This is what I saw:
SSH port forwarded to a FreePBX box
Default user/pass for MySQL/web/SSH
User created peers in MySQL directly and then changed SSH pass
All peers that were on were 104/104, 105/105, etc.
SIP anon yes..
That's the default install.
You give a loaded gun to a guy that never used one, without instructions, and he
will surely shoot himself before learning to put the safety on.
But ain't that the purpose of mass distributing a commercial (support part)
swiss army knife telecom platform?
Why doesn't FreePBX come with FORCED password changes on install?? I guess
$150 an hour support is better than no support at all, right?
There are also Perl and Python scanners out there that do:
Scan ranges of IPs for SIP, scan them for default SSH/SIP user/passes, and
create an Asterisk sip.conf with these as well as the extensions for those.
All the wanna-be hacker has to do next is mass dial and use unauthorized
boxes... 99.5% are all trixbox/FreePBX etc.
But hey.. 99% of all stats are made up.
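A defender-side audit for the two weak settings the post lists (anonymous SIP left enabled, peers whose secret equals their extension such as 104/104). This is an added example, not code from the post or from FreePBX/Asterisk; the sip.conf text is constructed and the parser is a minimal one for the key=value / key=>value form, not Asterisk's own config loader.

```python
# Constructed sample sip.conf (not from the post): anonymous SIP accepted and a
# peer whose secret equals its extension number, the 104/104 pattern described.
SAMPLE_SIP_CONF = """[general]
allowguest=yes

[104]
type=friend
secret=>104
host=dynamic

[201]
type=friend
secret=Vq7#pL2x!mRa
host=dynamic
"""

def parse_sip_conf(text):
    """Minimal parser: [section] headers, key=value or key=>value, ';' comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and "]" in line:
            current = line[1 : line.index("]")]
            sections.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if sep and current is not None:
            sections[current][key.strip().lower()] = value.lstrip(">").strip()
    return sections

def audit_sip_conf(text):
    """Return [(section, finding)] for the weak settings the post describes."""
    sections = parse_sip_conf(text)
    findings = []
    # chan_sip accepts unauthenticated calls unless allowguest=no is set explicitly
    if sections.get("general", {}).get("allowguest", "yes").lower() != "no":
        findings.append(("general", "allowguest not disabled: anonymous SIP calls accepted"))
    for name, opts in sections.items():
        if name == "general" or opts.get("type") not in ("friend", "peer", "user"):
            continue
        secret = opts.get("secret")
        if secret is None:
            findings.append((name, "no secret configured"))
        elif secret in (name, opts.get("defaultuser"), opts.get("username")):
            findings.append((name, "secret equals peer name (104/104 pattern)"))
        elif secret.isdigit() or len(secret) < 8:
            findings.append((name, "weak secret: all digits or shorter than 8"))
    return findings
```

On a FreePBX box the peers the post describes would appear in the generated sip_additional.conf rather than a hand-edited sip.conf, so run the audit over whichever files Asterisk actually includes.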
>>-----Original Message-----
>>From: [mailto:asterisk-biz-
>>] On Behalf Of John Todd
>>Sent: September-01-09 11:59 AM
>>To: Commercial and Business-Oriented Asterisk Discussion
>>Subject: Re: [asterisk-biz] Any installations in European Consulates or
>>Well, I think that's a bit far-fetched. Really, really far-fetched.
>>Random fishing expeditions for vendors of PBX platforms, which are
>>going to be on private networks, are inefficient to the point of zero
>>returns. There are so many other layers of security that have to be
>>penetrated before the concept of "Asterisk" is a security element that
>>is even considered... If you've seen embassy telecommunications
>>systems in any security-minded nation, you'd understand that vendor
>>identity for primary platform isn't a serious consideration.
>>On Sep 1, 2009, at 2:43 AM, C. Savinovich wrote:
>>> I would be so paranoid... what if they want that information to see
>>> what embassies can be hacked?
>>> CS
>>> -----Original Message-----
>>> From:
>>> [] On Behalf Of John Todd
>>> Sent: Tuesday, September 01, 2009 6:53 PM
>>> To: Commercial and Business-Oriented Asterisk Discussion
>>> Subject: [asterisk-biz] Any installations in European Consulates or
>>> Embassies?
>>> I've got a rather unusual request to discover if any European
>>> Consulates are running Asterisk as their PBX platform. For that matter,
>>> are there any embassies that could step forward? This is for a private
>>> query (by another consulate) and replies may be privately held if
>>> requested, other than informing the end user. Or they may be public,
>>> which would be preferred so we can get various government agencies on
>>> the list of reference-able sites.
>>> JT
>>John Todd
>>Digium, Inc. | Asterisk Open Source Community Director
>>445 Jan Davis Drive NW - Huntsville AL 35806 - USA
>>direct: +1-256-428-6083
>>--Bandwidth and Colocation Provided by
>>AstriCon 2009 - October 13 - 15 Phoenix, Arizona
>>Register Now:
>>asterisk-biz mailing list
>>To UNSUBSCRIBE or update options visit: