination
>>>> RH-Firewall-1-INPUT  all  --  anywhere             anywhere
>>>>
>>>> Chain FORWARD (policy ACCEPT)
>>>> target     prot opt source               destination
>>>> RH-Firewall-1-INPUT  all  --  anywhere             anywhere
>>>>
>>>> Chain OUTPUT (policy ACCEPT)
>>>> target     prot opt source               destination
>>>>
>>>> Chain RH-Firewall-1-INPUT (2 references)
>>>> target     prot opt source               destination
>>>> ACCEPT     all  --  anywhere             anywhere
>>>> ACCEPT     icmp --  anywhere             anywhere            icmp any
>>>> ACCEPT     esp  --  anywhere             anywhere
>>>> ACCEPT     ah   --  anywhere             anywhere
>>>> ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:mdns
>>>> ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
>>>> ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ipp
>>>> ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
>>>> ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:pcsync-https
>>>> ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
>>>> ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:xmpp-client
>>>> ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:5223
>>>> ACCEPT     all  --  192.168.0.0/16       anywhere
>>>> ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:sip
>>>> ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:sip
>>>> ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:sip-tls
>>>> ACCEPT     udp  --  sip02.gafachi.com    anywhere            state NEW udp dpts:sip:5080
>>>> ACCEPT     udp  --  204.11.192.0/22      anywhere            state NEW udp dpts:sip:5080
>>>> REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
>>>>
>>>> As far as I can tell, no one should be able to use port 25 from the
>>>> world. Also, sendmail is only configured to allow relay from localhost:
>>>>
>>>> [***@sipx1 ~]# cat /etc/mail/access
>>>>
>>>> # Check the /usr/share/doc/sendmail/README.cf file for a description
>>>> # of the format of this file. (search for access_db in that file)
>>>> # The /usr/share/doc/sendmail/README.cf is part of the sendmail-doc
>>>> # package.
>>>> #
>>>> # by default we allow relaying from localhost...
>>>> Connect:localhost.localdomain RELAY
>>>> Connect:localhost RELAY
>>>> Connect:127.0.0.1 RELAY
>>>>
>>>> Can someone please help me figure out where this spam is coming from?
>>>> Thanks.
>>>>
>>>> ~Noah
>>>>
>>>> On Oct 13, 2012, at 10:17 AM, Noah Mehl <***@tritonlimited.com> wrote:
>>>>
>>>> > I did not change the configuration of anything related to the
>>>> PlcmSpIp user. It does however make me feel better that it is related to
>>>> the vsftpd service and the polycom phones.
>>>> >
>>>> >> From /etc/passwd:
>>>> >
>>>> >
>>>> PlcmSpIp:x:500:500::/var/sipxdata/configserver/phone/profile/tftproot:/sbin/nologin
>>>> >
>>>> > So, that user cannot ssh to a shell. So I don't think it was that.
>>>> >
>>>> > ~Noah
>>>> >
>>>> > On Oct 12, 2012, at 9:05 AM, Tony Graziano <
>>>> ***@myitdepartment.net> wrote:
>>>> >
>>>> >> ... more -- it's a user that does not have login to the OS itself,
>>>> just
>>>> >> vsftpd, which is restricted to certain commands and must present a
>>>> >> request for its mac address in order to get a configuration file. It
>>>> >> is not logging into linux unless someone changed the rights of the
>>>> >> user.
>>>> >>
>>>> >> On Fri, Oct 12, 2012 at 7:30 AM, George Niculae <***@ezuce.com>
>>>> wrote:
>>>> >>> On Fri, Oct 12, 2012 at 2:26 PM, Tony Graziano
>>>> >>> <***@myitdepartment.net> wrote:
>>>> >>>> this is not a valid system user unless you have manually added it
>>>> to the
>>>> >>>> system. I do think the logs would show more if access was granted.
>>>> Why are
>>>> >>>> you exposing sshd to the outside world with an acl or by
>>>> protecting it at
>>>> >>>> your firewall?
>>>> >>>>
>>>> >>>
>>>> >>> PlcmSpIp is the user used by polycom phones for fetching config
>>>> from server
>>>> >>>
>>>> >>> George
>>>> >>> _______________________________________________
>>>> >>> sipx-users mailing list
>>>> >>> sipx-***@list.sipfoundry.org
>>>> >>> List Archive: http://list.sipfoundry.org/archive/sipx-users/
>>>> >>
>>>> >>
>>>> >>
>>>> >> --
>>>> >> ~~~~~~~~~~~~~~~~~~
>>>> >> Tony Graziano, Manager
>>>> >> Telephone: 434.984.8430
>>>> >> sip: ***@voice.myitdepartment.net
>>>> >> Fax: 434.465.6833
>>>> >> ~~~~~~~~~~~~~~~~~~
>>>> >> Linked-In Profile:
>>>> >> http://www.linkedin.com/pub/tony-graziano/14/4a6/7a4
>>>> >> Ask about our Internet Fax services!
>>>> >> ~~~~~~~~~~~~~~~~~~
>>>> >>
>>>> >> Using or developing for sipXecs from SIPFoundry? Ask me about
>>>> sipX-CoLab 2013!
>>>> >>
>>>> >> --
>>>> >> LAN/Telephony/Security and Control Systems Helpdesk:
>>>> >> Telephone: 434.984.8426
>>>> >> sip: ***@voice.myitdepartment.net
>>>> >>
>>>> >> Helpdesk Customers: http://myhelp.myitdepartment.net
>>>> >> Blog: http://blog.myitdepartment.net
>>>>
>>>> --
>>>> Michael Picher, Director of Technical Services
>>>> eZuce, Inc.
>>>> 300 Brickstone Square
>>>> Suite 201
>>>> Andover, MA. 01810
>>>> O.978-296-1005 X2015
>>>> M.207-956-0262
>>>> @mpicher <http://twitter.com/mpicher>
>>>> linkedin <http://www.linkedin.com/profile/view?id=35504760&trk=tab_pro>
>>>> www.ezuce.com
>>>> ------------------------------------------------------------------------------------------------------------
>>>> There are 10 kinds of people in the world, those who understand
>>>> binary and those who don't.

--
~~~~~~~~~~~~~~~~~~
Tony Graziano, Manager
Telephone: 434.984.8430
sip: ***@voice.myitdepartment.net
Fax: 434.465.6833
~~~~~~~~~~~~~~~~~~
Linked-In Profile:
http://www.linkedin.com/pub/tony-graziano/14/4a6/7a4
Ask about our Internet Fax services!
~~~~~~~~~~~~~~~~~~

Using or developing for sipXecs from SIPFoundry? Ask me about sipX-CoLab
2013!
<http://sipxcolab2013.eventbrite.com/?discount=tony2013>

--
LAN/Telephony/Security and Control Systems Helpdesk:
Telephone: 434.984.8426
sip: ***@voice.myitdepartment.net

Helpdesk Customers: http://myhelp.myitdepartment.net
Blog: http://blog.myitdepartment.net
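
The maillog comparison quoted in the message above (plain SMTP submissions from 127.0.0.1 with foreign envelope senders, versus the normal ESMTP submission from <***@localhost>) and the "session opened for user PlcmSpIp" sshd entries can be turned into a repeatable check. The script below is an added example; it is not code from this thread or from sipXecs. Its log lines are constructed to match the sendmail and sshd formats shown in the thread, the hostnames and domains are placeholders, and the log year, the set of "local" sender domains and the six-hour pairing window are assumptions a reader would replace with their own.

```python
"""Flag mail injected over the loopback relay and line it up with sshd
session openings for a service account.

Added example, not code from the sipx-users thread or from sipXecs. The
log lines below are constructed to match the sendmail and sshd formats
quoted in the thread; hostnames and domains are placeholders."""
import re
from datetime import datetime, timedelta

# Assumption: syslog timestamps carry no year, so we supply one.
LOG_YEAR = 2012
# Assumption: only these envelope-sender domains are expected from a
# submission on 127.0.0.1 (sipXecs itself sends as <user@localhost>).
LOCAL_SENDER_DOMAINS = {"localhost", "sipx1.sip.example.net"}

SYSLOG_TS = r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2})"
FROM_LINE = re.compile(
    SYSLOG_TS + r" \S+ sendmail\[\d+\]: (?P<qid>\w+): from=<(?P<sender>[^>]*)>,"
    r".*?proto=(?P<proto>\w+), daemon=MTA, relay=(?P<relay>\S+) \[(?P<ip>[^\]]+)\]"
)
SESSION_LINE = re.compile(
    SYSLOG_TS + r" \S+ sshd\[\d+\]: pam_unix\(sshd:session\): session opened"
    r" for user (?P<user>\S+)"
)


def parse_ts(stamp):
    return datetime.strptime(f"{LOG_YEAR} {stamp}", "%Y %b %d %H:%M:%S")


def injected_messages(maillog_lines):
    """Return the from= entries accepted from 127.0.0.1 whose envelope
    sender is not local. A spam run pushed through the loopback relay
    shows up here; ordinary sipXecs notifications (<x@localhost>) and
    mail arriving from a real remote MTA do not. An empty sender (<>,
    a bounce) is treated as local."""
    hits = []
    for line in maillog_lines:
        m = FROM_LINE.search(line)
        if not m:
            continue
        sender = m["sender"]
        domain = sender.rsplit("@", 1)[1].lower() if "@" in sender else "localhost"
        if m["ip"] == "127.0.0.1" and domain not in LOCAL_SENDER_DOMAINS:
            hits.append({"ts": parse_ts(m["ts"]), "qid": m["qid"],
                         "sender": sender, "proto": m["proto"]})
    return hits


def session_openings(secure_lines, user):
    """Timestamps of pam_unix 'session opened' events for one account."""
    stamps = []
    for line in secure_lines:
        m = SESSION_LINE.search(line)
        if m and m["user"] == user:
            stamps.append(parse_ts(m["ts"]))
    return stamps


def correlate(injected, sessions, window=timedelta(hours=6)):
    """Pair each injected message with the latest session opening for the
    account that happened within `window` before it (None if there was
    none). Assumption: six hours bounds one login for this purpose."""
    pairs = []
    for msg in injected:
        prior = [s for s in sessions if s <= msg["ts"] <= s + window]
        pairs.append((msg["qid"], max(prior) if prior else None))
    return pairs


# Constructed sample lines, not real traffic.
MAILLOG = [
    "Nov 14 20:38:28 sipx1 sendmail[31880]: qAF1cSLn031880: from=<bulk@example.org>, "
    "size=349, class=0, nrcpts=1, msgid=<a@sipx1.sip.example.net>, proto=SMTP, "
    "daemon=MTA, relay=localhost.localdomain [127.0.0.1]",
    "Nov 14 20:38:28 sipx1 sendmail[31880]: qAF1cSLn031880: to=<someone@example.com>, "
    "delay=00:00:00, mailer=relay, pri=30349, dsn=4.4.3, stat=queued",
    "Nov 15 10:02:23 sipx1 sendmail[11170]: qAFF2NI4011170: from=<sipxchange@localhost>, "
    "size=335352, class=0, nrcpts=1, msgid=<b@sipx1.sip.example.net>, proto=ESMTP, "
    "daemon=MTA, relay=localhost.localdomain [127.0.0.1]",
    "Nov 15 11:00:00 sipx1 sendmail[12000]: qAFG00AA012000: from=<partner@example.org>, "
    "size=400, class=0, nrcpts=1, msgid=<c@mail.example.org>, proto=ESMTP, "
    "daemon=MTA, relay=mail.example.org [203.0.113.10]",
]
SECURE = [
    "Nov 14 18:36:02 sipx1 sshd[29185]: pam_unix(sshd:session): session opened for user PlcmSpIp by (uid=0)",
    "Nov 15 09:00:00 sipx1 sshd[30000]: pam_unix(sshd:session): session opened for user admin by (uid=0)",
]

if __name__ == "__main__":
    hits = injected_messages(MAILLOG)
    for qid, login in correlate(hits, session_openings(SECURE, "PlcmSpIp")):
        print(qid, "preceded by PlcmSpIp session at", login)
```

Run it against a real /var/log/maillog and /var/log/secure by reading the files into the two lists; only the message from the foreign sender submitted on the loopback address is reported, and it is paired with the PlcmSpIp session opened about two hours earlier. The legitimate localhost notification and the mail that came in from a remote MTA are both ignored, which is the distinction the quoted log excerpt draws by hand.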
Noah Mehl
2012-11-15 19:33:22 UTC
Permalink
OK,

Trident:~ noahmehl$ ssh ***@ip-address
***@ip-address's password:
Last login: Wed Nov 14 22:25:01 2012 from aca44192.ipt.aol.com
This account is currently not available.
Connection to ip-address closed.

In this case, I am seeing that someone is able to exploit an ssh login using that user. That is, in my opinion a security issue with SipXecs. This should not be possible. End users should not have to disable this out of the box.

~Noah

On Nov 15, 2012, at 2:29 PM, Tony Graziano <***@myitdepartment.net> wrote:

Because if the phone needs to FTP for its configuration it requires a password. I think this was mentioned already. If you DO NOT use remote users, you can SAFELY DELETE that user though. I think this was also mentioned to you.

On Thu, Nov 15, 2012 at 2:23 PM, Noah Mehl <***@tritonlimited.com> wrote:
I just tried a fresh install of 4.4.0 and the PlcmSpIp user has a password in /etc/shadow, why does this user have a password?

~Noah

On Nov 15, 2012, at 2:02 PM, Noah Mehl <***@tritonlimited.com> wrote:

I have no remote users at the moment, but that is definitely possible.

I understand the wisdom of locking down ssh to the world, however I have almost a hundred linux based servers running this way, and have never had an issue. The reason I have never had an issue is that I NEVER use the root user or any default users for that matter, and all of my actual users are usually directory based, and for high value targets, use two-factor auth.

Either way, I have an issue, as I have many entries where this user was able to login, and in my opinion is a security problem. As I can account for all of the other ssh logins in the logs. And I was indeed "hacked". This looks to me like a default user with a default password, and there is apparently an active exploit for it.

In the mean time, I have removed outside ssh access.

~Noah

On Nov 15, 2012, at 1:52 PM, Tony Graziano <***@myitdepartment.net> wrote:

This is correct. Do you have any remote users? If not, you can actually delete the user because tftp does not use login. The group is correct.

If it were me, and its not, I would make sure whatever firewall I have sipx behind is tightened down. There are a couple of ways to do that with ssh open, and one was mentioned to you early on in this thread.

For me I don't make SSH available, and I VPN in should I have the need. Then I login as a different user and su to root if I need that (don't allow root login with ssh either).

On Thu, Nov 15, 2012 at 1:41 PM, Noah Mehl <***@tritonlimited.com> wrote:
[***@sipx1 etc]# groups PlcmSpIp
PlcmSpIp : PlcmSpIp

~Noah

On Nov 15, 2012, at 1:35 PM, Tony Graziano <***@myitdepartment.net> wrote:

What is the output of:

groups PlcmSpIp

On Thu, Nov 15, 2012 at 1:28 PM, Noah Mehl <***@tritonlimited.com> wrote:
I can tell you I am the only person who could have made a change, and I can promise you I would not have made any changes to that user. So, the bigger question is how is this happening...

From /etc/passwd:

PlcmSpIp:x:500:500::/var/sipxdata/configserver/phone/profile/tftproot:/sbin/nologin

However if I check /etc/shadow, there is indeed a password for that user. I certainly didn't set it.

~Noah

On Nov 15, 2012, at 1:18 PM, Tony Graziano <***@myitdepartment.net> wrote:

If you do not have sendmail-cf installed I would do that. I would then look through the sendmail.m4 file.

The default settings say ONLY ACCEPT from this box (being sipx).

passwd PlcmSpIp

you shouldn't need to do that. Unless you are actually able to correlate that user login with these occurrences. I have never seen this happen, but in your case it might be a first.

You will also need to change all of your phones in order to update them if they use FTP.

Have you considered tightening down your SSH config?

The PlcmSpIp user has no SSH login by default. I tried (as an example) from my LAN with IPTABLES OFF and I could not shell.

So everyone here wants to know... what have you done to that user account? If it is authenticating via SSH it has been modified. The user shell is "/sbin/nologin" by default. I still doubt something has been hacked and rather think that someone has altered the user to make it less secure. If this is the case, it's a result of that action.

Explain who did what to the user PlcmSpIp.

On Thu, Nov 15, 2012 at 12:56 PM, Noah Mehl <***@tritonlimited.com> wrote:
I'm using "hacked" because as far as I can tell, this is not an SMTP relay issue. Therefore something on the system is open, and has therefore been "hacked".

Here is some spam log entries in the maillog:

Nov 14 20:38:28 sipx1 sendmail[31880]: qAF1cSLn031880: from=<***@aol.org>, size=349, class=0, nrcpts=1, msgid=<***@sipx1.sip.tranet.net>, proto=SMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Nov 14 20:38:28 sipx1 sendmail[31880]: qAF1cSLn031880: to=<***@yahoo.co.uk>, delay=00:00:00, mailer=relay, pri=30349, dsn=4.4.3, stat=queued
Nov 14 20:38:34 sipx1 sendmail[32547]: qAF1cSLn031880: to=<***@yahoo.co.uk>, delay=00:00:06, xdelay=00:00:01, mailer=relay, pri=120349, relay=sentinel1.tranet.net. [74.203.219.99], dsn=2.0.0, stat=Sent (Ok: queued as 0F7351C0B53)
Nov 14 20:39:57 sipx1 sendmail[31945]: qAF1dufN031945: from=<***@rkw-lotus.com>, size=358, class=0, nrcpts=1, msgid=<***@sipx1.sip.tranet.net>, proto=SMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Nov 14 20:39:57 sipx1 sendmail[31945]: qAF1dufN031945: to=<***@yahoo.co.uk>, delay=00:00:00, mailer=relay, pri=30358, dsn=4.4.3, stat=queued
Nov 14 20:39:59 sipx1 sendmail[32547]: qAF1dufN031945: to=<***@yahoo.co.uk>, delay=00:00:02, xdelay=00:00:00, mailer=relay, pri=120358, relay=sentinel1.tranet.net. [74.203.219.99], dsn=2.0.0, stat=Sent (Ok: queued as 644861C0B57)
Nov 14 20:40:04 sipx1 sendmail[31953]: qAF1e3Ao031953: from=<***@rkw-lotus.com>, size=358, class=0, nrcpts=1, msgid=<***@sipx1.sip.tranet.net>, proto=SMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Nov 14 20:40:04 sipx1 sendmail[31953]: qAF1e3Ao031953: to=<***@yahoo.co.uk>, delay=00:00:00, mailer=relay, pri=30358, dsn=4.4.3, stat=queued
Nov 14 20:40:15 sipx1 sendmail[32547]: qAF1e3Ao031953: to=<***@yahoo.co.uk>, delay=00:00:11, xdelay=00:00:01, mailer=relay, pri=120358, relay=sentinel1.tranet.net. [74.203.219.99], dsn=2.0.0, stat=Sent (Ok: queued as ABC431C0B5B)
Nov 14 20:42:23 sipx1 sendmail[32050]: qAF1gMNl032050: from=<***@rkw-lotus.com>, size=358, class=0, nrcpts=1, msgid=<***@sipx1.sip.tranet.net>, proto=SMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Nov 14 20:42:23 sipx1 sendmail[32050]: qAF1gMNl032050: to=<***@yahoo.co.uk>, delay=00:00:00, mailer=relay, pri=30358, dsn=4.4.3, stat=queued
Nov 14 20:42:26 sipx1 sendmail[32547]: qAF1gMNl032050: to=<***@yahoo.co.uk>, delay=00:00:03, xdelay=00:00:01, mailer=relay, pri=120358, relay=sentinel1.tranet.net. [74.203.219.99], dsn=2.0.0, stat=Sent (Ok: queued as 488DE1C0B67)
Nov 14 21:08:02 sipx1 sendmail[32545]: qAF280Fd032545: from=<***@rkw-lotus.com>, size=361, class=0, nrcpts=2, msgid=<***@sipx1.sip.tranet.net>, proto=SMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Nov 14 21:08:02 sipx1 sendmail[32545]: qAF280Fd032545: to=<***@hotmail.com>, delay=00:00:00, mailer=relay, pri=60361, dsn=4.4.3, stat=queued
Nov 14 21:08:02 sipx1 sendmail[32545]: qAF280Fd032545: to=<***@yahoo.co.uk>, delay=00:00:00, mailer=relay, pri=60361, dsn=4.4.3, stat=queued
Nov 14 21:08:08 sipx1 sendmail[32547]: qAF280Fd032545: to=<***@yahoo.co.uk>,<***@hotmail.com>, delay=00:00:06, xdelay=00:00:01, mailer=relay, pri=150361, relay=sentinel1.tranet.net. [74.203.219.99], dsn=2.0.0, stat=Sent (Ok: queued as 1FAFD1BFD89)
Nov 14 21:08:12 sipx1 sendmail[32549]: qAF28A1h032549: from=<***@rkw-lotus.com>, size=361, class=0, nrcpts=2, msgid=<***@sipx1.sip.tranet.net>, proto=SMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Nov 14 21:08:12 sipx1 sendmail[32549]: qAF28A1h032549: to=<***@hotmail.com>, delay=00:00:01, mailer=relay, pri=60361, dsn=4.4.3, stat=queued
Nov 14 21:08:12 sipx1 sendmail[32549]: qAF28A1h032549: to=<***@yahoo.co.uk>, delay=00:00:01, mailer=relay, pri=60361, dsn=4.4.3, stat=queued
Nov 14 21:08:23 sipx1 sendmail[32547]: qAF28A1h032549: to=<***@yahoo.co.uk>,<***@hotmail.com>, delay=00:00:12, xdelay=00:00:00, mailer=relay, pri=150361, relay=sentinel1.tranet.net. [74.203.219.99], dsn=2.0.0, stat=Sent (Ok: queued as 4A9911BFD9F)
Nov 14 21:08:37 sipx1 sendmail[32559]: qAF28Z2x032559: from=<***@rkw-lotus.com>, size=361, class=0, nrcpts=2, msgid=<***@sipx1.sip.tranet.net>, proto=SMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Nov 14 21:08:37 sipx1 sendmail[32559]: qAF28Z2x032559: to=<***@hotmail.com>, delay=00:00:01, mailer=relay, pri=60361, dsn=4.4.3, stat=queued
Nov 14 21:08:37 sipx1 sendmail[32559]: qAF28Z2x032559: to=<***@yahoo.co.uk>, delay=00:00:01, mailer=relay, pri=60361, dsn=4.4.3, stat=queued
Nov 14 21:08:39 sipx1 sendmail[32547]: qAF28Z2x032559: to=<***@yahoo.co.uk>,<***@hotmail.com>, delay=00:00:03, xdelay=00:00:00, mailer=relay, pri=150361, relay=sentinel1.tranet.net. [74.203.219.99], dsn=2.0.0, stat=Sent (Ok: queued as 62A2D1BFDAB)
Nov 14 22:34:23 sipx1 sendmail[1047]: qAF3YKuO001047: from=<***@rkw-lotus.com>, size=5874, class=0, nrcpts=1, msgid=<***@sipx1.sip.tranet.net>, proto=SMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Nov 14 22:34:23 sipx1 sendmail[1047]: qAF3YKuO001047: to=<***@hotmail.com>, delay=00:00:01, mailer=relay, pri=35874, dsn=4.4.3, stat=queued
Nov 14 22:34:25 sipx1 sendmail[32547]: qAF3YKuO001047: to=<***@hotmail.com>, delay=00:00:03, xdelay=00:00:02, mailer=relay, pri=125874, relay=sentinel1.tranet.net. [74.203.219.99], dsn=2.0.0, stat=Sent (Ok: queued as 479D81C0BDE)
Nov 15 01:50:09 sipx1 sendmail[3176]: qAF6o7o5003176: from=<***@rkw-lotus.com>, size=5874, class=0, nrcpts=1, msgid=<***@sipx1.sip.tranet.net>, proto=SMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Nov 15 01:50:09 sipx1 sendmail[3176]: qAF6o7o5003176: to=<***@hotmail.com>, delay=00:00:01, mailer=relay, pri=35874, dsn=4.4.3, stat=queued
Nov 15 01:50:14 sipx1 sendmail[32547]: qAF6o7o5003176: to=<***@hotmail.com>, delay=00:00:06, xdelay=00:00:03, mailer=relay, pri=125874, relay=sentinel1.tranet.net. [74.203.219.99], dsn=2.0.0, stat=Sent (Ok: queued as 309221C0F12)
Nov 15 03:19:19 sipx1 sendmail[4123]: qAF8JHpS004123: from=<***@rkw-lotus.com>, size=5874, class=0, nrcpts=1, msgid=<***@sipx1.sip.tranet.net>, proto=SMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Nov 15 03:19:19 sipx1 sendmail[4123]: qAF8JHpS004123: to=<***@hotmail.com>, delay=00:00:00, mailer=relay, pri=35874, dsn=4.4.3, stat=queued
Nov 15 03:19:23 sipx1 sendmail[32547]: qAF8JHpS004123: to=<***@hotmail.com>, delay=00:00:04, xdelay=00:00:01, mailer=relay, pri=125874, relay=sentinel1.tranet.net. [74.203.219.99], dsn=2.0.0, stat=Sent (Ok: queued as 6B4E11C0F51)
Nov 15 03:26:33 sipx1 sendmail[4210]: qAF8Q78r004210: from=<***@rkw-lotus.com>, size=5925, class=0, nrcpts=50, msgid=<***@sipx1.sip.tranet.net>, proto=SMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]

As opposed to a normal entry:

Nov 15 10:02:23 sipx1 sendmail[11170]: qAFF2NI4011170: from=<***@localhost>, size=335352, class=0, nrcpts=1, msgid=<***@sipx1.sip.tranet.net>, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Nov 15 10:02:23 sipx1 sendmail[11170]: qAFF2NI4011170: to=<***@signmuseum.org>, delay=00:00:00, mailer=relay, pri=365352, dsn=4.4.3, stat=queued
Nov 15 10:02:40 sipx1 sendmail[10780]: qAFF2NI4011170: to=<***@signmuseum.org>, delay=00:00:17, xdelay=00:00:14, mailer=relay, pri=455352, relay=sentinel1.tranet.net. [74.203.219.99], dsn=2.0.0, stat=Sent (Ok: queued as 501B41C1CBE)

So, they are being generated locally, as far as I can tell.

~Noah

On Nov 15, 2012, at 12:42 PM, Todd Hodgen <***@frontier.com> wrote:

+1

From: sipx-users-***@list.sipfoundry.org [mailto:sipx-users-***@list.sipfoundry.org] On Behalf Of Michael Picher
Sent: Thursday, November 15, 2012 7:49 AM
To: Discussion list for users of sipXecs software
Subject: Re: [sipx-users] Hacked SipXecs 4.4

yes, and using the word hacked as your subject is not particularly... helpful...

On Thu, Nov 15, 2012 at 3:32 PM, Tony Graziano <***@myitdepartment.net> wrote:
you really need to look at the mail log to see where the mail is coming from regardless of your firewall settings. It can actually come from inside you see.

On Thu, Nov 15, 2012 at 9:29 AM, Noah Mehl <***@tritonlimited.com> wrote:
I am seeing more spam in my mail queue. I have iptables installed, and here are my rules:

Chain INPUT (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp any
ACCEPT esp -- anywhere anywhere
ACCEPT ah -- anywhere anywhere
ACCEPT udp -- anywhere 224.0.0.251 udp dpt:mdns
ACCEPT udp -- anywhere anywhere udp dpt:ipp
ACCEPT tcp -- anywhere anywhere tcp dpt:ipp
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:pcsync-https
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:xmpp-client
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:5223
ACCEPT all -- 192.168.0.0/16 anywhere
ACCEPT udp -- anywhere anywhere state NEW udp dpt:sip
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:sip
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:sip-tls
ACCEPT udp -- sip02.gafachi.com anywhere state NEW udp dpts:sip:5080
ACCEPT udp -- 204.11.192.0/22 anywhere state NEW udp dpts:sip:5080
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

As far as I can tell, no one should be able to use port 25 from the world. Also, sendmail is only configured to allow relay from localhost:

[***@sipx1 ~]# cat /etc/mail/access
# Check the /usr/share/doc/sendmail/README.cf file for a description
# of the format of this file. (search for access_db in that file)
# The /usr/share/doc/sendmail/README.cf is part of the sendmail-doc
# package.
#
# by default we allow relaying from localhost...
Connect:localhost.localdomain RELAY
Connect:localhost RELAY
Connect:127.0.0.1 RELAY

Can someone please help me figure out where this spam is coming from? Thanks.

~Noah

On Oct 13, 2012, at 10:17 AM, Noah Mehl <***@tritonlimited.com> wrote:

> I did not change the configuration of anything related to the PlcmSpIp user. It does however make me feel better that it is related to the vsftpd service and the polycom phones.
>
>> From /etc/passwd:
>
> PlcmSpIp:x:500:500::/var/sipxdata/configserver/phone/profile/tftproot:/sbin/nologin
>
> So, that user cannot ssh to a shell. So I don't think it was that.
>
> ~Noah
>
> On Oct 12, 2012, at 9:05 AM, Tony Graziano <***@myitdepartment.net> wrote:
>
>> ... more -- it's a user that does not have login to the OS itself, just
>> vsftpd, which is restricted to certain commands and must present a
>> request for its mac address in order to get a configuration file. It
>> is not logging into linux unless someone changed the rights of the
>> user.
>>
>> On Fri, Oct 12, 2012 at 7:30 AM, George Niculae <***@ezuce.com> wrote:
>>> On Fri, Oct 12, 2012 at 2:26 PM, Tony Graziano
>>> <***@myitdepartment.net> wrote:
>>>> this is not a valid system user unless you have manually added it to the
>>>> system. I do think the logs would show more if access was granted. Why are
>>>> you exposing sshd to the outside world with an acl or by protecting it at
>>>> your firewall?
>>>>
>>>
>>> PlcmSpIp is the user used by polycom phones for fetching config from server
>>>
>>> George
>>> _______________________________________________
>>> sipx-users mailing list
>>> sipx-***@list.sipfoundry.org
>>> List Archive: http://list.sipfoundry.org/archive/sipx-users/
>>
>>
>>
>> --
>> ~~~~~~~~~~~~~~~~~~
>> Tony Graziano, Manager
>> Telephone: 434.984.8430
>> sip: ***@voice.myitdepartment.net
>> Fax: 434.465.6833
>> ~~~~~~~~~~~~~~~~~~
>> Linked-In Profile:
>> http://www.linkedin.com/pub/tony-graziano/14/4a6/7a4
>> Ask about our Internet Fax services!
>> ~~~~~~~~~~~~~~~~~~
>>
>> Using or developing for sipXecs from SIPFoundry? Ask me about sipX-CoLab 2013!
>>
>> --
>> LAN/Telephony/Security and Control Systems Helpdesk:
>> Telephone: 434.984.8426
>> sip: ***@voice.myitdepartment.net
>>
>> Helpdesk Customers: http://myhelp.myitdepartment.net
>> Blog: http://blog.myitdepartment.net
>> _______________________________________________
>> sipx-users mailing list
>> sipx-***@list.sipfoundry.org
>> List Archive: http://list.sipfoundry.org/archive/sipx-users/
>
>
> Scanned for viruses and content by the Tranet Spam Sentinel service.
> _______________________________________________
> sipx-users mailing list
> sipx-***@list.sipfoundry.org
> List Archive: http://list.sipfoundry.org/archive/sipx-users/

_______________________________________________
sipx-users mailing list
sipx-***@list.sipfoundry.org
List Archive: http://list.sipfoundry.org/archive/sipx-users/



--
Michael Picher, Director of Technical Services
eZuce, Inc.
300 Brickstone Square
Suite 201
Andover, MA. 01810
O.978-296-1005 X2015
M.207-956-0262
@mpicher <http://twitter.com/mpicher>
linkedin <http://www.linkedin.com/profile/view?id=35504760&trk=tab_pro>
www.ezuce.com

------------------------------------------------------------------------------------------------------------
There are 10 kinds of people in the world, those who understand binary and those who don't.

_______________________________________________
sipx-users mailing list
sipx-***@list.sipfoundry.org
List Archive: http://list.sipfoundry.org/archive/sipx-users/
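A check that follows from the /etc/passwd line and Tony's point above, as an added example that is not part of the thread or of sipXecs: cross-reference the login shells in /etc/passwd against the pam_unix(sshd:session) "session opened" lines in the secure log, and report any account with a non-interactive shell that nonetheless had an sshd session opened. The sample passwd content and log lines are constructed for the example (the PlcmSpIp passwd line mirrors the one posted); the NOLOGIN_SHELLS set is an assumption about which shells deny interactive login.

```python
"""
Cross-check sshd session logins against the login shells in /etc/passwd.

Added example; not code from the sipx-users thread or from sipXecs.
Assumed: NOLOGIN_SHELLS lists the shells that deny interactive login on
this host; the sample passwd and /var/log/secure lines are constructed
(the PlcmSpIp passwd line mirrors the one posted in the thread).
"""
import re
from collections import defaultdict

NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}  # assumption

# Constructed sample /etc/passwd content.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
PlcmSpIp:x:500:500::/var/sipxdata/configserver/phone/profile/tftproot:/sbin/nologin
sipx:x:501:501::/var/sipxdata:/bin/bash
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
"""

# Constructed sample /var/log/secure lines in the format quoted in the thread.
SAMPLE_SECURE = """\
Oct 11 06:09:25 sipx1 sshd[22059]: pam_unix(sshd:session): session opened for user PlcmSpIp by (uid=0)
Oct 11 06:10:02 sipx1 sshd[22061]: Accepted password for sipx from 192.168.1.20 port 51022 ssh2
Oct 11 06:10:02 sipx1 sshd[22061]: pam_unix(sshd:session): session opened for user sipx by (uid=0)
Oct 11 18:36:02 sipx1 sshd[29185]: pam_unix(sshd:session): session opened for user PlcmSpIp by (uid=0)
Oct 11 18:36:02 sipx1 sshd[29185]: pam_unix(sshd:session): session closed for user PlcmSpIp
"""

# Matches only the "session opened" line written by pam_unix on behalf of sshd.
SESSION_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"pam_unix\(sshd:session\): session opened for user (?P<user>\S+)"
)


def nologin_accounts(passwd_text):
    """Account names whose seventh passwd field is a non-interactive shell."""
    accounts = set()
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[6] in NOLOGIN_SHELLS:
            accounts.add(fields[0])
    return accounts


def sshd_sessions(secure_text):
    """Map each user to the timestamps of its sshd session-open events."""
    sessions = defaultdict(list)
    for line in secure_text.splitlines():
        m = SESSION_RE.match(line)
        if m:
            sessions[m.group("user")].append(m.group("ts"))
    return dict(sessions)


def suspicious_sessions(passwd_text, secure_text):
    """Session-open events for accounts that should never log in over ssh.

    sshd opens the PAM session only after authentication has succeeded, so a
    hit here means the account's credentials were accepted, even though
    /sbin/nologin then refuses to start a shell.
    """
    blocked = nologin_accounts(passwd_text)
    return {user: stamps
            for user, stamps in sshd_sessions(secure_text).items()
            if user in blocked}


if __name__ == "__main__":
    for user, stamps in suspicious_sessions(SAMPLE_PASSWD, SAMPLE_SECURE).items():
        print(f"{user}: {len(stamps)} ssh session(s) opened despite a nologin shell")
        for ts in stamps:
            print(f"  {ts}")
```

Two things worth keeping in mind when reading the output. The pam_unix line is written after sshd has accepted the credentials and before the login shell runs, so /sbin/nologin only stops the shell; a "session opened" entry for such an account still means the password was accepted, which is why those lines matter even though the user "cannot ssh to a shell". The trailing "by (uid=0)" is the privileged sshd process opening the session, not evidence that root logged in.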
Todd Hodgen
2012-11-15 18:21:26 UTC
Permalink
Yes, but how is this USER attaching to your server in order to send these
emails? They must have obtained access in order to use the sendmail
application.

You need to see how they are getting onto your server; there is no magic in
sending out the emails. The magic is gaining access to your server.



From: sipx-users-***@list.sipfoundry.org
[mailto:sipx-users-***@list.sipfoundry.org] On Behalf Of Noah Mehl
Sent: Thursday, November 15, 2012 9:57 AM
To: Discussion list for users of sipXecs software
Subject: Re: [sipx-users] Hacked SipXecs 4.4



I'm using "hacked" because, as far as I can tell, this is not an SMTP relay
issue. Therefore something on the system is open, and it has therefore been
"hacked".

Here are some spam log entries in the maillog:

Nov 14 20:38:28 sipx1 sendmail[31880]: qAF1cSLn031880: from=<***@aol.org>, size=349, class=0, nrcpts=1, msgid=<***@sipx1.sip.tranet.net>, proto=SMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Nov 14 20:38:28 sipx1 sendmail[31880]: qAF1cSLn031880: to=<***@yahoo.co.uk>, delay=00:00:00, mailer=relay, pri=30349, dsn=4.4.3, stat=queued
Nov 14 20:38:34 sipx1 sendmail[32547]: qAF1cSLn031880: to=<***@yahoo.co.uk>, delay=00:00:06, xdelay=00:00:01, mailer=relay, pri=120349, relay=sentinel1.tranet.net. [74.203.219.99], dsn=2.0.0, stat=Sent (Ok: queued as 0F7351C0B53)
Nov 14 20:39:57 sipx1 sendmail[31945]: qAF1dufN031945: from=<***@rkw-lotus.com>, size=358, class=0, nrcpts=1, msgid=<***@sipx1.sip.tranet.net>, proto=SMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Nov 14 20:39:57 sipx1 sendmail[31945]: qAF1dufN031945: to=<***@yahoo.co.uk>, delay=00:00:00, mailer=relay, pri=30358, dsn=4.4.3, stat=queued
Nov 14 20:39:59 sipx1 sendmail[32547]: qAF1dufN031945: to=<***@yahoo.co.uk>, delay=00:00:02, xdelay=00:00:00, mailer=relay, pri=120358, relay=sentinel1.tranet.net. [74.203.219.99], dsn=2.0.0, stat=Sent (Ok: queued as 644861C0B57)
Nov 14 20:40:04 sipx1 sendmail[31953]: qAF1e3Ao031953: from=<***@rkw-lotus.com>, size=358, class=0, nrcpts=1, msgid=<***@sipx1.sip.tranet.net>, proto=SMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Nov 14 20:40:04 sipx1 sendmail[31953]: qAF1e3Ao031953: to=<***@yahoo.co.uk>, delay=00:00:00, mailer=relay, pri=30358, dsn=4.4.3, stat=queued
Nov 14 20:40:15 sipx1 sendmail[32547]: qAF1e3Ao031953: to=<***@yahoo.co.uk>, delay=00:00:11, xdelay=00:00:01, mailer=relay, pri=120358, relay=sentinel1.tranet.net. [74.203.219.99], dsn=2.0.0, stat=Sent (Ok: queued as ABC431C0B5B)
Nov 14 20:42:23 sipx1 sendmail[32050]: qAF1gMNl032050: from=<***@rkw-lotus.com>, size=358, class=0, nrcpts=1, msgid=<***@sipx1.sip.tranet.net>, proto=SMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Nov 14 20:42:23 sipx1 sendmail[32050]: qAF1gMNl032050: to=<***@yahoo.co.uk>, delay=00:00:00, mailer=relay, pri=30358, dsn=4.4.3, stat=queued
Nov 14 20:42:26 sipx1 sendmail[32547]: qAF1gMNl032050: to=<***@yahoo.co.uk>, delay=00:00:03, xdelay=00:00:01, mailer=relay, pri=120358, relay=sentinel1.tranet.net. [74.203.219.99], dsn=2.0.0, stat=Sent (Ok: queued as 488DE1C0B67)
Nov 14 21:08:02 sipx1 sendmail[32545]: qAF280Fd032545: from=<***@rkw-lotus.com>, size=361, class=0, nrcpts=2, msgid=<***@sipx1.sip.tranet.net>, proto=SMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Nov 14 21:08:02 sipx1 sendmail[32545]: qAF280Fd032545: to=<***@hotmail.com>, delay=00:00:00, mailer=relay, pri=60361, dsn=4.4.3, stat=queued
Nov 14 21:08:02 sipx1 sendmail[32545]: qAF280Fd032545: to=<***@yahoo.co.uk>, delay=00:00:00, mailer=relay, pri=60361, dsn=4.4.3, stat=queued
Nov 14 21:08:08 sipx1 sendmail[32547]: qAF280Fd032545: to=<***@yahoo.co.uk>,<***@hotmail.com>, delay=00:00:06, xdelay=00:00:01, mailer=relay, pri=150361, relay=sentinel1.tranet.net. [74.203.219.99], dsn=2.0.0, stat=Sent (Ok: queued as 1FAFD1BFD89)
Nov 14 21:08:12 sipx1 sendmail[32549]: qAF28A1h032549: from=<***@rkw-lotus.com>, size=361, class=0, nrcpts=2, msgid=<***@sipx1.sip.tranet.net>, proto=SMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Nov 14 21:08:12 sipx1 sendmail[32549]: qAF28A1h032549: to=<***@hotmail.com>, delay=00:00:01, mailer=relay, pri=60361, dsn=4.4.3, stat=queued
Nov 14 21:08:12 sipx1 sendmail[32549]: qAF28A1h032549: to=<***@yahoo.co.uk>, delay=00:00:01, mailer=relay, pri=60361, dsn=4.4.3, stat=queued
Nov 14 21:08:23 sipx1 sendmail[32547]: qAF28A1h032549: to=<***@yahoo.co.uk>,<***@hotmail.com>, delay=00:00:12, xdelay=00:00:00, mailer=relay, pri=150361, relay=sentinel1.tranet.net. [74.203.219.99], dsn=2.0.0, stat=Sent (Ok: queued as 4A9911BFD9F)
Nov 14 21:08:37 sipx1 sendmail[32559]: qAF28Z2x032559: from=<***@rkw-lotus.com>, size=361, class=0, nrcpts=2, msgid=<***@sipx1.sip.tranet.net>, proto=SMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Nov 14 21:08:37 sipx1 sendmail[32559]: qAF28Z2x032559: to=<***@hotmail.com>, delay=00:00:01, mailer=relay, pri=60361, dsn=4.4.3, stat=queued
Nov 14 21:08:37 sipx1 sendmail[32559]: qAF28Z2x032559: to=<***@yahoo.co.uk>, delay=00:00:01, mailer=relay, pri=60361, dsn=4.4.3, stat=queued
Nov 14 21:08:39 sipx1 sendmail[32547]: qAF28Z2x032559: to=<***@yahoo.co.uk>,<***@hotmail.com>, delay=00:00:03, xdelay=00:00:00, mailer=relay, pri=150361, relay=sentinel1.tranet.net. [74.203.219.99], dsn=2.0.0, stat=Sent (Ok: queued as 62A2D1BFDAB)
Nov 14 22:34:23 sipx1 sendmail[1047]: qAF3YKuO001047: from=<***@rkw-lotus.com>, size=5874, class=0, nrcpts=1, msgid=<***@sipx1.sip.tranet.net>, proto=SMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Nov 14 22:34:23 sipx1 sendmail[1047]: qAF3YKuO001047: to=<***@hotmail.com>, delay=00:00:01, mailer=relay, pri=35874, dsn=4.4.3, stat=queued
Nov 14 22:34:25 sipx1 sendmail[32547]: qAF3YKuO001047: to=<***@hotmail.com>, delay=00:00:03, xdelay=00:00:02, mailer=relay, pri=125874, relay=sentinel1.tranet.net. [74.203.219.99], dsn=2.0.0, stat=Sent (Ok: queued as 479D81C0BDE)
Nov 15 01:50:09 sipx1 sendmail[3176]: qAF6o7o5003176: from=<***@rkw-lotus.com>, size=5874, class=0, nrcpts=1, msgid=<***@sipx1.sip.tranet.net>, proto=SMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Nov 15 01:50:09 sipx1 sendmail[3176]: qAF6o7o5003176: to=<***@hotmail.com>, delay=00:00:01, mailer=relay, pri=35874, dsn=4.4.3, stat=queued
Nov 15 01:50:14 sipx1 sendmail[32547]: qAF6o7o5003176: to=<***@hotmail.com>, delay=00:00:06, xdelay=00:00:03, mailer=relay, pri=125874, relay=sentinel1.tranet.net. [74.203.219.99], dsn=2.0.0, stat=Sent (Ok: queued as 309221C0F12)
Nov 15 03:19:19 sipx1 sendmail[4123]: qAF8JHpS004123: from=<***@rkw-lotus.com>, size=5874, class=0, nrcpts=1, msgid=<***@sipx1.sip.tranet.net>, proto=SMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Nov 15 03:19:19 sipx1 sendmail[4123]: qAF8JHpS004123: to=<***@hotmail.com>, delay=00:00:00, mailer=relay, pri=35874, dsn=4.4.3, stat=queued
Nov 15 03:19:23 sipx1 sendmail[32547]: qAF8JHpS004123: to=<***@hotmail.com>, delay=00:00:04, xdelay=00:00:01, mailer=relay, pri=125874, relay=sentinel1.tranet.net. [74.203.219.99], dsn=2.0.0, stat=Sent (Ok: queued as 6B4E11C0F51)
Nov 15 03:26:33 sipx1 sendmail[4210]: qAF8Q78r004210: from=<***@rkw-lotus.com>, size=5925, class=0, nrcpts=50, msgid=<***@sipx1.sip.tranet.net>, proto=SMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]

As opposed to a normal entry:

Nov 15 10:02:23 sipx1 sendmail[11170]: qAFF2NI4011170: from=<***@localhost>, size=335352, class=0, nrcpts=1, msgid=<***@sipx1.sip.tranet.net>, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Nov 15 10:02:23 sipx1 sendmail[11170]: qAFF2NI4011170: to=<***@signmuseum.org>, delay=00:00:00, mailer=relay, pri=365352, dsn=4.4.3, stat=queued
Nov 15 10:02:40 sipx1 sendmail[10780]: qAFF2NI4011170: to=<***@signmuseum.org>, delay=00:00:17, xdelay=00:00:14, mailer=relay, pri=455352, relay=sentinel1.tranet.net. [74.203.219.99], dsn=2.0.0, stat=Sent (Ok: queued as 501B41C1CBE)

So, they are being generated locally, as far as I can tell.

~Noah



_______________________________________________
sipx-users mailing list
sipx-***@list.sipfoundry.org
List Archive: http://list.sipfoundry.org/archive/sipx-users/
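Reading the maillog entries Noah quoted above with a script rather than by eye, as an added example that is not code from the thread or from sipXecs: every spam entry carries relay=localhost.localdomain [127.0.0.1], so the submissions come from a process on the host itself and neither the iptables rules nor the relay access map can stop them. The block groups sendmail log lines by queue id and flags loopback submissions whose envelope sender domain is not one the host legitimately uses. The sample lines are constructed in the same format with placeholder addresses and queue ids, and LOCAL_SENDER_DOMAINS is an assumption.

```python
"""
Triage sendmail maillog entries for spam submitted from the host itself.

Added example; not code from the sipx-users thread or from sipXecs.
Assumed: LOCAL_SENDER_DOMAINS lists the envelope-sender domains this host
legitimately uses; the sample lines are constructed in the thread's log
format with placeholder addresses.
"""
import re
from collections import defaultdict

LOCAL_SENDER_DOMAINS = {"localhost", "sipx1.sip.tranet.net"}  # assumption

# Constructed sample maillog lines (placeholder local parts and queue ids).
SAMPLE_MAILLOG = """\
Nov 14 20:38:28 sipx1 sendmail[31880]: qAF1cSLn031880: from=<user1@aol.org>, size=349, class=0, nrcpts=1, msgid=<id1@sipx1.sip.tranet.net>, proto=SMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Nov 14 20:38:28 sipx1 sendmail[31880]: qAF1cSLn031880: to=<user2@yahoo.co.uk>, delay=00:00:00, mailer=relay, pri=30349, dsn=4.4.3, stat=queued
Nov 15 03:26:33 sipx1 sendmail[4210]: qAF8Q78r004210: from=<user3@rkw-lotus.com>, size=5925, class=0, nrcpts=50, msgid=<id2@sipx1.sip.tranet.net>, proto=SMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Nov 15 10:02:23 sipx1 sendmail[11170]: qAFF2NI4011170: from=<root@localhost>, size=335352, class=0, nrcpts=1, msgid=<id3@sipx1.sip.tranet.net>, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Nov 15 10:02:23 sipx1 sendmail[11170]: qAFF2NI4011170: to=<user4@signmuseum.org>, delay=00:00:00, mailer=relay, pri=365352, dsn=4.4.3, stat=queued
Nov 15 10:02:40 sipx1 sendmail[10780]: qAFF2NI4011170: to=<user4@signmuseum.org>, delay=00:00:17, xdelay=00:00:14, mailer=relay, pri=455352, relay=sentinel1.tranet.net. [74.203.219.99], dsn=2.0.0, stat=Sent (Ok: queued as 501B41C1CBE)
Nov 15 11:00:00 sipx1 sendmail[11500]: qAFG00AA011500: from=<user5@example.net>, size=2000, class=0, nrcpts=1, msgid=<id4@example.net>, proto=ESMTP, daemon=MTA, relay=mail.example.net [203.0.113.5]
"""

# One sendmail line: timestamp, host, sendmail[pid], queue id, key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sendmail\[\d+\]: (?P<qid>\w+): (?P<rest>.*)$"
)
# key=value pairs; a value is one or more <addr> tokens, or runs to the next comma.
FIELD_RE = re.compile(r"(\w+)=(<[^>]*>(?:,<[^>]*>)*|[^,]+)")


def parse_maillog(text):
    """Group log lines by queue id into {qid: {"from": {...} or None, "to": [addrs]}}."""
    msgs = defaultdict(lambda: {"from": None, "to": []})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        fields = dict(FIELD_RE.findall(m.group("rest")))
        entry = msgs[m.group("qid")]
        if "from" in fields:
            entry["from"] = {
                "ts": m.group("ts"),
                "sender": fields["from"].strip("<>"),
                "nrcpts": int(fields.get("nrcpts", "0")),
                "proto": fields.get("proto", ""),
                "relay": fields.get("relay", ""),
            }
        elif "to" in fields:
            for addr in fields["to"].split(","):
                addr = addr.strip("<>")
                if addr not in entry["to"]:  # the queue runner logs the same rcpt again
                    entry["to"].append(addr)
    return dict(msgs)


def is_loopback_submission(relay):
    """True when the message entered sendmail over 127.0.0.1, i.e. from a local process."""
    return "[127.0.0.1]" in relay


def sender_domain(addr):
    return addr.rsplit("@", 1)[-1].lower()


def flag_local_spam(msgs, local_domains=LOCAL_SENDER_DOMAINS):
    """Loopback submissions whose envelope sender is not a local address.

    Returns {qid: (sender, nrcpts, proto)} with the largest recipient counts
    first, so bulk mailings surface at the top.
    """
    hits = {}
    for qid, entry in msgs.items():
        f = entry["from"]
        if f is None or not is_loopback_submission(f["relay"]):
            continue
        if sender_domain(f["sender"]) not in local_domains:
            hits[qid] = (f["sender"], f["nrcpts"], f["proto"])
    return dict(sorted(hits.items(), key=lambda kv: -kv[1][1]))


if __name__ == "__main__":
    for qid, (sender, nrcpts, proto) in flag_local_spam(parse_maillog(SAMPLE_MAILLOG)).items():
        print(f"{qid}: from={sender} nrcpts={nrcpts} proto={proto} (submitted via 127.0.0.1)")
```

Sorting by nrcpts puts the 50-recipient message first. The proto=SMTP on the spam against proto=ESMTP on the legitimate entry is a further hint (the submitting client sent HELO rather than EHLO), but only a hint, since plenty of legitimate scripts do the same. What the maillog cannot tell you is which process on the host is connecting to port 25, which is the question Todd raises above and the one that actually needs answering.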
Todd Hodgen
2012-11-15 17:38:47 UTC
Permalink
Look at var/spool/mail/root. There is a report you can find in there that
shows system activity. Look for entries below "--------------------- pam_unix
Begin ------------------------" and I think you will find the source of your
aggravation.

-----Original Message-----
From: sipx-users-***@list.sipfoundry.org
[mailto:sipx-users-***@list.sipfoundry.org] On Behalf Of Noah Mehl
Sent: Thursday, November 15, 2012 6:29 AM
To: Discussion list for users of sipXecs software
Subject: Re: [sipx-users] Hacked SipXecs 4.4
Noah Mehl
2012-11-15 18:04:22 UTC
Permalink
To that point:

Users logging in through sshd:
PlcmSpIp:
172.129.67.195 (AC8143C3.ipt.aol.com): 1 time

That can't be good. I understand that PlcmSpIp is a user for the Polycom provisioning. I have removed ssh access to the box from the world, but how do I change the default password for that user? This seems like a big security risk, as every sipxecs install probably has this user with a default password?

~Noah

On Nov 15, 2012, at 12:41 PM, Todd Hodgen <***@frontier.com> wrote:

> Look at var/spool/mail/root There is a report you can find in there that
> shows system activity. Look for entries below ---------------------
> pam_unix Begin ------------------------ and I think you will find the source
> of your aggravation.
>
> -----Original Message-----
> From: sipx-users-***@list.sipfoundry.org
> [mailto:sipx-users-***@list.sipfoundry.org] On Behalf Of Noah Mehl
> Sent: Thursday, November 15, 2012 6:29 AM
> To: Discussion list for users of sipXecs software
> Subject: Re: [sipx-users] Hacked SipXecs 4.4
>
> I am seeing more spam in my mail queue. I have iptables installed, and here
> are my rules:
>
> Chain INPUT (policy ACCEPT)
> target prot opt source destination
> RH-Firewall-1-INPUT all -- anywhere anywhere
>
> Chain FORWARD (policy ACCEPT)
> target prot opt source destination
> RH-Firewall-1-INPUT all -- anywhere anywhere
>
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination
>
> Chain RH-Firewall-1-INPUT (2 references)
> target prot opt source destination
> ACCEPT all -- anywhere anywhere
> ACCEPT icmp -- anywhere anywhere icmp any
> ACCEPT esp -- anywhere anywhere
> ACCEPT ah -- anywhere anywhere
> ACCEPT udp -- anywhere 224.0.0.251 udp dpt:mdns
> ACCEPT udp -- anywhere anywhere udp dpt:ipp
> ACCEPT tcp -- anywhere anywhere tcp dpt:ipp
> ACCEPT all -- anywhere anywhere state
> RELATED,ESTABLISHED
> ACCEPT tcp -- anywhere anywhere state NEW tcp
> dpt:pcsync-https
> ACCEPT tcp -- anywhere anywhere state NEW tcp
> dpt:http
> ACCEPT tcp -- anywhere anywhere state NEW tcp
> dpt:xmpp-client
> ACCEPT tcp -- anywhere anywhere state NEW tcp
> dpt:5223
> ACCEPT all -- 192.168.0.0/16 anywhere
> ACCEPT udp -- anywhere anywhere state NEW udp
> dpt:sip
> ACCEPT tcp -- anywhere anywhere state NEW tcp
> dpt:sip
> ACCEPT tcp -- anywhere anywhere state NEW tcp
> dpt:sip-tls
> ACCEPT udp -- sip02.gafachi.com anywhere state NEW udp
> dpts:sip:5080
> ACCEPT udp -- 204.11.192.0/22 anywhere state NEW udp
> dpts:sip:5080
> REJECT all -- anywhere anywhere reject-with
> icmp-host-prohibited
>
> As far as I can tell, no one should be able to use port 25 from the world.
> Also, sendmail is only configured to allow relay from localhost:
>
> [***@sipx1 ~]# cat /etc/mail/access
> # Check the /usr/share/doc/sendmail/README.cf file for a description # of
> the format of this file. (search for access_db in that file) # The
> /usr/share/doc/sendmail/README.cf is part of the sendmail-doc # package.
> #
> # by default we allow relaying from localhost...
> Connect:localhost.localdomain RELAY
> Connect:localhost RELAY
> Connect:127.0.0.1 RELAY
>
> Can someone please help me figure out where this spam is coming from?
> Thanks.
>
> ~Noah
>
> On Oct 13, 2012, at 10:17 AM, Noah Mehl <***@tritonlimited.com> wrote:
>
>> I did not change the configuration of anything related to the PlcmSpIp
> user. It does however make me feel better that it is related to the vsftpd
> service and the polycom phones.
>>
>>> From /etc/passwd:
>>
>> PlcmSpIp:x:500:500::/var/sipxdata/configserver/phone/profile/tftproot:
>> /sbin/nologin
>>
>> So, that user cannot ssh to a shell. So I don't think it was that.
>>
>> ~Noah
>>
>> On Oct 12, 2012, at 9:05 AM, Tony Graziano <***@myitdepartment.net>
> wrote:
>>
>>> ... more -- its a user that does not have login to the OS itself,
>>> just vsftpd, which is restricted to certain commands and must present
>>> a request for its mac address in order to get a configuration file.
>>> It is not logging into linux unless someone changed the rights of the
>>> user.
>>>
>>> On Fri, Oct 12, 2012 at 7:30 AM, George Niculae <***@ezuce.com> wrote:
>>>> On Fri, Oct 12, 2012 at 2:26 PM, Tony Graziano
>>>> <***@myitdepartment.net> wrote:
>>>>> this is not a valid system user unless you have manually added it
>>>>> to the system. I do think the logs would show more if access was
>>>>> granted. Why are you exposing sshd to the outside world with an acl
>>>>> or by protecting it at your firewall?
>>>>>
>>>>
>>>> PlcmSpIp is the user used by polycom phones for fetching config from
>>>> server
>>>>
>>>> George
>>>> _______________________________________________
>>>> sipx-users mailing list
>>>> sipx-***@list.sipfoundry.org
>>>> List Archive: http://list.sipfoundry.org/archive/sipx-users/
>>>
>>>
>>>
>>> --
>>> ~~~~~~~~~~~~~~~~~~
>>> Tony Graziano, Manager
>>> Telephone: 434.984.8430
>>> sip: ***@voice.myitdepartment.net
>>> Fax: 434.465.6833
>>> ~~~~~~~~~~~~~~~~~~
>>> Linked-In Profile:
>>> http://www.linkedin.com/pub/tony-graziano/14/4a6/7a4
>>> Ask about our Internet Fax services!
>>> ~~~~~~~~~~~~~~~~~~
>>>
>>> Using or developing for sipXecs from SIPFoundry? Ask me about sipX-CoLab
> 2013!
>>>
>>> --
>>> LAN/Telephony/Security and Control Systems Helpdesk:
>>> Telephone: 434.984.8426
>>> sip: ***@voice.myitdepartment.net
>>>
>>> Helpdesk Customers: http://myhelp.myitdepartment.net
>>> Blog: http://blog.myitdepartment.net
>>> _______________________________________________
>>> sipx-users mailing list
>>> sipx-***@list.sipfoundry.org
>>> List Archive: http://list.sipfoundry.org/archive/sipx-users/
>>
>>
>> Scanned for viruses and content by the Tranet Spam Sentinel service.
>> _______________________________________________
>> sipx-users mailing list
>> sipx-***@list.sipfoundry.org
>> List Archive: http://list.sipfoundry.org/archive/sipx-users/
>
> _______________________________________________
> sipx-users mailing list
> sipx-***@list.sipfoundry.org
> List Archive: http://list.sipfoundry.org/archive/sipx-users/
>
> _______________________________________________
> sipx-users mailing list
> sipx-***@list.sipfoundry.org
> List Archive: http://list.sipfoundry.org/archive/sipx-users/
Todd Hodgen
2012-11-16 00:06:09 UTC
Permalink
Here is a question I would have as well - 172.129.67.195 seems to be an
address that is local to your network. Who has that IP address, and why are
they attempting to breach that server? If they are not a part of your
network, how are they getting to that server from outside your network -
there has to be an opening in a firewall somewhere that is allowing it.

Remember, this is a phone system, not a firewall, not a router. It's a
phone system with pretty standard authentication requirements; it's up to
the administrator to keep others off of the network.

-----Original Message-----
From: sipx-users-***@list.sipfoundry.org
[mailto:sipx-users-***@list.sipfoundry.org] On Behalf Of Noah Mehl
Sent: Thursday, November 15, 2012 10:04 AM
To: Discussion list for users of sipXecs software
Subject: Re: [sipx-users] Hacked SipXecs 4.4

To that point:

Users logging in through sshd:
PlcmSpIp:
172.129.67.195 (AC8143C3.ipt.aol.com): 1 time

That can't be good. I understand that PlcmSplp is a user for the Polycom
provisioning. I have removed ssh access to the box from the world, but how
do I change the default password for that user? This seems like a big
security risk, as every sipxecs install probably has this user with a
default password?

~Noah

On Nov 15, 2012, at 12:41 PM, Todd Hodgen <***@frontier.com> wrote:

> Look at var/spool/mail/root There is a report you can find in there
that
> shows system activity. Look for entries below ---------------------
> pam_unix Begin ------------------------ and I think you will find the
> source of your aggravation.
>
> -----Original Message-----
> From: sipx-users-***@list.sipfoundry.org
> [mailto:sipx-users-***@list.sipfoundry.org] On Behalf Of Noah Mehl
> Sent: Thursday, November 15, 2012 6:29 AM
> To: Discussion list for users of sipXecs software
> Subject: Re: [sipx-users] Hacked SipXecs 4.4
>
> I am seeing more spam in my mail queue. I have iptables installed,
> and here are my rules:
>
> Chain INPUT (policy ACCEPT)
> target prot opt source destination
> RH-Firewall-1-INPUT all -- anywhere anywhere
>
> Chain FORWARD (policy ACCEPT)
> target prot opt source destination
> RH-Firewall-1-INPUT all -- anywhere anywhere
>
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination
>
> Chain RH-Firewall-1-INPUT (2 references)
> target prot opt source destination
> ACCEPT all -- anywhere anywhere
> ACCEPT icmp -- anywhere anywhere icmp any
> ACCEPT esp -- anywhere anywhere
> ACCEPT ah -- anywhere anywhere
> ACCEPT udp -- anywhere 224.0.0.251 udp dpt:mdns
> ACCEPT udp -- anywhere anywhere udp dpt:ipp
> ACCEPT tcp -- anywhere anywhere tcp dpt:ipp
> ACCEPT all -- anywhere anywhere state
> RELATED,ESTABLISHED
> ACCEPT tcp -- anywhere anywhere state NEW tcp
> dpt:pcsync-https
> ACCEPT tcp -- anywhere anywhere state NEW tcp
> dpt:http
> ACCEPT tcp -- anywhere anywhere state NEW tcp
> dpt:xmpp-client
> ACCEPT tcp -- anywhere anywhere state NEW tcp
> dpt:5223
> ACCEPT all -- 192.168.0.0/16 anywhere
> ACCEPT udp -- anywhere anywhere state NEW udp
> dpt:sip
> ACCEPT tcp -- anywhere anywhere state NEW tcp
> dpt:sip
> ACCEPT tcp -- anywhere anywhere state NEW tcp
> dpt:sip-tls
> ACCEPT udp -- sip02.gafachi.com anywhere state NEW udp
> dpts:sip:5080
> ACCEPT udp -- 204.11.192.0/22 anywhere state NEW udp
> dpts:sip:5080
> REJECT all -- anywhere anywhere reject-with
> icmp-host-prohibited
>
> As far as I can tell, no one should be able to use port 25 from the world.
> Also, sendmail is only configured to allow relay from localhost:
>
> [***@sipx1 ~]# cat /etc/mail/access
> # Check the /usr/share/doc/sendmail/README.cf file for a description #
> of the format of this file. (search for access_db in that file) # The
> /usr/share/doc/sendmail/README.cf is part of the sendmail-doc # package.
> #
> # by default we allow relaying from localhost...
> Connect:localhost.localdomain RELAY
> Connect:localhost RELAY
> Connect:127.0.0.1 RELAY
>
> Can someone please help me figure out where this spam is coming from?
> Thanks.
>
> ~Noah
>
> On Oct 13, 2012, at 10:17 AM, Noah Mehl <***@tritonlimited.com> wrote:
>
>> I did not change the configuration of anything related to the
>> PlcmSpIp
> user. It does however make me feel better that it is related to the
> vsftpd service and the polycom phones.
>>
>>> From /etc/passwd:
>>
>> PlcmSpIp:x:500:500::/var/sipxdata/configserver/phone/profile/tftproot:
>> /sbin/nologin
>>
>> So, that user cannot ssh to a shell. So I don't think it was that.
>>
>> ~Noah
>>
>> On Oct 12, 2012, at 9:05 AM, Tony Graziano
>> <***@myitdepartment.net>
> wrote:
>>
>>> ... more -- its a user that does not have login to the OS itself,
>>> just vsftpd, which is restricted to certain commands and must
>>> present a request for its mac address in order to get a configuration
file.
>>> It is not logging into linux unless someone changed the rights of
>>> the user.
>>>
>>> On Fri, Oct 12, 2012 at 7:30 AM, George Niculae <***@ezuce.com>
wrote:
>>>> On Fri, Oct 12, 2012 at 2:26 PM, Tony Graziano
>>>> <***@myitdepartment.net> wrote:
>>>>> this is not a valid system user unless you have manually added it
>>>>> to the system. I do think the logs would show more if access was
>>>>> granted. Why are you exposing sshd to the outside world with an
>>>>> acl or by protecting it at your firewall?
>>>>>
>>>>
>>>> PlcmSpIp is the user used by polycom phones for fetching config
>>>> from server
>>>>
>>>> George
>>>> _______________________________________________
>>>> sipx-users mailing list
>>>> sipx-***@list.sipfoundry.org
>>>> List Archive: http://list.sipfoundry.org/archive/sipx-users/
>>>
>>>
>>>
>>> --
>>> ~~~~~~~~~~~~~~~~~~
>>> Tony Graziano, Manager
>>> Telephone: 434.984.8430
>>> sip: ***@voice.myitdepartment.net
>>> Fax: 434.465.6833
>>> ~~~~~~~~~~~~~~~~~~
>>> Linked-In Profile:
>>> http://www.linkedin.com/pub/tony-graziano/14/4a6/7a4
>>> Ask about our Internet Fax services!
>>> ~~~~~~~~~~~~~~~~~~
>>>
>>> Using or developing for sipXecs from SIPFoundry? Ask me about
>>> sipX-CoLab
> 2013!
>>>
>>> --
>>> LAN/Telephony/Security and Control Systems Helpdesk:
>>> Telephone: 434.984.8426
>>> sip: ***@voice.myitdepartment.net
>>>
>>> Helpdesk Customers: http://myhelp.myitdepartment.net
>>> Blog: http://blog.myitdepartment.net
>>> _______________________________________________
>>> sipx-users mailing list
>>> sipx-***@list.sipfoundry.org
>>> List Archive: http://list.sipfoundry.org/archive/sipx-users/
>>
>>
>> Scanned for viruses and content by the Tranet Spam Sentinel service.
>> _______________________________________________
>> sipx-users mailing list
>> sipx-***@list.sipfoundry.org
>> List Archive: http://list.sipfoundry.org/archive/sipx-users/
>
> _______________________________________________
> sipx-users mailing list
> sipx-***@list.sipfoundry.org
> List Archive: http://list.sipfoundry.org/archive/sipx-users/
>
> _______________________________________________
> sipx-users mailing list
> sipx-***@list.sipfoundry.org
> List Archive: http://list.sipfoundry.org/archive/sipx-users/
Noah Mehl
2012-11-16 15:07:30 UTC
Permalink
Todd,

The private subnet is: 172.16.0.0 - 172.31.255.255. That IP is a public IP address, which is part of AOL in Nevada, I think. I actually have over 80 different public IP address entries in my log using that user to SSH to my SipXecs box.

I understand that it's a phone system and not a firewall. However, it's a Linux server, and IPtables is the best firewall in the world, IMHO. I did have SSH access open to the world; that was my choice. I have never been bitten by this before. Either way, you should not be able to execute anything by SSH'ing with the PlcmSpIp user, whether it's a public IP or not.

~Noah

On Nov 15, 2012, at 7:07 PM, Todd Hodgen <***@frontier.com> wrote:

> Here is a question I would have as well - 172.129.67.195 seems to be an
> address that is local to your network. Who has that IP address, why are
> they attempting to breach that server. If they are not a part of your
> network, how are they getting to that server from outside your network -
> there has to be an opening in a firewall somewhere that is allowing it.
>
> Remember, this is a phone system, not a firewall, not a router. It's a
> phone system with pretty standard authentication requirements, it's up to
> the administrator to keep others off of the network.
>
> -----Original Message-----
> From: sipx-users-***@list.sipfoundry.org
> [mailto:sipx-users-***@list.sipfoundry.org] On Behalf Of Noah Mehl
> Sent: Thursday, November 15, 2012 10:04 AM
> To: Discussion list for users of sipXecs software
> Subject: Re: [sipx-users] Hacked SipXecs 4.4
>
> To that point:
>
> Users logging in through sshd:
> PlcmSpIp:
> 172.129.67.195 (AC8143C3.ipt.aol.com): 1 time
>
> That can't be good. I understand that PlcmSplp is a user for the Polycom
> provisioning. I have removed ssh access to the box from the world, but how
> do I change the default password for that user? This seems like a big
> security risk, as every sipxecs install probably has this user with a
> default password?
>
> ~Noah
>
> On Nov 15, 2012, at 12:41 PM, Todd Hodgen <***@frontier.com> wrote:
>
>> Look at var/spool/mail/root There is a report you can find in there
> that
>> shows system activity. Look for entries below ---------------------
>> pam_unix Begin ------------------------ and I think you will find the
>> source of your aggravation.
>>
>> -----Original Message-----
>> From: sipx-users-***@list.sipfoundry.org
>> [mailto:sipx-users-***@list.sipfoundry.org] On Behalf Of Noah Mehl
>> Sent: Thursday, November 15, 2012 6:29 AM
>> To: Discussion list for users of sipXecs software
>> Subject: Re: [sipx-users] Hacked SipXecs 4.4
>>
>> I am seeing more spam in my mail queue. I have iptables installed,
>> and here are my rules:
>>
>> Chain INPUT (policy ACCEPT)
>> target prot opt source destination
>> RH-Firewall-1-INPUT all -- anywhere anywhere
>>
>> Chain FORWARD (policy ACCEPT)
>> target prot opt source destination
>> RH-Firewall-1-INPUT all -- anywhere anywhere
>>
>> Chain OUTPUT (policy ACCEPT)
>> target prot opt source destination
>>
>> Chain RH-Firewall-1-INPUT (2 references)
>> target prot opt source destination
>> ACCEPT all -- anywhere anywhere
>> ACCEPT icmp -- anywhere anywhere icmp any
>> ACCEPT esp -- anywhere anywhere
>> ACCEPT ah -- anywhere anywhere
>> ACCEPT udp -- anywhere 224.0.0.251 udp dpt:mdns
>> ACCEPT udp -- anywhere anywhere udp dpt:ipp
>> ACCEPT tcp -- anywhere anywhere tcp dpt:ipp
>> ACCEPT all -- anywhere anywhere state
>> RELATED,ESTABLISHED
>> ACCEPT tcp -- anywhere anywhere state NEW tcp
>> dpt:pcsync-https
>> ACCEPT tcp -- anywhere anywhere state NEW tcp
>> dpt:http
>> ACCEPT tcp -- anywhere anywhere state NEW tcp
>> dpt:xmpp-client
>> ACCEPT tcp -- anywhere anywhere state NEW tcp
>> dpt:5223
>> ACCEPT all -- 192.168.0.0/16 anywhere
>> ACCEPT udp -- anywhere anywhere state NEW udp
>> dpt:sip
>> ACCEPT tcp -- anywhere anywhere state NEW tcp
>> dpt:sip
>> ACCEPT tcp -- anywhere anywhere state NEW tcp
>> dpt:sip-tls
>> ACCEPT udp -- sip02.gafachi.com anywhere state NEW udp
>> dpts:sip:5080
>> ACCEPT udp -- 204.11.192.0/22 anywhere state NEW udp
>> dpts:sip:5080
>> REJECT all -- anywhere anywhere reject-with
>> icmp-host-prohibited
>>
>> As far as I can tell, no one should be able to use port 25 from the world.
>> Also, sendmail is only configured to allow relay from localhost:
>>
>> [***@sipx1 ~]# cat /etc/mail/access
>> # Check the /usr/share/doc/sendmail/README.cf file for a description #
>> of the format of this file. (search for access_db in that file) # The
>> /usr/share/doc/sendmail/README.cf is part of the sendmail-doc # package.
>> #
>> # by default we allow relaying from localhost...
>> Connect:localhost.localdomain RELAY
>> Connect:localhost RELAY
>> Connect:127.0.0.1 RELAY
>>
>> Can someone please help me figure out where this spam is coming from?
>> Thanks.
>>
>> ~Noah
>>
>> On Oct 13, 2012, at 10:17 AM, Noah Mehl <***@tritonlimited.com> wrote:
>>
>>> I did not change the configuration of anything related to the
>>> PlcmSpIp
>> user. It does however make me feel better that it is related to the
>> vsftpd service and the polycom phones.
>>>
>>>> From /etc/passwd:
>>>
>>> PlcmSpIp:x:500:500::/var/sipxdata/configserver/phone/profile/tftproot:
>>> /sbin/nologin
>>>
>>> So, that user cannot ssh to a shell. So I don't think it was that.
>>>
>>> ~Noah
>>>
>>> On Oct 12, 2012, at 9:05 AM, Tony Graziano
>>> <***@myitdepartment.net>
>> wrote:
>>>
>>>> ... more -- its a user that does not have login to the OS itself,
>>>> just vsftpd, which is restricted to certain commands and must
>>>> present a request for its mac address in order to get a configuration
> file.
>>>> It is not logging into linux unless someone changed the rights of
>>>> the user.
>>>>
>>>> On Fri, Oct 12, 2012 at 7:30 AM, George Niculae <***@ezuce.com>
> wrote:
>>>>> On Fri, Oct 12, 2012 at 2:26 PM, Tony Graziano
>>>>> <***@myitdepartment.net> wrote:
>>>>>> this is not a valid system user unless you have manually added it
>>>>>> to the system. I do think the logs would show more if access was
>>>>>> granted. Why are you exposing sshd to the outside world with an
>>>>>> acl or by protecting it at your firewall?
>>>>>>
>>>>>
>>>>> PlcmSpIp is the user used by polycom phones for fetching config
>>>>> from server
>>>>>
>>>>> George
>>>>> _______________________________________________
>>>>> sipx-users mailing list
>>>>> sipx-***@list.sipfoundry.org
>>>>> List Archive: http://list.sipfoundry.org/archive/sipx-users/
>>>>
>>>>
>>>>
>>>> --
>>>> ~~~~~~~~~~~~~~~~~~
>>>> Tony Graziano, Manager
>>>> Telephone: 434.984.8430
>>>> sip: ***@voice.myitdepartment.net
>>>> Fax: 434.465.6833
>>>> ~~~~~~~~~~~~~~~~~~
>>>> Linked-In Profile:
>>>> http://www.linkedin.com/pub/tony-graziano/14/4a6/7a4
>>>> Ask about our Internet Fax services!
>>>> ~~~~~~~~~~~~~~~~~~
>>>>
>>>> Using or developing for sipXecs from SIPFoundry? Ask me about
>>>> sipX-CoLab
>> 2013!
>>>>
>>>> --
>>>> LAN/Telephony/Security and Control Systems Helpdesk:
>>>> Telephone: 434.984.8426
>>>> sip: ***@voice.myitdepartment.net
>>>>
>>>> Helpdesk Customers: http://myhelp.myitdepartment.net
>>>> Blog: http://blog.myitdepartment.net
>>>> _______________________________________________
>>>> sipx-users mailing list
>>>> sipx-***@list.sipfoundry.org
>>>> List Archive: http://list.sipfoundry.org/archive/sipx-users/
>>>
>>>
>>> Scanned for viruses and content by the Tranet Spam Sentinel service.
>>> _______________________________________________
>>> sipx-users mailing list
>>> sipx-***@list.sipfoundry.org
>>> List Archive: http://list.sipfoundry.org/archive/sipx-users/
>>
>> _______________________________________________
>> sipx-users mailing list
>> sipx-***@list.sipfoundry.org
>> List Archive: http://list.sipfoundry.org/archive/sipx-users/
>>
>> _______________________________________________
>> sipx-users mailing list
>> sipx-***@list.sipfoundry.org
>> List Archive: http://list.sipfoundry.org/archive/sipx-users/
>
> _______________________________________________
> sipx-users mailing list
> sipx-***@list.sipfoundry.org
> List Archive: http://list.sipfoundry.org/archive/sipx-users/
>
> _______________________________________________
> sipx-users mailing list
> sipx-***@list.sipfoundry.org
> List Archive: http://list.sipfoundry.org/archive/sipx-users/
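Two things in this exchange can be checked mechanically rather than by eye: whether the provisioning user has actually authenticated over ssh, and whether a source address such as 172.129.67.195 sits inside the 172.16.0.0/12 private block (it does not; that block ends at 172.31.255.255). The Python script below is an added example for this page, not code from the thread or from the sipXecs project. The log lines it parses are constructed, and it assumes the RHEL/CentOS-style `/var/log/secure` format in which a successful login is recorded as `sshd[PID]: Accepted METHOD for USER from IP port N`.

```python
import ipaddress
import re
from collections import defaultdict

# sshd's "Accepted" line as written to /var/log/secure on RHEL/CentOS-style systems
# (assumed format; adjust the pattern if your distribution logs differently).
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) "
    r"from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)

# The address blocks RFC 1918 reserves for private use, plus loopback.
# 172.16.0.0/12 covers 172.16.0.0 - 172.31.255.255 only; 172.129.x.x is public.
PRIVATE_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
]

# Constructed sample log, not taken from any real server. 172.129.67.195 is the
# address quoted in the thread; the other addresses are made up for illustration.
SAMPLE_LOG = """\
Nov 15 03:12:41 sipx1 sshd[4101]: Accepted password for PlcmSpIp from 172.129.67.195 port 51234 ssh2
Nov 15 03:12:41 sipx1 sshd[4101]: pam_unix(sshd:session): session opened for user PlcmSpIp by (uid=0)
Nov 15 08:30:02 sipx1 sshd[4387]: Accepted publickey for admin from 172.16.4.20 port 40112 ssh2
Nov 15 09:01:17 sipx1 sshd[4402]: Accepted password for PlcmSpIp from 198.51.100.7 port 60001 ssh2
Nov 15 09:05:55 sipx1 sshd[4410]: Failed password for PlcmSpIp from 203.0.113.9 port 33001 ssh2
Nov 15 10:00:00 sipx1 sshd[4500]: Accepted password for PlcmSpIp from 192.168.1.50 port 42000 ssh2
"""


def is_rfc1918(ip):
    """True if ip falls inside an RFC 1918 block (or loopback), otherwise False."""
    addr = ipaddress.ip_address(ip)
    # An IPv6 address is never inside an IPv4 network, so this is safe for both families.
    return any(addr in net for net in PRIVATE_NETS)


def accepted_logins(log_text):
    """Yield (user, ip, auth_method) for every successful sshd authentication in the log."""
    for line in log_text.splitlines():
        m = ACCEPTED_RE.search(line)
        if m:
            yield m["user"], m["ip"], m["method"]


def public_logins_for(log_text, watched_users):
    """Count successful logins per (user, ip) for watched users coming from non-private addresses."""
    counts = defaultdict(int)
    for user, ip, _method in accepted_logins(log_text):
        if user in watched_users and not is_rfc1918(ip):
            counts[(user, ip)] += 1
    return dict(counts)


if __name__ == "__main__":
    # On a real system: public_logins_for(open("/var/log/secure").read(), {"PlcmSpIp"})
    for (user, ip), n in sorted(public_logins_for(SAMPLE_LOG, {"PlcmSpIp"}).items()):
        print(f"{user} from public address {ip}: {n} login(s)")
```

The script keys on the `Accepted` line rather than on the `pam_unix(sshd:session): session opened` lines quoted earlier in the thread, because the PAM line carries no source address. Failed attempts are deliberately ignored; the question here is which successful sessions came from outside the private ranges.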
Gerald Drouillard
2012-11-16 15:25:33 UTC
Permalink
On 11/16/2012 10:07 AM, Noah Mehl wrote:
> Todd,
>
> The private subnet is: 172.16.0.0 - 172.31.255.255. That IP is a public IP address, which is part of AOL in Nevada I think. I actually have over 80 different public IP address entries in my log using that user to SSH to my SipXecs box.
>
> I understand that it's a phone system and not a firewall. However it's a linux server, and IPtables is the best firewall in world, IMHO. I did have SSH access open to the world, that was my choice. I have never been bitten by this before. Either way, you should not be able to execute anything by SSH'ing with the PlcmSpIp user, whether it's a public IP or not.
>
>
I would recommend all your ssh servers have sshd_config with at least:
AllowUsers user1name,user2name
PermitRootLogin no

I am also a big fan of fail2ban

--
Regards
--------------------------------------
Gerald Drouillard
Technology Architect
Drouillard & Associates, Inc.
http://www.Drouillard.biz
Tony Graziano
2012-11-16 16:26:01 UTC
Permalink
It really sounds like you don't have a method to harden your server if you
are exposing it. It's entirely possible you were targeted with a DDoS attack
that overwhelmed the Linux system. If you had properly crafted iptables
rules and ssh protection mechanisms it would most likely not have
happened.

Any DoS or DDoS can overwhelm system services to the point of failure, thus
allowing (by unavailability) internal logging or protection mechanisms. Put
the server behind a firewall and protect the vulnerable service (ssh) by
limiting the footprint. Back up the system, wipe and restore it in the event
a root kit was planted.

I don't think iptables was adequately configured. I don't think there is
anything inherently wrong with Sipx here either.

It is a phone system. It is up to you to protect and/or harden it. Any
vulnerabilities exposed are really Linux vulnerabilities and Linux is not
hack proof.

Good luck.
On Nov 16, 2012 10:07 AM, "Noah Mehl" <***@tritonlimited.com> wrote:

> Todd,
>
> The private subnet is: 172.16.0.0 - 172.31.255.255. That IP is a public
> IP address, which is part of AOL in Nevada I think. I actually have over
> 80 different public IP address entries in my log using that user to SSH to
> my SipXecs box.
>
> I understand that it's a phone system and not a firewall. However it's a
> linux server, and IPtables is the best firewall in world, IMHO. I did have
> SSH access open to the world, that was my choice. I have never been bitten
> by this before. Either way, you should not be able to execute anything by
> SSH'ing with the PlcmSpIp user, whether it's a public IP or not.
>
> ~Noah
>
> On Nov 15, 2012, at 7:07 PM, Todd Hodgen <***@frontier.com> wrote:
>
> > Here is a question I would have as well - 172.129.67.195 seems to be an
> > address that is local to your network. Who has that IP address, why are
> > they attempting to breach that server. If they are not a part of your
> > network, how are they getting to that server from outside your network -
> > there has to be an opening in a firewall somewhere that is allowing it.
> >
> > Remember, this is a phone system, not a firewall, not a router. It's a
> > phone system with pretty standard authentication requirements, it's up to
> > the administrator to keep others off of the network.
> >
> > -----Original Message-----
> > From: sipx-users-***@list.sipfoundry.org
> > [mailto:sipx-users-***@list.sipfoundry.org] On Behalf Of Noah Mehl
> > Sent: Thursday, November 15, 2012 10:04 AM
> > To: Discussion list for users of sipXecs software
> > Subject: Re: [sipx-users] Hacked SipXecs 4.4
> >
> > To that point:
> >
> > Users logging in through sshd:
> > PlcmSpIp:
> > 172.129.67.195 (AC8143C3.ipt.aol.com): 1 time
> >
> > That can't be good. I understand that PlcmSplp is a user for the Polycom
> > provisioning. I have removed ssh access to the box from the world, but
> how
> > do I change the default password for that user? This seems like a big
> > security risk, as every sipxecs install probably has this user with a
> > default password?
> >
> > ~Noah
> >
> > On Nov 15, 2012, at 12:41 PM, Todd Hodgen <***@frontier.com> wrote:
> >
> >> Look at var/spool/mail/root There is a report you can find in there
> > that
> >> shows system activity. Look for entries below ---------------------
> >> pam_unix Begin ------------------------ and I think you will find the
> >> source of your aggravation.
> >>
> >> -----Original Message-----
> >> From: sipx-users-***@list.sipfoundry.org
> >> [mailto:sipx-users-***@list.sipfoundry.org] On Behalf Of Noah Mehl
> >> Sent: Thursday, November 15, 2012 6:29 AM
> >> To: Discussion list for users of sipXecs software
> >> Subject: Re: [sipx-users] Hacked SipXecs 4.4
> >>
> >> I am seeing more spam in my mail queue. I have iptables installed,
> >> and here are my rules:
> >>
> >> Chain INPUT (policy ACCEPT)
> >> target prot opt source destination
> >> RH-Firewall-1-INPUT all -- anywhere anywhere
> >>
> >> Chain FORWARD (policy ACCEPT)
> >> target prot opt source destination
> >> RH-Firewall-1-INPUT all -- anywhere anywhere
> >>
> >> Chain OUTPUT (policy ACCEPT)
> >> target prot opt source destination
> >>
> >> Chain RH-Firewall-1-INPUT (2 references)
> >> target prot opt source destination
> >> ACCEPT all -- anywhere anywhere
> >> ACCEPT icmp -- anywhere anywhere icmp any
> >> ACCEPT esp -- anywhere anywhere
> >> ACCEPT ah -- anywhere anywhere
> >> ACCEPT udp -- anywhere 224.0.0.251 udp
> dpt:mdns
> >> ACCEPT udp -- anywhere anywhere udp dpt:ipp
> >> ACCEPT tcp -- anywhere anywhere tcp dpt:ipp
> >> ACCEPT all -- anywhere anywhere state
> >> RELATED,ESTABLISHED
> >> ACCEPT tcp -- anywhere anywhere state NEW
> tcp
> >> dpt:pcsync-https
> >> ACCEPT tcp -- anywhere anywhere state NEW
> tcp
> >> dpt:http
> >> ACCEPT tcp -- anywhere anywhere state NEW
> tcp
> >> dpt:xmpp-client
> >> ACCEPT tcp -- anywhere anywhere state NEW
> tcp
> >> dpt:5223
> >> ACCEPT all -- 192.168.0.0/16 anywhere
> >> ACCEPT udp -- anywhere anywhere state NEW
> udp
> >> dpt:sip
> >> ACCEPT tcp -- anywhere anywhere state NEW
> tcp
> >> dpt:sip
> >> ACCEPT tcp -- anywhere anywhere state NEW
> tcp
> >> dpt:sip-tls
> >> ACCEPT udp -- sip02.gafachi.com anywhere state NEW
> udp
> >> dpts:sip:5080
> >> ACCEPT udp -- 204.11.192.0/22 anywhere state NEW
> udp
> >> dpts:sip:5080
> >> REJECT all -- anywhere anywhere reject-with
> >> icmp-host-prohibited
> >>
> >> As far as I can tell, no one should be able to use port 25 from the
> world.
> >> Also, sendmail is only configured to allow relay from localhost:
> >>
> >> [***@sipx1 ~]# cat /etc/mail/access
> >> # Check the /usr/share/doc/sendmail/README.cf file for a description #
> >> of the format of this file. (search for access_db in that file) # The
> >> /usr/share/doc/sendmail/README.cf is part of the sendmail-doc # package.
> >> #
> >> # by default we allow relaying from localhost...
> >> Connect:localhost.localdomain RELAY
> >> Connect:localhost RELAY
> >> Connect:127.0.0.1 RELAY
> >>
> >> Can someone please help me figure out where this spam is coming from?
> >> Thanks.
> >>
> >> ~Noah
> >>
> >> On Oct 13, 2012, at 10:17 AM, Noah Mehl <***@tritonlimited.com> wrote:
> >>
> >>> I did not change the configuration of anything related to the
> >>> PlcmSpIp
> >> user. It does however make me feel better that it is related to the
> >> vsftpd service and the polycom phones.
> >>>
> >>>> From /etc/passwd:
> >>>
> >>> PlcmSpIp:x:500:500::/var/sipxdata/configserver/phone/profile/tftproot:
> >>> /sbin/nologin
> >>>
> >>> So, that user cannot ssh to a shell. So I don't think it was that.
> >>>
> >>> ~Noah
> >>>
> >>> On Oct 12, 2012, at 9:05 AM, Tony Graziano
> >>> <***@myitdepartment.net>
> >> wrote:
> >>>
> >>>> ... more -- its a user that does not have login to the OS itself,
> >>>> just vsftpd, which is restricted to certain commands and must
> >>>> present a request for its mac address in order to get a configuration
> > file.
> >>>> It is not logging into linux unless someone changed the rights of
> >>>> the user.
> >>>>
> >>>> On Fri, Oct 12, 2012 at 7:30 AM, George Niculae <***@ezuce.com>
> > wrote:
> >>>>> On Fri, Oct 12, 2012 at 2:26 PM, Tony Graziano
> >>>>> <***@myitdepartment.net> wrote:
> >>>>>> this is not a valid system user unless you have manually added it
> >>>>>> to the system. I do think the logs would show more if access was
> >>>>>> granted. Why are you exposing sshd to the outside world with an
> >>>>>> acl or by protecting it at your firewall?
> >>>>>>
> >>>>>
> >>>>> PlcmSpIp is the user used by polycom phones for fetching config
> >>>>> from server
> >>>>>
> >>>>> George

--
LAN/Telephony/Security and Control Systems Helpdesk:
Telephone: 434.984.8426
sip: ***@voice.myitdepartment.net

Helpdesk Customers: http://myhelp.myitdepartment.net
Blog: http://blog.myitdepartment.net
Noah Mehl
2012-11-16 16:36:29 UTC
Permalink
The only hardening required to solve this particular problem would be an addition to the sshd config:

DenyUsers PlcmSpIp

I think this should be included in the default distribution of SipXecs isos and/or packages (I've only ever used the iso) because this is something that is specific to the distribution. That user, and its password and access, are created by SipXecs, and that addition to the sshd config should be made OOTB. Unless someone has a reason that PlcmSpIp should be able to have any ssh access?

I'd really like some input from someone from eZuce, as this is an easy solution and protects the entire community.

This was NOT a DDOS attack. The issue is that the PlcmSpIp user has a default password of PlcmSpIp, and there's something about the default access of that user that allows remote execution via SSH OOTB, and that IS a security issue. You know why? Because as far as I know, no other default linux service account is susceptible to this attack. Probably because linux system accounts DON'T HAVE PASSWORDS! In other words, if you're creating service users with default passwords, they probably should be denied from ssh OOTB. This is also not documented as far as I can tell...

~Noah

On Nov 16, 2012, at 11:26 AM, Tony Graziano <***@myitdepartment.net> wrote:


It really sounds like you don't have a method to harden your server if you are exposing it. It's entirely possible you were targeted with a ddos attack that overwhelmed the Linux system. If you had properly crafted iptables rules and ssh protection mechanisms it would most likely not have happened.

Any dos or ddos can overwhelm system services to the point of failure, thus allowing (by unavailability) internal logging or protection mechanisms. Put the server behind a firewall and protect the vulnerable service (ssh) by limiting the footprint. Backup the system, wipe and restore it in the event a root kit was planted.

I don't think iptables was adequately configured. I don't think there is anything inherently wrong with Sipx here either.

It is a phone system. It is up to you to protect and/or harden it. Any vulnerabilities exposed are really Linux vulnerabilities and Linux is not hack proof.

Good luck.

On Nov 16, 2012 10:07 AM, "Noah Mehl" <***@tritonlimited.com> wrote:
Todd,

The private subnet is: 172.16.0.0 - 172.31.255.255. That IP is a public IP address, which is part of AOL in Nevada I think. I actually have over 80 different public IP address entries in my log using that user to SSH to my SipXecs box.

I understand that it's a phone system and not a firewall. However it's a linux server, and IPtables is the best firewall in the world, IMHO. I did have SSH access open to the world, that was my choice. I have never been bitten by this before. Either way, you should not be able to execute anything by SSH'ing with the PlcmSpIp user, whether it's a public IP or not.

~Noah

On Nov 15, 2012, at 7:07 PM, Todd Hodgen <***@frontier.com> wrote:

> Here is a question I would have as well - 172.129.67.195 seems to be an
> address that is local to your network. Who has that IP address, why are
> they attempting to breach that server. If they are not a part of your
> network, how are they getting to that server from outside your network -
> there has to be an opening in a firewall somewhere that is allowing it.
>
> Remember, this is a phone system, not a firewall, not a router. It's a
> phone system with pretty standard authentication requirements, it's up to
> the administrator to keep others off of the network.
>
> -----Original Message-----
> From: sipx-users-***@list.sipfoundry.org
> [mailto:sipx-users-***@list.sipfoundry.org] On Behalf Of Noah Mehl
> Sent: Thursday, November 15, 2012 10:04 AM
> To: Discussion list for users of sipXecs software
> Subject: Re: [sipx-users] Hacked SipXecs 4.4
>
> To that point:
>
> Users logging in through sshd:
> PlcmSpIp:
> 172.129.67.195 (AC8143C3.ipt.aol.com): 1 time
>
> That can't be good. I understand that PlcmSplp is a user for the Polycom
> provisioning. I have removed ssh access to the box from the world, but how
> do I change the default password for that user? This seems like a big
> security risk, as every sipxecs install probably has this user with a
> default password?
>
> ~Noah
>
> On Nov 15, 2012, at 12:41 PM, Todd Hodgen <***@frontier.com> wrote:
>
>> Look at /var/spool/mail/root. There is a report you can find in there that
>> shows system activity. Look for entries below ---------------------
>> pam_unix Begin ------------------------ and I think you will find the
>> source of your aggravation.
>>
>> -----Original Message-----
>> From: sipx-users-***@list.sipfoundry.org
>> [mailto:sipx-users-***@list.sipfoundry.org] On Behalf Of Noah Mehl
>> Sent: Thursday, November 15, 2012 6:29 AM
>> To: Discussion list for users of sipXecs software
>> Subject: Re: [sipx-users] Hacked SipXecs 4.4
>>
>> I am seeing more spam in my mail queue. I have iptables installed,
>> and here are my rules:
>>
>> Chain INPUT (policy ACCEPT)
>> target prot opt source destination
>> RH-Firewall-1-INPUT all -- anywhere anywhere
>>
>> Chain FORWARD (policy ACCEPT)
>> target prot opt source destination
>> RH-Firewall-1-INPUT all -- anywhere anywhere
>>
>> Chain OUTPUT (policy ACCEPT)
>> target prot opt source destination
>>
>> Chain RH-Firewall-1-INPUT (2 references)
>> target prot opt source destination
>> ACCEPT all -- anywhere anywhere
>> ACCEPT icmp -- anywhere anywhere icmp any
>> ACCEPT esp -- anywhere anywhere
>> ACCEPT ah -- anywhere anywhere
>> ACCEPT udp -- anywhere 224.0.0.251 udp dpt:mdns
>> ACCEPT udp -- anywhere anywhere udp dpt:ipp
>> ACCEPT tcp -- anywhere anywhere tcp dpt:ipp
>> ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
>> ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:pcsync-https
>> ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
>> ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:xmpp-client
>> ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:5223
>> ACCEPT all -- 192.168.0.0/16 anywhere
>> ACCEPT udp -- anywhere anywhere state NEW udp dpt:sip
>> ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:sip
>> ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:sip-tls
>> ACCEPT udp -- sip02.gafachi.com anywhere state NEW udp dpts:sip:5080
>> ACCEPT udp -- 204.11.192.0/22 anywhere state NEW udp dpts:sip:5080
>> REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
>>
>> As far as I can tell, no one should be able to use port 25 from the world.
>> Also, sendmail is only configured to allow relay from localhost:
>>
>> [***@sipx1 ~]# cat /etc/mail/access
>> # Check the /usr/share/doc/sendmail/README.cf file for a description
>> # of the format of this file. (search for access_db in that file)
>> # The /usr/share/doc/sendmail/README.cf is part of the sendmail-doc
>> # package.
>> #
>> # by default we allow relaying from localhost...
>> Connect:localhost.localdomain RELAY
>> Connect:localhost RELAY
>> Connect:127.0.0.1 RELAY
>>
>> Can someone please help me figure out where this spam is coming from?
>> Thanks.
>>
>> ~Noah
>>
>> On Oct 13, 2012, at 10:17 AM, Noah Mehl <***@tritonlimited.com> wrote:
>>
>>> I did not change the configuration of anything related to the PlcmSpIp
>>> user. It does however make me feel better that it is related to the
>>> vsftpd service and the polycom phones.
>>>
>>> From /etc/passwd:
>>>
>>> PlcmSpIp:x:500:500::/var/sipxdata/configserver/phone/profile/tftproot:/sbin/nologin
>>>
>>> So, that user cannot ssh to a shell. So I don't think it was that.
>>>
>>> ~Noah
>>>
>>> On Oct 12, 2012, at 9:05 AM, Tony Graziano <***@myitdepartment.net> wrote:
>>>
>>>> ... more -- it's a user that does not have login to the OS itself,
>>>> just vsftpd, which is restricted to certain commands and must
>>>> present a request for its mac address in order to get a configuration file.
>>>> It is not logging into linux unless someone changed the rights of
>>>> the user.
>>>>
>>>> On Fri, Oct 12, 2012 at 7:30 AM, George Niculae <***@ezuce.com> wrote:
>>>>> On Fri, Oct 12, 2012 at 2:26 PM, Tony Graziano
>>>>> <***@myitdepartment.net> wrote:
>>>>>> this is not a valid system user unless you have manually added it
>>>>>> to the system. I do think the logs would show more if access was
>>>>>> granted. Why are you exposing sshd to the outside world with an
>>>>>> acl or by protecting it at your firewall?
>>>>>>
>>>>>
>>>>> PlcmSpIp is the user used by polycom phones for fetching config
>>>>> from server
>>>>>
>>>>> George

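As an added example, not code from this thread or from the sipXecs project, here is a small audit of an sshd_config for the PlcmSpIp account: it shows that a stock-looking config still permits password login and TCP port forwarding for the account even though its shell is /sbin/nologin, what the DenyUsers line above changes, and what a Match block (OpenSSH 4.4 or later) would change instead. The config texts are constructed samples, and the parser covers only the DenyUsers/AllowUsers and Match User semantics it needs.

```python
"""Audit an sshd_config for a service account such as PlcmSpIp.

Added example, not code from this thread or from sipXecs.  Modelled rules:
  * DenyUsers is checked before AllowUsers; both take glob patterns
    (optionally user@host; the host part is ignored here).
  * sshd keeps the FIRST value it sees for a keyword; a "Match User"
    block (OpenSSH 4.4 and later) overrides the global value for that user.
  * A /sbin/nologin shell only blocks an interactive shell; it does not
    stop password authentication or "ssh -N -L/-R" port forwarding.
The config texts below are constructed samples.
"""
import fnmatch
import re

DEFAULTS = {"passwordauthentication": "yes", "allowtcpforwarding": "yes"}
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}


def parse_sshd_config(text):
    """Return ({keyword: first value}, [({criterion: [patterns]}, {keyword:
    first value}), ...]); only the "Keyword value" form is handled."""
    global_values, match_blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and blanks
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":                         # start of a Match block
            tokens = value.split()
            criteria = {tokens[i].lower(): tokens[i + 1].split(",")
                        for i in range(0, len(tokens) - 1, 2)}
            current = (criteria, {})
            match_blocks.append(current)
            continue
        target = global_values if current is None else current[1]
        target.setdefault(key, value)              # first value wins
    return global_values, match_blocks


def _glob_any(user, patterns):
    """True if `user` matches any comma/space separated glob in `patterns`."""
    for pat in re.split(r"[\s,]+", patterns.strip()):
        if pat and fnmatch.fnmatchcase(user, pat.partition("@")[0]):
            return True
    return False


def effective(cfg, key, user):
    """Value of `key` for `user`: first Match block whose criteria are all
    User patterns matching `user`, else the global value, else the default.
    Blocks with other criteria (Address, Group, ...) are treated as not
    matching, because only the user name is known to this audit."""
    global_values, match_blocks = cfg
    for criteria, values in match_blocks:
        if (set(criteria) == {"user"} and key in values
                and any(fnmatch.fnmatchcase(user, p) for p in criteria["user"])):
            return values[key]
    return global_values.get(key, DEFAULTS[key])


def audit_user(config_text, user, shell):
    """What `user` (login shell `shell`) can still do under `config_text`."""
    cfg = parse_sshd_config(config_text)
    global_values, _ = cfg
    denied = _glob_any(user, global_values.get("denyusers", ""))
    allow_list = global_values.get("allowusers", "")
    listed = not allow_list or _glob_any(user, allow_list)
    password_login = (not denied and listed
                      and effective(cfg, "passwordauthentication", user) == "yes")
    return {
        "password_login": password_login,
        "interactive_shell": password_login and shell not in NOLOGIN_SHELLS,
        "port_forwarding": password_login
        and effective(cfg, "allowtcpforwarding", user) != "no",
    }


# Constructed sample: a stock-looking config that says nothing about PlcmSpIp.
STOCK = "Protocol 2\nPasswordAuthentication yes\nUsePAM yes\n"
# Noah's one-line fix from the thread: reject the account at authentication.
DENY = STOCK + "DenyUsers PlcmSpIp\n"
# Alternative (OpenSSH 4.4+): keep the account but strip port forwarding.
MATCH = STOCK + "Match User PlcmSpIp\n    AllowTcpForwarding no\n"
PLCM_SHELL = "/sbin/nologin"   # the shell shown for PlcmSpIp in the thread


def main():
    for name, text in (("stock", STOCK), ("DenyUsers", DENY), ("Match", MATCH)):
        print(f"{name:10}", audit_user(text, "PlcmSpIp", PLCM_SHELL))


if __name__ == "__main__":
    main()
```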
Tony Graziano
2012-11-16 16:46:25 UTC
Permalink
The user doesn't have login via ssh. Ssh in and of itself is not protected
and it is exposed.

It is trivial to change the user password and/or delete it. We typically
don't expose ssh at all. You haven't provided any real evidence that a
dictionary attack didn't overwhelm the pam service either.

I don't share your opinion here. My firewall protects against all kinds of
ids stuff even if I had ssh open. Just because you have iptables running it
doesn't mean you are inherently secure at all.

Our firewalls sitting in front of sipx had ids rules running that would
protect anything behind it from a known attack against a well known service
like ssh. Ssh has lots of options which should be exercised according to
your security border device.
On Nov 16, 2012 11:36 AM, "Noah Mehl" <***@tritonlimited.com> wrote:

> The only hardening required to solve this particular problem would be an
> addition to the sshd config:
>
> DenyUsers PlcmSpIp
>
> I think this should be included in the default distribution of SipXecs
> isos and/or packages (I've only ever used the iso) because this is
> something that is specific to the distribution. That user, and its
> password and access, are created by SipXecs, and that addition to the sshd
> config should be made OOTB. Unless someone has a reason that PlcmSpIp
> should be able to have any ssh access?
>
> I'd really like some input from someone from eZuce, as this is an easy
> solution and protects the entire community.
>
> This was NOT a DDOS attack. The issue is that the PlcmSpIp user has a
> default password of PlcmSpIp, and there's something about the default
> access of that user that allows remote execution via SSH OOTB, and that
> *IS* a security issue. You know why? Because as far as I know, no other
> default linux service account is susceptible to this attack. Probably
> because linux system accounts DON'T HAVE PASSWORDS! In other words, if
> you're creating service users with default passwords, they probably should
> be denied from ssh OOTB. This is also not documented as far as I can
> tell...
>
> ~Noah

--
LAN/Telephony/Security and Control Systems Helpdesk:
Telephone: 434.984.8426
sip: ***@voice.myitdepartment.net

Helpdesk Customers: http://myhelp.myitdepartment.net
Blog: http://blog.myitdepartment.net
Noah Mehl
2012-11-16 17:45:55 UTC
Permalink
Tony,

I just figured out an exploit in 15 minutes with the help of Google http://www.semicomplete.com/articles/ssh-security/:

$sudo ssh -vN -L25:localhost:25 ***@sipxecsip
$sudo ssh -vN -R25:localhost:25 ***@sipxecsip
$telnet localhost 25

Tell me if your ids stops that?

This works on a stock SipXecs 4.4.0 install.

~Noah

On Nov 16, 2012, at 11:46 AM, Tony Graziano <***@myitdepartment.net> wrote:


The user doesn't have login via ssh. Ssh in and of itself is not protected and it is exposed.

It is trivial to change the user password and/or delete it. We typically don't expose ssh at all. You haven't provided any real evidence that a dictionary attack didn't overwhelm the pam service either.

I don't share your opinion here. My firewall protects against all kinds of ids stuff even if I had ssh open. Just because you have iptables running it doesn't mean you are inherently secure at all.

Our firewalls sitting in front of sipx had ids rules running that would protect anything behind it from a known attack against a well known service like ssh. Ssh has lots of options which should be exercised according to your security border device.

On Nov 16, 2012 11:36 AM, "Noah Mehl" <***@tritonlimited.com> wrote:
The only hardening required to solve this particular problem would be an addition to the sshd config:

DenyUsers PlcmSpIp

I think this should be included in the default distribution of SipXecs isos and/or packages (I've only ever used the iso) because this is something that is specific to the distribution. That user, and its password and access, are created by SipXecs, and that addition to the sshd config should be made OOTB. Unless someone has a reason that PlcmSpIp should be able to have any ssh access?

I'd really like some input from someone from eZuce, as this is an easy solution and protects the entire community.

This was NOT a DDOS attack. The issue is that the PlcmSpIp user has a default password of PlcmSpIp, and there's something about the default access of that user that allows remote execution via SSH OOTB, and that IS a security issue. You know why? Because as far as I know, no other default linux service account is susceptible to this attack. Probably because linux system accounts DON'T HAVE PASSWORDS! In other words, if you're creating service users with default passwords, they probably should be denied from ssh OOTB. This is also not documented as far as I can tell...

~Noah

On Nov 16, 2012, at 11:26 AM, Tony Graziano <***@myitdepartment.net> wrote:


It really sounds like you don't have a method to harden your server if you are exposing it. It's entirely possible you were targeted with a ddos attack that overwhelmed the Linux system. If you had properly crafted iptables rules and ssh protection mechanisms it would most likely not have happened.

Any dos or ddos can overwhelm system services to the point of failure, thus allowing (by unavailability) internal logging or protection mechanisms. Put the server behind a firewall and protect the vulnerable service (ssh) by limiting the footprint. Backup the system, wipe and restore it in the event a root kit was planted.

I don't think iptables was adequately configured. I don't think there is anything inherently wrong with Sipx here either.

It is a phone system. It is up to you to protect and/or harden it. Any vulnerabilities exposed are really Linux vulnerabilities and Linux is not hack proof.

Good luck.

On Nov 16, 2012 10:07 AM, "Noah Mehl" <***@tritonlimited.com> wrote:
Todd,

The private subnet is: 172.16.0.0 - 172.31.255.255. That IP is a public IP address, which is part of AOL in Nevada I think. I actually have over 80 different public IP address entries in my log using that user to SSH to my SipXecs box.

I understand that it's a phone system and not a firewall. However it's a linux server, and IPtables is the best firewall in the world, IMHO. I did have SSH access open to the world, that was my choice. I have never been bitten by this before. Either way, you should not be able to execute anything by SSH'ing with the PlcmSpIp user, whether it's a public IP or not.

~Noah

On Nov 15, 2012, at 7:07 PM, Todd Hodgen <***@frontier.com> wrote:

> Here is a question I would have as well - 172.129.67.195 seems to be an
> address that is local to your network. Who has that IP address, why are
> they attempting to breach that server. If they are not a part of your
> network, how are they getting to that server from outside your network -
> there has to be an opening in a firewall somewhere that is allowing it.
>
> Remember, this is a phone system, not a firewall, not a router. It's a
> phone system with pretty standard authentication requirements, it's up to
> the administrator to keep others off of the network.
>
> -----Original Message-----
> From: sipx-users-***@list.sipfoundry.org
> [mailto:sipx-users-***@list.sipfoundry.org] On Behalf Of Noah Mehl
> Sent: Thursday, November 15, 2012 10:04 AM
> To: Discussion list for users of sipXecs software
> Subject: Re: [sipx-users] Hacked SipXecs 4.4
>
> To that point:
>
> Users logging in through sshd:
> PlcmSpIp:
> 172.129.67.195 (AC8143C3.ipt.aol.com): 1 time
>
> That can't be good. I understand that PlcmSpIp is a user for the Polycom
> provisioning. I have removed ssh access to the box from the world, but how
> do I change the default password for that user? This seems like a big
> security risk, as every sipxecs install probably has this user with a
> default password?
>
> ~Noah
>
> On Nov 15, 2012, at 12:41 PM, Todd Hodgen <***@frontier.com> wrote:
>
>> Look at var/spool/mail/root There is a report you can find in there
> that
>> shows system activity. Look for entries below ---------------------
>> pam_unix Begin ------------------------ and I think you will find the
>> source of your aggravation.
>>
>> -----Original Message-----
>> From: sipx-users-***@list.sipfoundry.org
>> [mailto:sipx-users-***@list.sipfoundry.org] On Behalf Of Noah Mehl
>> Sent: Thursday, November 15, 2012 6:29 AM
>> To: Discussion list for users of sipXecs software
>> Subject: Re: [sipx-users] Hacked SipXecs 4.4
>>
>> I am seeing more spam in my mail queue. I have iptables installed,
>> and here are my rules:
>>
>> Chain INPUT (policy ACCEPT)
>> target prot opt source destination
>> RH-Firewall-1-INPUT all -- anywhere anywhere
>>
>> Chain FORWARD (policy ACCEPT)
>> target prot opt source destination
>> RH-Firewall-1-INPUT all -- anywhere anywhere
>>
>> Chain OUTPUT (policy ACCEPT)
>> target prot opt source destination
>>
>> Chain RH-Firewall-1-INPUT (2 references)
>> target prot opt source destination
>> ACCEPT all -- anywhere anywhere
>> ACCEPT icmp -- anywhere anywhere icmp any
>> ACCEPT esp -- anywhere anywhere
>> ACCEPT ah -- anywhere anywhere
>> ACCEPT udp -- anywhere 224.0.0.251 udp dpt:mdns
>> ACCEPT udp -- anywhere anywhere udp dpt:ipp
>> ACCEPT tcp -- anywhere anywhere tcp dpt:ipp
>> ACCEPT all -- anywhere anywhere state
>> RELATED,ESTABLISHED
>> ACCEPT tcp -- anywhere anywhere state NEW tcp
>> dpt:pcsync-https
>> ACCEPT tcp -- anywhere anywhere state NEW tcp
>> dpt:http
>> ACCEPT tcp -- anywhere anywhere state NEW tcp
>> dpt:xmpp-client
>> ACCEPT tcp -- anywhere anywhere state NEW tcp
>> dpt:5223
>> ACCEPT all -- 192.168.0.0/16 anywhere
>> ACCEPT udp -- anywhere anywhere state NEW udp
>> dpt:sip
>> ACCEPT tcp -- anywhere anywhere state NEW tcp
>> dpt:sip
>> ACCEPT tcp -- anywhere anywhere state NEW tcp
>> dpt:sip-tls
>> ACCEPT udp -- sip02.gafachi.com anywhere state NEW udp
>> dpts:sip:5080
>> ACCEPT udp -- 204.11.192.0/22 anywhere state NEW udp
>> dpts:sip:5080
>> REJECT all -- anywhere anywhere reject-with
>> icmp-host-prohibited
>>
>> As far as I can tell, no one should be able to use port 25 from the world.
>> Also, sendmail is only configured to allow relay from localhost:
>>
>> [***@sipx1 ~]# cat /etc/mail/access
>> # Check the /usr/share/doc/sendmail/README.cf file for a description #
>> of the format of this file. (search for access_db in that file) # The
>> /usr/share/doc/sendmail/README.cf is part of the sendmail-doc # package.
>> #
>> # by default we allow relaying from localhost...
>> Connect:localhost.localdomain RELAY
>> Connect:localhost RELAY
>> Connect:127.0.0.1 RELAY
>>
>> Can someone please help me figure out where this spam is coming from?
>> Thanks.
>>
>> ~Noah
>>
>> On Oct 13, 2012, at 10:17 AM, Noah Mehl <***@tritonlimited.com> wrote:
>>
>>> I did not change the configuration of anything related to the
>>> PlcmSpIp
>> user. It does however make me feel better that it is related to the
>> vsftpd service and the polycom phones.
>>>
>>>> From /etc/passwd:
>>>
>>> PlcmSpIp:x:500:500::/var/sipxdata/configserver/phone/profile/tftproot:
>>> /sbin/nologin
>>>
>>> So, that user cannot ssh to a shell. So I don't think it was that.
>>>
>>> ~Noah
>>>
>>> On Oct 12, 2012, at 9:05 AM, Tony Graziano
>>> <***@myitdepartment.net>
>> wrote:
>>>
>>>> ... more -- its a user that does not have login to the OS itself,
>>>> just vsftpd, which is restricted to certain commands and must
>>>> present a request for its mac address in order to get a configuration
> file.
>>>> It is not logging into linux unless someone changed the rights of
>>>> the user.
>>>>
>>>> On Fri, Oct 12, 2012 at 7:30 AM, George Niculae <***@ezuce.com>
> wrote:
>>>>> On Fri, Oct 12, 2012 at 2:26 PM, Tony Graziano
>>>>> <***@myitdepartment.net> wrote:
>>>>>> this is not a valid system user unless you have manually added it
>>>>>> to the system. I do think the logs would show more if access was
>>>>>> granted. Why are you exposing sshd to the outside world with an
>>>>>> acl or by protecting it at your firewall?
>>>>>>
>>>>>
>>>>> PlcmSpIp is the user used by polycom phones for fetching config
>>>>> from server
>>>>>
>>>>> George
>>>>> _______________________________________________
>>>>> sipx-users mailing list
>>>>> sipx-***@list.sipfoundry.org
>>>>> List Archive: http://list.sipfoundry.org/archive/sipx-users/
>>>>
>>>>
>>>>
>>>> --
>>>> ~~~~~~~~~~~~~~~~~~
>>>> Tony Graziano, Manager
>>>> Telephone: 434.984.8430
>>>> sip: ***@voice.myitdepartment.net
>>>> Fax: 434.465.6833
>>>> ~~~~~~~~~~~~~~~~~~
>>>> Linked-In Profile:
>>>> http://www.linkedin.com/pub/tony-graziano/14/4a6/7a4
>>>> Ask about our Internet Fax services!
>>>> ~~~~~~~~~~~~~~~~~~
>>>>
>>>> Using or developing for sipXecs from SIPFoundry? Ask me about
>>>> sipX-CoLab
>> 2013!
>>>>
>>>> --
>>>> LAN/Telephony/Security and Control Systems Helpdesk:
>>>> Telephone: 434.984.8426
>>>> sip: ***@voice.myitdepartment.net
>>>>
>>>> Helpdesk Customers: http://myhelp.myitdepartment.net
>>>> Blog: http://blog.myitdepartment.net
>>>
>>>

LAN/Telephony/Security and Control Systems Helpdesk:
Telephone: 434.984.8426
sip: ***@voice.myitdepartment.net

Helpdesk Customers: http://myhelp.myitdepartment.net
Blog: http://blog.myitdepartment.net
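The logwatch excerpt and the /etc/passwd entry quoted in the exchange above contain everything needed to turn the question "is a service account logging in over SSH, and from where?" into a repeatable check. The script below is an added example and is not code from the thread or from sipXecs. It joins sshd's "Accepted ... for <user> from <ip>" line with the pam_unix "session opened for user" line on the sshd pid, keeps only sessions opened for accounts whose login shell is /sbin/nologin, and classifies the source address. The log lines, the admin account and every address other than 172.129.67.195 are constructed; that one address is the thread's and is kept because it shows the point Todd missed, namely that it lies outside 172.16.0.0/12 and is public.

```python
"""Flag SSH sessions opened for service accounts, and classify where they came from.

Added example; not code from the thread or from sipXecs. It reads two sshd lines
from /var/log/secure: the `Accepted <method> for <user> from <ip> ...` line and
the `pam_unix(sshd:session): session opened for user <user>` line the original
post grepped for. On a privilege-separated sshd both are logged by the same
monitor process, so they join on the pid inside `sshd[pid]`. A session opened
for an account whose shell is /sbin/nologin is the signal: the shell is never
started, but `ssh -N` never asks for one, so the password was accepted and the
session was almost certainly used for port forwarding.
"""
import ipaddress
import re
from collections import defaultdict

_PREFIX = r"^(?P<ts>\w{3}\s+\d+ [\d:]+) \S+ sshd\[(?P<pid>\d+)\]: "
ACCEPTED_RE = re.compile(_PREFIX + r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+) port \d+")
SESSION_RE = re.compile(_PREFIX + r"pam_unix\(sshd:session\): session opened for user (?P<user>\S+)")
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}


def parse_passwd(text):
    """user -> login shell, from /etc/passwd-formatted text."""
    shells = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 7:
            shells[fields[0]] = fields[6]
    return shells


def suspicious_sessions(log_text, passwd_text):
    """One record per sshd session opened for a nologin-shell account.

    `ip` is None when the matching Accepted line is missing (rotated away or
    sent to another file); `public_source` is then False because nothing can
    be said about the origin.
    """
    shells = parse_passwd(passwd_text)
    accepted = {}  # pid -> (user, ip, auth method)
    findings = []
    for line in log_text.splitlines():
        m = ACCEPTED_RE.match(line)
        if m:
            accepted[m["pid"]] = (m["user"], m["ip"], m["method"])
            continue
        m = SESSION_RE.match(line)
        if not m or shells.get(m["user"]) not in NOLOGIN_SHELLS:
            continue
        _, ip, method = accepted.pop(m["pid"], (None, None, None))
        findings.append({
            "time": m["ts"],
            "user": m["user"],
            "ip": ip,
            "method": method,
            # ipaddress knows 172.16.0.0/12 is private and 172.129.0.0 is not.
            "public_source": ip is not None and not ipaddress.ip_address(ip).is_private,
        })
    return findings


def sources_by_user(findings):
    """user -> sorted distinct source addresses: the view that showed the
    original poster 80-odd public IPs using one account."""
    out = defaultdict(set)
    for f in findings:
        if f["ip"]:
            out[f["user"]].add(f["ip"])
    return {user: sorted(ips) for user, ips in out.items()}


# Constructed sample input. The PlcmSpIp passwd entry is the one quoted in the thread.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
admin:x:1000:1000::/home/admin:/bin/bash
PlcmSpIp:x:500:500::/var/sipxdata/configserver/phone/profile/tftproot:/sbin/nologin
"""

# Constructed log lines; only 172.129.67.195 comes from the thread.
SAMPLE_SECURE = """\
Oct 11 06:09:21 sipx1 sshd[22059]: Failed password for PlcmSpIp from 172.129.67.195 port 48712 ssh2
Oct 11 06:09:25 sipx1 sshd[22059]: Accepted password for PlcmSpIp from 172.129.67.195 port 48712 ssh2
Oct 11 06:09:25 sipx1 sshd[22059]: pam_unix(sshd:session): session opened for user PlcmSpIp by (uid=0)
Oct 11 09:14:02 sipx1 sshd[23310]: Accepted publickey for admin from 192.168.1.20 port 51022 ssh2
Oct 11 09:14:02 sipx1 sshd[23310]: pam_unix(sshd:session): session opened for user admin by (uid=0)
Oct 11 18:36:02 sipx1 sshd[29185]: Accepted password for PlcmSpIp from 172.16.4.9 port 40011 ssh2
Oct 11 18:36:02 sipx1 sshd[29185]: pam_unix(sshd:session): session opened for user PlcmSpIp by (uid=0)
Oct 11 18:36:16 sipx1 sshd[29192]: pam_unix(sshd:session): session opened for user PlcmSpIp by (uid=0)
"""

if __name__ == "__main__":
    found = suspicious_sessions(SAMPLE_SECURE, SAMPLE_PASSWD)
    for f in found:
        print(f"{f['time']} {f['user']} from {f['ip']} ({f['method']}) public={f['public_source']}")
    print(sources_by_user(found))
```

Run against the real /var/log/secure and /etc/passwd, the interesting output is any nologin account that appears at all: a phone provisioning account has no business in sshd's session log, public source or not, and the third sample session (no Accepted line left) shows why the check keys on the pam_unix line rather than on Accepted alone.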
Noah Mehl
2012-11-16 17:52:03 UTC
Permalink
I can confirm that adding:

DenyUsers PlcmSpIp

to /etc/ssh/sshd_config solves this exploit.

I'm back to my original opinion that if this user is installed automatically, without my intervention, then that line should be added to the sshd_config.

~Noah

On Nov 16, 2012, at 12:46 PM, Noah Mehl <***@tritonlimited.com> wrote:

Tony,

I just figured out an exploit in 15 minutes with the help of Google http://www.semicomplete.com/articles/ssh-security/:

$sudo ssh -vN -L25:localhost:25 ***@sipxecsip
$sudo ssh -vN -R25:localhost:25 ***@sipxecsip
$telnet localhost 25

Tell me if your ids stops that?

This works on a stock SipXecs 4.4.0 install.

~Noah

On Nov 16, 2012, at 11:46 AM, Tony Graziano <***@myitdepartment.net> wrote:


The user doesn't have login via ssh. Ssh in and of itself is not protected and it is exposed.

It is trivial to change the user password and/or delete it. We typically don't expose ssh at all. You haven't provided any real evidence that a dictionary attack didn't overwhelm the pam service either.

I don't share your opinion here. My firewall protects against all kinds of ids stuff even if I had ssh open. Just because you have iptables running it doesn't mean you are inherently secure at all.

Our firewalls sitting in front of sipx had ids rules running that would protect anything behind it from a known attack against a well known service like ssh. Ssh has lots of options which should be exercised according to your security border device.

On Nov 16, 2012 11:36 AM, "Noah Mehl" <***@tritonlimited.com> wrote:
The only hardening required to solve this particular problem would be an addition to the sshd config:

DenyUsers PlcmSpIp

I think this should be included in the default distribution of SipXecs isos and/or packages (I've only ever used the iso) because this is something that is specific to the distribution. That user, and its password and access, are created by SipXecs, and that addition to the sshd config should be made OOTB. Unless someone has a reason that PlcmSpIp should be able to have any ssh access?

I'd really like some input from someone from eZuce, as this is an easy solution and protects the entire community.

This was NOT a DDOS attack. This is that the PlcmSpIp user has a default password of PlcmSpIp, and there's something about the default access of that user that allows remote execution via SSH OOTB, and that IS a security issue. You know why? Because as far as I know, no other default linux service account is susceptible to this attack. Probably because linux system accounts DON'T HAVE PASSWORDS! In other words, if you're creating service users with default passwords, they probably should be denied from ssh OOTB. This is also not documented, as far as I can tell...

~Noah

On Nov 16, 2012, at 11:26 AM, Tony Graziano <***@myitdepartment.net> wrote:


It really sounds like you don't have a method to harden your server if you are exposing it. It's entirely possible you were targeted with a ddos attack that overwhelmed the Linux system. If you had properly crafted iptables rules and ssh protection mechanisms it would most likely not have happened.

Any DoS or DDoS can overwhelm system services to the point of failure, thus allowing (by unavailability) internal logging or protection mechanisms. Put the server behind a firewall and protect the vulnerable service (ssh) by limiting the footprint. Back up the system, wipe and restore it in the event a rootkit was planted.

I don't think iptables was adequately configured. I don't think there is anything inherently wrong with Sipx here either.

It is a phone system. It is up to you to protect and/or harden it. Any vulnerabilities exposed are really Linux vulnerabilities and Linux is not hack proof.

Good luck.

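Why DenyUsers works where /sbin/nologin did not, as an added example rather than anything from the thread or from the sipXecs packages: sshd only runs the login shell when the client asks for a shell or a command, and the "ssh -vN -L/-R" commands posted above ask for neither, so once the password is accepted port forwarding is decided entirely by sshd_config. The checker below parses an sshd_config the way sshd reads it (first value wins in the global section, a matching Match block overrides it) and reports what the PlcmSpIp account can still do under a stock file and under the hardened one. Both config texts are constructed and reduced to the lines that matter; the Match block is an addition beyond the one-line fix in the post.

```python
"""Check whether a service account can still use sshd for port forwarding.

Added example; not code from the thread or from sipXecs. It models the two
sshd_config facts behind the exploit: a login shell of /sbin/nologin is only
consulted when a shell is requested, and `ssh -N -L/-R` requests none, so an
account with a known password can forward TCP unless sshd itself refuses the
user (DenyUsers/AllowUsers) or the forwarding (AllowTcpForwarding).
"""
import fnmatch
import re

# AllowTcpForwarding values under which at least one direction of forwarding works.
FORWARDING_ON = {"yes", "all", "local", "remote"}


def parse_sshd_config(text):
    """Return (global_opts, match_blocks).

    global_opts:  {keyword: value}, first occurrence wins, as in sshd.
    match_blocks: [({criterion: [patterns]}, {keyword: value})] in file order;
                  a Match block runs to the next Match line or end of file.
    Keywords are lower-cased; a trailing '#' comment is stripped (values that
    legitimately contain '#' are not modelled).
    """
    global_opts, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            tokens = value.split()
            if len(tokens) == 1 and tokens[0].lower() == "all":
                criteria = {"all": []}
            else:
                criteria = {name.lower(): pat.split(",")
                            for name, pat in zip(tokens[0::2], tokens[1::2])}
            current = (criteria, {})
            blocks.append(current)
            continue
        target = global_opts if current is None else current[1]
        target.setdefault(key, value)
    return global_opts, blocks


def _listed(patterns, user):
    """sshd user lists accept shell-style wildcards, so compare with fnmatch."""
    return any(fnmatch.fnmatchcase(user, p) for p in patterns)


def _block_applies(criteria, user):
    """Only 'Match all' and 'Match User' are modelled; blocks keyed on Address,
    Group or Host need connection data this check does not have and are skipped."""
    if "all" in criteria:
        return True
    return set(criteria) == {"user"} and _listed(criteria["user"], user)


def effective(global_opts, blocks, user, key, default):
    """Value of `key` for `user`: the first applicable Match block overrides the global section."""
    for criteria, opts in blocks:
        if _block_applies(criteria, user) and key in opts:
            return opts[key]
    return global_opts.get(key, default)


def ssh_exposure(config_text, user):
    """Can `user` authenticate to sshd at all, and if so can it open TCP forwards?
    DenyUsers/AllowUsers are read from the global section only in this model."""
    g, blocks = parse_sshd_config(config_text)
    denied = _listed(g.get("denyusers", "").split(), user)
    allow = g.get("allowusers", "").split()
    if allow and not _listed(allow, user):
        denied = True
    forwarding = effective(g, blocks, user, "allowtcpforwarding", "yes").lower() in FORWARDING_ON
    return {"can_authenticate": not denied,
            "tcp_forwarding": forwarding,
            "can_forward": not denied and forwarding}


# Constructed: a stock file has nothing that singles out the provisioning account.
STOCK_SSHD_CONFIG = """\
Protocol 2
PasswordAuthentication yes
UsePAM yes
X11Forwarding yes
Subsystem sftp /usr/libexec/openssh/sftp-server
"""

# Constructed: the one-line fix from the thread, plus a Match block so that the
# account still cannot forward traffic even if the DenyUsers line is lost later.
HARDENED_SSHD_CONFIG = STOCK_SSHD_CONFIG + """\
DenyUsers PlcmSpIp
Match User PlcmSpIp
    AllowTcpForwarding no
    PermitTunnel no
    X11Forwarding no
"""

if __name__ == "__main__":
    for name, cfg in (("stock", STOCK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(name, "PlcmSpIp:", ssh_exposure(cfg, "PlcmSpIp"))
```

DenyUsers is scoped to sshd, which matters here: assuming, as on a stock install, that vsftpd authenticates this same system account through PAM, locking the password with passwd -l would also stop the phones from fetching their configuration, while the sshd-side deny leaves provisioning alone. The Match block is independent of the deny line, so the check still reports no forwarding for the account if only one of the two survives an upgrade.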
Tony Graziano
2012-11-16 18:18:17 UTC
Permalink
Fwiw I can test the exploit and my ids (commercial snort rules).

Polycom provisioning in Sipx will cease using ftp and the user account will
be removed (most likely) when this is done.

Your exploit, though, appears to originate from inside your network, doesn't it? If it originates inside, it is not passing any firewall except
iptables, which implicitly allows the connection, right?
On Nov 16, 2012 12:52 PM, "Noah Mehl" <***@tritonlimited.com> wrote:

> I can confirm that adding:
>
> DenyUsers PlcmSpIp
>
> to /etc/ssh/sshd_config solves this exploit.
>
> I'm back to my original opinion that if this user is installed
> automatically, without my intervention, then that line should be added to
> the sshd_config.
>
> ~Noah
>
> On Nov 16, 2012, at 12:46 PM, Noah Mehl <***@tritonlimited.com> wrote:
>
> Tony,
>
> I just figured out an exploit in 15 minutes with the help of Google
> http://www.semicomplete.com/articles/ssh-security/:
>
> $sudo ssh -vN -L25:localhost:25 ***@sipxecsip
> $sudo ssh -vN -R25:localhost:25 ***@sipxecsip
> $telnet localhost 25
>
> Tell me if your ids stops that?
>
> This works on a stock SipXecs 4.4.0 install.
>
> ~Noah
>
> On Nov 16, 2012, at 11:46 AM, Tony Graziano <***@myitdepartment.net
> >
> wrote:
>
> The user doesn't have login via ssh. Ssh in and of itself is not
> protected and it is exposed.
>
> It is trivial to change the user password and/or delete it. We typically
> don't expose ssh at all. You haven't provides any real evidence that a
> dictionary attack didn't overwhelm the pam service either.
>
> I don't share your opinion here. My firewall protects against all kinds of
> ids stuff even if I had ssh open. Just because you have iptables running it
> doesn't mean you are inherently secure at all.
>
> Our firewalls sitting in front of sipx had ids rules running that would
> protect anything behind it from a known attack against a well known service
> like ssh. Ssh has lots of options which should be exercised according to
> your security border device.
> On Nov 16, 2012 11:36 AM, "Noah Mehl" <***@tritonlimited.com> wrote:
>
>> The only hardening required to solve this particular problem would be an
>> addition to the sshd config:
>>
>> DenyUsers PlcmSpIp
>>
>> I think this should be included in the default distribution of SipXecs
>> isos and/or packages (I've only ever used the iso) because this is
>> something that is specific to the distribution. That user, and its
>> password and access, are created by SipXecs, and that addition to the sshd
>> config should be made OOTB. Unless someone has a reason that PlcmSpIp
>> should be able to have any ssh access?
>>
>> I'd really like some input from someone from eZuce, as this is an easy
>> solution and protects the entire community.
>>
>> This was NOT a DDOS attack. This it that the PlcmSpIp user has a
>> default password of PlcmSpIp, and there's something about the default
>> access of that user that allow remote execution via SSH OOTB, and that *
>> IS* a security issue. You know why? Because as far as I know, no other
>> default linux service account is susceptible to this attack. Probably
>> because linux system accounts DON'T HAVE PASSWORDS! In other words, if
>> you're creating service users with default passwords, they probably should
>> be denied from ssh OOTB. This is also, not documented as far as I can
>> tell...
>>
>> ~Noah
>>
>> On Nov 16, 2012, at 11:26 AM, Tony Graziano <
>> ***@myitdepartment.net> wrote:
>>
>> It really sounds like you don't have a method to harden your server if
>> you are exposing it. Its entirely possible you were targeted with a ddos
>> attack that overwhelmed the Linux system. If you had properly crafted
>> iptables rules I and ssh protection mechanisms it would most likely not
>> have happened.
>>
>> Any did or ddos can overwhelm system services to the point of failure
>> this allowing (by unavailability) internal logging or protection
>> mechanisms. Put the served behind a firewall and protect the vulnerable
>> service (ssh) by limiting the footprint. Backup the system, wipe and
>> restore it in the event a root kit was planted.
>>
>> I don't think iptables was adequately configured. I don't think there is
>> anything inherently wrong with Sipx here either.
>>
>> It is a phone system. It is up to you to protect and/or harden it. Any
>> vulnerabilities exposed are really Linux vulnerabilities and Linux is not
>> hack proof.
>>
>> Good luck.
>> On Nov 16, 2012 10:07 AM, "Noah Mehl" <***@tritonlimited.com> wrote:
>>
>>> Todd,
>>>
>>> The private subnet is: 172.16.0.0 - 172.31.255.255. That IP is a public
>>> IP address, which is part of AOL in Nevada I think. I actually have over
>>> 80 different public IP address entries in my log using that user to SSH to
>>> my SipXecs box.
>>>
>>> I understand that it's a phone system and not a firewall. However it's
>>> a linux server, and IPtables is the best firewall in world, IMHO. I did
>>> have SSH access open to the world, that was my choice. I have never been
>>> bitten by this before. Either way, you should not be able to execute
>>> anything by SSH'ing with the PlcmSpIp user, whether it's a public IP or not.
>>>
>>> ~Noah
>>>
>>> On Nov 15, 2012, at 7:07 PM, Todd Hodgen <***@frontier.com> wrote:
>>>
>>> > Here is a question I would have as well - 172.129.67.195 seems to be an
>>> > address that is local to your network. Who has that IP address, why
>>> are
>>> > they attempting to breach that server. If they are not a part of your
>>> > network, how are they getting to that server from outside your network
>>> -
>>> > there has to be an opening in a firewall somewhere that is allowing it.
>>> >
>>> > Remember, this is a phone system, not a firewall, not a router. It's
>>> a
>>> > phone system with pretty standard authentication requirements, it's up
>>> to
>>> > the administrator to keep others off of the network.
>>> >
>>> > -----Original Message-----
>>> > From: sipx-users-***@list.sipfoundry.org
>>> > [mailto:sipx-users-***@list.sipfoundry.org] On Behalf Of Noah Mehl
>>> > Sent: Thursday, November 15, 2012 10:04 AM
>>> > To: Discussion list for users of sipXecs software
>>> > Subject: Re: [sipx-users] Hacked SipXecs 4.4
>>> >
>>> > To that point:
>>> >
>>> > Users logging in through sshd:
>>> > PlcmSpIp:
>>> > 172.129.67.195 (AC8143C3.ipt.aol.com<http://ac8143c3.ipt.aol.com/>):
>>> 1 time
>>> >
>>> > That can't be good. I understand that PlcmSplp is a user for the
>>> Polycom
>>> > provisioning. I have removed ssh access to the box from the world,
>>> but how
>>> > do I change the default password for that user? This seems like a big
>>> > security risk, as every sipxecs install probably has this user with a
>>> > default password?
>>> >
>>> > ~Noah
>>> >
>>> > On Nov 15, 2012, at 12:41 PM, Todd Hodgen <***@frontier.com>
>>> wrote:
>>> >
>>> >> Look at var/spool/mail/root There is a report you can find in there
>>> > that
>>> >> shows system activity. Look for entries below ---------------------
>>> >> pam_unix Begin ------------------------ and I think you will find the
>>> >> source of your aggravation.
>>> >>
>>> >> -----Original Message-----
>>> >> From: sipx-users-***@list.sipfoundry.org
>>> >> [mailto:sipx-users-***@list.sipfoundry.org] On Behalf Of Noah
>>> Mehl
>>> >> Sent: Thursday, November 15, 2012 6:29 AM
>>> >> To: Discussion list for users of sipXecs software
>>> >> Subject: Re: [sipx-users] Hacked SipXecs 4.4
>>> >>
>>> >> I am seeing more spam in my mail queue. I have iptables installed,
>>> >> and here are my rules:
>>> >>
>>> >> Chain INPUT (policy ACCEPT)
>>> >> target prot opt source destination
>>> >> RH-Firewall-1-INPUT all -- anywhere anywhere
>>> >>
>>> >> Chain FORWARD (policy ACCEPT)
>>> >> target prot opt source destination
>>> >> RH-Firewall-1-INPUT all -- anywhere anywhere
>>> >>
>>> >> Chain OUTPUT (policy ACCEPT)
>>> >> target prot opt source destination
>>> >>
>>> >> Chain RH-Firewall-1-INPUT (2 references)
>>> >> target prot opt source destination
>>> >> ACCEPT all -- anywhere anywhere
>>> >> ACCEPT icmp -- anywhere anywhere icmp any
>>> >> ACCEPT esp -- anywhere anywhere
>>> >> ACCEPT ah -- anywhere anywhere
>>> >> ACCEPT udp -- anywhere 224.0.0.251 udp dpt:mdns
>>> >> ACCEPT udp -- anywhere anywhere udp dpt:ipp
>>> >> ACCEPT tcp -- anywhere anywhere tcp dpt:ipp
>>> >> ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
>>> >> ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:pcsync-https
>>> >> ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
>>> >> ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:xmpp-client
>>> >> ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:5223
>>> >> ACCEPT all -- 192.168.0.0/16 anywhere
>>> >> ACCEPT udp -- anywhere anywhere state NEW udp dpt:sip
>>> >> ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:sip
>>> >> ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:sip-tls
>>> >> ACCEPT udp -- sip02.gafachi.com anywhere state NEW udp dpts:sip:5080
>>> >> ACCEPT udp -- 204.11.192.0/22 anywhere state NEW udp dpts:sip:5080
>>> >> REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
>>> >>
>>> >> As far as I can tell, no one should be able to use port 25 from the world.
>>> >> Also, sendmail is only configured to allow relay from localhost:
>>> >>
>>> >> [***@sipx1 ~]# cat /etc/mail/access
>>> >> # Check the /usr/share/doc/sendmail/README.cf file for a description
>>> >> # of the format of this file. (search for access_db in that file)
>>> >> # The /usr/share/doc/sendmail/README.cf is part of the sendmail-doc
>>> >> # package.
>>> >> #
>>> >> # by default we allow relaying from localhost...
>>> >> Connect:localhost.localdomain RELAY
>>> >> Connect:localhost RELAY
>>> >> Connect:127.0.0.1 RELAY
>>> >>
>>> >> Can someone please help me figure out where this spam is coming from?
>>> >> Thanks.
>>> >>
>>> >> ~Noah
>>> >>
>>> >> On Oct 13, 2012, at 10:17 AM, Noah Mehl <***@tritonlimited.com>
>>> wrote:
>>> >>
>>> >>> I did not change the configuration of anything related to the
>>> >>> PlcmSpIp
>>> >> user. It does however make me feel better that it is related to the
>>> >> vsftpd service and the polycom phones.
>>> >>>
>>> >>>> From /etc/passwd:
>>> >>>
>>> >>>
>>> >>> PlcmSpIp:x:500:500::/var/sipxdata/configserver/phone/profile/tftproot:/sbin/nologin
>>> >>>
>>> >>> So, that user cannot ssh to a shell. So I don't think it was that.
>>> >>>
>>> >>> ~Noah
>>> >>>
>>> >>> On Oct 12, 2012, at 9:05 AM, Tony Graziano
>>> >>> <***@myitdepartment.net>
>>> >> wrote:
>>> >>>
>>> >>>> ... more -- it's a user that does not have login to the OS itself,
>>> >>>> just vsftpd, which is restricted to certain commands and must
>>> >>>> present a request for its mac address in order to get a configuration
>>> >>>> file.
>>> >>>> It is not logging into linux unless someone changed the rights of
>>> >>>> the user.
>>> >>>>
>>> >>>> On Fri, Oct 12, 2012 at 7:30 AM, George Niculae <***@ezuce.com>
>>> > wrote:
>>> >>>>> On Fri, Oct 12, 2012 at 2:26 PM, Tony Graziano
>>> >>>>> <***@myitdepartment.net> wrote:
>>> >>>>>> this is not a valid system user unless you have manually added it
>>> >>>>>> to the system. I do think the logs would show more if access was
>>> >>>>>> granted. Why are you exposing sshd to the outside world with an
>>> >>>>>> acl or by protecting it at your firewall?
>>> >>>>>>
>>> >>>>>
>>> >>>>> PlcmSpIp is the user used by polycom phones for fetching config
>>> >>>>> from server
>>> >>>>>
>>> >>>>> George
>>> >>>>> _______________________________________________
>>> >>>>> sipx-users mailing list
>>> >>>>> sipx-***@list.sipfoundry.org
>>> >>>>> List Archive: http://list.sipfoundry.org/archive/sipx-users/
>>> >>>>
>>> >>>>
>>> >>>>
>>> >>>> --
>>> >>>> ~~~~~~~~~~~~~~~~~~
>>> >>>> Tony Graziano, Manager
>>> >>>> Telephone: 434.984.8430
>>> >>>> sip: ***@voice.myitdepartment.net
>>> >>>> Fax: 434.465.6833
>>> >>>> ~~~~~~~~~~~~~~~~~~
>>> >>>> Linked-In Profile:
>>> >>>> http://www.linkedin.com/pub/tony-graziano/14/4a6/7a4
>>> >>>> Ask about our Internet Fax services!
>>> >>>> ~~~~~~~~~~~~~~~~~~
>>> >>>>
>>> >>>> Using or developing for sipXecs from SIPFoundry? Ask me about
>>> >>>> sipX-CoLab
>>> >> 2013!
>>> >>>>
>>> >>>> --
>>> >>>> LAN/Telephony/Security and Control Systems Helpdesk:
>>> >>>> Telephone: 434.984.8426
>>> >>>> sip: ***@voice.myitdepartment.net
>>> >>>>
>>> >>>> Helpdesk Customers: http://myhelp.myitdepartment.net
>>> >>>> Blog: http://blog.myitdepartment.net
>>> >>>
>>> >>>
>>>
>>
>> LAN/Telephony/Security and Control Systems Helpdesk:
>> Telephone: 434.984.8426
>> sip: ***@voice.myitdepartment.net
>>
>> Helpdesk Customers: http://myhelp.myitdepartment.net
>> Blog: http://blog.myitdepartment.net
>>
>
> LAN/Telephony/Security and Control Systems Helpdesk:
> Telephone: 434.984.8426
> sip: ***@voice.myitdepartment.net
>
> Helpdesk Customers: http://myhelp.myitdepartment.net
> Blog: http://blog.myitdepartment.net
>

--
LAN/Telephony/Security and Control Systems Helpdesk:
Telephone: 434.984.8426
sip: ***@voice.myitdepartment.net

Helpdesk Customers: http://myhelp.myitdepartment.net
Blog: http://blog.myitdepartment.net
Tony Graziano
2012-11-16 18:48:33 UTC
Permalink
FWIW I can test the exploit and my IDS (commercial Snort rules).

So polycom provisioning in Sipx will cease using ftp and the user account
will be removed at that time and move to http/HTTPS.
On Nov 16, 2012 12:52 PM, "Noah Mehl" <***@tritonlimited.com> wrote:

> I can confirm that adding:
>
> DenyUsers PlcmSpIp
>
> to /etc/ssh/sshd_config solves this exploit.
>
> I'm back to my original opinion that if this user is installed
> automatically, without my intervention, then that line should be added to
> the sshd_config.
>
> ~Noah
>
> On Nov 16, 2012, at 12:46 PM, Noah Mehl <***@tritonlimited.com> wrote:
>
> Tony,
>
> I just figured out an exploit in 15 minutes with the help of Google
> http://www.semicomplete.com/articles/ssh-security/:
>
> $sudo ssh -vN -L25:localhost:25 ***@sipxecsip
> $sudo ssh -vN -R25:localhost:25 ***@sipxecsip
> $telnet localhost 25
>
> Tell me if your ids stops that?
>
> This works on a stock SipXecs 4.4.0 install.
>
> ~Noah
>
> On Nov 16, 2012, at 11:46 AM, Tony Graziano <***@myitdepartment.net
> >
> wrote:
>
> The user doesn't have login via ssh. Ssh in and of itself is not
> protected and it is exposed.
>
> It is trivial to change the user password and/or delete it. We typically
> don't expose ssh at all. You haven't provided any real evidence that a
> dictionary attack didn't overwhelm the pam service either.
>
> I don't share your opinion here. My firewall protects against all kinds of
> ids stuff even if I had ssh open. Just because you have iptables running it
> doesn't mean you are inherently secure at all.
>
> Our firewalls sitting in front of sipx had ids rules running that would
> protect anything behind it from a known attack against a well known service
> like ssh. Ssh has lots of options which should be exercised according to
> your security border device.
> On Nov 16, 2012 11:36 AM, "Noah Mehl" <***@tritonlimited.com> wrote:
>
>> The only hardening required to solve this particular problem would be an
>> addition to the sshd config:
>>
>> DenyUsers PlcmSpIp
>>
>> I think this should be included in the default distribution of SipXecs
>> isos and/or packages (I've only ever used the iso) because this is
>> something that is specific to the distribution. That user, and its
>> password and access, are created by SipXecs, and that addition to the sshd
>> config should be made OOTB. Unless someone has a reason that PlcmSpIp
>> should be able to have any ssh access?
>>
>> I'd really like some input from someone from eZuce, as this is an easy
>> solution and protects the entire community.
>>
>> This was NOT a DDOS attack. This is that the PlcmSpIp user has a
>> default password of PlcmSpIp, and there's something about the default
>> access of that user that allows remote execution via SSH OOTB, and that *
>> IS* a security issue. You know why? Because as far as I know, no other
>> default linux service account is susceptible to this attack. Probably
>> because linux system accounts DON'T HAVE PASSWORDS! In other words, if
>> you're creating service users with default passwords, they probably should
>> be denied from ssh OOTB. This is also, not documented as far as I can
>> tell...
>>
>> ~Noah
>>
>> On Nov 16, 2012, at 11:26 AM, Tony Graziano <
>> ***@myitdepartment.net> wrote:
>>
>> It really sounds like you don't have a method to harden your server if
>> you are exposing it. It's entirely possible you were targeted with a ddos
>> attack that overwhelmed the Linux system. If you had properly crafted
>> iptables rules and ssh protection mechanisms it would most likely not
>> have happened.
>>
>> Any DoS or DDoS can overwhelm system services to the point of failure,
>> thus allowing (by unavailability) internal logging or protection
>> mechanisms. Put the server behind a firewall and protect the vulnerable
>> service (ssh) by limiting the footprint. Backup the system, wipe and
>> restore it in the event a root kit was planted.
>>
>> I don't think iptables was adequately configured. I don't think there is
>> anything inherently wrong with Sipx here either.
>>
>> It is a phone system. It is up to you to protect and/or harden it. Any
>> vulnerabilities exposed are really Linux vulnerabilities and Linux is not
>> hack proof.
>>
>> Good luck.
>> On Nov 16, 2012 10:07 AM, "Noah Mehl" <***@tritonlimited.com> wrote:
>>
>>> Todd,
>>>
>>> The private subnet is: 172.16.0.0 - 172.31.255.255. That IP is a public
>>> IP address, which is part of AOL in Nevada I think. I actually have over
>>> 80 different public IP address entries in my log using that user to SSH to
>>> my SipXecs box.
>>>
>>> I understand that it's a phone system and not a firewall. However it's
>>> a linux server, and IPtables is the best firewall in the world, IMHO. I did
>>> have SSH access open to the world, that was my choice. I have never been
>>> bitten by this before. Either way, you should not be able to execute
>>> anything by SSH'ing with the PlcmSpIp user, whether it's a public IP or not.
>>>
>>> ~Noah
>>>
>>> On Nov 15, 2012, at 7:07 PM, Todd Hodgen <***@frontier.com> wrote:
>>>
>>> > Here is a question I would have as well - 172.129.67.195 seems to be an
>>> > address that is local to your network. Who has that IP address, why are
>>> > they attempting to breach that server. If they are not a part of your
>>> > network, how are they getting to that server from outside your network -
>>> > there has to be an opening in a firewall somewhere that is allowing it.
>>> >
>>> > Remember, this is a phone system, not a firewall, not a router. It's a
>>> > phone system with pretty standard authentication requirements, it's up to
>>> > the administrator to keep others off of the network.
>>> >
>>> > -----Original Message-----
>>> > From: sipx-users-***@list.sipfoundry.org
>>> > [mailto:sipx-users-***@list.sipfoundry.org] On Behalf Of Noah Mehl
>>> > Sent: Thursday, November 15, 2012 10:04 AM
>>> > To: Discussion list for users of sipXecs software
>>> > Subject: Re: [sipx-users] Hacked SipXecs 4.4
>>> >
>>> > To that point:
>>> >
>>> > Users logging in through sshd:
>>> > PlcmSpIp:
>>> > 172.129.67.195 (AC8143C3.ipt.aol.com): 1 time
>>> >
>>> > That can't be good. I understand that PlcmSplp is a user for the Polycom
>>> > provisioning. I have removed ssh access to the box from the world, but how
>>> > do I change the default password for that user? This seems like a big
>>> > security risk, as every sipxecs install probably has this user with a
>>> > default password?
>>> >
>>> > ~Noah
>>> >
>>> > On Nov 15, 2012, at 12:41 PM, Todd Hodgen <***@frontier.com>
>>> wrote:
>>> >
>>> >> Look at var/spool/mail/root There is a report you can find in there that
>>> >> shows system activity. Look for entries below ---------------------
>>> >> pam_unix Begin ------------------------ and I think you will find the
>>> >> source of your aggravation.
>>> >>
>>> >> -----Original Message-----
>>> >> From: sipx-users-***@list.sipfoundry.org
>>> >> [mailto:sipx-users-***@list.sipfoundry.org] On Behalf Of Noah Mehl
>>> >> Sent: Thursday, November 15, 2012 6:29 AM
>>> >> To: Discussion list for users of sipXecs software
>>> >> Subject: Re: [sipx-users] Hacked SipXecs 4.4
>>> >>
>>> >> I am seeing more spam in my mail queue. I have iptables installed,
>>> >> and here are my rules:
>>> >>
>>> >> Chain INPUT (policy ACCEPT)
>>> >> target prot opt source destination
>>> >> RH-Firewall-1-INPUT all -- anywhere anywhere
>>> >>
>>> >> Chain FORWARD (policy ACCEPT)
>>> >> target prot opt source destination
>>> >> RH-Firewall-1-INPUT all -- anywhere anywhere
>>> >>
>>> >> Chain OUTPUT (policy ACCEPT)
>>> >> target prot opt source destination
>>> >>
>>> >> Chain RH-Firewall-1-INPUT (2 references)
>>> >> target prot opt source destination
>>> >> ACCEPT all -- anywhere anywhere
>>> >> ACCEPT icmp -- anywhere anywhere icmp any
>>> >> ACCEPT esp -- anywhere anywhere
>>> >> ACCEPT ah -- anywhere anywhere
>>> >> ACCEPT udp -- anywhere 224.0.0.251 udp dpt:mdns
>>> >> ACCEPT udp -- anywhere anywhere udp dpt:ipp
>>> >> ACCEPT tcp -- anywhere anywhere tcp dpt:ipp
>>> >> ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
>>> >> ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:pcsync-https
>>> >> ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
>>> >> ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:xmpp-client
>>> >> ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:5223
>>> >> ACCEPT all -- 192.168.0.0/16 anywhere
>>> >> ACCEPT udp -- anywhere anywhere state NEW udp dpt:sip
>>> >> ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:sip
>>> >> ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:sip-tls
>>> >> ACCEPT udp -- sip02.gafachi.com anywhere state NEW udp dpts:sip:5080
>>> >> ACCEPT udp -- 204.11.192.0/22 anywhere state NEW udp dpts:sip:5080
>>> >> REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
>>> >>
>>> >> As far as I can tell, no one should be able to use port 25 from the world.
>>> >> Also, sendmail is only configured to allow relay from localhost:
>>> >>
>>> >> [***@sipx1 ~]# cat /etc/mail/access
>>> >> # Check the /usr/share/doc/sendmail/README.cf file for a description
>>> >> # of the format of this file. (search for access_db in that file)
>>> >> # The /usr/share/doc/sendmail/README.cf is part of the sendmail-doc
>>> >> # package.
>>> >> #
>>> >> # by default we allow relaying from localhost...
>>> >> Connect:localhost.localdomain RELAY
>>> >> Connect:localhost RELAY
>>> >> Connect:127.0.0.1 RELAY
>>> >>
>>> >> Can someone please help me figure out where this spam is coming from?
>>> >> Thanks.
>>> >>
>>> >> ~Noah
>>> >>
>>> >> On Oct 13, 2012, at 10:17 AM, Noah Mehl <***@tritonlimited.com>
>>> wrote:
>>> >>
>>> >>> I did not change the configuration of anything related to the
>>> >>> PlcmSpIp
>>> >> user. It does however make me feel better that it is related to the
>>> >> vsftpd service and the polycom phones.
>>> >>>
>>> >>>> From /etc/passwd:
>>> >>>
>>> >>>
>>> >>> PlcmSpIp:x:500:500::/var/sipxdata/configserver/phone/profile/tftproot:/sbin/nologin
>>> >>>
>>> >>> So, that user cannot ssh to a shell. So I don't think it was that.
>>> >>>
>>> >>> ~Noah
>>> >>>
>>> >>> On Oct 12, 2012, at 9:05 AM, Tony Graziano
>>> >>> <***@myitdepartment.net>
>>> >> wrote:
>>> >>>
>>> >>>> ... more -- it's a user that does not have login to the OS itself,
>>> >>>> just vsftpd, which is restricted to certain commands and must
>>> >>>> present a request for its mac address in order to get a configuration
>>> >>>> file.
>>> >>>> It is not logging into linux unless someone changed the rights of
>>> >>>> the user.
>>> >>>>
>>> >>>> On Fri, Oct 12, 2012 at 7:30 AM, George Niculae <***@ezuce.com>
>>> > wrote:
>>> >>>>> On Fri, Oct 12, 2012 at 2:26 PM, Tony Graziano
>>> >>>>> <***@myitdepartment.net> wrote:
>>> >>>>>> this is not a valid system user unless you have manually added it
>>> >>>>>> to the system. I do think the logs would show more if access was
>>> >>>>>> granted. Why are you exposing sshd to the outside world with an
>>> >>>>>> acl or by protecting it at your firewall?
>>> >>>>>>
>>> >>>>>
>>> >>>>> PlcmSpIp is the user used by polycom phones for fetching config
>>> >>>>> from server
>>> >>>>>
>>> >>>>> George
>>> >>>>
>>> >>>>
>>> >>>>
>>> >>>> --
>>> >>>> ~~~~~~~~~~~~~~~~~~
>>> >>>> Tony Graziano, Manager
>>> >>>> Telephone: 434.984.8430
>>> >>>> sip: ***@voice.myitdepartment.net
>>> >>>> Fax: 434.465.6833
>>> >>>> ~~~~~~~~~~~~~~~~~~
>>> >>>> Linked-In Profile:
>>> >>>> http://www.linkedin.com/pub/tony-graziano/14/4a6/7a4
>>> >>>> Ask about our Internet Fax services!
>>> >>>> ~~~~~~~~~~~~~~~~~~
>>> >>>>
>>> >>>> Using or developing for sipXecs from SIPFoundry? Ask me about
>>> >>>> sipX-CoLab
>>> >> 2013!
>>> >>>>
>>> >>>> --
>>> >>>> LAN/Telephony/Security and Control Systems Helpdesk:
>>> >>>> Telephone: 434.984.8426
>>> >>>> sip: ***@voice.myitdepartment.net
>>> >>>>
>>> >>>> Helpdesk Customers: http://myhelp.myitdepartment.net
>>> >>>> Blog: http://blog.myitdepartment.net
>>> >>>
>>> >>>
>>>
>>
>> LAN/Telephony/Security and Control Systems Helpdesk:
>> Telephone: 434.984.8426
>> sip: ***@voice.myitdepartment.net
>>
>> Helpdesk Customers: http://myhelp.myitdepartment.net
>> Blog: http://blog.myitdepartment.net
>>
>
> LAN/Telephony/Security and Control Systems Helpdesk:
> Telephone: 434.984.8426
> sip: ***@voice.myitdepartment.net
>
> Helpdesk Customers: http://myhelp.myitdepartment.net
> Blog: http://blog.myitdepartment.net
>

--
LAN/Telephony/Security and Control Systems Helpdesk:
Telephone: 434.984.8426
sip: ***@voice.myitdepartment.net

Helpdesk Customers: http://myhelp.myitdepartment.net
Blog: http://blog.myitdepartment.net
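The two points argued in the thread above, that a /sbin/nologin shell does not stop an account from authenticating to sshd and requesting port forwards, and that `DenyUsers PlcmSpIp` in sshd_config closes the hole, can be checked mechanically. The Python script below is an added example, not code from this thread or from the sipXecs project: it flags nologin accounts that still appear in sshd's pam_unix "session opened" lines, and reports whether an sshd_config denies such an account or at least disables TCP forwarding for it in a `Match User` block (the Match block is a defence-in-depth variant this editor assumes, not something the thread proposes). The /etc/passwd entry, /var/log/secure lines and sshd_config fragments are constructed samples modelled on the ones quoted in the thread.

```python
"""Audit helper for the PlcmSpIp problem in this thread (added example, not
sipXecs code). A nologin shell only refuses to run commands; sshd still
authenticates the account, so "ssh -N" with a known default password can
request port forwards. This script flags nologin accounts seen in sshd session
logs and checks whether sshd_config denies them or disables their forwarding."""
import re
from fnmatch import fnmatchcase

# Constructed /etc/passwd excerpt: the PlcmSpIp entry mirrors the one quoted in
# the thread; the other two accounts are made up for contrast.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
PlcmSpIp:x:500:500::/var/sipxdata/configserver/phone/profile/tftproot:/sbin/nologin
sipx:x:501:501::/var/sipxdata:/bin/bash
"""

# Constructed /var/log/secure excerpt in the pam_unix format shown in the thread.
SECURE_SAMPLE = """\
Oct 11 06:09:25 sipx1 sshd[22059]: pam_unix(sshd:session): session opened for user PlcmSpIp by (uid=0)
Oct 11 06:10:01 sipx1 sshd[22070]: pam_unix(sshd:session): session opened for user sipx by (uid=0)
Oct 11 18:36:02 sipx1 sshd[29185]: pam_unix(sshd:session): session opened for user PlcmSpIp by (uid=0)
Oct 11 18:36:09 sipx1 sshd[29185]: pam_unix(sshd:session): session closed for user PlcmSpIp
"""

# Constructed sshd_config fragments: a stock-style one with no restriction, and a
# hardened one carrying the DenyUsers line from the thread plus an assumed
# defence-in-depth Match block that refuses forwarding for the account.
SSHD_CONFIG_STOCK = """\
PermitRootLogin yes
Subsystem sftp /usr/libexec/openssh/sftp-server
"""

SSHD_CONFIG_HARDENED = """\
PermitRootLogin no
DenyUsers PlcmSpIp
# Even if the account is ever re-allowed, refuse every forwarding feature.
Match User PlcmSpIp
    AllowTcpForwarding no
    PermitTunnel no
    X11Forwarding no
"""

SESSION_RE = re.compile(
    r"sshd\[\d+\]: pam_unix\(sshd:session\): session opened for user (\S+)"
)
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}


def nologin_accounts(passwd_text):
    """Usernames whose login shell refuses commands; they never need sshd."""
    names = set()
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[6] in NOLOGIN_SHELLS:
            names.add(fields[0])
    return names


def ssh_sessions(secure_text):
    """Count sshd 'session opened' events per user in /var/log/secure lines."""
    counts = {}
    for line in secure_text.splitlines():
        m = SESSION_RE.search(line)
        if m:
            counts[m.group(1)] = counts.get(m.group(1), 0) + 1
    return counts


def suspicious_sessions(passwd_text, secure_text):
    """Nologin accounts that nonetheless opened sshd sessions."""
    nologin = nologin_accounts(passwd_text)
    return {u: n for u, n in ssh_sessions(secure_text).items() if u in nologin}


def sshd_restrictions(sshd_config_text, user):
    """Report whether sshd_config denies `user` outright (DenyUsers) and/or
    disables TCP forwarding for it inside a 'Match User' block. Keywords are
    case-insensitive; DenyUsers and Match patterns may use sshd's * and ?."""
    denied = False
    forwarding_off = False
    in_match_for_user = False  # True while inside a Match block covering `user`
    for raw in sshd_config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        args = parts[1].split() if len(parts) > 1 else []
        if keyword == "match":
            # Criteria come in pairs, e.g. "Match User a,b Address 10.0.0.0/8".
            in_match_for_user = False
            for i in range(0, len(args) - 1, 2):
                if args[i].lower() == "user":
                    in_match_for_user = any(
                        fnmatchcase(user, p) for p in args[i + 1].split(",")
                    )
        elif keyword == "denyusers" and not in_match_for_user:
            denied = denied or any(fnmatchcase(user, p) for p in args)
        elif keyword == "allowtcpforwarding" and in_match_for_user:
            forwarding_off = args[:1] == ["no"]
    return {"denied": denied, "tcp_forwarding_disabled": forwarding_off}


if __name__ == "__main__":
    print("nologin accounts with sshd sessions:", suspicious_sessions(PASSWD_SAMPLE, SECURE_SAMPLE))
    for name, cfg in (("stock", SSHD_CONFIG_STOCK), ("hardened", SSHD_CONFIG_HARDENED)):
        print(name, "sshd_config for PlcmSpIp:", sshd_restrictions(cfg, "PlcmSpIp"))
```

On a real host the three sample strings would be read from /etc/passwd, /var/log/secure and /etc/ssh/sshd_config; any account the first function reports is one whose password should be changed and whose sshd access should be denied, since a nologin shell alone gives no protection against `ssh -N` tunnelling.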
Noah Mehl
2012-11-16 19:08:51 UTC
Permalink
I don't understand:

"so polycom provisioning in Sipx will cease using ftp and the user account will be removed at that time and move to http/HTTPS."

Why would denying the PlcmSpIp user in the sshd config affect provisioning?

Honestly, the exploit is the ability to use SSH port forwarding with the default PlcmSpIp user/pass. I doubt your IDS will stop that if you have ssh access to the machine.

~Noah

On Nov 16, 2012, at 1:48 PM, Tony Graziano <***@myitdepartment.net> wrote:


Fwiw I can test the exploit and my ids (commercial snort rules).

so polycom provisioning in Sipx will cease using ftp and the user account will be removed at that time and move to http/HTTPS.

On Nov 16, 2012 12:52 PM, "Noah Mehl" <***@tritonlimited.com> wrote:
I can confirm that adding:

DenyUsers PlcmSpIp

to /etc/ssh/sshd_config solves this exploit.

I'm back to my original opinion that if this user is installed automatically, without my intervention, then that line should be added to the sshd_config.

~Noah

On Nov 16, 2012, at 12:46 PM, Noah Mehl <***@tritonlimited.com> wrote:

Tony,

I just figured out an exploit in 15 minutes with the help of Google http://www.semicomplete.com/articles/ssh-security/:

$sudo ssh -vN -L25:localhost:25 ***@sipxecsip
$sudo ssh -vN -R25:localhost:25 ***@sipxecsip
$telnet localhost 25

Tell me if your ids stops that?

This works on a stock SipXecs 4.4.0 install.

~Noah

On Nov 16, 2012, at 11:46 AM, Tony Graziano <***@myitdepartment.net>
wrote:


The user doesn't have login via ssh. Ssh in and of itself is not protected and it is exposed.

It is trivial to change the user password and/or delete it. We typically don't expose ssh at all. You haven't provided any real evidence that a dictionary attack didn't overwhelm the pam service either.

I don't share your opinion here. My firewall protects against all kinds of ids stuff even if I had ssh open. Just because you have iptables running it doesn't mean you are inherently secure at all.

Our firewalls sitting in front of sipx had ids rules running that would protect anything behind it from a known attack against a well known service like ssh. Ssh has lots of options which should be exercised according to your security border device.

On Nov 16, 2012 11:36 AM, "Noah Mehl" <***@tritonlimited.com> wrote:
The only hardening required to solve this particular problem would be an addition to the sshd config:

DenyUsers PlcmSpIp

I think this should be included in the default distribution of SipXecs isos and/or packages (I've only ever used the iso) because this is something that is specific to the distribution. That user, and its password and access, are created by SipXecs, and that addition to the sshd config should be made OOTB. Unless someone has a reason that PlcmSpIp should be able to have any ssh access?

I'd really like some input from someone from eZuce, as this is an easy solution and protects the entire community.

This was NOT a DDOS attack. This is that the PlcmSpIp user has a default password of PlcmSpIp, and there's something about the default access of that user that allows remote execution via SSH OOTB, and that IS a security issue. You know why? Because as far as I know, no other default linux service account is susceptible to this attack. Probably because linux system accounts DON'T HAVE PASSWORDS! In other words, if you're creating service users with default passwords, they probably should be denied from ssh OOTB. This is also not documented, as far as I can tell...

~Noah

On Nov 16, 2012, at 11:26 AM, Tony Graziano <***@myitdepartment.net> wrote:


It really sounds like you don't have a method to harden your server if you are exposing it. It's entirely possible you were targeted with a ddos attack that overwhelmed the Linux system. If you had properly crafted iptables rules and ssh protection mechanisms it would most likely not have happened.

Any DoS or DDoS can overwhelm system services to the point of failure, thus allowing (by unavailability) internal logging or protection mechanisms. Put the server behind a firewall and protect the vulnerable service (ssh) by limiting the footprint. Backup the system, wipe and restore it in the event a root kit was planted.

I don't think iptables was adequately configured. I don't think there is anything inherently wrong with Sipx here either.

It is a phone system. It is up to you to protect and/or harden it. Any vulnerabilities exposed are really Linux vulnerabilities and Linux is not hack proof.

Good luck.

On Nov 16, 2012 10:07 AM, "Noah Mehl" <***@tritonlimited.com> wrote:
Todd,

The private subnet is: 172.16.0.0 - 172.31.255.255. That IP is a public IP address, which is part of AOL in Nevada I think. I actually have over 80 different public IP address entries in my log using that user to SSH to my SipXecs box.

I understand that it's a phone system and not a firewall. However it's a linux server, and IPtables is the best firewall in the world, IMHO. I did have SSH access open to the world, that was my choice. I have never been bitten by this before. Either way, you should not be able to execute anything by SSH'ing with the PlcmSpIp user, whether it's a public IP or not.

~Noah

On Nov 15, 2012, at 7:07 PM, Todd Hodgen <***@frontier.com> wrote:

> Here is a question I would have as well - 172.129.67.195 seems to be an
> address that is local to your network. Who has that IP address, why are
> they attempting to breach that server. If they are not a part of your
> network, how are they getting to that server from outside your network -
> there has to be an opening in a firewall somewhere that is allowing it.
>
> Remember, this is a phone system, not a firewall, not a router. It's a
> phone system with pretty standard authentication requirements, it's up to
> the administrator to keep others off of the network.
>
> -----Original Message-----
> From: sipx-users-***@list.sipfoundry.org
> [mailto:sipx-users-***@list.sipfoundry.org] On Behalf Of Noah Mehl
> Sent: Thursday, November 15, 2012 10:04 AM
> To: Discussion list for users of sipXecs software
> Subject: Re: [sipx-users] Hacked SipXecs 4.4
>
> To that point:
>
> Users logging in through sshd:
> PlcmSpIp:
> 172.129.67.195 (AC8143C3.ipt.aol.com): 1 time
>
> That can't be good. I understand that PlcmSplp is a user for the Polycom
> provisioning. I have removed ssh access to the box from the world, but how
> do I change the default password for that user? This seems like a big
> security risk, as every sipxecs install probably has this user with a
> default password?
>
> ~Noah
>
> On Nov 15, 2012, at 12:41 PM, Todd Hodgen <***@frontier.com> wrote:
>
>> Look at var/spool/mail/root There is a report you can find in there
> that
>> shows system activity. Look for entries below ---------------------
>> pam_unix Begin ------------------------ and I think you will find the
>> source of your aggravation.
>>
>> -----Original Message-----
>> From: sipx-users-***@list.sipfoundry.org
>> [mailto:sipx-users-***@list.sipfoundry.org] On Behalf Of Noah Mehl
>> Sent: Thursday, November 15, 2012 6:29 AM
>> To: Discussion list for users of sipXecs software
>> Subject: Re: [sipx-users] Hacked SipXecs 4.4
>>
>> I am seeing more spam in my mail queue. I have iptables installed,
>> and here are my rules:
>>
>> Chain INPUT (policy ACCEPT)
>> target prot opt source destination
>> RH-Firewall-1-INPUT all -- anywhere anywhere
>>
>> Chain FORWARD (policy ACCEPT)
>> target prot opt source destination
>> RH-Firewall-1-INPUT all -- anywhere anywhere
>>
>> Chain OUTPUT (policy ACCEPT)
>> target prot opt source destination
>>
>> Chain RH-Firewall-1-INPUT (2 references)
>> target prot opt source destination
>> ACCEPT all -- anywhere anywhere
>> ACCEPT icmp -- anywhere anywhere icmp any
>> ACCEPT esp -- anywhere anywhere
>> ACCEPT ah -- anywhere anywhere
>> ACCEPT udp -- anywhere 224.0.0.251 udp dpt:mdns
>> ACCEPT udp -- anywhere anywhere udp dpt:ipp
>> ACCEPT tcp -- anywhere anywhere tcp dpt:ipp
>> ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
>> ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:pcsync-https
>> ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
>> ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:xmpp-client
>> ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:5223
>> ACCEPT all -- 192.168.0.0/16 anywhere
>> ACCEPT udp -- anywhere anywhere state NEW udp dpt:sip
>> ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:sip
>> ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:sip-tls
>> ACCEPT udp -- sip02.gafachi.com anywhere state NEW udp dpts:sip:5080
>> ACCEPT udp -- 204.11.192.0/22 anywhere state NEW udp dpts:sip:5080
>> REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
>>
>> As far as I can tell, no one should be able to use port 25 from the world.
>> Also, sendmail is only configured to allow relay from localhost:
>>
>> [***@sipx1 ~]# cat /etc/mail/access
>> # Check the /usr/share/doc/sendmail/README.cf file for a description
>> # of the format of this file. (search for access_db in that file)
>> # The /usr/share/doc/sendmail/README.cf is part of the sendmail-doc
>> # package.
>> #
>> # by default we allow relaying from localhost...
>> Connect:localhost.localdomain RELAY
>> Connect:localhost RELAY
>> Connect:127.0.0.1 RELAY
>>
>> Can someone please help me figure out where this spam is coming from?
>> Thanks.
>>
>> ~Noah
>>
>> On Oct 13, 2012, at 10:17 AM, Noah Mehl <***@tritonlimited.com> wrote:
>>
>>> I did not change the configuration of anything related to the
>>> PlcmSpIp
>> user. It does however make me feel better that it is related to the
>> vsftpd service and the polycom phones.
>>>
>>>> From /etc/passwd:
>>>
>>> PlcmSpIp:x:500:500::/var/sipxdata/configserver/phone/profile/tftproot:
>>> /sbin/nologin
>>>
>>> So, that user cannot ssh to a shell. So I don't think it was that.
>>>
>>> ~Noah
>>>
>>> On Oct 12, 2012, at 9:05 AM, Tony Graziano <***@myitdepartment.net> wrote:
>>>
>>>> ... more -- it's a user that does not have login to the OS itself,
>>>> just vsftpd, which is restricted to certain commands and must
>>>> present a request for its mac address in order to get a configuration
>>>> file.
>>>> It is not logging into linux unless someone changed the rights of
>>>> the user.
>>>>
>>>> On Fri, Oct 12, 2012 at 7:30 AM, George Niculae <***@ezuce.com> wrote:
>>>>> On Fri, Oct 12, 2012 at 2:26 PM, Tony Graziano <***@myitdepartment.net> wrote:
>>>>>> this is not a valid system user unless you have manually added it
>>>>>> to the system. I do think the logs would show more if access was
>>>>>> granted. Why are you exposing sshd to the outside world with an
>>>>>> acl or by protecting it at your firewall?
>>>>>>
>>>>>
>>>>> PlcmSpIp is the user used by polycom phones for fetching config
>>>>> from server
>>>>>
>>>>> George
>>>>> _______________________________________________
>>>>> sipx-users mailing list
>>>>> sipx-***@list.sipfoundry.org
>>>>> List Archive: http://list.sipfoundry.org/archive/sipx-users/
>>>>
>>>>
>>>>
>>>> --
>>>> ~~~~~~~~~~~~~~~~~~
>>>> Tony Graziano, Manager
>>>> Telephone: 434.984.8430
>>>> sip: ***@voice.myitdepartment.net
>>>> Fax: 434.465.6833
>>>> ~~~~~~~~~~~~~~~~~~
>>>> Linked-In Profile:
>>>> http://www.linkedin.com/pub/tony-graziano/14/4a6/7a4
>>>> Ask about our Internet Fax services!
>>>> ~~~~~~~~~~~~~~~~~~
>>>>
>>>> Using or developing for sipXecs from SIPFoundry? Ask me about
>>>> sipX-CoLab
>> 2013!
>>>>
>>>> --
>>>> LAN/Telephony/Security and Control Systems Helpdesk:
>>>> Telephone: 434.984.8426
>>>> sip: ***@voice.myitdepartment.net
>>>>
>>>> Helpdesk Customers: http://myhelp.myitdepartment.net
>>>> Blog: http://blog.myitdepartment.net
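The evidence this message is built on is the pair of facts quoted above: PlcmSpIp has /sbin/nologin as its shell in /etc/passwd, yet /var/log/secure shows pam_unix "session opened" lines for it. Those are not contradictory. A nologin shell only stops an interactive shell or remote command; sshd checks only that the shell exists and is executable, then authenticates the account and opens a PAM session even for a connection that asks for nothing but port forwarding (ssh -N), so the session lines appear without a shell ever running. The script below is an added example, not code from the thread or from sipXecs, of the triage a practitioner would run: it cross-references sshd "Accepted ..." and "session opened" lines with /etc/passwd and reports which nologin accounts got sshd sessions, how they authenticated and from which addresses. The log lines and passwd entries in it are constructed for the demo (the PlcmSpIp passwd line mirrors the one quoted in the thread); on a real CentOS host read /var/log/secure and /etc/passwd instead.

```python
"""Triage sshd sessions opened for accounts that should never get one.

Added example, not from the thread or from the sipXecs project. Parses
syslog-style lines as written to /var/log/secure and cross-references them
with /etc/passwd. The sample data below is constructed for the demo.
"""
import re
from collections import defaultdict

# Constructed sample of /var/log/secure; same line formats as the thread's grep output.
SAMPLE_SECURE = """\
Oct 11 06:09:20 sipx1 sshd[22059]: Accepted password for PlcmSpIp from 172.129.67.195 port 50112 ssh2
Oct 11 06:09:25 sipx1 sshd[22059]: pam_unix(sshd:session): session opened for user PlcmSpIp by (uid=0)
Oct 11 12:14:02 sipx1 sshd[25001]: Accepted publickey for root from 192.168.1.20 port 40200 ssh2
Oct 11 12:14:02 sipx1 sshd[25001]: pam_unix(sshd:session): session opened for user root by (uid=0)
Oct 11 18:35:58 sipx1 sshd[29185]: Accepted password for PlcmSpIp from 203.0.113.7 port 33011 ssh2
Oct 11 18:36:02 sipx1 sshd[29185]: pam_unix(sshd:session): session opened for user PlcmSpIp by (uid=0)
Oct 11 18:36:10 sipx1 sshd[29190]: Failed password for PlcmSpIp from 198.51.100.9 port 41000 ssh2
Oct 11 18:36:16 sipx1 sshd[29192]: Accepted password for PlcmSpIp from 203.0.113.7 port 33020 ssh2
Oct 11 18:36:16 sipx1 sshd[29192]: pam_unix(sshd:session): session opened for user PlcmSpIp by (uid=0)
"""

# Constructed sample of /etc/passwd; the PlcmSpIp entry matches the one quoted in the thread.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
PlcmSpIp:x:500:500::/var/sipxdata/configserver/phone/profile/tftproot:/sbin/nologin
ops:x:501:501::/home/ops:/bin/bash
"""

NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}

ACCEPTED_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Accepted (?P<method>\w+) for (?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+)"
)
SESSION_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: pam_unix\(sshd:session\): session opened for user (?P<user>\S+)"
)


def nologin_accounts(passwd_text):
    """Names of accounts whose login shell is a nologin shell."""
    accounts = set()
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[6] in NOLOGIN_SHELLS:
            accounts.add(fields[0])
    return accounts


def accepted_logins(secure_text):
    """Map (user, sshd pid) -> (auth method, source address) for every accepted auth.

    The sshd child that logs 'Accepted ...' is the one that later logs the PAM
    session line, so the pid ties the two together."""
    logins = {}
    for line in secure_text.splitlines():
        m = ACCEPTED_RE.search(line)
        if m:
            logins[(m["user"], m["pid"])] = (m["method"], m["ip"])
    return logins


def suspicious_sessions(secure_text, passwd_text):
    """sshd sessions opened for nologin accounts.

    Returns {user: {"sessions": n, "sources": [ip...], "methods": [method...]}}.
    A nologin shell is only consulted when sshd would spawn a shell or command;
    a forwarding-only connection (ssh -N) never gets that far, yet PAM still
    records 'session opened', which is exactly the line matched here.
    """
    service = nologin_accounts(passwd_text)
    logins = accepted_logins(secure_text)
    found = defaultdict(lambda: {"sessions": 0, "sources": set(), "methods": set()})
    for line in secure_text.splitlines():
        m = SESSION_RE.search(line)
        if not m or m["user"] not in service:
            continue
        entry = found[m["user"]]
        entry["sessions"] += 1
        auth = logins.get((m["user"], m["pid"]))
        if auth:
            entry["methods"].add(auth[0])
            entry["sources"].add(auth[1])
    return {u: {"sessions": e["sessions"], "sources": sorted(e["sources"]),
                "methods": sorted(e["methods"])} for u, e in found.items()}


if __name__ == "__main__":
    for user, info in suspicious_sessions(SAMPLE_SECURE, SAMPLE_PASSWD).items():
        print("%s: %d sshd session(s), auth via %s, from %s" % (
            user, info["sessions"], ",".join(info["methods"]), ", ".join(info["sources"])))
```

Anything this reports for a password-authenticated service account from an address outside your own ranges is a login with a shared or default credential, not a brute-force symptom; the "Failed password" lines that a dictionary attack leaves behind are deliberately ignored here so the two are not confused.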
Tony Graziano
2012-11-16 19:11:34 UTC
Permalink
It would mean the user would no longer be present on the system because it
would not be required.

On Fri, Nov 16, 2012 at 2:08 PM, Noah Mehl <***@tritonlimited.com> wrote:

> I don't understand:
>
> "so polycom provisioning in Sipx will cease using ftp and the user
> account will be removed at that time and move to http/HTTPS."
>
> Why would denying the PlcmSpIp user in the sshd config affect provisioning?
>
> Honestly, the exploit is the ability to use SSH port forwarding with the
> default PlcmSpIp user/pass. I doubt your ids will stop that if you have
> ssh access to the machine.
>
> ~Noah
>
> On Nov 16, 2012, at 1:48 PM, Tony Graziano <***@myitdepartment.net>
> wrote:
>
> Fwiw I can test the exploit and my ids (commercial snort rules).
>
> so polycom provisioning in Sipx will cease using ftp and the user account
> will be removed at that time and move to http/HTTPS.
> On Nov 16, 2012 12:52 PM, "Noah Mehl" <***@tritonlimited.com> wrote:
>
>> I can confirm that adding:
>>
>> DenyUsers PlcmSpIp
>>
>> to /etc/ssh/sshd_config solves this exploit.
>>
>> I'm back to my original opinion that if this user is installed
>> automatically, without my intervention, then that line should be added to
>> the sshd_config.
>>
>> ~Noah
>>
>> On Nov 16, 2012, at 12:46 PM, Noah Mehl <***@tritonlimited.com> wrote:
>>
>> Tony,
>>
>> I just figured out an exploit in 15 minutes with the help of Google
>> http://www.semicomplete.com/articles/ssh-security/:
>>
>> $sudo ssh -vN -L25:localhost:25 ***@sipxecsip
>> $sudo ssh -vN -R25:localhost:25 ***@sipxecsip
>> $telnet localhost 25
>>
>> Tell me if your ids stops that?
>>
>> This works on a stock SipXecs 4.4.0 install.
>>
>> ~Noah
>>
>> On Nov 16, 2012, at 11:46 AM, Tony Graziano <***@myitdepartment.net> wrote:
>>
>> The user doesn't have login via ssh. Ssh in and of itself is not
>> protected and it is exposed.
>>
>> It is trivial to change the user password and/or delete it. We typically
>> don't expose ssh at all. You haven't provided any real evidence that a
>> dictionary attack didn't overwhelm the pam service either.
>>
>> I don't share your opinion here. My firewall protects against all kinds
>> of ids stuff even if I had ssh open. Just because you have iptables running
>> it doesn't mean you are inherently secure at all.
>>
>> Our firewalls sitting in front of sipx had ids rules running that would
>> protect anything behind it from a known attack against a well known service
>> like ssh. Ssh has lots of options which should be exercised according to
>> your security border device.
>> On Nov 16, 2012 11:36 AM, "Noah Mehl" <***@tritonlimited.com> wrote:
>>
>>> The only hardening required to solve this particular problem would be an
>>> addition to the sshd config:
>>>
>>> DenyUsers PlcmSpIp
>>>
>>> I think this should be included in the default distribution of SipXecs
>>> isos and/or packages (I've only ever used the iso) because this is
>>> something that is specific to the distribution. That user, and its
>>> password and access, are created by SipXecs, and that addition to the sshd
>>> config should be made OOTB. Unless someone has a reason that PlcmSpIp
>>> should be able to have any ssh access?
>>>
>>> I'd really like some input from someone from eZuce, as this is an easy
>>> solution and protects the entire community.
>>>
>>> This was NOT a DDOS attack. The issue is that the PlcmSpIp user has a
>>> default password of PlcmSpIp, and there's something about the default
>>> access of that user that allows remote execution via SSH OOTB, and that
>>> *IS* a security issue. You know why? Because as far as I know, no
>>> other default linux service account is susceptible to this attack.
>>> Probably because linux system accounts DON'T HAVE PASSWORDS! In other
>>> words, if you're creating service users with default passwords, they
>>> probably should be denied from ssh OOTB. This is also not documented as
>>> far as I can tell...
>>>
>>> ~Noah
>>>
>>> On Nov 16, 2012, at 11:26 AM, Tony Graziano <***@myitdepartment.net> wrote:
>>>
>>> It really sounds like you don't have a method to harden your server if
>>> you are exposing it. It's entirely possible you were targeted with a ddos
>>> attack that overwhelmed the Linux system. If you had properly crafted
>>> iptables rules and ssh protection mechanisms it would most likely not
>>> have happened.
>>>
>>> Any DoS or DDoS can overwhelm system services to the point of failure,
>>> thus allowing (by unavailability) internal logging or protection
>>> mechanisms. Put the server behind a firewall and protect the vulnerable
>>> service (ssh) by limiting the footprint. Backup the system, wipe and
>>> restore it in the event a root kit was planted.
>>>
>>> I don't think iptables was adequately configured. I don't think there is
>>> anything inherently wrong with Sipx here either.
>>>
>>> It is a phone system. It is up to you to protect and/or harden it. Any
>>> vulnerabilities exposed are really Linux vulnerabilities and Linux is not
>>> hack proof.
>>>
>>> Good luck.
>>> On Nov 16, 2012 10:07 AM, "Noah Mehl" <***@tritonlimited.com> wrote:
>>>
>>>> Todd,
>>>>
>>>> The private subnet is: 172.16.0.0 - 172.31.255.255. That IP is a
>>>> public IP address, which is part of AOL in Nevada I think. I actually have
>>>> over 80 different public IP address entries in my log using that user to
>>>> SSH to my SipXecs box.
>>>>
>>>> I understand that it's a phone system and not a firewall. However it's
>>>> a linux server, and IPtables is the best firewall in the world, IMHO. I did
>>>> have SSH access open to the world, that was my choice. I have never been
>>>> bitten by this before. Either way, you should not be able to execute
>>>> anything by SSH'ing with the PlcmSpIp user, whether it's a public IP or not.
>>>>
>>>> ~Noah
>>>>
>>>> On Nov 15, 2012, at 7:07 PM, Todd Hodgen <***@frontier.com> wrote:
>>>>
>>>> > Here is a question I would have as well - 172.129.67.195 seems to be
>>>> an
>>>> > address that is local to your network. Who has that IP address, why
>>>> are
>>>> > they attempting to breach that server. If they are not a part of
>>>> your
>>>> > network, how are they getting to that server from outside your
>>>> network -
>>>> > there has to be an opening in a firewall somewhere that is allowing
>>>> it.
>>>> >
>>>> > Remember, this is a phone system, not a firewall, not a router.
>>>> It's a
>>>> > phone system with pretty standard authentication requirements, it's
>>>> up to
>>>> > the administrator to keep others off of the network.
>>>> >
>>>> > -----Original Message-----
>>>> > From: sipx-users-***@list.sipfoundry.org
>>>> > [mailto:sipx-users-***@list.sipfoundry.org] On Behalf Of Noah
>>>> Mehl
>>>> > Sent: Thursday, November 15, 2012 10:04 AM
>>>> > To: Discussion list for users of sipXecs software
>>>> > Subject: Re: [sipx-users] Hacked SipXecs 4.4
>>>> >
>>>> > To that point:
>>>> >
>>>> > Users logging in through sshd:
>>>> > PlcmSpIp:
>>>> > 172.129.67.195 (AC8143C3.ipt.aol.com):
>>>> 1 time
>>>> >
>>>> > That can't be good. I understand that PlcmSpIp is a user for the
>>>> Polycom
>>>> > provisioning. I have removed ssh access to the box from the world,
>>>> but how
>>>> > do I change the default password for that user? This seems like a big
>>>> > security risk, as every sipxecs install probably has this user with a
>>>> > default password?
>>>> >
>>>> > ~Noah
>>>> >
>>>> > On Nov 15, 2012, at 12:41 PM, Todd Hodgen <***@frontier.com>
>>>> wrote:
>>>> >
>>>> >> Look at /var/spool/mail/root. There is a report you can find in
>>>> there
>>>> > that
>>>> >> shows system activity. Look for entries below ---------------------
>>>> >> pam_unix Begin ------------------------ and I think you will find the
>>>> >> source of your aggravation.
>>>> >>
>>>> >> -----Original Message-----
>>>> >> From: sipx-users-***@list.sipfoundry.org
>>>> >> [mailto:sipx-users-***@list.sipfoundry.org] On Behalf Of Noah
>>>> Mehl
>>>> >> Sent: Thursday, November 15, 2012 6:29 AM
>>>> >> To: Discussion list for users of sipXecs software
>>>> >> Subject: Re: [sipx-users] Hacked SipXecs 4.4
>>>> >>
>>>> >> I am seeing more spam in my mail queue. I have iptables installed,
>>>> >> and here are my rules:
>>>> >>
>>>> >> Chain INPUT (policy ACCEPT)
>>>> >> target     prot opt source               destination
>>>> >> RH-Firewall-1-INPUT  all  --  anywhere             anywhere
>>>> >>
>>>> >> Chain FORWARD (policy ACCEPT)
>>>> >> target     prot opt source               destination
>>>> >> RH-Firewall-1-INPUT  all  --  anywhere             anywhere
>>>> >>
>>>> >> Chain OUTPUT (policy ACCEPT)
>>>> >> target     prot opt source               destination
>>>> >>
>>>> >> Chain RH-Firewall-1-INPUT (2 references)
>>>> >> target     prot opt source               destination
>>>> >> ACCEPT     all  --  anywhere             anywhere
>>>> >> ACCEPT     icmp --  anywhere             anywhere            icmp any
>>>> >> ACCEPT     esp  --  anywhere             anywhere
>>>> >> ACCEPT     ah   --  anywhere             anywhere
>>>> >> ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:mdns
>>>> >> ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
>>>> >> ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ipp
>>>> >> ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
>>>> >> ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:pcsync-https
>>>> >> ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
>>>> >> ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:xmpp-client
>>>> >> ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:5223
>>>> >> ACCEPT     all  --  192.168.0.0/16       anywhere
>>>> >> ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:sip
>>>> >> ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:sip
>>>> >> ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:sip-tls
>>>> >> ACCEPT     udp  --  sip02.gafachi.com    anywhere            state NEW udp dpts:sip:5080
>>>> >> ACCEPT     udp  --  204.11.192.0/22      anywhere            state NEW udp dpts:sip:5080
>>>> >> REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
>>>> >>
>>>> >> As far as I can tell, no one should be able to use port 25 from the
>>>> world.
>>>> >> Also, sendmail is only configured to allow relay from localhost:
>>>> >>
>>>> >> [***@sipx1 ~]# cat /etc/mail/access
>>>> >> # Check the /usr/share/doc/sendmail/README.cf file for a description
>>>> >> # of the format of this file. (search for access_db in that file)
>>>> >> # The /usr/share/doc/sendmail/README.cf is part of the sendmail-doc
>>>> >> # package.
>>>> >> #
>>>> >> # by default we allow relaying from localhost...
>>>> >> Connect:localhost.localdomain RELAY
>>>> >> Connect:localhost RELAY
>>>> >> Connect:127.0.0.1 RELAY
>>>> >>
>>>> >> Can someone please help me figure out where this spam is coming from?
>>>> >> Thanks.
>>>> >>
>>>> >> ~Noah
>>>> >>
>>>> >> On Oct 13, 2012, at 10:17 AM, Noah Mehl <***@tritonlimited.com>
>>>> wrote:
>>>> >>
>>>> >>> I did not change the configuration of anything related to the
>>>> >>> PlcmSpIp
>>>> >> user. It does however make me feel better that it is related to the
>>>> >> vsftpd service and the polycom phones.
>>>> >>>
>>>> >>>> From /etc/passwd:
>>>> >>>
>>>> >>>
>>>> PlcmSpIp:x:500:500::/var/sipxdata/configserver/phone/profile/tftproot:
>>>> >>> /sbin/nologin
>>>> >>>
>>>> >>> So, that user cannot ssh to a shell. So I don't think it was that.
>>>> >>>
>>>> >>> ~Noah
>>>> >>>
>>>> >>> On Oct 12, 2012, at 9:05 AM, Tony Graziano
>>>> >>> <***@myitdepartment.net>
>>>> >> wrote:
>>>> >>>
>>>> >>>> ... more -- it's a user that does not have login to the OS itself,
>>>> >>>> just vsftpd, which is restricted to certain commands and must
>>>> >>>> present a request for its mac address in order to get a
>>>> >>>> configuration file.
>>>> >>>> It is not logging into linux unless someone changed the rights of
>>>> >>>> the user.
>>>> >>>>
>>>> >>>> On Fri, Oct 12, 2012 at 7:30 AM, George Niculae <***@ezuce.com>
>>>> > wrote:
>>>> >>>>> On Fri, Oct 12, 2012 at 2:26 PM, Tony Graziano
>>>> >>>>> <***@myitdepartment.net> wrote:
>>>> >>>>>> this is not a valid system user unless you have manually added it
>>>> >>>>>> to the system. I do think the logs would show more if access was
>>>> >>>>>> granted. Why are you exposing sshd to the outside world with an
>>>> >>>>>> acl or by protecting it at your firewall?
>>>> >>>>>>
>>>> >>>>>
>>>> >>>>> PlcmSpIp is the user used by polycom phones for fetching config
>>>> >>>>> from server
>>>> >>>>>
>>>> >>>>> George
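Two things in the exchange quoted above deserve to be stated plainly. First, DenyUsers is read only by sshd; vsftpd authenticates PlcmSpIp on its own through PAM, so denying the account in sshd_config neither removes it nor affects FTP provisioning (changing its password, the other remedy mentioned, would also require re-pointing the phones, which use the same default FTP credential). Second, why a closed relay still sent spam: through `ssh -L25:localhost:25` the attacker's SMTP session reaches sendmail from 127.0.0.1, which the /etc/mail/access file quoted earlier trusts with RELAY, so the relay restriction was honoured exactly as written. The script below is an added example, not code from the thread or from sipXecs. It reads an sshd_config and reports what a given account can actually do, applying OpenSSH's rules: for each keyword the first value wins, a Match block that matches the user overrides the global section, and DenyUsers/AllowUsers accumulate across lines. It goes slightly beyond the thread by evaluating Match User blocks generally, so it checks both the DenyUsers fix and the less drastic alternative of keeping the login but disabling forwarding for the account; the three configs in it are constructed. Match blocks need OpenSSH 4.4 or later; on OpenSSH 5.1 or later, `sshd -T -C user=PlcmSpIp,host=sipx1,addr=203.0.113.7` prints the effective settings directly and is the authoritative check on a live host.

```python
"""Report what an sshd_config actually lets a given account do.

Added example, not code from the thread or from sipXecs. Models the subset
of sshd_config semantics relevant here: DenyUsers, AllowUsers,
AllowTcpForwarding and 'Match User' blocks. Limits: only the User criterion
of Match is handled, and user@host patterns in Deny/AllowUsers are not.
All three configs below are constructed for the demo.
"""
import fnmatch

# Constructed: forwarding left at its default ("yes"), nobody denied.
STOCK_CONFIG = """\
Protocol 2
SyslogFacility AUTHPRIV
PasswordAuthentication yes
UsePAM yes
#AllowTcpForwarding yes
"""

# Constructed: the one-line fix confirmed in the thread.
DENIED_CONFIG = STOCK_CONFIG + "DenyUsers PlcmSpIp\n"

# Constructed: keep the login but remove the tunnel; for accounts that still
# need some SSH use (sftp, a forced command) but must never forward ports.
RESTRICTED_CONFIG = STOCK_CONFIG + """\
Match User PlcmSpIp
    AllowTcpForwarding no
    X11Forwarding no
"""


def parse_sshd_config(text):
    """Return (global_opts, match_blocks).

    global_opts is [(keyword, value)] in file order; each Match block is
    (criteria, [(keyword, value)]) with criteria like {"user": ["PlcmSpIp"]}.
    Every line after a Match line belongs to that block until the next Match.
    """
    global_opts, blocks, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            tokens = value.split()
            criteria = {n.lower(): p.split(",") for n, p in zip(tokens[0::2], tokens[1::2])}
            current = (criteria, [])
            blocks.append(current)
        elif current is None:
            global_opts.append((keyword, value))
        else:
            current[1].append((keyword, value))
    return global_opts, blocks


def block_applies(criteria, user):
    """True if a Match block selects this user. Blocks using criteria not
    modelled here (Address, Group, ...) count as not applying, which errs
    toward reporting the more permissive global value."""
    if set(criteria) != {"user"}:
        return False
    return any(fnmatch.fnmatchcase(user, pat) for pat in criteria["user"])


def effective(global_opts, blocks, user, keyword, default):
    """First matching Match block wins, then the first global value, then the default."""
    keyword = keyword.lower()
    for criteria, opts in blocks:
        if block_applies(criteria, user):
            for k, v in opts:
                if k == keyword:
                    return v
    for k, v in global_opts:
        if k == keyword:
            return v
    return default


def user_patterns(global_opts, blocks, user, keyword):
    """Every pattern from all DenyUsers/AllowUsers lines that apply to the user."""
    lines = [v for k, v in global_opts if k == keyword]
    for criteria, opts in blocks:
        if block_applies(criteria, user):
            lines.extend(v for k, v in opts if k == keyword)
    return [p for line in lines for p in line.split()]


def policy_for(config_text, user):
    """Effective policy for `user`: may log in at all, and may forward TCP ports."""
    global_opts, blocks = parse_sshd_config(config_text)
    deny = user_patterns(global_opts, blocks, user, "denyusers")
    allow = user_patterns(global_opts, blocks, user, "allowusers")
    login_allowed = not any(fnmatch.fnmatchcase(user, p) for p in deny)
    if allow and not any(fnmatch.fnmatchcase(user, p) for p in allow):
        login_allowed = False  # an AllowUsers list that omits the user excludes them
    forwarding = effective(global_opts, blocks, user, "AllowTcpForwarding", "yes").lower()
    return {
        "login_allowed": login_allowed,
        "tcp_forwarding": forwarding,
        # ssh -L/-R against localhost:25 needs both an accepted login and forwarding.
        "port_forward_possible": login_allowed and forwarding != "no",
    }


if __name__ == "__main__":
    for name, cfg in (("stock", STOCK_CONFIG), ("denied", DENIED_CONFIG),
                      ("restricted", RESTRICTED_CONFIG)):
        print(name, policy_for(cfg, "PlcmSpIp"))
```

For PlcmSpIp, which has no legitimate SSH use at all, DenyUsers is the right answer because it refuses the login before any channel or forwarding request is ever processed; the Match variant is for accounts that must keep SSH but should never be able to tunnel, and it does nothing about the shared default password itself.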
Noah Mehl
2012-11-16 19:14:08 UTC
Permalink
OK,

There must be some sort of communication issue here. Why would denying ssh access remove a user from the system? I thought provisioning happens via ftp, tftp, http, or https. I'm not talking about deleting the linux user, only specifically denying any ssh access to the sipxecs server for that user…?

~Noah

On Nov 16, 2012, at 2:11 PM, Tony Graziano <***@myitdepartment.net> wrote:

It would mean the user would no longer be present on the system because it would not be required.

On Fri, Nov 16, 2012 at 2:08 PM, Noah Mehl <***@tritonlimited.com> wrote:
I don't understand:

"so polycom provisioning in Sipx will cease using ftp and the user account will be removed at that time and move to http/HTTPS."

Why would denying the PlcmSpIp user in the sshd config affect provisioning?

Honestly, the exploit is the ability to use SSH port forwarding with the default PlcmSpIp user/pass. I doubt your ids will stop that if you have ssh access to the machine.

~Noah

On Nov 16, 2012, at 1:48 PM, Tony Graziano <***@myitdepartment.net> wrote:


Fwiw I can test the exploit and my ids (commercial snort rules).

so polycom provisioning in Sipx will cease using ftp and the user account will be removed at that time and move to http/HTTPS.

On Nov 16, 2012 12:52 PM, "Noah Mehl" <***@tritonlimited.com> wrote:
I can confirm that adding:

DenyUsers PlcmSpIp

to /etc/ssh/sshd_config solves this exploit.

I'm back to my original opinion that if this user is installed automatically, without my intervention, then that line should be added to the sshd_config.

~Noah

On Nov 16, 2012, at 12:46 PM, Noah Mehl <***@tritonlimited.com> wrote:

Tony,

I just figured out an exploit in 15 minutes with the help of Google http://www.semicomplete.com/articles/ssh-security/:

$sudo ssh -vN -L25:localhost:25 ***@sipxecsip
$sudo ssh -vN -R25:localhost:25 ***@sipxecsip
$telnet localhost 25

Tell me if your ids stops that?

This works on a stock SipXecs 4.4.0 install.

~Noah

On Nov 16, 2012, at 11:46 AM, Tony Graziano <***@myitdepartment.net> wrote:


The user doesn't have login via ssh. Ssh in and of itself is not protected and it is exposed.

It is trivial to change the user password and/or delete it. We typically don't expose ssh at all. You haven't provided any real evidence that a dictionary attack didn't overwhelm the pam service either.

I don't share your opinion here. My firewall protects against all kinds of ids stuff even if I had ssh open. Just because you have iptables running it doesn't mean you are inherently secure at all.

Our firewalls sitting in front of sipx had ids rules running that would protect anything behind it from a known attack against a well known service like ssh. Ssh has lots of options which should be exercised according to your security border device.

On Nov 16, 2012 11:36 AM, "Noah Mehl" <***@tritonlimited.com> wrote:
The only hardening required to solve this particular problem would be an addition to the sshd config:

DenyUsers PlcmSpIp

I think this should be included in the default distribution of SipXecs isos and/or packages (I've only ever used the iso) because this is something that is specific to the distribution. That user, and its password and access, are created by SipXecs, and that addition to the sshd config should be made OOTB. Unless someone has a reason that PlcmSpIp should be able to have any ssh access?

I'd really like some input from someone from eZuce, as this is an easy solution and protects the entire community.

This was NOT a DDOS attack. The issue is that the PlcmSpIp user has a default password of PlcmSpIp, and there's something about the default access of that user that allows remote execution via SSH OOTB, and that IS a security issue. You know why? Because as far as I know, no other default linux service account is susceptible to this attack. Probably because linux system accounts DON'T HAVE PASSWORDS! In other words, if you're creating service users with default passwords, they probably should be denied from ssh OOTB. This is also not documented as far as I can tell...

~Noah

On Nov 16, 2012, at 11:26 AM, Tony Graziano <***@myitdepartment.net> wrote:


It really sounds like you don't have a method to harden your server if you are exposing it. It's entirely possible you were targeted with a ddos attack that overwhelmed the Linux system. If you had properly crafted iptables rules and ssh protection mechanisms it would most likely not have happened.

Any DoS or DDoS can overwhelm system services to the point of failure, thus allowing (by unavailability) internal logging or protection mechanisms. Put the server behind a firewall and protect the vulnerable service (ssh) by limiting the footprint. Backup the system, wipe and restore it in the event a root kit was planted.

I don't think iptables was adequately configured. I don't think there is anything inherently wrong with Sipx here either.

It is a phone system. It is up to you to protect and/or harden it. Any vulnerabilities exposed are really Linux vulnerabilities and Linux is not hack proof.

Good luck.

On Nov 16, 2012 10:07 AM, "Noah Mehl" <***@tritonlimited.com> wrote:
Todd,

The private subnet is: 172.16.0.0 - 172.31.255.255. That IP is a public IP address, which is part of AOL in Nevada I think. I actually have over 80 different public IP address entries in my log using that user to SSH to my SipXecs box.

I understand that it's a phone system and not a firewall. However it's a linux server, and IPtables is the best firewall in the world, IMHO. I did have SSH access open to the world, that was my choice. I have never been bitten by this before. Either way, you should not be able to execute anything by SSH'ing with the PlcmSpIp user, whether it's a public IP or not.

~Noah

On Nov 15, 2012, at 7:07 PM, Todd Hodgen <***@frontier.com> wrote:

> Here is a question I would have as well - 172.129.67.195 seems to be an
> address that is local to your network. Who has that IP address, why are
> they attempting to breach that server. If they are not a part of your
> network, how are they getting to that server from outside your network -
> there has to be an opening in a firewall somewhere that is allowing it.
>
> Remember, this is a phone system, not a firewall, not a router. It's a
> phone system with pretty standard authentication requirements, it's up to
> the administrator to keep others off of the network.
>
> -----Original Message-----
> From: sipx-users-***@list.sipfoundry.org
> [mailto:sipx-users-***@list.sipfoundry.org] On Behalf Of Noah Mehl
> Sent: Thursday, November 15, 2012 10:04 AM
> To: Discussion list for users of sipXecs software
> Subject: Re: [sipx-users] Hacked SipXecs 4.4
>
> To that point:
>
> Users logging in through sshd:
> PlcmSpIp:
> 172.129.67.195 (AC8143C3.ipt.aol.com): 1 time
>
> That can't be good. I understand that PlcmSpIp is a user for the Polycom
> provisioning. I have removed ssh access to the box from the world, but how
> do I change the default password for that user? This seems like a big
> security risk, as every sipxecs install probably has this user with a
> default password?
>
> ~Noah
>
> On Nov 15, 2012, at 12:41 PM, Todd Hodgen <***@frontier.com> wrote:
>
>> Look at /var/spool/mail/root. There is a report you can find in there
>> that shows system activity. Look for entries below ---------------------
>> pam_unix Begin ------------------------ and I think you will find the
>> source of your aggravation.
>>
>> -----Original Message-----
>> From: sipx-users-***@list.sipfoundry.org
>> [mailto:sipx-users-***@list.sipfoundry.org] On Behalf Of Noah Mehl
>> Sent: Thursday, November 15, 2012 6:29 AM
>> To: Discussion list for users of sipXecs software
>> Subject: Re: [sipx-users] Hacked SipXecs 4.4
>>
>> I am seeing more spam in my mail queue. I have iptables installed,
>> and here are my rules:
>>
>> Chain INPUT (policy ACCEPT)
>> target prot opt source destination
>> RH-Firewall-1-INPUT all -- anywhere anywhere
>>
>> Chain FORWARD (policy ACCEPT)
>> target prot opt source destination
>> RH-Firewall-1-INPUT all -- anywhere anywhere
>>
>> Chain OUTPUT (policy ACCEPT)
>> target prot opt source destination
>>
>> Chain RH-Firewall-1-INPUT (2 references)
>> target prot opt source destination
>> ACCEPT all -- anywhere anywhere
>> ACCEPT icmp -- anywhere anywhere icmp any
>> ACCEPT esp -- anywhere anywhere
>> ACCEPT ah -- anywhere anywhere
>> ACCEPT udp -- anywhere 224.0.0.251 udp dpt:mdns
>> ACCEPT udp -- anywhere anywhere udp dpt:ipp
>> ACCEPT tcp -- anywhere anywhere tcp dpt:ipp
>> ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
>> ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:pcsync-https
>> ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
>> ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:xmpp-client
>> ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:5223
>> ACCEPT all -- 192.168.0.0/16 anywhere
>> ACCEPT udp -- anywhere anywhere state NEW udp dpt:sip
>> ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:sip
>> ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:sip-tls
>> ACCEPT udp -- sip02.gafachi.com anywhere state NEW udp dpts:sip:5080
>> ACCEPT udp -- 204.11.192.0/22 anywhere state NEW udp dpts:sip:5080
>> REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
>>
>> As far as I can tell, no one should be able to use port 25 from the world.
>> Also, sendmail is only configured to allow relay from localhost:
>>
>> [***@sipx1 ~]# cat /etc/mail/access
>> # Check the /usr/share/doc/sendmail/README.cf file for a description
>> # of the format of this file. (search for access_db in that file)
>> # The /usr/share/doc/sendmail/README.cf is part of the sendmail-doc
>> # package.
>> #
>> # by default we allow relaying from localhost...
>> Connect:localhost.localdomain RELAY
>> Connect:localhost RELAY
>> Connect:127.0.0.1 RELAY
>>
>> Can someone please help me figure out where this spam is coming from?
>> Thanks.
>>
>> ~Noah
>>
>> On Oct 13, 2012, at 10:17 AM, Noah Mehl <***@tritonlimited.com> wrote:
>>
>>> I did not change the configuration of anything related to the
>>> PlcmSpIp user. It does however make me feel better that it is related to the
>>> vsftpd service and the polycom phones.
>>>
>>> From /etc/passwd:
>>>
>>> PlcmSpIp:x:500:500::/var/sipxdata/configserver/phone/profile/tftproot:/sbin/nologin
>>>
>>> So, that user cannot ssh to a shell. So I don't think it was that.
>>>
>>> ~Noah
>>>
>>> On Oct 12, 2012, at 9:05 AM, Tony Graziano <***@myitdepartment.net> wrote:
>>>
>>>> ... more -- it's a user that does not have login to the OS itself,
>>>> just vsftpd, which is restricted to certain commands and must
>>>> present a request for its mac address in order to get a configuration file.
>>>> It is not logging into linux unless someone changed the rights of
>>>> the user.
>>>>
>>>> On Fri, Oct 12, 2012 at 7:30 AM, George Niculae <***@ezuce.com> wrote:
>>>>> On Fri, Oct 12, 2012 at 2:26 PM, Tony Graziano
>>>>> <***@myitdepartment.net> wrote:
>>>>>> this is not a valid system user unless you have manually added it
>>>>>> to the system. I do think the logs would show more if access was
>>>>>> granted. Why are you exposing sshd to the outside world with an
>>>>>> acl or by protecting it at your firewall?
>>>>>>
>>>>>
>>>>> PlcmSpIp is the user used by polycom phones for fetching config
>>>>> from server
>>>>>
>>>>> George
>>>>> _______________________________________________
>>>>> sipx-users mailing list
>>>>> sipx-***@list.sipfoundry.org
>>>>> List Archive: http://list.sipfoundry.org/archive/sipx-users/
>>>>
>>>>
>>>>
>>>> --
>>>> ~~~~~~~~~~~~~~~~~~
>>>> Tony Graziano, Manager
>>>> Telephone: 434.984.8430
>>>> sip: ***@voice.myitdepartment.net
>>>> Fax: 434.465.6833
>>>> ~~~~~~~~~~~~~~~~~~
>>>> Linked-In Profile:
>>>> http://www.linkedin.com/pub/tony-graziano/14/4a6/7a4
>>>> Ask about our Internet Fax services!
>>>> ~~~~~~~~~~~~~~~~~~
>>>>
>>>> Using or developing for sipXecs from SIPFoundry? Ask me about sipX-CoLab 2013!
>>>>
>>>> --
>>>> LAN/Telephony/Security and Control Systems Helpdesk:
>>>> Telephone: 434.984.8426
>>>> sip: ***@voice.myitdepartment.net
>>>>
>>>> Helpdesk Customers: http://myhelp.myitdepartment.net
>>>> Blog: http://blog.myitdepartment.net
Melcon Moraes
2012-11-16 20:49:17 UTC
Permalink
What Tony meant to say is that in the near future there will no longer be
FTP provisioning for Polycom, so the user will probably be removed.

Denying ssh access to the polycom user won't affect FTP provisioning and will
secure the box against this exploit itself. Also, if you don't need the
forwarding, you can add "AllowTcpForwarding no" into the sshd_config.

It's a nice catch Noah. I would say the DenyUsers approach would suffice
for a stock install. Not sure how difficult it would be to implement
automatically.

-
MM


On Fri, Nov 16, 2012 at 5:14 PM, Noah Mehl <***@tritonlimited.com> wrote:

> OK,
>
> There must be some sort of communication issue here. Why would denying
> ssh access remove a user from the system? I thought provisioning happens
> via ftp, tftp, http, or https. I'm not talking about deleting the linux
> user, only specifically denying any ssh access to the sipxecs server for
> that user?
>
> ~Noah
>
> On Nov 16, 2012, at 2:11 PM, Tony Graziano <***@myitdepartment.net> wrote:
>
> It would mean the user would no longer be present on the system because it
> would not be required.
>
> On Fri, Nov 16, 2012 at 2:08 PM, Noah Mehl <***@tritonlimited.com> wrote:
>
>> I don't understand:
>>
>> "so polycom provisioning in Sipx will cease using ftp and the user
>> account will be removed at that time and move to http/HTTPS."
>>
>> Why would denying the PlcmSpIp user in the sshd config affect provision?
>>
>> Honestly, the exploit is the ability to use SSH port forwarding with
>> the default PlcmSpIp user/pass. I doubt your ids will stop that if you
>> have ssh access to the machine.
>>
>> ~Noah
>>
>> On Nov 16, 2012, at 1:48 PM, Tony Graziano <***@myitdepartment.net> wrote:
>>
>> Fwiw I can test the exploit and my ids (commercial snort rules).
>>
>> so polycom provisioning in Sipx will cease using ftp and the user account
>> will be removed at that time and move to http/HTTPS.
>> On Nov 16, 2012 12:52 PM, "Noah Mehl" <***@tritonlimited.com> wrote:
>>
>>> I can confirm that adding:
>>>
>>> DenyUsers PlcmSpIp
>>>
>>> to /etc/ssh/sshd_config solves this exploit.
>>>
>>> I'm back to my original opinion that if this user is installed
>>> automatically, without my intervention, then that line should be added to
>>> the sshd_config.
>>>
>>> ~Noah
>>>
>>> On Nov 16, 2012, at 12:46 PM, Noah Mehl <***@tritonlimited.com> wrote:
>>>
>>> Tony,
>>>
>>> I just figured out an exploit in 15 minutes with the help of Google
>>> http://www.semicomplete.com/articles/ssh-security/:
>>>
>>> $sudo ssh -vN -L25:localhost:25 ***@sipxecsip
>>> $sudo ssh -vN -R25:localhost:25 ***@sipxecsip
>>> $telnet localhost 25
>>>
>>> Tell me if your ids stops that?
>>>
>>> This works on a stock SipXecs 4.4.0 install.
>>>
>>> ~Noah
>>>
>>> On Nov 16, 2012, at 11:46 AM, Tony Graziano <***@myitdepartment.net> wrote:
>>>
>>> The user doesn't have login via ssh. Ssh in and of itself is not
>>> protected and it is exposed.
>>>
>>> It is trivial to change the user password and/or delete it. We typically
>>> don't expose ssh at all. You haven't provided any real evidence that a
>>> dictionary attack didn't overwhelm the pam service either.
>>>
>>> I don't share your opinion here. My firewall protects against all kinds
>>> of ids stuff even if I had ssh open. Just because you have iptables running
>>> it doesn't mean you are inherently secure at all.
>>>
>>> Our firewalls sitting in front of sipx had ids rules running that would
>>> protect anything behind it from a known attack against a well known service
>>> like ssh. Ssh has lots of options which should be exercised according to
>>> your security border device.
>>> On Nov 16, 2012 11:36 AM, "Noah Mehl" <***@tritonlimited.com> wrote:
>>>
>>>> The only hardening required to solve this particular problem would be
>>>> an addition to the sshd config:
>>>>
>>>> DenyUsers PlcmSpIp
>>>>
>>>> I think this should be included in the default distribution of
>>>> SipXecs isos and/or packages (I've only ever used the iso) because this is
>>>> something that is specific to the distribution. That user, and its
>>>> password and access, are created by SipXecs, and that addition to the sshd
>>>> config should be made OOTB. Unless someone has a reason that PlcmSpIp
>>>> should be able to have any ssh access?
>>>>
>>>> I'd really like some input from someone from eZuce, as this is an
>>>> easy solution and protects the entire community.
>>>>
>>>> This was NOT a DDOS attack. This is that the PlcmSpIp user has a
>>>> default password of PlcmSpIp, and there's something about the default
>>>> access of that user that allow remote execution via SSH OOTB, and that
>>>> *IS* a security issue. You know why? Because as far as I know, no
>>>> other default linux service account is susceptible to this attack.
>>>> Probably because linux system accounts DON'T HAVE PASSWORDS! In other
>>>> words, if you're creating service users with default passwords, they
>>>> probably should be denied from ssh OOTB. This is also, not documented as
>>>> far as I can tell...
>>>>
>>>> ~Noah
>>>>
>>>> On Nov 16, 2012, at 11:26 AM, Tony Graziano <***@myitdepartment.net> wrote:
>>>>
>>>> It really sounds like you don't have a method to harden your server
>>>> if you are exposing it. It's entirely possible you were targeted with a ddos
>>>> attack that overwhelmed the Linux system. If you had properly crafted
>>>> iptables rules and ssh protection mechanisms it would most likely not
>>>> have happened.
>>>>
>>>> Any dos or ddos can overwhelm system services to the point of failure,
>>>> thus allowing (by unavailability) internal logging or protection
>>>> mechanisms. Put the server behind a firewall and protect the vulnerable
>>>> service (ssh) by limiting the footprint. Backup the system, wipe and
>>>> restore it in the event a root kit was planted.
>>>>
>>>> I don't think iptables was adequately configured. I don't think there
>>>> is anything inherently wrong with Sipx here either.
>>>>
>>>> It is a phone system. It is up to you to protect and/or harden it. Any
>>>> vulnerabilities exposed are really Linux vulnerabilities and Linux is not
>>>> hack proof.
>>>>
>>>> Good luck.
Gerald Drouillard
2012-11-16 18:33:58 UTC
Permalink
On 11/16/2012 12:45 PM, Noah Mehl wrote:
> Tony,
>
> I just figured out an exploit in 15 minutes with the help of Google
> http://www.semicomplete.com/articles/ssh-security/:
>
> $sudo ssh -vN -L25:localhost:25 ***@sipxecsip
> $sudo ssh -vN -R25:localhost:25 ***@sipxecsip
> $telnet localhost 25
>
>
Of course you can telnet to port 25 (smtp) on the server to localhost.
You have sendmail running on local host. If your sendmail is configured
properly you will not be able to access port 25 for another machine or
the real ip address of the server.

--
Regards
--------------------------------------
Gerald Drouillard
Technology Architect
Drouillard & Associates, Inc.
http://www.Drouillard.biz
Tony Graziano
2012-11-16 18:46:33 UTC
Permalink
But there again SMTP is for some reason open on that machine and unless you
are also using it as a mail server I don't see the point in making it
available to the public at large. Sendmail does not need to have SMTP open
in order to send. This is yet another thing that confuses me about your
firewall arrangements.
On Nov 16, 2012 1:34 PM, "Gerald Drouillard" <***@drouillard.ca> wrote:

> On 11/16/2012 12:45 PM, Noah Mehl wrote:
>
> Tony,
>
> I just figured out an exploit in 15 minutes with the help of Google
> http://www.semicomplete.com/articles/ssh-security/:
>
> $sudo ssh -vN -L25:localhost:25 ***@sipxecsip
> $sudo ssh -vN -R25:localhost:25 ***@sipxecsip
> $telnet localhost 25
>
>
> Of course you can telnet to port 25 (smtp) on the server to localhost.
> You have sendmail running on local host. If your sendmail is configured
> properly you will not be able to access port 25 for another machine or the
> real ip address of the server.
>
Noah Mehl
2012-11-16 18:57:25 UTC
Permalink
Does nobody on the list know what SSH port forwarding is? I am running the first two commands from a remote machine (connecting to the sipxecs machine) in separate terminals to forward my local 25 port to the sipxecs box, and the 25 port on the sipxecs box locally. The third command is run locally on the remote machine. This exploit gives the remote machine access to port 25 on the SipXecs box even if all other ports are blocked. This could be used for any port that is blocked by firewall, ids, etc, if the remote machine has ssh access to the sipxecs box.

~Noah

Gerald Drouillard
2012-11-16 22:17:22 UTC
Permalink
Do you understand that if your sipx smtp server is only running on
localhost that you will not be able to connect to it via
telnet/ssh/whatever?


Noah Mehl
2012-11-16 22:20:13 UTC
Permalink
Gerald.

That's the security hole. I AM ABLE TO CONNECT TO THE LOCAL SMTP SERVICE ON THE SIPXECS SERVER via SSH remotely using the default user/pass of PlcmSIp, utilizing ssh port forwarding.

~Noah

Noah Mehl
2012-11-16 22:24:00 UTC
Permalink
Shall I make a screencast to explain?

~Noah

Tony Graziano
2012-11-16 22:37:35 UTC
Permalink
You do realize the other side of this argument is that SSH forwarding is
enabled by default on Redhat/Centos and that since you have SSH available
to the public at large it also makes this an effective use of your system.

I think the place for you to ask for a change is submitting a JIRA and
posting a link on the users and dev groups so people can comment and/or
vote for this change...

add in /etc/ssh/sshd_config by default:

AllowTcpForwarding no
DenyUsers PlcmSpIp




--
~~~~~~~~~~~~~~~~~~
Tony Graziano, Manager
Telephone: 434.984.8430
sip: ***@voice.myitdepartment.net
Fax: 434.465.6833
~~~~~~~~~~~~~~~~~~
Linked-In Profile:
http://www.linkedin.com/pub/tony-graziano/14/4a6/7a4
Ask about our Internet Fax services!
~~~~~~~~~~~~~~~~~~

Using or developing for sipXecs from SIPFoundry? Ask me about sipX-CoLab
2013!
<http://sipxcolab2013.eventbrite.com/?discount=tony2013>

Noah Mehl
2012-11-16 22:50:43 UTC
Permalink
Hey! FINALLY, I got some information that's actually useful to me!!! Where is the JIRA link where I can post a bug? Is there a different mailing list for SipXecs dev?

No, my argument is that two users are created by the SipXecs install: PlcmSIp and lvp2890. These users have passwords set in /etc/shadow by the install script.

I do not believe that this is a Redhat/Centos problem, because they DO NOT ship system users with passwords in /etc/shadow. Or any user with a password in /etc/shadow except for the password one sets for root during install, and the password for the first user during install.

Since SipXecs install creates these users, and thereby creates the security issue, part of the user creation should deny those users access to ssh in the sshd_config. That's the only part of this scenario that isn't secure. I will be happy to submit a bug, etc...

As it happens, I'm not the first person to be hacked because of this: http://www.mail-archive.com/sipx-***@list.sipfoundry.org/msg04471.html. And it's highly likely that many people have been bitten by this, and no one knew what the cause was.

This serves as a warning to ALL SipXecs 4.4.x users:

1. If you have SipXecs 4.4.x
2. You still have the PlcmSIp and lvp2890 users, with unchanged password (which you would by default, not knowing they had been added to your server)
3. Anyone has SSH port access to the server
4. Then you are wide open

I don't care how one solves the issue, we have 3 solutions so far:

1. Disable or heavily restrict all ssh access to the machine
2. DenyUsers PlcmSIp lvp2890 in /etc/ssh/sshd_config
3. AllowTcpForwarding no in /etc/ssh/sshd_config

I prefer method 2 because I don't want to remove a useful tool in my arsenal (ssh port forwarding), and I don't want to change the default passwords (because of provisioning stock phones). But I HIGHLY suggest everyone take a quick look at their settings, because I bet a lot of people are susceptible to this. Thanks.

~Noah
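As an added example (not code from the thread or from sipXecs), here is a POSIX shell audit that checks a host for the two sshd_config settings Tony suggested (AllowTcpForwarding no, DenyUsers) and for the provisioning accounts Noah lists (PlcmSpIp, as the login records spell it, and lvp2890) still carrying a password hash in /etc/shadow; together they are what makes the SSH-forwarding-to-localhost path described above possible. Function names, the file-path parameters and the sample config and shadow contents in demo_audit are constructed assumptions; it assumes OpenSSH config syntax without Match blocks and DenyUsers entries with exact user names rather than wildcards.

```shell
#!/bin/sh
# Audit for the exposure discussed in this thread: a provisioning account
# (PlcmSpIp, lvp2890) with a known password plus sshd's default
# AllowTcpForwarding lets a remote SSH login reach localhost-only services.
# Added example, not part of the thread or of sipXecs. Assumptions: OpenSSH
# sshd_config syntax without Match blocks, DenyUsers with exact user names
# (no wildcards), and a standard 9-field shadow file layout.

# Print the effective value of an sshd_config keyword. sshd uses the first
# occurrence of a keyword, so stop at the first uncommented match.
sshd_option() {    # $1 = config file, $2 = keyword
    awk -v key="$2" '
        $1 !~ /^#/ && tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# Exit 0 if the config sets AllowTcpForwarding no (method 3 in the thread).
forwarding_disabled() {    # $1 = config file
    [ "$(sshd_option "$1" AllowTcpForwarding)" = "no" ]
}

# Exit 0 if USER is listed on any DenyUsers line (method 2 in the thread).
user_denied() {    # $1 = config file, $2 = user
    awk -v user="$2" '
        $1 !~ /^#/ && tolower($1) == "denyusers" {
            for (i = 2; i <= NF; i++) if ($i == user) found = 1
        }
        END { if (found) exit 0; exit 1 }
    ' "$1"
}

# Exit 0 if USER has a usable password hash in the shadow-format file.
# An empty field, "!", "!!" or "*" means password login is impossible.
account_has_password() {    # $1 = shadow file, $2 = user
    awk -F: -v user="$2" '
        $1 == user && $2 != "" && $2 != "!" && $2 != "!!" && $2 != "*" { found = 1 }
        END { if (found) exit 0; exit 1 }
    ' "$1"
}

# Report provisioning accounts that can both log in over SSH and open port
# forwards. Prints one line per finding; the return value is the number of
# findings, so 0 means the thread's mitigations are in place.
audit_provisioning_ssh() {    # $1 = config file, $2 = shadow file
    findings=0
    fwd_off=0
    if forwarding_disabled "$1"; then fwd_off=1; fi
    for user in PlcmSpIp lvp2890; do
        if ! account_has_password "$2" "$user"; then continue; fi
        if user_denied "$1" "$user"; then continue; fi
        echo "FINDING: $user has a password hash and is not in DenyUsers"
        findings=$((findings + 1))
        if [ "$fwd_off" -eq 0 ]; then
            echo "FINDING: $user may open SSH port forwards (AllowTcpForwarding is not 'no')"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}

# Run the audit against constructed sample files (fake hashes, not a real
# host). MODE "default" mimics an untouched install; "hardened" adds the two
# sshd_config lines from the thread without changing any password.
demo_audit() {    # $1 = default | hardened
    dir=$(mktemp -d)
    {
        echo '# constructed sshd_config'
        echo 'Port 22'
        echo '#AllowTcpForwarding yes'
        if [ "$1" = "hardened" ]; then
            echo 'AllowTcpForwarding no'
            echo 'DenyUsers PlcmSpIp lvp2890'
        fi
    } > "$dir/sshd_config"
    printf '%s\n' \
        'root:$6$constructed$FAKEHASH:15600:0:99999:7:::' \
        'PlcmSpIp:$1$constructed$FAKEHASH:15600:0:99999:7:::' \
        'lvp2890:$1$constructed$FAKEHASH:15600:0:99999:7:::' \
        'sipx:!!:15600:0:99999:7:::' > "$dir/shadow"
    rc=0
    audit_provisioning_ssh "$dir/sshd_config" "$dir/shadow" || rc=$?
    rm -rf "$dir"
    return "$rc"
}
```

On a real host, run audit_provisioning_ssh /etc/ssh/sshd_config /etc/shadow as root; demo_audit default reports four findings and demo_audit hardened reports none.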

Tony Graziano
2012-11-16 23:01:46 UTC
Permalink
There is that too. I keep bringing it up but he skips over it.

In a default sipx installation, the output shows:

sendmail TCP localhost.localdomain:smtp (LISTEN)

and there are no other entries related to SMTP. So again, something is
different here than in all the others (remember that kids' game?). Why is
your installation different? Why is SMTP open to begin with? Why is SMTP
open on your system and no one else's?

I still don't agree with your assessment. It is the way your firewall
and/or sendmail is configured to begin with that is not consistent with the
way the system is used. Security is the admin's, and certainly SSH port
forwarding can be turned off and the user can be denied. I don't think it very
helpful to make changes to secure a system if someone keeps opening holes
or changing smtp configs and then opening another case that the system is
not secure enough... I'm just saying. You still have neglected to explain
why SMTP is open from waaaayyyy back in this thread.

Realize the developers list are some of the same people here (I won't
dissuade you from posting to it to that list, or opening a JIRA) but
realize it can be discussed and decided there is no problem and a change is
not warranted, only an implementation decision gone awry. On the other
hand, if enough people agree those are two things that can be done by
default "in the event someone decides to open SMTP". I'm not a fortune
teller.

I think it took a lot of your time to find it and to bring it up, and I
think it's worthy of consideration though.

Noah Mehl
2012-11-16 23:11:52 UTC
Permalink
This is my problem:

You are arguing with me when you don't understand how SSH port forwarding works.

In the exploit I've illustrated, the port is tunneled via SSH. Then on the remote machine (the sipxecs server) the traffic originates as LOCALHOST. That's why it's an OOTB security flaw.

I have not made changes to the smtp config.

~Noah

Tony Graziano
2012-11-16 23:17:38 UTC
Permalink
Can you provide the output of: lsof -i | grep LISTEN

and post what SMTP is listening to?



On Fri, Nov 16, 2012 at 6:11 PM, Noah Mehl <***@tritonlimited.com> wrote:

> This is my problem:
>
> You are arguing with me when you don't understand how SSH port
> forwarding works.
>
> In the exploit I've illustrated, the port is tunneled via SSH. Then on
> the remote machine (the sipxecs server) the traffic originates as
> LOCALHOST. That's why it's an OOTB security flaw.
>
> I have not made changes to the smtp config.
>
> ~Noah
>
> On Nov 16, 2012, at 6:02 PM, "Tony Graziano" <***@myitdepartment.net>
> wrote:
>
> There is that too. I keep bringing it up but he skips over it.
>
> In a default sipx installation, the output shows:
>
> sendmail TCP localhost.localdomain:smtp (LISTEN)
>
> and there are no other entries related to SMTP. So again, something is
> different here than in all the others (remember that kids' game?). Why is
> your installation different? Why is SMTP open to begin with? Why is SMTP
> open on your system and no one else's?
>
> I still don't agree with your assessment. It is the way your firewall
> and/or sendmail is configured to begin with that is not consistent with the
> way the system is used. Security is the admin's and certainly port SSH
> forward can be turned off and the user can be denied. I don't think it very
> helpful to make changes to secure a system if someone keeps opening holes
> or changing smtp configs and then opening another case that the system is
> not secure enough... I'm just saying. You still have neglected to explain
> why SMTP is open from waaaayyyy back in this thread.
>
> Realize the developers list are some of the same people here (I won't
> dissuade you from posting to it to that list, or opening a JIRA) but
> realize it can be discussed and decided there is no problem and a change is
> not warranted, only an implementation decision gone awry. On the other
> hand, if enough people agree those are two things that can be done by
> default "in the event someone decides to open SMTP". I'm not a fortune
> teller.
>
> I think it took a lot of your time to find it and to bring it up, and I
> think it's worthy of consideration though.
>
> On Fri, Nov 16, 2012 at 5:50 PM, Noah Mehl <***@tritonlimited.com> wrote:
>
>> Hey! FINALLY, I got some information that's actually useful to me!!!
>> Where is the JIRA link where I can post a bug? Is there a different
>> mailing list for Sipxecs dev?
>>
>> No, my argument is that two users are created by the SipXecs install:
>> PlcmSIp and lvp2890. These users have passwords set in the /etc/shadow from
>> the install script.
>>
>> I do not believe that this is a Redhat/Centos problem, because they DO
>> NOT ship system users with passwords in /etc/shadow. Or any user with a
>> password in /etc/shadow except for the password one sets for root during
>> install, and the password for the first user during install.
>>
>> Since SipXecs install creates these users, and thereby creates the
>> security issue, part of the user creation should deny those users access to
>> ssh in the sshd_config. That's the only part of this scenario that isn't
>> secure. I will be happy to submit a bug, etc...
>>
>> As it happens, I'm not the first person to be hacked because of this:
>> http://www.mail-archive.com/sipx-***@list.sipfoundry.org/msg04471.html
>> And it's highly likely that many people have been bitten by this, and no
>> one knew what the cause was.
>>
>> This serves as a warning to ALL SipXecs 4.4.x users:
>>
>> 1. If you have SipXecs 4.4.x
>> 2. You still have the PlcmSIp and lvp2890 users, with unchanged password
>> (which you would by default, not knowing they had been added to your server)
>> 3. Anyone has SSH port access to the server
>> 4. Then you are wide open
>>
>> I don't care how one solves the issue, we have 3 solutions so far:
>>
>> 1. Disable or heavily restrict all ssh access to the machine
>> 2. DenyUsers PlcmSIp lvp2890 in /etc/ssh/sshd_config
>> 3. AllowTcpForwarding no in /etc/ssh/sshd_config
>>
>> I prefer method 2 because I don't want to remove a useful tool in my
>> arsenal (ssh port forwarding), and I don't want to change the default
>> passwords (because of provisioning stock phones). But I HIGHLY suggest
>> everyone takes a quick look at their settings, because I bet a lot of
>> people are susceptible to this. Thanks.
>>
>> ~Noah
>>
>> On Nov 16, 2012, at 5:37 PM, Tony Graziano <
>> ***@myitdepartment.net>
>> wrote:
>>
>> You do realize the other side of this argument is that SSH forwarding
>> is enabled by default on Redhat/Centos and that since you have SSH
>> available to the public at large it also makes this an effective use of
>> your system.
>>
>> I think the place for you to ask for a change is submitting a JIRA and
>> posting a link on the users and dev groups so people can comment and/or
>> vote for this change...
>>
>> add in /etc/ssh/sshd_config by default:
>>
>> AllowTcpForwarding no
>> DenyUsers PlcmSpIp
>>
>>
>>
>>
>> On Fri, Nov 16, 2012 at 5:24 PM, Noah Mehl <***@tritonlimited.com>wrote:
>>
>>> Shall I make a screencast to explain?
>>>
>>> ~Noah
>>>
>>> On Nov 16, 2012, at 5:20 PM, Noah Mehl <***@tritonlimited.com> wrote:
>>>
>>> Gerald.
>>>
>>> That's the security hole. I AM ABLE TO CONNECT TO THE LOCAL SMTP
>>> SERVICE ON THE SIPXECS SERVER via SSH remotely using the default user/pass
>>> of PlcmSIp, utilizing ssh port forwarding.
>>>
>>> ~Noah
>>>
>>> On Nov 16, 2012, at 5:17 PM, Gerald Drouillard <***@drouillard.ca>
>>> wrote:
>>>
>>> On 11/16/2012 1:57 PM, Noah Mehl wrote:
>>>
>>> Does nobody on the list know what SSH port forwarding is? I am running
>>> the first two commands from a remote machine (connecting to the sipxecs
>>> machine) in separate terminals to forward my local 25 port to the sipxecs
>>> box, and the 25 port on the sipxecs box locally. The third command is run
>>> locally on the remote machine. This exploit gives the remote machine
>>> access to port 25 on the SipXecs box even if all other ports are blocked.
>>> This could be used for any port that is blocked by firewall, ids, etc, if
>>> the remote machine has ssh access to the sipxecs box.
>>>
>>> ~Noah
>>>
>>> Do you understand that if your sipx smtp server is only running on
>>> localhost that you will not be able to connect to it via
>>> telnet/ssh/whatever?
>>>
>>>
>>> --
>>> Regards
>>> --------------------------------------
>>> Gerald Drouillard
>>> Technology Architect
>>> Drouillard & Associates, Inc.
>>> http://www.Drouillard.biz
>>>
>



Noah Mehl
2012-11-16 23:20:23 UTC
Permalink
sendmail 10779 root 4u IPv4 6764026 0t0 TCP localhost.localdomain:smtp (LISTEN)

~Noah

On Nov 16, 2012, at 6:18 PM, Tony Graziano <***@myitdepartment.net<mailto:***@myitdepartment.net>>
wrote:

Can you provide the output of: lsof -i | grep LISTEN

and post what SMTP is listening to?



Alan Worstell
2012-11-16 23:23:44 UTC
Permalink
What Noah is posting about is correct. SMTP is listening on 127.0.0.1.
However, if you use SSH port redirection, from an outside host you can
forward your remote 127.0.0.1:25 to your own 127.0.0.1:25. I just tested
this with a development 4.6 server we have, from a system completely
off-network:
ssh -vN PlcmSpIp@{IP_OF_SIPX_SERVER} -L 25:127.0.0.1:25
After entering the password PlcmSpIp, I could telnet 127.0.0.1 25 and
send mail. I would consider that to be a pretty large security flaw, as
every sipx server out there that has SSH Password logins allowed to the
world can be used as spam relays.

Regards,

Alan Worstell
A1 Networks - Systems Administrator
VTSP, dCAA, LPIC-1, Linux+, CLA, DCTS
(707)570-2021 x204
For support issues please email ***@a-1networks.com or call 707-703-1050

On 11/16/12 3:17 PM, Tony Graziano wrote:
> can you provide the output of: lsof -i | grep LISTEN
>
> and post what SMTP is listening to?
>
>
>
Noah Mehl
2012-11-16 23:39:15 UTC
Permalink
I would also like to mention:

This works for any port, including SIP. There might be huge amounts of SIP piracy across people's servers.

~Noah

On Nov 16, 2012, at 6:27 PM, Alan Worstell <***@a-1networks.com> wrote:

What Noah is posting about is correct. SMTP is listening on 127.0.0.1. However, if you use SSH port redirection, from an outside host you can forward your remote 127.0.0.1:25 to your own 127.0.0.1:25. I just tested this with a development 4.6 server we have, from a system completely off-network:
ssh -vN PlcmSpIp@{IP_OF_SIPX_SERVER} -L 25:127.0.0.1:25
After entering the password PlcmSpIp, I could telnet 127.0.0.1 25 and send mail. I would consider that to be a pretty large security flaw, as every sipx server out there that has SSH Password logins allowed to the world can be used as spam relays.

Regards,

Alan Worstell
A1 Networks - Systems Administrator
VTSP, dCAA, LPIC-1, Linux+, CLA, DCTS
(707)570-2021 x204
For support issues please email ***@a-1networks.com or call 707-703-1050

On 11/16/12 3:17 PM, Tony Graziano wrote:
can you provide the output of: lsof -i | grep LISTEN

and post what SMTP is listening to?



On Fri, Nov 16, 2012 at 6:11 PM, Noah Mehl <***@tritonlimited.com> wrote:
This is my problem:

You are arguing with me when you don't understand how SSH port forwarding works.

In the exploit I've illustrated, the port is tunneled via SSH. Then on the remote machine (the sipxecs server) the traffic originates as LOCALHOST. That's why it's an OOTB security flaw.

I have not made changes to the smtp config.

~Noah

On Nov 16, 2012, at 6:02 PM, "Tony Graziano" <***@myitdepartment.net> wrote:

There is that too. I keep bringing it up but he skips over it.

In a default sipx installation, the output shows:

sendmail TCP localhost.localdomain:smtp (LISTEN)

and there are no other entries related to SMTP. So again, something is different here than in all the others (remember that kids' game?). Why is your installation different? Why is SMTP open to begin with? Why is SMTP open on your system and no one else's?

I still don't agree with your assessment. It is the way your firewall and/or sendmail is configured to begin with that is not consistent with the way the system is used. Security is the admin's, and certainly SSH port forwarding can be turned off and the user can be denied. I don't think it very helpful to make changes to secure a system if someone keeps opening holes or changing smtp configs and then opening another case that the system is not secure enough... I'm just saying. You still have neglected to explain why SMTP is open from waaaayyyy back in this thread.

Realize the developers list are some of the same people here (I won't dissuade you from posting to that list, or opening a JIRA) but realize it can be discussed and decided there is no problem and a change is not warranted, only an implementation decision gone awry. On the other hand, if enough people agree, those are two things that can be done by default "in the event someone decides to open SMTP". I'm not a fortune teller.

I think it took a lot of your time to find it and to bring it up, and I think it's worthy of consideration though.

On Fri, Nov 16, 2012 at 5:50 PM, Noah Mehl <***@tritonlimited.com> wrote:
Hey! FINALLY, I got some information that's actually useful to me!!! Where is the JIRA link where I can post a bug? Is there a different mailing list for Sipxecs dev?

No, my argument is that two users are created by the SipXecs install: PlcmSpIp and lvp2890. These users have passwords set in /etc/shadow from the install script.

I do not believe that this is a Redhat/Centos problem, because they DO NOT ship system users with passwords in /etc/shadow. Or any user with a password in /etc/shadow except for the password one sets for root during install, and the password for the first user during install.

Since the SipXecs install creates these users, and thereby creates the security issue, part of the user creation should deny those users access to ssh in the sshd_config. That's the only part of this scenario that isn't secure. I will be happy to submit a bug, etc...

As it happens, I'm not the first person to be hacked because of this: http://www.mail-archive.com/sipx-***@list.sipfoundry.org/msg04471.html. And it's highly likely that many people have been bitten by this, and no one knew what the cause was.

This serves as a warning to ALL SipXecs 4.4.x users:

1. If you have SipXecs 4.4.x
2. You still have the PlcmSpIp and lvp2890 users, with unchanged passwords (which you would by default, not knowing they had been added to your server)
3. Anyone has SSH port access to the server
4. Then you are wide open

I don't care how one solves the issue, we have 3 solutions so far:

1. Disable or heavily restrict all ssh access to the machine
2. DenyUsers PlcmSpIp lvp2890 in /etc/ssh/sshd_config
3. AllowTcpForwarding no in /etc/ssh/sshd_config

I prefer method 2 because I don't want to remove a useful tool in my arsenal (ssh port forwarding), and I don't want to change the default passwords (because of provisioning stock phones). But I HIGHLY suggest everyone take a quick look at their settings, because I bet a lot of people are susceptible to this. Thanks.

~Noah

On Nov 16, 2012, at 5:37 PM, Tony Graziano <***@myitdepartment.net> wrote:

You do realize the other side of this argument is that SSH forwarding is enabled by default on Redhat/Centos and that since you have SSH available to the public at large it also makes this an effective use of your system.

I think the place for you to ask for a change is submitting a JIRA and posting a link on the users and dev groups so people can comment and/or vote for this change...

add in /etc/ssh/sshd_config by default:

AllowTcpForwarding no
DenyUsers PlcmSpIp




On Fri, Nov 16, 2012 at 5:24 PM, Noah Mehl <***@tritonlimited.com> wrote:
Shall I make a screencast to explain?

~Noah

On Nov 16, 2012, at 5:20 PM, Noah Mehl <***@tritonlimited.com> wrote:

Gerald.

That's the security hole. I AM ABLE TO CONNECT TO THE LOCAL SMTP SERVICE ON THE SIPXECS SERVER via SSH remotely using the default user/pass of PlcmSpIp, utilizing ssh port forwarding.

~Noah

On Nov 16, 2012, at 5:17 PM, Gerald Drouillard <***@drouillard.ca> wrote:

On 11/16/2012 1:57 PM, Noah Mehl wrote:
Does nobody on the list know what SSH port forwarding is? I am running the first two commands from a remote machine (connecting to the sipxecs machine) in separate terminals to forward my local 25 port to the sipxecs box, and the 25 port on the sipxecs box locally. The third command is run locally on the remote machine. This exploit gives the remote machine access to port 25 on the SipXecs box even if all other ports are blocked. This could be used for any port that is blocked by firewall, ids, etc, if the remote machine has ssh access to the sipxecs box.

~Noah
Do you understand that if your sipx smtp server is only running on localhost that you will not be able to connect to it via telnet/ssh/whatever?



--
Regards
--------------------------------------
Gerald Drouillard
Technology Architect
Drouillard & Associates, Inc.
http://www.Drouillard.biz


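The two sshd_config mitigations proposed above (DenyUsers for the provisioning accounts and AllowTcpForwarding no), together with the /var/log/secure check from the start of the thread, as an added audit script that is not part of the thread or of sipXecs. The account names are the ones named in the thread; the sample config files and log lines are constructed, and the function names are my own.

```shell
#!/bin/sh
# Added audit script: not from the sipx-users thread and not part of sipXecs.
# It checks the two sshd_config changes proposed in the thread (AllowTcpForwarding no,
# DenyUsers for the provisioning accounts) and counts SSH sessions opened for those
# accounts in a /var/log/secure-style file, the same check run with grep at the top of
# the thread. Account names come from the thread; function names are my own.

PROVISIONING_USERS="PlcmSpIp lvp2890"

# First uncommented value of a keyword in the global section of an sshd_config
# (sshd uses the first value it sees for a keyword; Match blocks are not parsed here).
sshd_option() {
    # $1 = config file, $2 = keyword (matched case-insensitively, as sshd does)
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == key { print $2; exit }
    ' "$1"
}

# All names listed on DenyUsers lines in the global section (DenyUsers accumulates).
sshd_denied_users() {
    awk '
        /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == "denyusers" { for (i = 2; i <= NF; i++) printf "%s ", $i }
    ' "$1"
}

# Prints each missing mitigation to stderr and the number of findings to stdout.
sshd_audit() {
    cfg="$1"
    issues=0
    fwd="$(sshd_option "$cfg" AllowTcpForwarding)"
    if [ "$(printf '%s' "$fwd" | tr 'A-Z' 'a-z')" != "no" ]; then
        echo "AllowTcpForwarding is '${fwd:-yes (default)}': any SSH login can tunnel to 127.0.0.1:25" >&2
        issues=$((issues + 1))
    fi
    denied=" $(sshd_denied_users "$cfg") "
    for u in $PROVISIONING_USERS; do
        case "$denied" in
            *" $u "*) ;;
            *) echo "$u is not listed in DenyUsers" >&2; issues=$((issues + 1)) ;;
        esac
    done
    echo "$issues"
    return 0
}

# Number of pam_unix "session opened" lines for the provisioning accounts in a log.
provisioning_sessions() {
    total=0
    for u in $PROVISIONING_USERS; do
        # grep -c prints 0 and exits 1 when nothing matches; keep going in that case
        c=$(grep -c "pam_unix(sshd:session): session opened for user $u " "$1") || true
        total=$((total + c))
    done
    echo "$total"
}

# Constructed sample inputs (temporary files, not taken from any real server).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/sshd_config.stock" <<'EOF'
# looks like an untouched CentOS sshd_config: forwarding allowed, nobody denied
Port 22
PasswordAuthentication yes
EOF
cat > "$SAMPLE_DIR/sshd_config.hardened" <<'EOF'
Port 22
PasswordAuthentication yes
AllowTcpForwarding no
DenyUsers PlcmSpIp lvp2890
EOF
cat > "$SAMPLE_DIR/secure" <<'EOF'
Oct 11 06:09:25 sipx1 sshd[22059]: pam_unix(sshd:session): session opened for user PlcmSpIp by (uid=0)
Oct 11 06:10:02 sipx1 sshd[22070]: pam_unix(sshd:session): session opened for user admin by (uid=0)
Oct 11 18:36:02 sipx1 sshd[29185]: pam_unix(sshd:session): session opened for user lvp2890 by (uid=0)
EOF

for cfg in stock hardened; do
    echo "$cfg config: $(sshd_audit "$SAMPLE_DIR/sshd_config.$cfg") finding(s)"
done
echo "provisioning-account SSH sessions in sample log: $(provisioning_sessions "$SAMPLE_DIR/secure")"
```

On a real server, point sshd_audit at /etc/ssh/sshd_config and provisioning_sessions at /var/log/secure; a non-zero session count for those accounts on a box that is not serving Polycom FTP provisioning over SSH is worth investigating.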
Tony Graziano
2012-11-17 00:30:06 UTC
Permalink
That is with ssh open or available from the outside.

I still suggest a JIRA...
On Nov 16, 2012 6:41 PM, "Noah Mehl" <***@tritonlimited.com> wrote:

> I would also like to mention:
>
> This works for any port, including SIP. There might be huge amounts of
> SIP piracy across peoples servers.
>
> ~Noah

--
LAN/Telephony/Security and Control Systems Helpdesk:
Telephone: 434.984.8426
sip: ***@voice.myitdepartment.net

Helpdesk Customers: http://myhelp.myitdepartment.net
Blog: http://blog.myitdepartment.net
Noah Mehl
2012-11-17 02:15:56 UTC
Permalink
Tony,

You know what? I think everyone is clear on YOUR opinion on the matter.

In MY opinion, this is a serious bug. I have created a Jira story:

http://track.sipfoundry.org/browse/XX-10529

Next time, I would appreciate constructive comments instead of: "This is only a problem for you... You must be doing something wrong… You're not setting a firewall/ids up correctly…." I know I am not the only person who thinks this is a serious issue.

~Noah


On Nov 16, 2012, at 7:30 PM, Tony Graziano <***@myitdepartment.net> wrote:


That is with ssh open or available from the outside.

I still suggest a JIRA...

On Nov 16, 2012 6:41 PM, "Noah Mehl" <***@tritonlimited.com<mailto:***@tritonlimited.com>> wrote:
I would also like to mention:

This works for any port, including SIP. There might be huge amounts of SIP piracy across peoples servers.

~Noah

On Nov 16, 2012, at 6:27 PM, Alan Worstell <***@a-1networks.com<mailto:***@a-1networks.com>> wrote:

What Noah is posting about is correct. SMTP is listening on 127.0.0.1. However, if you use SSH port redirection, from an outside host you can forward your remote 127.0.0.1:25<http://127.0.0.1:25/> to your own 127.0.0.1:25<http://127.0.0.1:25/>. I just tested this with a development 4.6 server we have, from a system completely off-network:
ssh -vN PlcmSpIp@{IP_OF_SIPX_SERVER} -L 25:127.0.0.1:25<http://127.0.0.1:25/>
After entering the password PlcmSpIp, I could telnet 127.0.0.1 25 and send mail. I would consider that to be a pretty large security flaw, as every sipx server out there that has SSH Password logins allowed to the world can be used as spam relays.

Regards,

Alan Worstell
A1 Networks - Systems Administrator
VTSP, dCAA, LPIC-1, Linux+, CLA, DCTS
(707)570-2021 x204
For support issues please email ***@a-1networks.com<mailto:***@a-1networks.com> or call 707-703-1050

On 11/16/12 3:17 PM, Tony Graziano wrote:
can you provide the output of: lsof -i | grep LISTEN

and post what SMTP is listening to?



On Fri, Nov 16, 2012 at 6:11 PM, Noah Mehl <***@tritonlimited.com<mailto:***@tritonlimited.com>> wrote:
This is my problem:

You are arguing with me when you don't understand how SSH port forwarding works.

In the exploit I've illustrated, the port is tunneled via SSH. Then on the remote machine (the sipxecs server) the traffic originates as LOCALHOST. That's why it's a OOTB security flaw.

I have not made changes to the smtp config.

~Noah

On Nov 16, 2012, at 6:02 PM, "Tony Graziano" <***@myitdepartment.net<mailto:***@myitdepartment.net>> wrote:

There is that too. I keep bringing it up but he skips over it.

In a default sipx installation, the output shows:

sendmail TCP localhost.localdomain:smtp (LISTEN)

and there are no other entries related to SMTP. So again, something is different here than in all the others (remember that kids game?). Why is your installation different? Why is SMTP open to begin with? Why is SMTP open on your system and noone else's?

I still don't agree with your assessment. It is the way your firewall and/or sendmail is configured to begin with that is not consistent with the way the system is used. Security is the admin's and certainly port SSH forward can be turned off and the user can be denied. I don't think it very helpful to make changes to secure a system if someone keeps opening holes or changing smtp configs and then opening another case that the system is not secure enough... I'm just saying. You still have neglected to explain why SMTP is open from waaaayyyy back in this thread.

Realize the developers list are some of the same people here (I won't dissuade you from posting to it to that list, or opening a JIRA) but realize it can be discussed and decided there is no problem and a change is not warranted, only an implementation decision gone awry. On the other hand, if enough people agree those are two things that can be done by default "in the event someone decides to open SMTP". I'm not a fortune teller.

I think it took a lot of your time to find it and to bring it up, and I think its worthy of consideration though.

On Fri, Nov 16, 2012 at 5:50 PM, Noah Mehl <***@tritonlimited.com<mailto:***@tritonlimited.com>> wrote:
Hey! FINALLY, I got some information that's actually usefully to me!!! Where is the JIRA link where I can post a bug? Is there a different mailing list for Sipxecs dev?

No, my argument is that two users are created by the SipXecs install: PlcmSIp and lvp2890. These user have passwords set in the /etc/shadow from the install script.

I do not believe that this is a Redhat/Centos problem, because they DO NOT ship system users with passwords in /etc/shadow. Or any user with a password in /etc/shadow except for the password one sets for root during install, and the password for the first user during install.

Since SipXecs install creates these users, and thereby creates the security issue, part of the user creation should deny those users access to ssh in the sshd_config. That's the only part of this scenario that isn't secure. I will be happy to submit a bug, etc...

As it happens, I'm not the first person to be hacked because of this: http://www.mail-archive.com/sipx-***@list.sipfoundry.org/msg04471.html And it's highly likely that many people have been bitten by this, and no one knew what the cause was.

This serves as a warning to ALL SipXecs 4.4.x users:

1. If you have SipXecs 4.4.x
2. You still have the PlcmSIp and lvp2890 users, with unchanged password (which you would by default, not knowing they had been added to your server)
3. Anyone has SSH port access to the server
4. Then you are wide open

I don't care how one solves the issue, we have 3 solutions so far:

1. Disable or heavily restrict all ssh access to the machine
2. DenyUsers PlcmSIp lvp2890 in /etc/ssh/sshd_config
3. AllowTcpForwarding no in /etc/ssh/sshd_config

I prefer method 2 because I don't want to remove a useful tool in my arsenal (ssh port forwarding), and I don't want to change the default passwords (because of provision stock phones). But I HIGHLY suggest everyone takes a quick look at their settings, because I bet a lot of people are susceptible to this. Thanks.

~Noah

On Nov 16, 2012, at 5:37 PM, Tony Graziano <***@myitdepartment.net<mailto:***@myitdepartment.net>>
wrote:

You do realize the other side of this argument is that SSH forwarding is enabled by default on Redhat/Centos and that since you have SSH available to the public at large it also makes this an effective use of your system.

I think the place for you to ask for a change is submitting a JIRA and posting a link on the users and dev groups so people can comment and/or vote for this change...

add in /etc/ssh/sshd_config by default:

AllowTcpForwarding no
DenyUsers PlcmSpIp




On Fri, Nov 16, 2012 at 5:24 PM, Noah Mehl <***@tritonlimited.com> wrote:
Shall I make a screencast to explain?

~Noah

On Nov 16, 2012, at 5:20 PM, Noah Mehl <***@tritonlimited.com> wrote:

Gerald.

That's the security hole. I AM ABLE TO CONNECT TO THE LOCAL SMTP SERVICE ON THE SIPXECS SERVER via SSH remotely using the default user/pass of PlcmSIp, utilizing ssh port forwarding.

~Noah

On Nov 16, 2012, at 5:17 PM, Gerald Drouillard <***@drouillard.ca> wrote:

On 11/16/2012 1:57 PM, Noah Mehl wrote:
Does nobody on the list know what SSH port forwarding is? I am running the first two commands from a remote machine (connecting to the sipxecs machine) in separate terminals to forward my local 25 port to the sipxecs box, and the 25 port on the sipxecs box locally. The third command is run locally on the remote machine. This exploit gives the remote machine access to port 25 on the SipXecs box even if all other ports are blocked. This could be used for any port that is blocked by firewall, ids, etc, if the remote machine has ssh access to the sipxecs box.

~Noah
Do you understand that if your sipx smtp server is only running on localhost that you will not be able to connect to it via telnet/ssh/whatever?



--
Regards
--------------------------------------
Gerald Drouillard
Technology Architect
Drouillard & Associates, Inc.
http://www.Drouillard.biz


_______________________________________________
sipx-users mailing list
sipx-***@list.sipfoundry.org
List Archive: http://list.sipfoundry.org/archive/sipx-users/





--
~~~~~~~~~~~~~~~~~~
Tony Graziano, Manager
Telephone: 434.984.8430
sip: ***@voice.myitdepartment.net
Fax: 434.465.6833
~~~~~~~~~~~~~~~~~~
Linked-In Profile:
http://www.linkedin.com/pub/tony-graziano/14/4a6/7a4
Ask about our Internet Fax services!
~~~~~~~~~~~~~~~~~~

Using or developing for sipXecs from SIPFoundry? Ask me about sipX-CoLab 2013!
http://sipxcolab2013.eventbrite.com/?discount=tony2013


LAN/Telephony/Security and Control Systems Helpdesk:
Telephone: 434.984.8426
sip: ***@voice.myitdepartment.net

Helpdesk Customers: http://myhelp.myitdepartment.net
Blog: http://blog.myitdepartment.net


Scanned for viruses and content by the Tranet Spam Sentinel service.
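The checks this message keeps coming back to, as one audit script (an added example, not code from the thread or from sipXecs): is each provisioning account still allowed to log in over ssh, is TCP forwarding on, does /etc/shadow carry a usable hash for it, and has it actually been used. The sshd_config, shadow and /var/log/secure samples are constructed; the hostname, PIDs, hashes and addresses in them are placeholders.

```python
"""Added example (not code from this thread or the sipXecs project) for the
exposure discussed above: the sipXecs 4.4 installer creates PlcmSpIp and
lvp2890 with well-known passwords, and an sshd that lets them log in also lets
them tunnel to localhost-only services (sendmail on 127.0.0.1:25) with ssh -L."""
import re
from fnmatch import fnmatchcase

PROVISIONING_ACCOUNTS = ("PlcmSpIp", "lvp2890")
LOGIN = "ssh login permitted"
PASSWD = "password authentication enabled"
FORWARD = "local TCP forwarding allowed"

def parse_sshd_config(text):
    """Effective top-level settings: sshd keeps the FIRST occurrence of a keyword
    (case-insensitive); Match blocks are conditional, so only counted for review."""
    settings, in_match = {"_match_blocks": 0}, False
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)   # drop comments, split key/value
        if not parts:
            continue
        key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "match":
            in_match = True
            settings["_match_blocks"] += 1
        elif not in_match:
            settings.setdefault(key, value)          # first occurrence wins
    return settings

def _listed(user, patterns):
    # DenyUsers/AllowUsers entries are USER or USER@HOST glob patterns
    return any(fnmatchcase(user, p.split("@", 1)[0]) for p in patterns)

def account_exposure(settings, accounts=PROVISIONING_ACCOUNTS):
    """Findings per account against OpenSSH defaults (forwarding and password auth both yes)."""
    deny = settings.get("denyusers", "").split()
    allow = settings.get("allowusers", "").split()
    forwarding = settings.get("allowtcpforwarding", "yes").lower()
    password = settings.get("passwordauthentication", "yes").lower()
    report = {}
    for user in accounts:
        findings = []
        if not _listed(user, deny) and (not allow or _listed(user, allow)):
            findings.append(LOGIN)
            if password == "yes":
                findings.append(PASSWD)
            if forwarding in ("yes", "all", "local"):  # ssh -L tunnels work
                findings.append(FORWARD)
        report[user] = findings                        # empty list == blocked
    return report

def accounts_with_password(shadow_text, accounts=PROVISIONING_ACCOUNTS):
    """Accounts whose /etc/shadow hash field is usable (non-empty, not locked with '!' or '*')."""
    usable = []
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) > 1 and fields[0] in accounts:
            if fields[1] and not fields[1].startswith(("!", "*")):
                usable.append(fields[0])
    return usable

# The /var/log/secure lines the first post grepped for, plus the "Accepted" line naming the source.
SESSION_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                        r"pam_unix\(sshd:session\): session opened for user (?P<user>\S+)")
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from (?P<src>\S+) port")

def provisioning_logins(log_lines, accounts=PROVISIONING_ACCOUNTS):
    """{user: {'sessions': [timestamps], 'sources': [addresses]}} for accounts actually seen."""
    hits = {u: {"sessions": [], "sources": []} for u in accounts}
    for line in log_lines:
        m = SESSION_RE.match(line)
        if m and m.group("user") in hits:
            hits[m.group("user")]["sessions"].append(m.group("ts"))
        m = ACCEPTED_RE.search(line)
        if m and m.group("user") in hits:
            hits[m.group("user")]["sources"].append(m.group("src"))
    return {u: v for u, v in hits.items() if v["sessions"] or v["sources"]}

def audit(config_text, shadow_text, log_lines):
    """Which accounts can still log in and tunnel, which have a usable password, which were used.
    On a real box pass the contents of /etc/ssh/sshd_config, /etc/shadow and /var/log/secure."""
    return {"exposure": account_exposure(parse_sshd_config(config_text)),
            "passwords_set": accounts_with_password(shadow_text),
            "logins": provisioning_logins(log_lines)}

# --- constructed sample data (hashes are placeholders, addresses are RFC 5737 documentation space)
STOCK_SSHD_CONFIG = "Protocol 2\n#PasswordAuthentication yes\nUsePAM yes\n"
HARDENED_SSHD_CONFIG = STOCK_SSHD_CONFIG + "DenyUsers PlcmSpIp lvp2890\nAllowTcpForwarding no\n"
SAMPLE_SHADOW = ("PlcmSpIp:$1$xxxxxxxx$PLACEHOLDERHASHxxxxxxxxxx:15600:0:99999:7:::\n"
                 "lvp2890:!!:15600:0:99999:7:::\n")   # lvp2890 already locked in this sample
SAMPLE_SECURE_LOG = [
    "Oct 11 06:09:20 pbx1 sshd[4101]: Accepted password for PlcmSpIp from 203.0.113.7 port 40122 ssh2",
    "Oct 11 06:09:25 pbx1 sshd[4101]: pam_unix(sshd:session): session opened for user PlcmSpIp by (uid=0)",
    "Oct 11 09:12:01 pbx1 sshd[4388]: pam_unix(sshd:session): session opened for user admin by (uid=0)",
    "Oct 11 18:36:02 pbx1 sshd[5270]: pam_unix(sshd:session): session opened for user PlcmSpIp by (uid=0)",
    "Oct 11 20:57:58 pbx1 sshd[5631]: pam_unix(sshd:session): session opened for user lvp2890 by (uid=0)",
]
```

Against the stock sample both accounts come back with all three findings; with the DenyUsers line added, both come back empty even though the password hash and the earlier logins are still there to be found.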
Tony Graziano
2012-11-17 09:39:46 UTC
Permalink
Thanks for the JIRA.
On Nov 16, 2012 9:16 PM, "Noah Mehl" <***@tritonlimited.com> wrote:

> Tony,
>
> You know what? I think everyone is clear on *YOUR* opinion on the
> matter.
>
> In *MY* opinion, this is a serious bug. I have created a Jira story:
>
> http://track.sipfoundry.org/browse/XX-10529
>
> Next time, I would appreciate constructive comments instead of: "This is
> only a problem for you... You must be doing something wrong… You're not
> setting a firewall/ids up correctly…." I know I am not the only person who
> thinks this is a serious issue.
>
> ~Noah
>
>
> On Nov 16, 2012, at 7:30 PM, Tony Graziano <***@myitdepartment.net>
> wrote:
>
> That is with ssh open or available from the outside.
>
> I still suggest a JIRA...
> On Nov 16, 2012 6:41 PM, "Noah Mehl" <***@tritonlimited.com> wrote:
>
>> I would also like to mention:
>>
>> This works for any port, including SIP. There might be huge amounts of
>> SIP piracy across people's servers.
>>
>> ~Noah
>>
>> On Nov 16, 2012, at 6:27 PM, Alan Worstell <***@a-1networks.com>
>> wrote:
>>
>> What Noah is posting about is correct. SMTP is listening on 127.0.0.1.
>> However, if you use SSH port redirection, from an outside host you can
>> forward your remote 127.0.0.1:25 to your own 127.0.0.1:25. I just tested
>> this with a development 4.6 server we have, from a system completely
>> off-network:
>> ssh -vN PlcmSpIp@{IP_OF_SIPX_SERVER} -L 25:127.0.0.1:25
>> After entering the password PlcmSpIp, I could telnet 127.0.0.1 25 and
>> send mail. I would consider that to be a pretty large security flaw, as
>> every sipx server out there that has SSH Password logins allowed to the
>> world can be used as spam relays.
>>
>> Regards,
>>
>> Alan Worstell
>> A1 Networks - Systems Administrator
>> VTSP, dCAA, LPIC-1, Linux+, CLA, DCTS
>> (707)570-2021 x204
>> For support issues please email ***@a-1networks.com or call 707-703-1050
>>
>> On 11/16/12 3:17 PM, Tony Graziano wrote:
>>
>> can you provide the output of: lsof -i | grep LISTEN
>>
>> and post what SMTP is listening to?
>>
>>
>>
>> On Fri, Nov 16, 2012 at 6:11 PM, Noah Mehl <***@tritonlimited.com>wrote:
>>
>>> This is my problem:
>>>
>>> You are arguing with me when you don't understand how SSH port
>>> forwarding works.
>>>
>>> In the exploit I've illustrated, the port is tunneled via SSH. Then on
>>> the remote machine (the sipxecs server) the traffic originates as
>>> LOCALHOST. That's why it's an OOTB security flaw.
>>>
>>> I have not made changes to the smtp config.
>>>
>>> ~Noah
>>>
>>> On Nov 16, 2012, at 6:02 PM, "Tony Graziano" <
>>> ***@myitdepartment.net> wrote:
>>>
>>> There is that too. I keep bringing it up but he skips over it.
>>>
>>> In a default sipx installation, the output shows:
>>>
>>> sendmail TCP localhost.localdomain:smtp (LISTEN)
>>>
>>> and there are no other entries related to SMTP. So again, something is
>>> different here than in all the others (remember that kids game?). Why is
>>> your installation different? Why is SMTP open to begin with? Why is SMTP
>>> open on your system and no one else's?
>>>
>>> I still don't agree with your assessment. It is the way your firewall
>>> and/or sendmail is configured to begin with that is not consistent with the
>>> way the system is used. Security is the admin's and certainly port SSH
>>> forward can be turned off and the user can be denied. I don't think it very
>>> helpful to make changes to secure a system if someone keeps opening holes
>>> or changing smtp configs and then opening another case that the system is
>>> not secure enough... I'm just saying. You still have neglected to explain
>>> why SMTP is open from waaaayyyy back in this thread.
>>>
>>> Realize the developers list are some of the same people here (I won't
>>> dissuade you from posting to it to that list, or opening a JIRA) but
>>> realize it can be discussed and decided there is no problem and a change is
>>> not warranted, only an implementation decision gone awry. On the other
>>> hand, if enough people agree those are two things that can be done by
>>> default "in the event someone decides to open SMTP". I'm not a fortune
>>> teller.
>>>
>>> I think it took a lot of your time to find it and to bring it up, and
>>> I think it's worthy of consideration though.
>>>
>>> On Fri, Nov 16, 2012 at 5:50 PM, Noah Mehl <***@tritonlimited.com>wrote:
>>>
>>>> Hey! FINALLY, I got some information that's actually useful to me!!!
>>>> Where is the JIRA link where I can post a bug? Is there a different
>>>> mailing list for Sipxecs dev?
>>>>
>>>> No, my argument is that two users are created by the SipXecs install:
>>>> PlcmSIp and lvp2890. These users have passwords set in the /etc/shadow from
>>>> the install script.
>>>>
>>>> I do not believe that this is a Redhat/Centos problem, because they
>>>> DO NOT ship system users with passwords in /etc/shadow. Or any user with a
>>>> password in /etc/shadow except for the password one sets for root during
>>>> install, and the password for the first user during install.
>>>>
>>>> Since SipXecs install creates these users, and thereby creates the
>>>> security issue, part of the user creation should deny those users access to
>>>> ssh in the sshd_config. That's the only part of this scenario that isn't
>>>> secure. I will be happy to submit a bug, etc...
>>>>
>>>> As it happens, I'm not the first person to be hacked because of this:
>>>> http://www.mail-archive.com/sipx-***@list.sipfoundry.org/msg04471.html. And it's highly likely that many people have been bitten by this, and no
>>>> one knew what the cause was.
>>>>
>>>> This serves as a warning to ALL SipXecs 4.4.x users:
>>>>
>>>> 1. If you have SipXecs 4.4.x
>>>> 2. You still have the PlcmSIp and lvp2890 users, with unchanged
>>>> password (which you would by default, not knowing they had been added to
>>>> your server)
>>>> 3. Anyone has SSH port access to the server
>>>> 4. Then you are wide open
>>>>
>>>> I don't care how one solves the issue, we have 3 solutions so far:
>>>>
>>>> 1. Disable or heavily restrict all ssh access to the machine
>>>> 2. DenyUsers PlcmSIp lvp2890 in /etc/ssh/sshd_config
>>>> 3. AllowTcpForwarding no in /etc/ssh/sshd_config
>>>>
>>>> I prefer method 2 because I don't want to remove a useful tool in my
>>>> arsenal (ssh port forwarding), and I don't want to change the default
>>>> passwords (because of provisioning stock phones). But I HIGHLY suggest
>>>> everyone takes a quick look at their settings, because I bet a lot of
>>>> people are susceptible to this. Thanks.
>>>>
>>>> ~Noah
>>>>
>>>> On Nov 16, 2012, at 5:37 PM, Tony Graziano <
>>>> ***@myitdepartment.net>
>>>> wrote:
>>>>
>>>> You do realize the other side of this argument is that SSH forwarding
>>>> is enabled by default on Redhat/Centos and that since you have SSH
>>>> available to the public at large it also makes this an effective use of
>>>> your system.
>>>>
>>>> I think the place for you to ask for a change is submitting a JIRA
>>>> and posting a link on the users and dev groups so people can comment and/or
>>>> vote for this change...
>>>>
>>>> add in /etc/ssh/sshd_config by default:
>>>>
>>>> AllowTcpForwarding no
>>>> DenyUsers PlcmSpIp
>>>>
>>>>
>>>>
>>>>
>>>> On Fri, Nov 16, 2012 at 5:24 PM, Noah Mehl <***@tritonlimited.com>wrote:
>>>>
>>>>> Shall I make a screencast to explain?
>>>>>
>>>>> ~Noah
>>>>>
>>>>> On Nov 16, 2012, at 5:20 PM, Noah Mehl <***@tritonlimited.com>
>>>>> wrote:
>>>>>
>>>>> Gerald.
>>>>>
>>>>> That's the security hole. I AM ABLE TO CONNECT TO THE LOCAL SMTP
>>>>> SERVICE ON THE SIPXECS SERVER via SSH remotely using the default user/pass
>>>>> of PlcmSIp, utilizing ssh port forwarding.
>>>>>
>>>>> ~Noah
>>>>>
>>>>> On Nov 16, 2012, at 5:17 PM, Gerald Drouillard <
>>>>> ***@drouillard.ca> wrote:
>>>>>
>>>>> On 11/16/2012 1:57 PM, Noah Mehl wrote:
>>>>>
>>>>> Does nobody on the list know what SSH port forwarding is? I am
>>>>> running the first two commands from a remote machine (connecting to the
>>>>> sipxecs machine) in separate terminals to forward my local 25 port to the
>>>>> sipxecs box, and the 25 port on the sipxecs box locally. The third command
>>>>> is run locally on the remote machine. This exploit gives the remote
>>>>> machine access to port 25 on the SipXecs box even if all other ports are
>>>>> blocked. This could be used for any port that is blocked by firewall, ids,
>>>>> etc, if the remote machine has ssh access to the sipxecs box.
>>>>>
>>>>> ~Noah
>>>>>
>>>>> Do you understand that if your sipx smtp server is only running on
>>>>> localhost that you will not be able to connect to it via
>>>>> telnet/ssh/whatever?
>>>>>
>>>>>
>

--
LAN/Telephony/Security and Control Systems Helpdesk:
Telephone: 434.984.8426
sip: ***@voice.myitdepartment.net

Helpdesk Customers: http://myhelp.myitdepartment.net
Blog: http://blog.myitdepartment.net
m***@mattkeys.net
2012-11-17 11:29:04 UTC
Permalink
Good catch Noah, thank you for reporting it. I agree it's important to address this even if your sipx box is behind a firewall. Good network admins will only allow smtp out from specific internal hosts as to restrict where mail destined for the wan can come from. sipx would likely be allowed to mail the wan side to deliver voicemail email, so that puts it at risk for both public and private network attack.

For users wanting to check if you've been exploited I'd suggest running (as root or preceding with sudo) "lastlog -u PlcmSpIp" or "lastlog -u lvp2890". As suggested earlier applying "DenyUsers PlcmSpIp lvp2890" or inversely "AllowUsers <trusted users separated with spaces>" to /etc/ssh/sshd_config and restarting sshd is necessary to plug the hole.

Beware that iptables is disabled by default in v4.4 so I recommend running sshd on a non-standard port if you need to leave it disabled. If you do want to use iptables and want to restrict who can use ssh from the outside, add to /etc/sysconfig/iptables something like :

-A INPUT -s <trusted IP or dyndns fqdn> -p tcp --dport 22 -j ACCEPT

(see http://wiki.sipfoundry.org/display/sipXecs/Firewall+Configuration for more you'll need)

Alternatively you could use tcp wrappers by appending "sshd: <trusted IP>" to /etc/hosts.allow and then adding "sshd: ALL" in /etc/hosts.deny. fail2ban or denyhosts would also help tremendously. I prefer DenyHosts because it has the online database feature.

Installing logwatch and OSSEC is also a very good idea to catch things like this if you're vigilant about reading the email reports. I've been running OSSEC clients with active response enabled on production sipx 4.4 for a long time without issues.

________________________________________
From: sipx-users-***@list.sipfoundry.org [sipx-users-***@list.sipfoundry.org] On Behalf Of Noah Mehl [***@tritonlimited.com]
Sent: Friday, November 16, 2012 9:15 PM
To: Discussion list for users of sipXecs software
Subject: Re: [sipx-users] Hacked SipXecs 4.4

Tony,

You know what? I think everyone is clear on YOUR opinion on the matter.

In MY opinion, this is a serious bug. I have created a Jira story:

http://track.sipfoundry.org/browse/XX-10529

Next time, I would appreciate constructive comments instead of: "This is only a problem for you... You must be doing something wrong… You're not setting a firewall/ids up correctly…." I know I am not the only person who thinks this is a serious issue.

~Noah


On Nov 16, 2012, at 7:30 PM, Tony Graziano <***@myitdepartment.net> wrote:


That is with ssh open or available from the outside.

I still suggest a JIRA...

On Nov 16, 2012 6:41 PM, "Noah Mehl" <***@tritonlimited.com> wrote:
I would also like to mention:

This works for any port, including SIP. There might be huge amounts of SIP piracy across people's servers.

~Noah

On Nov 16, 2012, at 6:27 PM, Alan Worstell <***@a-1networks.com> wrote:

What Noah is posting about is correct. SMTP is listening on 127.0.0.1. However, if you use SSH port redirection, from an outside host you can forward your remote 127.0.0.1:25 to your own 127.0.0.1:25. I just tested this with a development 4.6 server we have, from a system completely off-network:
ssh -vN PlcmSpIp@{IP_OF_SIPX_SERVER} -L 25:127.0.0.1:25
After entering the password PlcmSpIp, I could telnet 127.0.0.1 25 and send mail. I would consider that to be a pretty large security flaw, as every sipx server out there that has SSH Password logins allowed to the world can be used as spam relays.

Regards,

Alan Worstell
A1 Networks - Systems Administrator
VTSP, dCAA, LPIC-1, Linux+, CLA, DCTS
(707)570-2021 x204
For support issues please email ***@a-1networks.com or call 707-703-1050

On 11/16/12 3:17 PM, Tony Graziano wrote:
can you provide the output of: lsof -i | grep LISTEN

and post what SMTP is listening to?



On Fri, Nov 16, 2012 at 6:11 PM, Noah Mehl <***@tritonlimited.com> wrote:
This is my problem:

You are arguing with me when you don't understand how SSH port forwarding works.

In the exploit I've illustrated, the port is tunneled via SSH. Then on the remote machine (the sipxecs server) the traffic originates as LOCALHOST. That's why it's an OOTB security flaw.

I have not made changes to the smtp config.

~Noah

On Nov 16, 2012, at 6:02 PM, "Tony Graziano" <***@myitdepartment.net> wrote:

There is that too. I keep bringing it up but he skips over it.

In a default sipx installation, the output shows:

sendmail TCP localhost.localdomain:smtp (LISTEN)

and there are no other entries related to SMTP. So again, something is different here than in all the others (remember that kids game?). Why is your installation different? Why is SMTP open to begin with? Why is SMTP open on your system and no one else's?

I still don't agree with your assessment. It is the way your firewall and/or sendmail is configured to begin with that is not consistent with the way the system is used. Security is the admin's and certainly port SSH forward can be turned off and the user can be denied. I don't think it very helpful to make changes to secure a system if someone keeps opening holes or changing smtp configs and then opening another case that the system is not secure enough... I'm just saying. You still have neglected to explain why SMTP is open from waaaayyyy back in this thread.

Realize the developers list are some of the same people here (I won't dissuade you from posting to it to that list, or opening a JIRA) but realize it can be discussed and decided there is no problem and a change is not warranted, only an implementation decision gone awry. On the other hand, if enough people agree those are two things that can be done by default "in the event someone decides to open SMTP". I'm not a fortune teller.

I think it took a lot of your time to find it and to bring it up, and I think it's worthy of consideration though.

On Fri, Nov 16, 2012 at 5:50 PM, Noah Mehl <***@tritonlimited.com> wrote:
Hey! FINALLY, I got some information that's actually useful to me!!! Where is the JIRA link where I can post a bug? Is there a different mailing list for Sipxecs dev?

No, my argument is that two users are created by the SipXecs install: PlcmSIp and lvp2890. These users have passwords set in the /etc/shadow from the install script.

I do not believe that this is a Redhat/Centos problem, because they DO NOT ship system users with passwords in /etc/shadow. Or any user with a password in /etc/shadow except for the password one sets for root during install, and the password for the first user during install.

Since SipXecs install creates these users, and thereby creates the security issue, part of the user creation should deny those users access to ssh in the sshd_config. That's the only part of this scenario that isn't secure. I will be happy to submit a bug, etc...

As it happens, I'm not the first person to be hacked because of this: http://www.mail-archive.com/sipx-***@list.sipfoundry.org/msg04471.html. And it's highly likely that many people have been bitten by this, and no one knew what the cause was.

This serves as a warning to ALL SipXecs 4.4.x users:

1. If you have SipXecs 4.4.x
2. You still have the PlcmSIp and lvp2890 users, with unchanged password (which you would by default, not knowing they had been added to your server)
3. Anyone has SSH port access to the server
4. Then you are wide open

I don't care how one solves the issue, we have 3 solutions so far:

1. Disable or heavily restrict all ssh access to the machine
2. DenyUsers PlcmSIp lvp2890 in /etc/ssh/sshd_config
3. AllowTcpForwarding no in /etc/ssh/sshd_config

I prefer method 2 because I don't want to remove a useful tool in my arsenal (ssh port forwarding), and I don't want to change the default passwords (because of provisioning stock phones). But I HIGHLY suggest everyone takes a quick look at their settings, because I bet a lot of people are susceptible to this. Thanks.

~Noah

On Nov 16, 2012, at 5:37 PM, Tony Graziano <***@myitdepartment.net> wrote:

You do realize the other side of this argument is that SSH forwarding is enabled by default on Redhat/Centos and that since you have SSH available to the public at large it also makes this an effective use of your system.

I think the place for you to ask for a change is submitting a JIRA and posting a link on the users and dev groups so people can comment and/or vote for this change...

add in /etc/ssh/sshd_config by default:

AllowTcpForwarding no
DenyUsers PlcmSpIp




On Fri, Nov 16, 2012 at 5:24 PM, Noah Mehl <***@tritonlimited.com> wrote:
Shall I make a screencast to explain?

~Noah

On Nov 16, 2012, at 5:20 PM, Noah Mehl <***@tritonlimited.com> wrote:

Gerald.

That's the security hole. I AM ABLE TO CONNECT TO THE LOCAL SMTP SERVICE ON THE SIPXECS SERVER via SSH remotely using the default user/pass of PlcmSIp, utilizing ssh port forwarding.

~Noah

On Nov 16, 2012, at 5:17 PM, Gerald Drouillard <***@drouillard.ca> wrote:

On 11/16/2012 1:57 PM, Noah Mehl wrote:
Does nobody on the list know what SSH port forwarding is? I am running the first two commands from a remote machine (connecting to the sipxecs machine) in separate terminals to forward my local 25 port to the sipxecs box, and the 25 port on the sipxecs box locally. The third command is run locally on the remote machine. This exploit gives the remote machine access to port 25 on the SipXecs box even if all other ports are blocked. This could be used for any port that is blocked by firewall, ids, etc, if the remote machine has ssh access to the sipxecs box.

~Noah
Do you understand that if your sipx smtp server is only running on localhost that you will not be able to connect to it via telnet/ssh/whatever?



--
Regards
--------------------------------------
Gerald Drouillard
Technology Architect
Drouillard & Associates, Inc.
http://www.Drouillard.biz<http://www.drouillard.biz/>


_______________________________________________
sipx-users mailing list
sipx-***@list.sipfoundry.org<mailto:sipx-***@list.sipfoundry.org>
List Archive: http://list.sipfoundry.org/archive/sipx-users/


­­
_______________________________________________
sipx-users mailing list
sipx-***@list.sipfoundry.org<mailto:sipx-***@list.sipfoundry.org>
List Archive: http://list.sipfoundry.org/archive/sipx-users/


­­

_______________________________________________
sipx-users mailing list
sipx-***@list.sipfoundry.org<mailto:sipx-***@list.sipfoundry.org>
List Archive: http://list.sipfoundry.org/archive/sipx-users/



--
~~~~~~~~~~~~~~~~~~
Tony Graziano, Manager
Telephone: 434.984.8430
sip: ***@voice.myitdepartment.net
Fax: 434.465.6833
~~~~~~~~~~~~~~~~~~
Linked-In Profile:
http://www.linkedin.com/pub/tony-graziano/14/4a6/7a4
Ask about our Internet Fax services!
~~~~~~~~~~~~~~~~~~

Using or developing for sipXecs from SIPFoundry? Ask me about sipX-CoLab 2013!
<http://sipxcolab2013.eventbrite.com/?discount=tony2013>

LAN/Telephony/Security and Control Systems Helpdesk:
Telephone: 434.984.8426
sip: ***@voice.myitdepartment.net

Helpdesk Customers: http://myhelp.myitdepartment.net
Blog: http://blog.myitdepartment.net
Noah Mehl
2012-11-17 15:50:43 UTC
Permalink
Matt,

Thanks for the comments. These are all great!

~Noah

On Nov 17, 2012, at 6:29 AM, ***@mattkeys.net wrote:

> Good catch Noah, thank you for reporting it. I agree it's important to address this even if your sipx box is behind a firewall. Good network admins will only allow smtp out from specific internal hosts as to restrict where mail destined for the wan can come from. sipx would likely be allowed to mail the wan side to deliver voicemail email, so that puts it at risk for both public and private network attack.
>
> For users wanting to check if you've been exploited I'd suggest running (as root or preceding with sudo) "lastlog -u PlcmSpIp" or "lastlog -u lvp2890". As suggested earlier applying "DenyUsers PlcmSpIp lvp2890" or inversely "AllowUsers <trusted users separated with spaces>" to /etc/ssh/sshd_config and restarting sshd is necessary to plug the hole.
>
> Beware that iptables is disabled by default in v4.4 so I recommend running sshd on a non-standard port if you need to leave it disabled. If you do want to use iptables and want to restrict who can use ssh from the outside, add to /etc/sysconfig/iptables something like:
>
> -A INPUT -s <trusted IP or dyndns fqdn> -p tcp --dport 22 -j ACCEPT
>
> (see http://wiki.sipfoundry.org/display/sipXecs/Firewall+Configuration for more you'll need)
>
> Alternatively you could use tcp wrappers by appending "sshd: <trusted IP>" to /etc/hosts.allow and then adding "sshd: ALL" in /etc/hosts.deny. fail2ban or denyhosts would also help tremendously. I prefer DenyHosts because it has the online database feature.
>
> Installing logwatch and OSSEC are also very good ideas to catch things like this if you're vigilant about reading the email reports. I've been running OSSEC clients with active response enabled on production sipx 4.4 for a long time without issues.
>
> ________________________________________
> From: sipx-users-***@list.sipfoundry.org [sipx-users-***@list.sipfoundry.org] On Behalf Of Noah Mehl [***@tritonlimited.com]
> Sent: Friday, November 16, 2012 9:15 PM
> To: Discussion list for users of sipXecs software
> Subject: Re: [sipx-users] Hacked SipXecs 4.4
>
> Tony,
>
> You know what? I think everyone is clear on YOUR opinion on the matter.
>
> In MY opinion, this is a serious bug. I have created a Jira story:
>
> http://track.sipfoundry.org/browse/XX-10529
>
> Next time, I would appreciate constructive comments instead of: "This is only a problem for you... You must be doing something wrong… You're not setting a firewall/ids up correctly…." I know I am not the only person who thinks this is a serious issue.
>
> ~Noah
>
>
> On Nov 16, 2012, at 7:30 PM, Tony Graziano <***@myitdepartment.net> wrote:
>
>
> That is with ssh open or available from the outside.
>
> I still suggest a JIRA...
>
> On Nov 16, 2012 6:41 PM, "Noah Mehl" <***@tritonlimited.com> wrote:
> I would also like to mention:
>
> This works for any port, including SIP. There might be huge amounts of SIP piracy across peoples servers.
>
> ~Noah
>
> On Nov 16, 2012, at 6:27 PM, Alan Worstell <***@a-1networks.com> wrote:
>
> What Noah is posting about is correct. SMTP is listening on 127.0.0.1. However, if you use SSH port redirection, from an outside host you can forward your remote 127.0.0.1:25 to your own 127.0.0.1:25. I just tested this with a development 4.6 server we have, from a system completely off-network:
> ssh -vN PlcmSpIp@{IP_OF_SIPX_SERVER} -L 25:127.0.0.1:25
> After entering the password PlcmSpIp, I could telnet 127.0.0.1 25 and send mail. I would consider that to be a pretty large security flaw, as every sipx server out there that has SSH Password logins allowed to the world can be used as spam relays.
>
> Regards,
>
> Alan Worstell
> A1 Networks - Systems Administrator
> VTSP, dCAA, LPIC-1, Linux+, CLA, DCTS
> (707)570-2021 x204
> For support issues please email ***@a-1networks.com or call 707-703-1050
>
> On 11/16/12 3:17 PM, Tony Graziano wrote:
> can you provide the output of: lsof -i | grep LISTEN
>
> and post what SMTP is listening to?
>
>
>
> On Fri, Nov 16, 2012 at 6:11 PM, Noah Mehl <***@tritonlimited.com> wrote:
> This is my problem:
>
> You are arguing with me when you don't understand how SSH port forwarding works.
>
> In the exploit I've illustrated, the port is tunneled via SSH. Then on the remote machine (the sipxecs server) the traffic originates as LOCALHOST. That's why it's an OOTB security flaw.
>
> I have not made changes to the smtp config.
>
> ~Noah
>
> On Nov 16, 2012, at 6:02 PM, "Tony Graziano" <***@myitdepartment.net> wrote:
>
> There is that too. I keep bringing it up but he skips over it.
>
> In a default sipx installation, the output shows:
>
> sendmail TCP localhost.localdomain:smtp (LISTEN)
>
> and there are no other entries related to SMTP. So again, something is different here than in all the others (remember that kids game?). Why is your installation different? Why is SMTP open to begin with? Why is SMTP open on your system and no one else's?
>
> I still don't agree with your assessment. It is the way your firewall and/or sendmail is configured to begin with that is not consistent with the way the system is used. Security is the admin's, and certainly SSH port forwarding can be turned off and the user can be denied. I don't think it very helpful to make changes to secure a system if someone keeps opening holes or changing smtp configs and then opening another case that the system is not secure enough... I'm just saying. You still have neglected to explain why SMTP is open from waaaayyyy back in this thread.
>
> Realize the developers list are some of the same people here (I won't dissuade you from posting to it to that list, or opening a JIRA) but realize it can be discussed and decided there is no problem and a change is not warranted, only an implementation decision gone awry. On the other hand, if enough people agree those are two things that can be done by default "in the event someone decides to open SMTP". I'm not a fortune teller.
>
> I think it took a lot of your time to find it and to bring it up, and I think it's worthy of consideration though.
>
> On Fri, Nov 16, 2012 at 5:50 PM, Noah Mehl <***@tritonlimited.com> wrote:
> Hey! FINALLY, I got some information that's actually useful to me!!! Where is the JIRA link where I can post a bug? Is there a different mailing list for Sipxecs dev?
>
> No, my argument is that two users are created by the SipXecs install: PlcmSIp and lvp2890. These users have passwords set in the /etc/shadow from the install script.
>
> I do not believe that this is a Redhat/Centos problem, because they DO NOT ship system users with passwords in /etc/shadow. Or any user with a password in /etc/shadow except for the password one sets for root during install, and the password for the first user during install.
>
> Since SipXecs install creates these users, and thereby creates the security issue, part of the user creation should deny those users access to ssh in the sshd_config. That's the only part of this scenario that isn't secure. I will be happy to submit a bug, etc...
>
> As it happens, I'm not the first person to be hacked because of this: http://www.mail-archive.com/sipx-***@list.sipfoundry.org/msg04471.html And it's highly likely that many people have been bitten by this, and no one knew what the cause was.
>
> This serves as a warning to ALL SipXecs 4.4.x users:
>
> 1. If you have SipXecs 4.4.x
> 2. You still have the PlcmSIp and lvp2890 users, with unchanged password (which you would by default, not knowing they had been added to your server)
> 3. Anyone has SSH port access to the server
> 4. Then you are wide open
>
> I don't care how one solves the issue, we have 3 solutions so far:
>
> 1. Disable or heavily restrict all ssh access to the machine
> 2. DenyUsers PlcmSIp lvp2890 in /etc/ssh/sshd_config
> 3. AllowTcpForwarding no in /etc/ssh/sshd_config
>
> I prefer method 2 because I don't want to remove a useful tool in my arsenal (ssh port forwarding), and I don't want to change the default passwords (because of provisioning stock phones). But I HIGHLY suggest everyone takes a quick look at their settings, because I bet a lot of people are susceptible to this. Thanks.
>
> ~Noah
>
> On Nov 16, 2012, at 5:37 PM, Tony Graziano <***@myitdepartment.net> wrote:
>
> You do realize the other side of this argument is that SSH forwarding is enabled by default on Redhat/Centos and that since you have SSH available to the public at large it also makes this an effective use of your system.
>
> I think the place for you to ask for a change is submitting a JIRA and posting a link on the users and dev groups so people can comment and/or vote for this change...
>
> add in /etc/ssh/sshd_config by default:
>
> AllowTcpForwarding no
> DenyUsers PlcmSpIp
>
>
>
>
> On Fri, Nov 16, 2012 at 5:24 PM, Noah Mehl <***@tritonlimited.com> wrote:
> Shall I make a screencast to explain?
>
> ~Noah
>
> On Nov 16, 2012, at 5:20 PM, Noah Mehl <***@tritonlimited.com> wrote:
>
> Gerald.
>
> That's the security hole. I AM ABLE TO CONNECT TO THE LOCAL SMTP SERVICE ON THE SIPXECS SERVER via SSH remotely using the default user/pass of PlcmSIp, utilizing ssh port forwarding.
>
> ~Noah
>
> On Nov 16, 2012, at 5:17 PM, Gerald Drouillard <***@drouillard.ca> wrote:
>
> On 11/16/2012 1:57 PM, Noah Mehl wrote:
> Does nobody on the list know what SSH port forwarding is? I am running the first two commands from a remote machine (connecting to the sipxecs machine) in separate terminals to forward my local 25 port to the sipxecs box, and the 25 port on the sipxecs box locally. The third command is run locally on the remote machine. This exploit gives the remote machine access to port 25 on the SipXecs box even if all other ports are blocked. This could be used for any port that is blocked by firewall, ids, etc, if the remote machine has ssh access to the sipxecs box.
>
> ~Noah
> Do you understand that if your sipx smtp server is only running on localhost that you will not be able to connect to it via telnet/ssh/whatever?

Scanned for viruses and content by the Tranet Spam Sentinel service.
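The two things Matt suggests checking above (who has logged in as the provisioning accounts, and whether sshd_config shuts them out) and the three mitigations Noah lists (DenyUsers, AllowUsers, or AllowTcpForwarding no) can be scripted. The following is an added example written for this page; it is not code from the sipXecs project or from any poster in this thread. It assumes the OpenSSH/pam_unix log format that CentOS 5 writes to /var/log/secure ("Accepted password for <user> from <ip> ...") and a plain sshd_config without Match blocks. The log excerpt and the config snippets used in the usage note are constructed, with documentation-range addresses.

```shell
#!/bin/sh
# Added example, not code from the sipXecs project or from anyone on this list.
# Two checks a sipXecs 4.4 admin can run for the exposure discussed here:
#   1. which hosts have authenticated to sshd as the provisioning accounts
#      (PlcmSpIp, lvp2890) that the installer creates with known passwords;
#   2. whether /etc/ssh/sshd_config refuses those accounts (DenyUsers, or an
#      AllowUsers list that omits them) or at least refuses TCP forwarding,
#      i.e. the three mitigations proposed in the thread.
# The log sample below is constructed for the example.

PROVISIONING_USERS="PlcmSpIp lvp2890"

# Constructed /var/log/secure excerpt in the OpenSSH + pam_unix format that
# CentOS 5 writes. Addresses are documentation ranges, not real attackers.
SAMPLE_SECURE='Oct 11 06:09:20 sipx1 sshd[22059]: Accepted password for PlcmSpIp from 203.0.113.77 port 51022 ssh2
Oct 11 06:09:25 sipx1 sshd[22059]: pam_unix(sshd:session): session opened for user PlcmSpIp by (uid=0)
Oct 11 09:12:01 sipx1 sshd[23001]: Accepted publickey for root from 192.0.2.10 port 40022 ssh2
Oct 11 18:36:00 sipx1 sshd[29185]: Accepted password for PlcmSpIp from 203.0.113.77 port 4402 ssh2
Oct 11 18:36:02 sipx1 sshd[29185]: pam_unix(sshd:session): session opened for user PlcmSpIp by (uid=0)
Oct 11 20:57:50 sipx1 sshd[30561]: Accepted password for lvp2890 from 198.51.100.9 port 3301 ssh2
Oct 11 21:00:00 sipx1 sshd[30600]: Failed password for PlcmSpIp from 198.51.100.9 port 3302 ssh2'

# provisioning_logins: read sshd log lines on stdin, print "user ip count"
# for every successful authentication by a provisioning account. Only
# "Accepted ..." lines count: "session opened" lines carry no source address
# and "Failed password" lines are attempts, not logins.
provisioning_logins() {
    awk -v users="$PROVISIONING_USERS" '
        BEGIN { n = split(users, u, " "); for (i = 1; i <= n; i++) watch[u[i]] = 1 }
        /sshd\[[0-9]+\]: Accepted / {
            user = ""; ip = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "for")  user = $(i + 1)
                if ($i == "from") ip   = $(i + 1)
            }
            if (user in watch) seen[user " " ip]++
        }
        END { for (k in seen) print k, seen[k] }
    ' | LC_ALL=C sort
}

# audit_sshd_config: read an sshd_config on stdin and report, per provisioning
# user, whether sshd will refuse the login (DenyUsers, or AllowUsers without
# the user) or at least refuse port forwarding (AllowTcpForwarding no).
# Exit status 0 only if every provisioning user is covered by one of the three.
# Limitations: exact user names only (no wildcard patterns), and Match blocks
# are not evaluated, so a "Match User" override will be missed.
audit_sshd_config() {
    conf=$(sed 's/#.*//' | tr -s ' \t' ' ')
    # AllowUsers/DenyUsers may appear on several lines and accumulate
    deny=$(printf '%s\n' "$conf" | awk 'tolower($1) == "denyusers"  { $1 = ""; print }' | tr '\n' ' ')
    allow=$(printf '%s\n' "$conf" | awk 'tolower($1) == "allowusers" { $1 = ""; print }' | tr '\n' ' ')
    # sshd uses the first value it finds for a keyword that may appear once
    fwd=$(printf '%s\n' "$conf" | awk 'tolower($1) == "allowtcpforwarding" { print tolower($2); exit }')
    status=0
    for u in $PROVISIONING_USERS; do
        case " $deny " in
            *" $u "*) echo "ok: $u listed in DenyUsers"; continue ;;
        esac
        if [ -n "${allow# }" ]; then
            case " $allow " in
                *" $u "*) echo "FAIL: $u is explicitly allowed by AllowUsers"; status=1 ;;
                *)        echo "ok: AllowUsers is set and omits $u" ;;
            esac
            continue
        fi
        if [ "$fwd" = "no" ]; then
            echo "ok: $u can authenticate, but AllowTcpForwarding no stops the tunnel"
        else
            echo "FAIL: $u can authenticate and forward ports (no DenyUsers/AllowUsers, forwarding on)"
            status=1
        fi
    done
    return $status
}

# Usage on a real box:
#   provisioning_logins < /var/log/secure
#   audit_sshd_config  < /etc/ssh/sshd_config
# Against the constructed sample: printf '%s\n' "$SAMPLE_SECURE" | provisioning_logins
```

On the sample, provisioning_logins reports two PlcmSpIp logins from 203.0.113.77 and one lvp2890 login from 198.51.100.9, and ignores both the root key login and the failed attempt. audit_sshd_config passes a config with "DenyUsers PlcmSpIp lvp2890", with an AllowUsers list that names only trusted admins, or with "AllowTcpForwarding no", and fails a stock config or one that denies only PlcmSpIp. Note that lastlog and /var/log/secure on a box that has already been abused may have been cleaned by the intruder; the mail queue Noah found is the more reliable indicator.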
Gerald Drouillard
2012-11-16 22:37:49 UTC
Permalink
On 11/16/2012 5:24 PM, Noah Mehl wrote:
> Shall I make a screencast to explain?
>
No. You cannot connect to a server port if there is nothing listening on that port. Your sipx server smtp server should only be listening on localhost:smtp, not *:smtp

Check the output of:
lsof -i | grep LISTEN


--
Regards
--------------------------------------
Gerald Drouillard
Technology Architect
Drouillard & Associates, Inc.
http://www.Drouillard.biz
Noah Mehl
2012-11-16 22:53:32 UTC
Permalink
Someone else can explain this! I'm tired of arguing…

~Noah

Todd Hodgen
2012-11-16 20:54:01 UTC
Permalink
Thanks for the confirmation Noah.



From: sipx-users-***@list.sipfoundry.org
[mailto:sipx-users-***@list.sipfoundry.org] On Behalf Of Noah Mehl
Sent: Friday, November 16, 2012 9:52 AM
To: Discussion list for users of sipXecs software
Subject: Re: [sipx-users] Hacked SipXecs 4.4

I can confirm that adding:

DenyUsers PlcmSpIp

to /etc/ssh/sshd_config solves this exploit.

I'm back to my original opinion that if this user is installed automatically, without my intervention, then that line should be added to the sshd_config.

~Noah



On Nov 16, 2012, at 12:46 PM, Noah Mehl <***@tritonlimited.com> wrote:

Tony,

I just figured out an exploit in 15 minutes with the help of Google http://www.semicomplete.com/articles/ssh-security/:

$sudo ssh -vN -L25:localhost:25 ***@sipxecsip
$sudo ssh -vN -R25:localhost:25 ***@sipxecsip
$telnet localhost 25

Tell me if your ids stops that?

This works on a stock SipXecs 4.4.0 install.

~Noah
On Nov 16, 2012, at 11:46 AM, Tony Graziano <***@myitdepartment.net> wrote:

The user doesn't have login via ssh. Ssh in and of itself is not protected and it is exposed.

It is trivial to change the user password and/or delete it. We typically don't expose ssh at all. You haven't provided any real evidence that a dictionary attack didn't overwhelm the pam service either.

I don't share your opinion here. My firewall protects against all kinds of ids stuff even if I had ssh open. Just because you have iptables running it doesn't mean you are inherently secure at all.

Our firewalls sitting in front of sipx had ids rules running that would protect anything behind it from a known attack against a well known service like ssh. Ssh has lots of options which should be exercised according to your security border device.

On Nov 16, 2012 11:36 AM, "Noah Mehl" <***@tritonlimited.com> wrote:

The only hardening required to solve this particular problem would be an addition to the sshd config:

DenyUsers PlcmSpIp

I think this should be included in the default distribution of SipXecs isos and/or packages (I've only ever used the iso) because this is something that is specific to the distribution. That user, and its password and access, are created by SipXecs, and that addition to the sshd config should be made OOTB. Unless someone has a reason that PlcmSpIp should be able to have any ssh access?

I'd really like some input from someone from eZuce, as this is an easy solution and protects the entire community.

This was NOT a DDOS attack. This is that the PlcmSpIp user has a default password of PlcmSpIp, and there's something about the default access of that user that allows remote execution via SSH OOTB, and that IS a security issue. You know why? Because as far as I know, no other default linux service account is susceptible to this attack. Probably because linux system accounts DON'T HAVE PASSWORDS! In other words, if you're creating service users with default passwords, they probably should be denied from ssh OOTB. This is also, not documented as far as I can tell...

~Noah

On Nov 16, 2012, at 11:26 AM, Tony Graziano <***@myitdepartment.net> wrote:

It really sounds like you don't have a method to harden your server if you are exposing it. It's entirely possible you were targeted with a ddos attack that overwhelmed the Linux system. If you had properly crafted iptables rules and ssh protection mechanisms it would most likely not have happened.

Any DoS or DDoS can overwhelm system services to the point of failure, thus allowing (by unavailability) internal logging or protection mechanisms. Put the server behind a firewall and protect the vulnerable service (ssh) by limiting the footprint. Backup the system, wipe and restore it in the event a root kit was planted.

I don't think iptables was adequately configured. I don't think there is anything inherently wrong with Sipx here either.

It is a phone system. It is up to you to protect and/or harden it. Any vulnerabilities exposed are really Linux vulnerabilities and Linux is not hack proof.

Good luck.

On Nov 16, 2012 10:07 AM, "Noah Mehl" <***@tritonlimited.com> wrote:

Todd,

The private subnet is: 172.16.0.0 - 172.31.255.255. That IP is a public IP address, which is part of AOL in Nevada I think. I actually have over 80 different public IP address entries in my log using that user to SSH to my SipXecs box.

I understand that it's a phone system and not a firewall. However it's a linux server, and IPtables is the best firewall in world, IMHO. I did have SSH access open to the world, that was my choice. I have never been bitten by this before. Either way, you should not be able to execute anything by SSH'ing with the PlcmSpIp user, whether it's a public IP or not.

~Noah

On Nov 15, 2012, at 7:07 PM, Todd Hodgen <***@frontier.com> wrote:

> Here is a question I would have as well - 172.129.67.195 seems to be an
> address that is local to your network. Who has that IP address, why are
> they attempting to breach that server. If they are not a part of your
> network, how are they getting to that server from outside your network -
> there has to be an opening in a firewall somewhere that is allowing it.
>
> Remember, this is a phone system, not a firewall, not a router. It's a
> phone system with pretty standard authentication requirements, it's up to
> the administrator to keep others off of the network.
>
> -----Original Message-----
> From: sipx-users-***@list.sipfoundry.org
> [mailto:sipx-users-***@list.sipfoundry.org] On Behalf Of Noah Mehl
> Sent: Thursday, November 15, 2012 10:04 AM
> To: Discussion list for users of sipXecs software
> Subject: Re: [sipx-users] Hacked SipXecs 4.4
>
> To that point:
>
> Users logging in through sshd:
> PlcmSpIp:
> 172.129.67.195 (AC8143C3.ipt.aol.com): 1 time
>
> That can't be good. I understand that PlcmSpIp is a user for the Polycom provisioning. I have removed ssh access to the box from the world, but how do I change the default password for that user? This seems like a big security risk, as every sipxecs install probably has this user with a default password?
>
> ~Noah
>
> On Nov 15, 2012, at 12:41 PM, Todd Hodgen <***@frontier.com> wrote:
>
>> Look at /var/spool/mail/root. There is a report you can find in there that shows system activity. Look for entries below --------------------- pam_unix Begin ------------------------ and I think you will find the source of your aggravation.
>>
>> -----Original Message-----
>> From: sipx-users-***@list.sipfoundry.org
>> [mailto:sipx-users-***@list.sipfoundry.org] On Behalf Of Noah Mehl
>> Sent: Thursday, November 15, 2012 6:29 AM
>> To: Discussion list for users of sipXecs software
>> Subject: Re: [sipx-users] Hacked SipXecs 4.4
>>
>> I am seeing more spam in my mail queue. I have iptables installed, and here are my rules:
>>
>> Chain INPUT (policy ACCEPT)
>> target     prot opt source               destination
>> RH-Firewall-1-INPUT  all  --  anywhere             anywhere
>>
>> Chain FORWARD (policy ACCEPT)
>> target     prot opt source               destination
>> RH-Firewall-1-INPUT  all  --  anywhere             anywhere
>>
>> Chain OUTPUT (policy ACCEPT)
>> target     prot opt source               destination
>>
>> Chain RH-Firewall-1-INPUT (2 references)
>> target     prot opt source               destination
>> ACCEPT     all  --  anywhere             anywhere
>> ACCEPT     icmp --  anywhere             anywhere            icmp any
>> ACCEPT     esp  --  anywhere             anywhere
>> ACCEPT     ah   --  anywhere             anywhere
>> ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:mdns
>> ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
>> ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ipp
>> ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
>> ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:pcsync-https
>> ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
>> ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:xmpp-client
>> ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:5223
>> ACCEPT     all  --  192.168.0.0/16       anywhere
>> ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:sip
>> ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:sip
>> ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:sip-tls
>> ACCEPT     udp  --  sip02.gafachi.com    anywhere            state NEW udp dpts:sip:5080
>> ACCEPT     udp  --  204.11.192.0/22      anywhere            state NEW udp dpts:sip:5080
>> REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
>>
>> As far as I can tell, no one should be able to use port 25 from the world. Also, sendmail is only configured to allow relay from localhost:
>>
>> [***@sipx1 ~]# cat /etc/mail/access
>> # Check the /usr/share/doc/sendmail/README.cf file for a description
>> # of the format of this file. (search for access_db in that file)
>> # The /usr/share/doc/sendmail/README.cf is part of the sendmail-doc
>> # package.
>> #
>> # by default we allow relaying from localhost...
>> Connect:localhost.localdomain RELAY
>> Connect:localhost RELAY
>> Connect:127.0.0.1 RELAY
>>
>> Can someone please help me figure out where this spam is coming from? Thanks.
>>
>> ~Noah
>>
>> On Oct 13, 2012, at 10:17 AM, Noah Mehl <***@tritonlimited.com> wrote:
>>
>>> I did not change the configuration of anything related to the PlcmSpIp user. It does however make me feel better that it is related to the vsftpd service and the polycom phones.
>>>
>>> From /etc/passwd:
>>>
>>> PlcmSpIp:x:500:500::/var/sipxdata/configserver/phone/profile/tftproot:/sbin/nologin
>>>
>>> So, that user cannot ssh to a shell. So I don't think it was that.
>>>
>>> ~Noah
>>>
>>> On Oct 12, 2012, at 9:05 AM, Tony Graziano <***@myitdepartment.net> wrote:
>>>
>>>> ... more -- it's a user that does not have login to the OS itself, just vsftpd, which is restricted to certain commands and must present a request for its mac address in order to get a configuration file. It is not logging into linux unless someone changed the rights of the user.
>>>>
>>>> On Fri, Oct 12, 2012 at 7:30 AM, George Niculae <***@ezuce.com> wrote:
>>>>> On Fri, Oct 12, 2012 at 2:26 PM, Tony Graziano
>>>>> <***@myitdepartment.net> wrote:
>>>>>> this is not a valid system user unless you have manually added it
>>>>>> to the system. I do think the logs would show more if access was
>>>>>> granted. Why are you exposing sshd to the outside world with an
>>>>>> acl or by protecting it at your firewall?
>>>>>>
>>>>>
>>>>> PlcmSpIp is the user used by polycom phones for fetching config
>>>>> from server
>>>>>
>>>>> George
>>>>> _______________________________________________
>>>>> sipx-users mailing list
>>>>> sipx-***@list.sipfoundry.org
>>>>> List Archive: http://list.sipfoundry.org/archive/sipx-users/
>>>>
>>>>
>>>>
>>>> --
>>>> ~~~~~~~~~~~~~~~~~~
>>>> Tony Graziano, Manager
>>>> Telephone: 434.984.8430
>>>> sip: ***@voice.myitdepartment.net
>>>> Fax: 434.465.6833
>>>> ~~~~~~~~~~~~~~~~~~
>>>> Linked-In Profile:
>>>> http://www.linkedin.com/pub/tony-graziano/14/4a6/7a4
>>>> Ask about our Internet Fax services!
>>>> ~~~~~~~~~~~~~~~~~~
>>>>
>>>> Using or developing for sipXecs from SIPFoundry? Ask me about
>>>> sipX-CoLab 2013!
>>>>
>>>> --
>>>> LAN/Telephony/Security and Control Systems Helpdesk:
>>>> Telephone: 434.984.8426
>>>> sip: ***@voice.myitdepartment.net
>>>>
>>>> Helpdesk Customers: http://myhelp.myitdepartment.net
>>>> Blog: http://blog.myitdepartment.net
>>>
>>>
>>
>

Gerald Drouillard
2012-10-12 14:24:55 UTC
On 10/11/2012 11:48 PM, Noah Mehl wrote:
> All,
>
> I just realized that my emails from my SipXecs 4.4 server were not being delivered. Upon further investigation, I found that my SipXecs VM had a sendmail queue with over 13000 messages in it. I'm trying to figure out how my machine was sending mail, and it doesn't look like the relay is open, but I found something curious:
>
> [***@sipx1 log]# cat secure | grep "pam_unix(sshd:session): session opened"
> Oct 11 06:09:25 sipx1 sshd[22059]: pam_unix(sshd:session): session opened for user PlcmSpIp by (uid=0)
> Oct 11 18:36:02 sipx1 sshd[29185]: pam_unix(sshd:session): session opened for user PlcmSpIp by (uid=0)
> Oct 11 18:36:16 sipx1 sshd[29192]: pam_unix(sshd:session): session opened for user PlcmSpIp by (uid=0)
> Oct 11 18:36:21 sipx1 sshd[29195]: pam_unix(sshd:session): session opened for user PlcmSpIp by (uid=0)
> Oct 11 20:57:58 sipx1 sshd[30561]: pam_unix(sshd:session): session opened for user PlcmSpIp by (uid=0)
>
> Those are what I think to be successful ssh logins with the user PlcmSplp. Is this user part of the SipXecs install?
>
In your /etc/ssh/sshd_config you should have at the very least:
PermitRootLogin no
AllowUsers yoursecretusername
MaxAuthTries 3


--
Regards
--------------------------------------
Gerald Drouillard
Technology Architect
Drouillard & Associates, Inc.
http://www.Drouillard.biz
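One way to check a server against the three sshd_config settings recommended above, and to flag "session opened" lines for users outside the allow-list, as an added example that is not part of the original thread: it applies sshd's first-value-wins rule per keyword and skips Match blocks. The sample config, the second log line and the 'ops' user name are constructed.

```python
import re

# Constructed, unhardened sshd_config resembling a stock install.
SAMPLE_SSHD_CONFIG = """\
PermitRootLogin yes
MaxAuthTries 6
Match User backup
    PermitRootLogin no
"""
# Constructed log lines in the format quoted in the thread; 'ops' is hypothetical.
SAMPLE_SECURE_LOG = [
    "Oct 11 06:09:25 sipx1 sshd[22059]: pam_unix(sshd:session): session opened for user PlcmSpIp by (uid=0)",
    "Oct 11 07:00:00 sipx1 sshd[22100]: pam_unix(sshd:session): session opened for user ops by (uid=0)",
]
SESSION_RE = re.compile(r"sshd\[\d+\]: pam_unix\(sshd:session\): session opened for user (\S+) by")

def parse_sshd_config(text):
    """Map lower-cased keyword -> value. sshd keeps the FIRST value it reads for a
    keyword, so later duplicates never override; Match-block lines are skipped."""
    settings, in_match = {}, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()               # drop comments and whitespace
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)     # 'Key value' or 'Key=value'
        key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "match":
            in_match = True                               # everything after is conditional
        elif not in_match:
            settings.setdefault(key, value)
    return settings

def audit_sshd_config(text):
    """Findings against the three settings recommended in the thread."""
    s, findings = parse_sshd_config(text), []
    if s.get("permitrootlogin", "yes").lower() != "no":   # era default when unset: yes
        findings.append("PermitRootLogin is not 'no'")
    if not s.get("allowusers"):
        findings.append("AllowUsers is unset")
    tries = int(s.get("maxauthtries", "6") or 6)
    if tries > 3:
        findings.append(f"MaxAuthTries is {tries} (recommended 3)")
    return findings

def unexpected_ssh_sessions(log_lines, allowed_users):
    """Users with an opened sshd session who are not on the AllowUsers list."""
    allowed = set(allowed_users)
    return [m.group(1) for m in map(SESSION_RE.search, log_lines)
            if m and m.group(1) not in allowed]
```

A "session opened" line means the credential was accepted by PAM, regardless of the account's shell, so the allow-list check is the one that matters for service accounts such as PlcmSpIp.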