For several months we have seen a high number of hacked Vicidial servers, whose owners come to us day after day asking for help with their server security. In the past we have seen many different kinds of attacks on Vicidial, and new exploits keep appearing, as happened this time. Every day we see automated bots scanning for exploitable Vicidial installations; they are targeting customers who make calls to the United States, so you are on their target list!
If your server is not connected to the internet, there is no way for them to find you and nothing to worry about. If the machine acting as your server is connected to the internet, you are in danger, and if its web interface is reachable from the public internet by any means, you are at real risk.
How was my Vicidial hacked?
Normally the attackers get in through the same Vicidial web interface the administrator uses to log in. We will discuss in another article exactly how they are getting into these Vicidial servers, so as not to spread the details to more of the bad guys.
The attackers harvest login information with a bot that searches your Vicidial server for exploits. From there they can easily obtain shell logins, administrator users and VoIP SIP accounts; which exploit exposes which information depends on the version, age and configuration of your Vicidial installation, but be aware that even installations set up today are at risk.
One of their bots then tries to set up an IRC connection to a control server. The attackers repeat this behaviour for several hours a day, every day, using the hacked Vicidial system to place calls to expensive destinations whenever they can. They also use your hacked server to relay their traffic and to send spam to the public.
In this case the attackers are not using the typical brute-force method to steal your Vicidial password; what they do now reads all your information in clear text, in seconds! Judging by how the break-ins are going, the tools they use are purpose-built for the task, and there is more to come!
These are the instructions left by the Vicidial support team, who promise they will help you secure your Vicidial server if you follow them step by step:
The first holes were already fixed by the Vicidial Group, who were the first to get this information, but that does not guarantee that the hackers will not find one or another hole that still has to be plugged. I don’t think this is the last we have heard about this!
If your system is accessible from the internet we suggest you check the following steps:
- If possible, avoid internet access TO any Vicidial system.
- Restrict access to trusted IPs or IP ranges.
- Update ViciDial to the latest trunk version via SVN!
- Delete .txt files in webserver directories and deny access to these files via the Apache config.
- If Vtiger is not used, delete it or at least move it out of the webserver tree; if it is used, limit access to the local network, maybe use a VPN, and apply security patches!
- If phpMyAdmin is not used, delete it or at least move it out of the webserver tree; if it is used, limit access to the local network, maybe use a VPN, and apply security patches!
- Install Fail2ban including the Asterisk patches and config.
- RIGHT AFTER THAT: set new passwords for all users with shell access, databases, SIP accounts, etc.! Even if they did not get in yet, they could have skimmed your login data!
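As a worked example of the checklist above (added here, not part of the Vicidial support team's instructions or the Vicidial project), the following Python script audits a web root for the things the list tells you to remove or restrict and renders the Apache 2.4 access rules the list implies: a `Require ip` allow-list of trusted ranges on the web root and a blanket deny on `.txt` files. The web root layout, the directory names `vtiger`/`phpmyadmin`, the sample files and the trusted ranges are constructed assumptions; adjust them to your installation.

```python
"""Pre-hardening audit for a Vicidial web root (added example, not Vicidial code).

Checks the web-server tree for .txt files and for optional components that the
checklist says to remove or restrict, validates the trusted IP ranges, and
renders the matching Apache 2.4 access rules.
"""
import ipaddress
import shutil
import tempfile
from pathlib import Path

# Directory names of optional web apps named in the checklist (assumed layout).
OPTIONAL_COMPONENTS = ("vtiger", "phpmyadmin", "phpMyAdmin")


def find_txt_files(webroot):
    """Return web-root-relative POSIX paths of every .txt file under WEBROOT."""
    root = Path(webroot)
    return sorted(p.relative_to(root).as_posix() for p in root.rglob("*.txt") if p.is_file())


def find_optional_components(webroot):
    """Return names of optional web apps still sitting inside the web-server tree."""
    root = Path(webroot)
    found = {}
    for name in OPTIONAL_COMPONENTS:
        if (root / name).is_dir():
            found[name.lower()] = name  # collapse case variants on case-insensitive filesystems
    return sorted(found.values())


def validate_trusted_networks(networks):
    """Parse trusted ranges; reject garbage and any range that admits every address."""
    parsed = []
    for net in networks:
        n = ipaddress.ip_network(net, strict=False)  # ValueError on malformed input
        if n.prefixlen == 0:
            raise ValueError(f"{net!r} allows every address and is not a trusted range")
        parsed.append(n)
    return parsed


def render_apache_rules(webroot, networks):
    """Render Apache 2.4 rules: only trusted ranges reach the web root, .txt is always denied."""
    nets = validate_trusted_networks(networks)
    lines = [
        f'<Directory "{webroot}">',
        "    Require ip " + " ".join(str(n) for n in nets),
        "</Directory>",
        "",
        '<FilesMatch "\\.txt$">',
        "    Require all denied",
        "</FilesMatch>",
    ]
    return "\n".join(lines)


def audit(webroot, trusted_networks):
    """Run every check and return the findings plus the rendered rules."""
    return {
        "txt_files": find_txt_files(webroot),
        "optional_components": find_optional_components(webroot),
        "apache_rules": render_apache_rules(webroot, trusted_networks),
    }


def build_sample_webroot():
    """Create a constructed sample web root in a temp directory for the demo."""
    root = Path(tempfile.mkdtemp(prefix="vicidial-audit-"))
    (root / "agc").mkdir()
    (root / "agc" / "index.php").write_text("<?php // placeholder\n")
    (root / "agc" / "sample_notes.txt").write_text("constructed sample\n")
    (root / "vtiger").mkdir()
    (root / "vtiger" / "index.php").write_text("<?php // placeholder\n")
    (root / "README.txt").write_text("constructed sample\n")
    return root


if __name__ == "__main__":
    sample_root = build_sample_webroot()
    try:
        report = audit(sample_root, ["10.0.0.0/8", "203.0.113.7"])  # constructed trusted ranges
        print("txt files to delete:", report["txt_files"])
        print("optional components to remove or restrict:", report["optional_components"])
        print(report["apache_rules"])
    finally:
        shutil.rmtree(sample_root)
```

The rendered snippet uses the Apache 2.4 `Require` syntax; Apache 2.2 installations need the older `Order`/`Allow from` directives instead. The script covers only the file-system and access-control items; installing Fail2ban and rotating every password remain manual steps.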
Quote from an automated hacker tool:
The file agc/manager_send.php in the VICIdial web application uses unsanitized user input as part of a command that is executed using the PHP passthru() function.
A valid username, password and session are needed to access the injection point, fortunately Vicidial has two built-in accounts with default passwords and the manager_send.php file has a SQL injection vulnerability that can be used to bypass the session check as long as at least one session has been created at some point in time.
In case there isn’t any valid session, the user can provide astGUIclient credentials in order to create one.
The results of the injected command are returned as part of the response from the web server.
Affected versions include 2.7RC1, 2.7, and 2.8-403a. Other versions are likely affected as well.
The default credentials used by Vicidial are VDCL and VDAD.
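The quote above names the injection point (`agc/manager_send.php`), the kind of input that reaches `passthru()` and the two default accounts. As an added example (not from the page's author, the tool quoted, or the Vicidial project), the following Python script scans Apache access-log lines for requests that combine those indicators, and also flags the checklist items above (`.txt` reads, phpMyAdmin/vtiger probes). The log lines and the query-parameter names are constructed; the patterns are generic and will produce false positives on legitimate traffic that happens to contain those words.

```python
"""Scan Apache access logs for the indicators described above (added example).

Flags requests to the named injection point whose query string carries
SQL-injection markers, shell metacharacters or a default account name, plus
.txt fetches and probes of optional components from the hardening checklist.
"""
import re
from collections import Counter
from urllib.parse import unquote_plus, urlsplit

# Apache combined log format; only the fields used below are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)

KNOWN_INJECTION_POINTS = ("/agc/manager_send.php",)   # from the quoted advisory
DEFAULT_ACCOUNTS = ("VDCL", "VDAD")                     # from the quoted advisory
OPTIONAL_PATHS = ("/phpmyadmin", "/vtiger")            # from the checklist (assumed URL paths)
SQLI_RE = re.compile(r"('|--|\bunion\b|\bselect\b|\bor\b\s+\S+\s*=)", re.IGNORECASE)
SHELL_META_RE = re.compile(r"[;|`]|\$\(")              # characters that matter to a shell


def parse_line(line):
    """Return a dict with ip, path, decoded query and status, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    return {
        "ip": m.group("ip"),
        "path": parts.path,
        "query": unquote_plus(parts.query),  # decode before matching so %27 etc. are seen
        "status": int(m.group("status")),
        "target": m.group("target"),
    }


def classify(entry):
    """Return the list of reasons a parsed request looks suspicious (empty if benign)."""
    reasons = []
    path, query = entry["path"], entry["query"]
    if SQLI_RE.search(query):
        reasons.append("sql-injection markers in query string")
    if SHELL_META_RE.search(query):
        reasons.append("shell metacharacters in query string")
    for acct in DEFAULT_ACCOUNTS:
        if re.search(rf"\b{acct}\b", query):
            reasons.append(f"default account {acct} referenced")
    if path.lower().endswith(".txt"):
        reasons.append(".txt file fetched from web root")
    if any(path.lower().startswith(p) for p in OPTIONAL_PATHS):
        reasons.append("optional component (vtiger/phpMyAdmin) probed")
    # Ordinary agent traffic hits the injection point too, so the path alone is
    # not a finding; it is reported only alongside another indicator.
    if path in KNOWN_INJECTION_POINTS and reasons:
        reasons.insert(0, "request to known injection point")
    return reasons


def scan(lines):
    """Scan log lines and return one finding per suspicious request, in log order."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = classify(entry)
        if reasons:
            findings.append({"ip": entry["ip"], "target": entry["target"], "reasons": reasons})
    return findings


def count_by_ip(findings):
    """Return a plain dict of client IP -> number of suspicious requests."""
    return dict(Counter(f["ip"] for f in findings))


# Constructed sample log (documentation IP ranges; parameter names a/b are placeholders).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2013:13:55:36 +0000] "GET /agc/index.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2013:13:55:40 +0000] "GET /agc/manager_send.php?a=hello&b=world HTTP/1.1" 200 88 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2013:14:02:01 +0000] "GET /agc/manager_send.php?a=x%27%20OR%201%3D1--&b=VDCL HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2013:14:02:03 +0000] "GET /agc/manager_send.php?a=x%3Becho%20test HTTP/1.1" 200 64 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2013:14:10:11 +0000] "GET /phpmyadmin/index.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2013:14:10:12 +0000] "GET /agc/sample_notes.txt HTTP/1.1" 200 301 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    results = scan(SAMPLE_LOG.splitlines())
    for f in results:
        print(f["ip"], f["target"], "->", "; ".join(f["reasons"]))
    print("suspicious requests per IP:", count_by_ip(results))
```

The two requests that carry no indicators (the agent page and a clean call to `manager_send.php`) are left alone, which is the point of requiring a second indicator before reporting the injection point. In production, feed the script your live access log, and treat any IP with a non-zero count as a candidate for the Fail2ban jail and the IP restrictions from the checklist.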
Article referenced from the official Vicidial support team: http://support.vicidial.de/mobile.php?page=hacked&subp=&show=&lang=en
Our free support is online and ready to help from 9am to 5pm EST; contact us via chat support on www.switch2voip.us #vicidialhelp