3CX hacked - Fax Extension 88

Discussion in '3CX Phone System - General' started by Andy Schmidt, Sep 29, 2010.

Thread Status:
Not open for further replies.
  1. Andy Schmidt

    Andy Schmidt New Member

    Apr 3, 2008

    Wow, it's been two years since I had to work on 3CX - so the version is outdated: 5.1.4510.0. But, we all have "real" jobs to do, so why fix something that's not broken, right?

    Well - it broke:
    Starting Saturday, people have been hacking into 3CX to make overseas phone calls using our POTS lines. Our phone company alerted us and turned off international service. I quickly checked the log Saturday night and saw that the calls came from an extension "88" that shows up nowhere on the extension status screens.
    Eventually, I called our 3CX system from home, asked for that mysterious extension 88 - and got a FAX tone!?

    With that clue, I found "88" defined in the "fax" section of the general settings (wow, talk about hiding things well). I disabled the 3CX fax service in Windows and figured that would take care of it (we don't have any fax lines or fax service through 3CX anyway). Yesterday, we re-enabled international outcalling at the phone company and last night, the problem started AGAIN, although the fax service is disabled. When I now try to transfer to extension 88, the transfer will fail.

    I've since observed one of these calls and it shows up on one of our outgoing POTS lines as being connected to extension 88.
    So - with the fax service being disabled, how do they STILL manage to use extension 88 to place outbound calls - and how do they get IN in the FIRST place? How do I "kill" that unused extension 88 FOR GOOD? And what's the attack vector here?

    I'm attaching a few log snippets in hope that this will shed some light. What stands out is:

    - the IP addresses that show in the logs are and .5 - but our network does NOT use the 192.168.1.x internal address space and our border router will not accept packets from that address range. Besides - it's non-routable. I have tried to use ARP and NETSTAT to see what Ethernet ID those IP addresses are - but I've yet to ever see any sockets to/from 192.168.1.x?

    - the log file has lines such as:
    13:58:03.063|.\VExtMgr.cpp(75)|Log2|DataBase|FaxCfg::updateContact:[CM504008]: Fax Service: registered as sip:88@ with contact sip:88@
    13:58:03.125|.\VExtMgr.cpp(75)|Log2|DataBase|FaxCfg::updateContact:[CM504008]: Fax Service: registered as sip:88@ with contact sip:88@
    Why is the fax service still active and logging entries - and how can anyone change the "contact" ?

    My immediate concern is - how do I get the unneeded Fax support turned off COMPLETELY and disable extension 88 ABSOLUTELY?

    Best Regards,

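A check over log lines of the shape quoted in the post above, added here as an example and not part of the original thread or of 3CX's own tooling: it flags fax-service registrations whose contact address is missing or lies outside the site's own networks. The sample lines, the `10.20.0.0/16` site range and all function names are constructed assumptions.

```python
import ipaddress
import re

# Message shape taken from the two log lines quoted in the post.
REG_RE = re.compile(
    r"registered as sip:(?P<ext>[^@\s]+)@\S*"
    r" with contact sip:[^@\s]+@(?P<contact>[^\s<;>]*)"
)

def parse_registration(line):
    """Split 'time|source|level|category|message' and pull out the contact."""
    parts = line.rstrip().split("|", 4)
    if len(parts) != 5:
        return None
    m = REG_RE.search(parts[4])
    if m is None:
        return None
    return {"time": parts[0], "ext": m.group("ext"), "contact": m.group("contact")}

def contact_ip(contact):
    """IP address of a 'host[:port]' contact, or None if absent or not an IPv4 literal."""
    try:
        return ipaddress.ip_address(contact.split(":", 1)[0])
    except ValueError:
        return None

def unexpected_registrations(lines, site_networks):
    """Registrations whose contact is missing or outside the site's own networks."""
    nets = [ipaddress.ip_network(n) for n in site_networks]
    findings = []
    for line in lines:
        reg = parse_registration(line)
        if reg is None:
            continue
        ip = contact_ip(reg["contact"])
        if ip is None or not any(ip in net for net in nets):
            findings.append((reg["time"], reg["ext"], reg["contact"] or "<missing>"))
    return findings

# Constructed sample lines (hosts, times and the 10.20.0.0/16 range are made up).
PREFIX = r"|.\VExtMgr.cpp(75)|Log2|DataBase|FaxCfg::updateContact:[CM504008]: Fax Service: "
SAMPLE = [
    "13:58:03.063" + PREFIX + "registered as sip:88@10.20.0.1:5060 with contact sip:88@10.20.0.1:5060",
    "02:14:41.500" + PREFIX + "registered as sip:88@10.20.0.1:5060 with contact sip:88@192.168.1.5:5060",
    "02:14:41.562" + PREFIX + "registered as sip:88@ with contact sip:88@<br>",
    "02:15:00.000|not a registration line",
]

if __name__ == "__main__":
    for finding in unexpected_registrations(SAMPLE, ["10.20.0.0/16"]):
        print(finding)
```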
  2. abc123

    abc123 Active Member

    Nov 9, 2009
    There has been a spate of hacks lately and 3cx were very quick off the mark to provide a security fix.

    V9 has anti hacking in it and V9 SP2 has secure passwords in it (not the old default of the extn #).

    I would recommend upgrading immediately. If you cannot (no upgrade insurance) then go through and change the default passwords of all extensions including the fax (under fax settings).
  3. mfm

    mfm Active Member

    Mar 4, 2010

    SIP servers worldwide are under attack; you are one of the unlucky ones that got hacked. ABC has pointed you in the right direction, but I would like to add a document that you should read through:

    It's not new, but a lot of users have missed it.

    V9 has added anti-hacking features to avoid users brute-force attacking your passwords.