The thankuohoh hack generates a high volume of outgoing calls on an Elastix switch, which can cause high line-billing costs.
The hack takes advantage of a vulnerability in the Elastix A2billing package (it affects Elastix 2.x and old FreePBX versions). A review of the call reports shows something similar to the image:
1/ This hack can be detected by reviewing the file /etc/asterisk/extensions_custom.conf and looking for the following lines:
[thanku-outcall]; thankuohoh
exten => _.,1,Macro(user-callerid,LIMIT,EXTERNAL,); thankuohoh
exten => _.,n,Set(MOHCLASS=${IF($["${MOHCLASS}"=""]?default:${MOHCLASS})}); thankuohoh
exten => _.,n,Set(_NODEST=); thankuohoh
exten => _.,n,Macro(dialout-trunk,2,${EXTEN},,on); thankuohoh
exten => _.,n,Macro(dialout-trunk,3,${EXTEN},,on); thankuohoh
exten => _.,n,Macro(dialout-trunk,4,${EXTEN},,on); thankuohoh
exten => _.,n,Macro(dialout-trunk,5,${EXTEN},,on); thankuohoh
exten => _.,n,Macro(dialout-trunk,6,${EXTEN},,on); thankuohoh
exten => _.,n,Macro(dialout-trunk,7,${EXTEN},,on); thankuohoh
exten => _.,n,Macro(dialout-trunk,8,${EXTEN},,on); thankuohoh
exten => _.,n,Macro(dialout-trunk,9,${EXTEN},,on); thankuohoh
exten => _.,n,Macro(outisbusy,); thankuohoh
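The check from step 1 can be scripted. The following is an added example, not part of the original guide: a shell function that scans a dialplan file for the context name and marker comment shown above, and goes slightly further by also flagging any catch-all `_.` extension that calls Macro(dialout-trunk,...), in case the marker was renamed. The function names, the sample file contents and the [outbound-test] context are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original guide. Prints "LINE [context] reasons"
# for each suspicious dialplan line; exit status 1 means something was found.
scan_dialplan() {
    awk '
    {
        why = ""
        # Track the current [context] name.
        if ($0 ~ /^[ \t]*\[/) {
            ctx = $0
            sub(/^[ \t]*\[/, "", ctx)
            sub(/\].*/, "", ctx)
            if (ctx == "thanku-outcall") why = why " context-name"
        }
        # Injected lines end with a "; thankuohoh" comment.
        if ($0 ~ /;[ \t]*thankuohoh/) why = why " marker-comment"
        # Generalisation: a catch-all "_." extension that dials out on a trunk.
        if ($0 ~ /^[ \t]*exten[ \t]*=>[ \t]*_\.,/ && $0 ~ /Macro\(dialout-trunk,/)
            why = why " catchall-dialout"
        if (why != "") { printf "%d [%s]%s\n", NR, ctx, why; hits++ }
    }
    END { exit (hits > 0) }
    ' "$1"
}

# Constructed sample: lines from step 1 plus a hypothetical renamed copy.
write_sample() {
    cat > "$1" <<'EOF'
[from-internal-custom]
exten => 1234,1,Playback(demo-congrats)
[thanku-outcall]; thankuohoh
exten => _.,1,Macro(user-callerid,LIMIT,EXTERNAL,); thankuohoh
exten => _.,n,Macro(dialout-trunk,2,${EXTEN},,on); thankuohoh
[outbound-test]
exten => _.,1,Macro(dialout-trunk,2,${EXTEN},,on)
EOF
}

sample=$(mktemp)
write_sample "$sample"
scan_dialplan "$sample" || echo "findings listed above; review before reloading the dialplan"
rm -f "$sample"
```

Run it against /etc/asterisk/extensions_custom.conf; a hit on the catch-all rule alone is a prompt to review that context, not proof of compromise.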
-Once the malicious code has been removed, it is recommended to add a security layer to the portal's web access, as follows:
2/ Configure Apache in Elastix to request a user and password when accessing the web portal
The following shows how to configure Apache in Elastix to request a user and password every time someone tries to enter the web portal.
This is convenient on an Elastix switch since it adds an extra layer of security and keeps the portal from being scanned or indexed by anyone who could then take advantage of a vulnerability in the HTML code.
-To begin with the configuration, enter the console of the server and type the following:
vi /etc/pam.d/su
-Once we are in the file, we uncomment the line “auth required pam_wheel.so use_uid” and save on exit, as it appears in the image:
– We create the user that will be used to validate access to the web page. For this step we create a user in the wheel group named “adminportal”. In the console type the following:
adduser -G wheel -m -s /bin/bash adminportal
-We configure the password:
passwd adminportal
-We execute the following command line to edit the file:
vi /etc/httpd/conf.d/elastix.conf
-We locate the line “RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}” and we add the following code:
AuthType Basic
AuthName "Acceso restringido"
AuthUserFile /usr/local/apache/wwwpasswd
Require user elastix adminportal
-The file should look as shown in the following image; save it:
– We add the user to Apache authentication and set their password by executing the following lines:
mkdir /usr/local/apache
htpasswd -c /usr/local/apache/wwwpasswd adminportal
– Finally, we restart the Apache service so that the changes are applied:
service httpd restart
-With this, we can now try to enter the Elastix portal, and it will ask for the password only when entering the site.
3/ Moving/Deleting A2billing and VtigerCrm in /var/www/html
For more information, you can access the following link:
http://bugs.elastix.org/view.php?id=2169
I hope this guide is useful to you. (Source from Internet of miguelmuzquiz)