Flashphoner vulnerability issues?

Discussion in 'Web Call Server 5' started by Lee, Feb 12, 2020.

  1. Lee

    Lee New Member

    Hello:

    My Flashphoner server was hacked yesterday. This server has only Flashphoner and Java installed. It's a dedicated server only for this purpose.
    Somehow, today a bitcoin mining malware appeared on it. I would like to know if you have some security best practices to apply.
    Of course they deleted all logs from the server, but all data was intact.
    How did they access the server, since I don't have any website (port 80) on it or any other service?
    Can the Demo page access the root server?
    My configuration: CentOS 7 with Java 1.8 with all patches installed.

    Thanks
  2. Max

    Max Administrator Staff Member

    Good day.
    They probably scanned all system ports. If you have disabled the firewall, it can be a problem.
    No, WCS just throws an exception to the server logs if it cannot recognize a received packet. All the media ports are just inactive until a websocket session to 8443 is established. So WCS can be DDoSed at worst, but cannot be penetrated.

    To secure WCS server, you should do the following:
    1. Change default password for WCS web interface admin user to stronger password
    2. If you do not use example applications such as Player by direct links https://wcs:8444/client2/examples/demo/streaming/player/player.html, disable the demo user via CLI
    Code:
    update user -a false demo
    or by database.yml file editing (requires restart)
    Code:
      demo: {username: demo, password: fe01ce2a7fbac8fafaed7c982a04e229, active: false}
    
    3. Enable and set up firewalld with a typical WCS ports range
    Code:
    yum -y install firewalld
    systemctl start firewalld
    firewall-cmd --permanent --zone=public --add-port=8888/tcp
    firewall-cmd --permanent --zone=public --add-port=8443/tcp
    firewall-cmd --permanent --zone=public --add-port=1935/tcp
    firewall-cmd --permanent --zone=public --add-port=1935/udp
    firewall-cmd --permanent --zone=public --add-port=554/tcp
    firewall-cmd --permanent --zone=public --add-port=8080/tcp
    firewall-cmd --permanent --zone=public --add-port=8081/tcp
    firewall-cmd --permanent --zone=public --add-port=8084/tcp
    firewall-cmd --permanent --zone=public --add-port=8082/tcp
    firewall-cmd --permanent --zone=public --add-port=8445/tcp
    firewall-cmd --permanent --zone=public --add-port=8444/tcp
    firewall-cmd --permanent --zone=public --add-port=34001-35000/tcp
    firewall-cmd --permanent --zone=public --add-port=30000-33000/udp
    firewall-cmd --permanent --zone=public --add-port=30000-33000/tcp
    firewall-cmd --reload
    
    or set up iptables
    Code:
    #!/bin/bash
    #
    export IPT="iptables"
    
    # External server interface
    export WAN=eth0
    
    # Clean all the chains
    $IPT -F
    $IPT -F -t nat
    $IPT -F -t mangle
    $IPT -X
    $IPT -t nat -X
    $IPT -t mangle -X
    
    # Set default policies
    $IPT -P INPUT ACCEPT
    $IPT -P OUTPUT ACCEPT
    $IPT -P FORWARD ACCEPT
    
    # Allow local loopback traffic
    $IPT -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
    $IPT -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
    
    # Allow outgoing connections
    $IPT -A OUTPUT -o $WAN -j ACCEPT
    
    # Set up established connections rules
    $IPT -A INPUT -p all -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -p all -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -p all -m state --state ESTABLISHED,RELATED -j ACCEPT
    
    # Drop invalid packets
    $IPT -A INPUT -m state --state INVALID -j DROP
    $IPT -A FORWARD -m state --state INVALID -j DROP
    
    $IPT -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
    $IPT -A OUTPUT -p tcp ! --syn -m state --state NEW -j DROP
    
    # Allow ping
    $IPT -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
    $IPT -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
    $IPT -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
    $IPT -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    
    # SSH
    $IPT -A INPUT -p tcp --dport 22 -j ACCEPT
    # DNS
    #$IPT -A INPUT -i $WAN -p udp --dport 53 -j ACCEPT
    # NTP
    #$IPT -A INPUT -i $WAN -p udp --dport 123 -j ACCEPT
    
    # WCS specific ports
    $IPT -A INPUT -p tcp --dport 8888 -j ACCEPT
    $IPT -A INPUT -p tcp --dport 8443 -j ACCEPT
    $IPT -A INPUT -p tcp --dport 1935 -j ACCEPT
    $IPT -A INPUT -p udp --dport 1935 -j ACCEPT
    $IPT -A INPUT -p tcp --dport 554 -j ACCEPT
    $IPT -A INPUT -p tcp --dport 8080 -j ACCEPT
    $IPT -A INPUT -p tcp --dport 8081 -j ACCEPT
    $IPT -A INPUT -p tcp --dport 8084 -j ACCEPT
    $IPT -A INPUT -p tcp --dport 8082 -j ACCEPT
    $IPT -A INPUT -p tcp --dport 8445 -j ACCEPT
    $IPT -A INPUT -p tcp --dport 8444 -j ACCEPT
    $IPT -A INPUT -p tcp --dport 34001:35000 -j ACCEPT
    $IPT -A INPUT -p udp --dport 30000:33000 -j ACCEPT
    $IPT -A INPUT -p tcp --dport 30000:33000 -j ACCEPT
    
    $IPT -A INPUT -j DROP
    $IPT -A FORWARD -j DROP
    
    # Save the rules to file
    /sbin/iptables-save  > /etc/sysconfig/iptables
    

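As an added example (not part of the thread and not Flashphoner's own tooling), here is a small Python audit script that turns the WCS port list from Max's firewalld rules into an allowlist, reports any listening socket that falls outside it, and checks whether the demo user in database.yml is still active. The `ss -lntu` output and the database.yml fragment embedded below are constructed samples; on a real host you would pass it the live `ss -lntu` output and the real database.yml instead.

```python
import re

# Port allowlist taken from the firewalld rules in the post above, as
# (protocol, low, high) inclusive ranges. SSH (22) is included because the
# iptables script above allows it. Anything else is reported as unexpected.
WCS_ALLOWED = [
    ("tcp", 8888, 8888), ("tcp", 8443, 8443), ("tcp", 1935, 1935), ("udp", 1935, 1935),
    ("tcp", 554, 554), ("tcp", 8080, 8080), ("tcp", 8081, 8081), ("tcp", 8084, 8084),
    ("tcp", 8082, 8082), ("tcp", 8445, 8445), ("tcp", 8444, 8444),
    ("tcp", 34001, 35000), ("udp", 30000, 33000), ("tcp", 30000, 33000),
    ("tcp", 22, 22),
]

# Constructed sample of `ss -lntu` output (not captured from a real server).
# Port 4444/tcp and 123/udp are the deliberately "unexpected" entries;
# 25/tcp is bound to loopback only and therefore not network-reachable.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      100    0.0.0.0:8443       0.0.0.0:*
tcp   LISTEN 0      100    0.0.0.0:8444       0.0.0.0:*
tcp   LISTEN 0      100    0.0.0.0:1935       0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:25       0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:4444       0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:123        0.0.0.0:*
tcp   LISTEN 0      128    [::]:8888          [::]:*
"""

# Constructed database.yml fragment in the format shown in the post above.
# The admin password hash is a placeholder, not a real value.
SAMPLE_DATABASE_YML = """\
users:
  admin: {username: admin, password: PLACEHOLDER_HASH, active: true}
  demo: {username: demo, password: fe01ce2a7fbac8fafaed7c982a04e229, active: true}
"""


def port_allowed(proto, port, allowlist=WCS_ALLOWED):
    """True if (proto, port) falls inside one of the allowlisted ranges."""
    return any(p == proto and lo <= port <= hi for p, lo, hi in allowlist)


def parse_ss(output):
    """Return (proto, bind_address, port) for each socket line of `ss -lntu`."""
    sockets = []
    for line in output.splitlines()[1:]:  # skip the header row
        parts = line.split()
        if len(parts) < 5:
            continue
        proto, local = parts[0], parts[4]
        addr, _, port = local.rpartition(":")  # rpartition copes with IPv6 "[::]:8888"
        sockets.append((proto, addr.strip("[]"), int(port)))
    return sockets


def unexpected_listeners(output, allowlist=WCS_ALLOWED):
    """Network-reachable sockets that the firewall policy never intended to expose."""
    findings = []
    for proto, addr, port in parse_ss(output):
        if addr in ("127.0.0.1", "::1"):
            continue  # loopback-only services are not reachable from outside
        if not port_allowed(proto, port, allowlist):
            findings.append((proto, addr, port))
    return findings


def active_demo_user(yml_text):
    """True if the demo user entry in database.yml still has active: true."""
    m = re.search(r"^\s*demo:\s*\{[^}]*\bactive:\s*(true|false)", yml_text, re.M)
    return bool(m) and m.group(1) == "true"


if __name__ == "__main__":
    for finding in unexpected_listeners(SAMPLE_SS_OUTPUT):
        print("unexpected listener:", finding)
    if active_demo_user(SAMPLE_DATABASE_YML):
        print("demo user is still active; disable it with: update user -a false demo")
```

Running this against the sample flags 4444/tcp and 123/udp as listeners outside the WCS allowlist and reports the demo user as still active. Loopback-bound sockets are skipped on purpose: the point of the check is what a port scan from outside can reach, which is exactly the exposure the firewall rules above are meant to limit.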