3cx Hacked ?

Discussion in '3CX Phone System - General' started by pstmg, Mar 6, 2014.

Thread Status:
Not open for further replies.
  1. pstmg

    Joined:
    Dec 9, 2012
    Messages:
    49
    Likes Received:
    0
    Hello all

    I've a 3CX server with some remote extensions. This server works under a fiber optic connection with fixed IP and correct port forwarding. These remote extensions are all outside the server LAN. All work ok: they can call each other and place calls to PSTN. There is one remote extension that connects to the 3CX server with a D-Link DVA-G3170i and from time to time the phone rings randomly. Today I saw the router logs and saw that someone is trying to hack the system and place long distance calls to a country called Sudan, due to the 00 972 prefix.
    Calls in 3CX are blocked to unfamiliar countries but the problem is that the remote phone still rings randomly. Is there any way I can fix this problem? The router firewall is activated.

    Attached I post an image of the router log

    Thanks
    PG
     

    Attached Files:

    • 3cx.JPG
  2. lneblett

    lneblett Well-Known Member

    Joined:
    Sep 7, 2010
    Messages:
    2,083
    Likes Received:
    61
    There are all kinds of folks out there just trying to hack into systems and make calls such as the one you experienced. A notorious program for doing so is called SIP Vicious which is actually a tool to test SIP security and all, but is being used by some to scan ports and look for openings. The attacks I have seen have been associated to extension 100 and have come in on port 5060.

    I am sure there are others out there as well. You simply need to ensure that passwords are strong, changed on occasion and that you have blacklisted countries to which you do not want calls made, and you might even try changing the standard SIP port to something else. This is not to say that a port scanner won't find it, but most of the time they seem to be looking for the "standard" 5060. I am not familiar with the device you showed, but if it has tools to help prevent this, you should review and make changes as you deem necessary, to include doing the same on the 3CX side.
     
  3. pstmg

    Joined:
    Dec 9, 2012
    Messages:
    49
    Likes Received:
    0
    Thanks for your reply!! Will try to change ports from standard to some other, more 'obscure' ones and see what happens. It's strange but this is the only extension that has this kind of complaints.

    Regards
    PG
     
  4. leejor

    leejor Well-Known Member

    Joined:
    Jan 22, 2008
    Messages:
    10,754
    Likes Received:
    286
    There seem to be two different issues, or am I missing something? There is the hack attempt, and there is a remote extension ringing at random. The hacking attempt has been covered but I'm not sure if you are somehow associating the ringing with the hack attempt.

    If the ringing extension is 100 (or another "common" extension number), then it may be a direct SIP call, or (if you don't see any 3CX logs of an outgoing call to the extension), some sort of issue with the set.

    Does the set show any caller ID after a call?

    There are three things to try, depending on how much you are willing to put into this. I would try the first one as it requires no expense or inconvenience and should stop a direct SIP call (if the set uses local port 5060).

    Change the local SIP port of the set.
    Swap out the set.
    Change the extension number at that location.

    With regard to changing the 5060 SIP port at the 3CX end to prevent hacking... This has come up in the forums before, without a definitive answer as to whether this will make any difference. Some scanner programmes probably target only 5060, as it is the most common VoIP port, but I'm sure that there are many others that will find your port no matter what you change it to, so don't just rely on the port change.
     
  5. SY

    SY Well-Known Member
    3CX Support

    Joined:
    Jan 26, 2007
    Messages:
    1,825
    Likes Received:
    2
    As I understood, this picture was taken from the D-Link DVA-G3170i which is installed on the side of the remote phone.
    I'm 100% sure that this call never passed through the PBX and the PBX never delivered it to this remote phone. Someone has just tried to trick your remote phone by sending a SIP request directly to your D-Link device.
    You can verify this sentence: you will find this call neither in the PBX logs nor in the CallHistory report. It means that this call never passed through the PBX.
    Even more... when the PBX delivers a call to the phone it ALWAYS sets the "To:" header to the extension number of the phone. So, 3CX is not hijacked. Someone is just trying to bother your D-Link device.
    It is time to find a way to configure the remote D-Link DVA-G3170i (and the phone) to be more careful with SIP requests received from the "public internet".

    Regards
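
SY's two observations above (the call did not come from the PBX, and the PBX always sets "To:" to the phone's extension) written as a check over SIP requests seen at the phone side. This is an added example, not part of the original thread and not 3CX code; the PBX address, extension 214 and the trimmed sample messages are constructed assumptions.

```python
import re

PBX_IP = "203.0.113.10"   # assumed public address of the 3CX server
EXTENSION = "214"         # assumed extension provisioned on the remote phone
COMPACT = {"t": "to", "f": "from"}  # SIP compact header forms (RFC 3261)
# Constructed samples: (source IP seen at the phone side, trimmed SIP request)
SAMPLES = [
    ("203.0.113.10",
     "INVITE sip:214@198.51.100.7:5060 SIP/2.0\r\n"
     'From: "Sales" <sip:201@203.0.113.10>;tag=a1\r\n'
     "To: <sip:214@198.51.100.7>\r\n\r\n"),
    ("192.0.2.55",
     "INVITE sip:00972000000000@198.51.100.7 SIP/2.0\r\n"
     'From: "100" <sip:100@198.51.100.7>;tag=b2\r\n'
     "To: <sip:00972000000000@198.51.100.7>\r\n\r\n"),
    ("192.0.2.55",
     "INVITE sip:1001@198.51.100.7 SIP/2.0\r\n"
     "t: <sip:1001@198.51.100.7>\r\n\r\n"),
]

def sip_user(value):
    """Extract the user part of the first sip:/sips: URI in a header value."""
    m = re.search(r"sips?:([^@;>\s]+)@", value)
    return m.group(1) if m else None

def parse_request(raw):
    """Return (method, headers) with lower-cased, de-compacted header names."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        key = name.strip().lower()
        headers[COMPACT.get(key, key)] = value.strip()
    return lines[0].split(" ", 1)[0], headers

def classify(src_ip, raw):
    """List the reasons an INVITE cannot be a call delivered by the PBX."""
    method, headers = parse_request(raw)
    if method != "INVITE":
        return []
    reasons = []
    if src_ip != PBX_IP:
        reasons.append("source-not-pbx")
    if sip_user(headers.get("to", "")) != EXTENSION:
        reasons.append("to-not-extension")
    return reasons

if __name__ == "__main__":
    for ip, raw in SAMPLES:
        print(ip, classify(ip, raw) or "consistent with PBX delivery")
```

An INVITE that trips either reason will also be absent from the PBX logs and CallHistory report, which is the cross-check SY describes.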
     
  6. pstmg

    Joined:
    Dec 9, 2012
    Messages:
    49
    Likes Received:
    0
    First of all I would like to say that I am very satisfied with 3CX and I have used it for more than 2 years now. It serves 2 sales companies perfectly.

    To better answer the questions here, I would like to inform that when a 'ghost' call comes in, the phone pops up the number '100' or '101' and sometimes '1001'. He hears nothing from the remote side. The D-Link logs show exactly when the calls were received and the from number. It is true that 3CX ALWAYS presents the caller name in the phone LCD, except when this type of call comes in, so it isn't another extension calling.

    As you can see by the attached picture, this fellow still tried to hack the system. Most of the calls came with the 'fail' sign because the router didn't accept them due to the (from) numbers I've blocked and also because 3CX has a rule to place outside calls.

    So my next changes will be, Local Sip Port and Extension number. Hope this fixes the problem.
     

  7. leejor

    leejor Well-Known Member

    Joined:
    Jan 22, 2008
    Messages:
    10,754
    Likes Received:
    286
    It would appear that the "hacker" thinks he has found a PBX and is attempting to get a call to go through to a particular number, which it never will (other than the annoyance of ringing the set). Some ATAs that I've worked with won't even respond to a direct SIP call unless it matches the particular extension number (even if the public IP and port is correct). There may be some settings in the phone you are using that will cause it to ignore direct SIP calls (those other than from the 3CX server).
     
  8. pstmg

    Joined:
    Dec 9, 2012
    Messages:
    49
    Likes Received:
    0
    Well, it appears that a single extension change solved the problem for now. Let's see what happens in the next hours, and if more drastic measures have to be taken.
    This router (D-Link) hasn't much specific configuration for VoIP because it's a generic internet router. So how can it be 'programmed' to ignore direct SIP calls?
     
  9. leejor

    leejor Well-Known Member

    Joined:
    Jan 22, 2008
    Messages:
    10,754
    Likes Received:
    286
    Your router probably won't be able to do that; all it does is pass on anything directed to the correct port onto the IP of the device. If there are options dealing with direct SIP calls, then they would be in a VoIP phone, or ATA. As I said previously, it seemed (to me, from what I recall) that any incoming direct SIP call had to be a match for the extension number before the phone would ring. This may not be the case with all devices, but the hackers are guessing randomly, so it is best not to make it too easy for them.
     
  10. pstmg

    Joined:
    Dec 9, 2012
    Messages:
    49
    Likes Received:
    0
    I can inform you that the phone doesn't ring randomly anymore like before and calls can be made/received on that extension. The downside is that someone who suffers from insomnia tried to hack the system last night and the night before, but the rules implemented in the router and in 3CX blocked his intentions.

    Thank you for your help, it was much appreciated.


    Regards
    PG
     