I think I've been hacked

One of my VOIP providers noticed that I had some suspicious behavior, so I started looking.
My PBX had 4 firewall entries accepting all activity from 4 Amazon IPs. I banned them.

I then looked at my OpenWRT router. I'm running 18.06.2, r7676-cddd7b4c77 on a Netgear Nighthawk R7800.

If I look at my firewall settings and port forwards, I have a number of settings directing certain ports to my PBX.

On the OpenWRT router, running the command iptables -nL shows accept all for everything (0.0.0.0/0), and the firewall rules don't show up at all.

Am I missing something, or is my system compromised?

Andrew

1 Like

I'd advise installing from scratch, to be sure!

And keep upgrading to the latest OpenWrt version.

2 Likes

Once you reinstall, you should consider installing and using banIP. There are a number of lists that will block a lot of the malicious hosts out there. It's not a catch-all, but it would probably boost your security somewhat.

Did you originally open any ports on your firewall? I'm curious as to how this could have happened as such a hack would imply total compromise of your router in some way. The ability to insert firewall rules requires root shell access.

Although you've been running an outdated OpenWrt version with known security issues, it's rather doubtful that the OpenWrt router was the initial attack vector for your compromise; your port-forwards (and the systems behind those ports) pose a much higher attack surface (maybe the router was then taken over from the inside). So starting fresh on all systems, with up-to-date software and very careful consideration of which services need to be allowed to the outside, is the prime concern.

2 Likes
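An added example, not from any of the posters above, that covers the check the original question and the last two replies circle around. Two points apply to an OpenWrt 18.06 router running fw3: `iptables -nL` lists only the filter table, so port forwards (DNAT rules in the nat table) never appear there, and fw3 tags every rule it generates with a `!fw3` comment (`!fw3` or `!fw3: <rule name>`). A rule that ACCEPTs or DNATs traffic without that comment was not produced from /etc/config/firewall; it came from /etc/firewall.user, a custom script, or someone with a root shell, which is the only way to insert rules. The script below reads `iptables-save` output (easier to parse than `-nL`, and it covers all tables) and lists such rules. The sample dump, the interface name eth0.2 and the 192.168.1.10 PBX address are constructed for the example.

```shell
#!/bin/sh
# Audit an fw3-managed OpenWrt firewall for ACCEPT/DNAT rules that fw3 did
# not generate. Added example; not from the OpenWrt project or this thread.
# On the router: iptables-save | audit_unmanaged_rules

# Print every rule (-A line) that jumps to ACCEPT or DNAT and lacks the
# "!fw3" comment fw3 attaches to rules built from /etc/config/firewall.
audit_unmanaged_rules() {
    awk '/^-A / && /-j (ACCEPT|DNAT)( |$)/ && !/!fw3/ { print }'
}

# Same filter, but print only the number of matching rules.
count_unmanaged_rules() {
    audit_unmanaged_rules | awk 'END { print NR }'
}

# Constructed iptables-save excerpt (assumed wan interface eth0.2, PBX at
# 192.168.1.10). Two rules were hand-inserted and carry no "!fw3" comment:
# a DNAT of tcp/2222 to the PBX and an ACCEPT of tcp/22 on the wan zone.
SAMPLE_SAVE=$(cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:zone_wan_prerouting - [0:0]
-A PREROUTING -m comment --comment "!fw3" -j prerouting_rule
-A PREROUTING -i eth0.2 -m comment --comment "!fw3" -j zone_wan_prerouting
-A zone_wan_prerouting -p udp -m udp --dport 5060 -m comment --comment "!fw3: SIP" -j DNAT --to-destination 192.168.1.10:5060
-A zone_wan_prerouting -p tcp -m tcp --dport 2222 -j DNAT --to-destination 192.168.1.10:22
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:zone_wan_input - [0:0]
-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_wan_input
-A zone_wan_input -p tcp -m tcp --dport 22 -j ACCEPT
-A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
COMMIT
EOF
)

# Run against the constructed dump when executed directly.
printf '%s\n' "$SAMPLE_SAVE" | audit_unmanaged_rules
```

The first two ACCEPT lines in the sample are what the original `iptables -nL` output showed as "ACCEPT all 0.0.0.0/0 0.0.0.0/0": the loopback and established-connection rules, both fw3's own. A hit from this script is not proof of compromise, only a rule nobody configured through /etc/config/firewall; each one needs an owner, and if none is found, the reinstall advice above applies.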

As closure, I wasn't hacked. I was in a panic over the IPs in my PBX being wide open. It turns out they are from a 'trusted provider' of the PBX software, and while I wasn't using them, there were SIP trunks set up to 'automagically' appear if enabled.

If nothing else, this caused me to update my router and software; while I would likely (never) have done it, I would have preferred to not start the project at 1AM - tired and in a panic are a bad combination.

Andrew

2 Likes
