Archive for the 'Blog' Category

A Tale of Two Services

Yesterday afternoon, my girlfriend discovered a particularly large volume of voicemails on her phone, after having cleaned out her mailbox just 36 hours prior.  She listened to several blank voicemails, as well as one from someone who wanted us to return their call…

I began investigating by looking into the metadata for the voicemails which were left; all were from unusual phone numbers outside of our area code.  My next trip was to the CDRs and my provider’s call history.  These sources showed that more than 1000 call attempts had been placed through our phone system to various communities around the country.  Two patterns emerged while looking at the details of the calls:

  • The calls were being generated in a non-sequential pattern; clearly an unscrupulous telemarketer was war-dialing to South Carolina, Michigan, and Virginia.
  • All of the outbound calls were originating with my girlfriend’s CallerID.

So, I knew what was going on, but I had yet to determine how this incident occurred.  Further digging revealed that the Linksys ATA being used internally was lagging significantly and intermittently.  It was a moment of epiphany; I understood where the problem was, and I could take action to address it.

Several years ago, I installed an Asterisk server to provide home phone service with a company that provided an IAX trunk.  At the time, we were using only softphones to make and receive calls.  Over time, I upgraded to a Cisco 7940 for myself and an analog cordless phone on a Linksys ATA for my girlfriend.  At the time I installed the ATA, I had not applied much security to the SIP peer registration, as the network was firewalled from the Internet.

Fast forward to 5 months ago…  I obtained a business phone service through a major provider using SIP.  Due to their configuration, I was required to open the SIP and RTP ports to the general Internet and forward them to my Asterisk server.

Now, we return to the present time.  Several days ago, this telemarketer scanned my router, found open SIP ports, and began a brute-force attack against my Asterisk server.  The telemarketer scanned every possible 3 and 4 digit peer name, found the Linksys ATA’s peer name, and quickly brute-forced its password.  With this information, the telemarketer was able to register as that peer and make outbound calls according to the dialplan configured for my girlfriend.  My Cisco’s peer was not impersonated, and it would not have been a likely vehicle for outbound calling anyway, due to the unique dialplan I am using for it.

With the understanding of what had happened, I could work to correct and block the means by which this telemarketer was using my phone system and service:

  1. I unloaded chan_iax.so to remove the possibility of additional phone calls being made.
  2. I then enabled a moderate amount of security, particularly a random password for each of my SIP devices.
  3. Next, I modified my firewall configuration to drop, at my router, all packets from the IP address from which the attack came.
  4. I then re-enabled the IAX phone service by reloading the chan_iax.so module.

After the initial security containment, I turned my focus to handling the inbound phone calls being returned based upon the messages left with the various victims around the country.  I recorded an announcement indicating what had happened and that the compromise was taken care of.  Finally, I crafted the dialplan to play this announcement to every caller not from a local phone number.
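The hardening from steps 2 and 3 and the announcement dialplan from the paragraph above, written out as an added example; this is not the author’s own configuration. The peer names, secrets, context names, the LAN range 192.168.1.0/24, the area code 555 and the sound file name compromise-notice are all placeholders I chose. The options themselves (alwaysauthreject, allowguest, deny/permit, call-limit, the CALLERID function and GotoIf labels) are standard chan_sip and dialplan settings in Asterisk 1.x.

```ini
; ===== sip.conf =====

; Weak peer of the kind described in the post: a short numeric name that a
; 3/4-digit scan will hit, a guessable secret, and a context that can reach
; the trunk.  Shown commented out; do not use.
;[101]
;type=friend
;host=dynamic
;secret=101
;context=ata-outbound

[general]
allowguest=no          ; reject unauthenticated calls outright
alwaysauthreject=yes   ; answer unknown peers and wrong passwords identically,
                       ; so a scan cannot tell which peer names exist

[ata-phone]            ; non-numeric name: not in the 3/4-digit search space
type=friend
host=dynamic
secret=Xk9vQ2pLm7RtWz4   ; placeholder; use a long random secret, unique per device
context=ata-outbound
deny=0.0.0.0/0.0.0.0   ; registration only from the LAN, even though the
permit=192.168.1.0/255.255.255.0   ; SIP port is forwarded from the Internet
call-limit=2           ; bounds how many calls one credential can place at once

; ===== extensions.conf =====

; Inbound trunk peer is pointed at this context (context=inbound-announce).
; Callers returning the spoofed calls come from outside the local area code;
; they hear the recorded explanation, while local callers ring the ATA.
[inbound-announce]
exten => s,1,NoOp(Inbound call from ${CALLERID(num)})
exten => s,n,GotoIf($["${CALLERID(num):0:3}" = "555"]?local)   ; 555 = placeholder area code
exten => s,n,Answer()
exten => s,n,Playback(compromise-notice)   ; placeholder name for the recorded announcement
exten => s,n,Hangup()
exten => s,n(local),Dial(SIP/ata-phone,20)
exten => s,n,Voicemail(ata-phone@default,u)
exten => s,n,Hangup()
```

The firewall drop from step 3 lives in the router rather than Asterisk, so it is not shown. The deny/permit pair is what actually closes the hole the post describes: even if a secret is guessed, a registration arriving from the forwarded Internet-facing port is refused for this peer, and alwaysauthreject removes the response difference that let the scan confirm which peer names existed before the password guessing began.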

Overall, this breach was not as extensive as it could have been, but it does illustrate that security must be vigilantly monitored and maintained.  My complacency in the security of my network ultimately led to this incident.  Fortunately, it does not seem to have led to any major financial loss to any party, including myself.

Lack of Entries

I am rather disappointed that the last few months show no entries. I have not written a great deal, but there was a point where my web host lost the entire server, and my most recent backup of the database did not include those couple of entries.

Regressing to a Previous State

A few weeks ago, my website was down for a couple of days. Unbeknownst to me, the hard drive in the server on which I was hosted went bad. To give my hosting provider credit, my service was back within 24 hours. However, the website was lost; no backups were available to be loaded. Fortunately, I had an almost complete backup of my posts, except for a few of my latest posts. So, I will try to get back into the swing of things. First on the list is to update my blogging software to the latest version.

Updates Complete

I have finally tweaked everything into the exact places I want everything. A quick change to the sidebar template fixed the links, allowing them to be broken down by category. I also changed the order of the items in the sidebar; I wanted the calendar near the top and the design to not be so top-heavy.

The calendar was also a relatively simple, yet obscure fix. In order to allow the calendar to be centered, I needed to add a text-align: center; attribute to the stylesheet. What I didn’t realize is that the attribute needed to be added for the <table>, <th>, and <td> tags. Once this change was in place, the calendar behaved properly.

Thanks to all who have made compliments about my site. I really like the change, and I was hoping at least a few readers would, too.

Updates Mostly Completed

Over the last couple of days, I have worked a great deal on the issues with my modifications to the Connections theme, which I mentioned before and have had displayed on the site since I began work on them.

The header image is a photo taken by a friend of mine, Sarah. She has the full versions of this and many other great nature photos at her Deviant Art profile.

I would like feedback as to the colors and the layout. I think it flows pretty well, but the sidebar might need to be adjusted. Feel free to leave comments or send email if you find it difficult to read.

If anyone knows why the CSS for this theme will not center the calendar, please send me a tip or hint.

New Theme

In addition to the change in the layout of my site, I got bored with the default look of the website, so I went searching for new themes. I found this theme on the WordPress Theme Competition Blog on Alex King’s website. I enjoy the look a great deal, but there are a few tweaks that I am working on. As soon as they are done, they will be uploaded and made permanent.

Complete Site Redesign

I was sick of seeing the front page look miserably out of date, and I obviously have issues manually updating my site. Therefore, I have decided to condense “Adventures in Linux” and “Antics” into a single blog and place all static content into WordPress to allow easier management of the whole site.

A New Look and Feel

As all three of you reading my blog can tell, I have upgraded to the newest version of WordPress, version 1.5. It has a new template and some new features, including integrated comment spam filtering. Let’s hope this new system keeps the spam in check.

Back in Business

Well, I have been away for quite a while. I just got my domain turned back on, since I got my Christmas check from work. It’s good to be back, and I really hope to be able to blog more often.

More Blog Spam

I know I haven’t been very good at keeping up here, but life has been quite hectic. However, I have noticed a great deal of comment spam, so until further notice, I will be turning on moderation of all comments.