cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

Welcome to Cisco Firewalls Community


1507
Views
0
Helpful
11
Replies
Highlighted
Beginner

PBX behind asa got hacked

Hi,

We have a costumer who has an asterix PBX behind an ASA i configured, the PBX i did not configure, we have several customers with the same setup. Today we have noticed that there PBX got hacked and was making calls to very expensive phone extensions. The guy who configured the PBX is saying that its the ASA who got hacked. In my opinion it is not the ASA that got hacked but i think there is something going on on the internal network.

They from th PBX says when he scans the IP of the customer who got hacked he sees port 5060 sip is open. but in the ASA ther is no port forwarding on that port, how is this possible?

I also scanned it myself and it says port 5060 is open, which is weird because there is no port forwarding on port 5060.

Can anyone explain to me why this happens?

thanks in advance

Everyone's tags (5)
11 REPLIES 11
Cisco Employee

PBX behind asa got hacked

Bart,

ASA should not open UDP/5060 or TCP/5060 because it's not runnint any service on it's own (by default).

I just checked with ASA 9.0 fresh out of the box with webvpn configured:

./nmap -sU 10.48.66.96

Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-11-14 13:38 CET

mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers

Nmap scan report for 10.48.66.96

Host is up (0.00041s latency).

All 1000 scanned ports on 10.48.66.96 are open|filtered

MAC Address: 50:3D:E5:9D:84:8A (Cisco Systems)

Nmap done: 1 IP address (1 host up) scanned in 21.19 seconds

Similarly for TCP

./nmap -sS 10.48.66.96

Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-11-14 13:42 CET

mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers

Nmap scan report for 10.48.66.96

Host is up (0.00040s latency).

Not shown: 998 filtered ports

PORT     STATE SERVICE

443/tcp  open  https

8443/tcp open  https-alt

MAC Address: 50:3D:E5:9D:84:8A (Cisco Systems)

Nmap done: 1 IP address (1 host up) scanned in 4.84 seconds

How are they verifying that the port is open? It might seem this was in case NAT is configured.

Plus, even IF ASA got hacked (remote access obtained) it's not very likely it could be used as entry point for attack.

Open up a TAC case, allow us to verify what's going on on the ASA.

M.

Beginner

Re: PBX behind asa got hacked

Hi Marcin,

I did the same scans as you did, this are my results.

./nmap -sU x.x.x.210

Starting Nmap 5.51 ( http://nmap.org ) at 2012-11-14 13:49 West-Europa (standaardtijd)

Nmap scan report for d57df1d2.static.xx.nl (x.x.x.210)

Host is up (0.020s latency).

All 1000 scanned ports on d57df1d2.static.xxxx.nl (x.x.x.210) are open|filtered

Nmap done: 1 IP address (1 host up) scanned in 12.66 seconds

./nmap -sS x.x.x.210

Starting Nmap 5.51 ( http://nmap.org ) at 2012-11-14 13:56 West-Europa (standaardtijd)

Nmap scan report for d57df1d2.static.xx.nl (x.x.x.210)

Host is up (0.014s latency).

Not shown: 998 filtered ports

PORT    STATE SERVICE

25/tcp  open  smtp

443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 21.97 seconds

From this ouput i think i am save to say that its not open right?

If you need more information i can post a config so u can check it for any misconfigurations? although i am now quite sure that its not the ASA that is causing the problem.

Also he said he was scanning with some SIP scanner and got this output;

./svmap.py x.x.x.210

| SIP Device           | User Agent          | Fingerprint |

------------------------------------------------------------

| x.x.x.210:5060 | FPBX-2.8.1(1.8.7.0) | disabled    |

thanks in advande

Cisco Employee

PBX behind asa got hacked

Bart,

Please obfuscate that IP address (just in case).

What you've shown is no response on any the ports scanned (however some services will not reply unless you get a propely crafted message) . That being said ASA (with sip inspection enabled) WILL allocate dynamically and on demand ports. Which could lead to the port being seen as open although multiple dependencies exists.

Also on ASA you can do "show asp table socket" to list open/used sockets by applience itself (unlike passthrough traffic).

To me it looks like it's NOT related to ASA itslef being "hacked" (you cannot install services on ASA).

You can try doing:

show xlate global IP_ADD_RE_SS

or show xlate | i IP_ADD_RE_SS

to verify if that IP/PORT has any xlates associated.

M.

Beginner

Re: PBX behind asa got hacked

hi,

I captured the output when he did a port scan on port 5060, and i got this log message in the ASA

show asp table socket

SSL       0003d6cf  10.192.7.1:443              0.0.0.0:*               LISTEN

TCP       00febd1f  10.192.7.1:23               0.0.0.0:*               LISTEN

TCP       02187728  10.192.7.1:23               10.192.7.10:25786       ESTAB

SSL       024567f8  10.192.7.1:443              10.192.7.10:25975       ESTAB

SSL       0248b568  10.192.7.1:443              10.192.7.10:25981       ESTAB

When i did the xlate command i didnt see any global Xlates. I'm getting a feeling that its a bug in the ASA. Also the guy who configured the PBX keeps telling the port is open when it is obviously not.

This i getting a bit weird.

Thanks alot for your help so far! hope you can help me solve this problem.

Thanks

Beginner

Re: PBX behind asa got hacked

in the xlate table i did found this,

UDP PAT from inside:10.192.7.20/5060 to outside:x.x.x.210/5060 flags ri id

le 0:00:35 timeout 1:00:00

Dont know if this is usefull?

Cisco Employee

Re: PBX behind asa got hacked

Bart,

This is perfect example of a dynamic translation that host 10.192.7.20 allocated to itself.

From outside's perspective this will show as a port "open" on firewall while in essence it's on the inside.

M.

Beginner

Re: PBX behind asa got hacked

Hi,

He stopped the asterix server and then he didnt find an open port. As soon as he started it again, he did find the port 5060. So the ASA is forwarding the traffic to the asterix server. I really dont get it because there is no rule anywhere that says, to forward port 5060 to the asterix server.

Do u have anymore ideas?

Cisco Employee

Re: PBX behind asa got hacked

You indicated yourself it's a dynamic rule.

I guess you have PAT for that host? most likely PAT + SIP inspections are creating this when that host is initiating traffic to the outside - watch the syslogs on informational level.

Beginner

Re: PBX behind asa got hacked

But is het possible they could have hacked the SIP through the ASA? With this i mean could they have scanned the IP and then hacked the session with the SIP srver through the ASA?

Cisco Employee

Re: PBX behind asa got hacked

Bart,

Without SIP inspection on, yes it's possible that this xlate could have been used to connect to server, if your security policy allows that.

If SIP inspection is on we do inspect the SIP payload, up to a certain point of course.

I find it unlikely, but technically possible.

M.

Beginner

Re: PBX behind asa got hacked

Ok SIP inspection is on so that cant be the problem. So i have 2 scenarios now of what can be the problem, what do you think is more likely?

1, what the asterisk guy thinks, they have scanned the IP and found that SIP was open. They tried the phone extensions with passwords and they have found them. So they could register the phone to the Asterisk server and make the calls.

2, what i think, they downloaded some kind of trojan and a hacker has access to their network and also can register phones and then make the calls.

CreatePlease to create content
Content for Community-Ad
FusionCharts will render here