3cx Hacked

[stekicar]

I got an e-mail from Voip provider that someone was dialing numbers from my account. At first, I thought that somehow my Voip account was compomised. But then, looking further, I realised that someone was trying to attempt registering to my 3cx server from France (looking at IP addess) and also was trying to register to voip account. I do not know how that could have happened. Now, I blocked IP addresses that were trying to register to my server. I currently do not forward port 5060 on my router (I disabled it). I did this because I think this port was the only way someone could hacked the 3cx server. I still do not know how that could hack the server. Any thoughts?

 

[jpillow]

Yes this has been going on for atleast a month I've seen it attempting to hack my pbx and partners have noticed on other installs. You should ban the ip range your seeing attempting to access your pbx and continue to keep an eye as they will change ips.

 

[stekicar]

I already blocked IPs but it bothers me how they were able to hack 3cx. I wonder if it was because I did port forwarding for port 5060?

 

[leejor]

I got an e-mail from Voip provider that someone was dialing numbers from my account. At first, I thought that somehow my Voip account was compomised. But then, looking further, I realised that someone was trying to attempt registering to my 3cx server from France (looking at IP addess) and also was trying to register to voip account.

If your VoIP provider contacted you then they obviously saw something out of the ordinary happening. Were the calls in question originating from your 3CX install, or direct to them using your credentials?

I too have seen both registration attempts, and direct SIP call attempts, all being stopped by 3CX. I also have 3CX set to email me when this happens (another option available to you). 3CX will block an IP for a set time if there are "X" number of failed authentications. The "X" can be changed by you in the security settings, just as the length of time an IP is blocked.

Unless you are using easily guessed passwords, they should not be able to register and place calls.

Could you post some of the 3CX server logs logs showing the hackers placing calls?

If you receive incoming VoIP calls (or have remote extensions), then you will have to have port 5060 (or whatever port you have chosen to use), forwarded to the 3CX server.

 

[stekicar]

My mistake was to leave everything without strong passwords on extensions for too long. But I left it so I can easily test/debug the system. Now, I changed all passwords for every extension.
Although, 3cx was set to prevent calls to unauthorised countries, this is how intruder managed to make calls:

First, he tried to make simple call but he got blocked by 3cx:
################################
014/05/05 08:56:11.003|0012|Info(03)| Received event with ID: 12296 generated at: 5/5/2014 8:56:10 AM, written at: 5/5/2014 8:56:10 AM Message: Call from [100] to [9011441904899536] has been rejected by the 3CX Country Blocking Feature [01144].
Reason: 9011441904899536 contains Prefix 01144. Calls to 01144 are not allowed by system.
Resolution: To allow this call access the 3CX Management Console, Settings, Security, Allowed Country Codes and enable the country or continent that matches this prefix.
################################

Then he used this method to bypass limitation:

################################
2014/05/05 15:52:58.620|0008|Info(03)| SELECT value,kind FROM dnallocation
2014/05/05 15:52:58.635|0008|Info(03)| Parsing reposts file first
2014/05/05 15:52:58.637|0008|Info(03)| select max(idcallhistory3) from callhistory3;
2014/05/05 15:52:58.638|0008|Info(03)| insert into callhistory3 (idcallhistory3, callid, duration, starttime,answertime,endtime, from_no, to_no, group_no, line_no, caller_display_name, is_answ, is_fail, is_compl, is_fromoutside, CallerID, DialedNumber, lastCallerID, lastDialedNumber, mediaType, rate, totalcost, billprefix, BillRateName, GrpAnswDetail, recfile, callchain)values (396,'00000BDCFEA81795_123','00:00:00','2014/5/5 3:52:19 PM',null,'2014/5/5 3:52:51 PM','100','918764672962','','10000','Glavna Linija',False,False,True,False,'100','918764672962','100','18764672962',1,0,0,'','','-2','',E';100;918764672962;10000;' );
2014/05/05 15:52:58.640|0008|Info(03)| insert into CallDetails (IdCallHistory2, DetailNum, ParentDetailNum, Dest_num, StartTime,Dur, AnswerTime, Status, Is_Compl, SpecDstType, is_tooutside, dest_dn, OtherParty,BillPrefix, BillRateName, BillRate, BillCost) values (396,1,0,'18764672962','2014/5/5 3:52:19 PM','00:00:31.4740000',null,5,True,0,True,'10000','100','','','0','0' );
2014/05/05 15:52:58.641|0008|Info(03)| select * from myphone_parsecall(396, interval '-240 minutes')
2014/05/05 15:52:58.644|0008|Info(03)| select max(idcallhistory3) from callhistory3;
2014/05/05 15:53:58.649|0008|Info(03)| SELECT value,kind FROM dnallocation
2014/05/05 15:53:58.664|0008|Info(03)| Parsing reposts file first
2014/05/05 15:53:58.667|0008|Info(03)| select max(idcallhistory3) from callhistory3;
2014/05/05 15:53:58.668|0008|Info(03)| insert into callhistory3 (idcallhistory3, callid, duration, starttime,answertime,endtime, from_no, to_no, group_no, line_no, caller_display_name, is_answ, is_fail, is_compl, is_fromoutside, CallerID, DialedNumber, lastCallerID, lastDialedNumber, mediaType, rate, totalcost, billprefix, BillRateName, GrpAnswDetail, recfile, callchain)values (397,'00000BDCFEA8BC61_124','00:00:00','2014/5/5 3:53:01 PM',null,'2014/5/5 3:53:42 PM','100','918764672962','','10000','Glavna Linija',False,False,True,False,'100','918764672962','100','18764672962',1,0,0,'','','-2','',E';100;918764672962;10000;' );
2014/05/05 15:53:58.669|0008|Info(03)| insert into CallDetails (IdCallHistory2, DetailNum, ParentDetailNum, Dest_num, StartTime,Dur, AnswerTime, Status, Is_Compl, SpecDstType, is_tooutside, dest_dn, OtherParty,BillPrefix, BillRateName, BillRate, BillCost) values (397,1,0,'18764672962','2014/5/5 3:53:01 PM','00:00:39.9790000',null,5,True,0,True,'10000','100','','','0','0' );
2014/05/05 15:53:58.670|0008|Info(03)| select * from myphone_parsecall(397, interval '-240 minutes')
2014/05/05 15:53:58.672|0008|Info(03)| select max(idcallhistory3) from callhistory3;
2014/05/05 15:53:58.674|0008|Info(03)| insert into callhistory3 (idcallhistory3, callid, duration, starttime,answertime,endtime, from_no, to_no, group_no, line_no, caller_display_name, is_answ, is_fail, is_compl, is_fromoutside, CallerID, DialedNumber, lastCallerID, lastDialedNumber, mediaType, rate, totalcost, billprefix, BillRateName, GrpAnswDetail, recfile, callchain)values (398,'00000BDCFEA9603E_125','00:00:07.8950000','2014/5/5 3:53:43 PM','2014/5/5 3:53:50 PM','2014/5/5 3:53:58 PM','100','918764672551','','10000','Glavna Linija',True,False,True,False,'100','918764672551','100','18764672551',1,1,0.1278,'default','default','-2','',E';100;918764672551;10000;' );
2014/05/05 15:53:58.675|0008|Info(03)| insert into CallDetails (IdCallHistory2, DetailNum, ParentDetailNum, Dest_num, StartTime,Dur, AnswerTime, Status, Is_Compl, SpecDstType, is_tooutside, dest_dn, OtherParty,BillPrefix, BillRateName, BillRate, BillCost) values (398,1,0,'18764672551','2014/5/5 3:53:43 PM','00:00:07.6680000','2014/5/5 3:53:50 PM',6,True,0,True,'10000','100','default','default','1','0.1278' );
2014/05/05 15:53:58.676|0008|Info(03)| select * from myphone_parsecall(398, interval '-240 minutes')
2014/05/05 15:53:58.678|0008|Info(03)| select max(idcallhistory3) from callhistory3;
2014/05/05 15:54:58.684|0008|Info(03)| SELECT value,kind FROM dnallocation
##########################################

I think, 3cx should take a look at this. They were using "insert into call history" to make these calls. Maybe, this is the main reason, why recently attacks on 3cx are intensified?

As for the forwarding 5060 port on my router, I disabled it, and everything works fine.

 

[stekicar]

The other thing bothers me is how fast they were able to find that my IP address uses 3cx. I think somehow they found a way to sneak into 3cx stun server and get IP addresses. I do not see any other way how to get IP addresses that uses 3cx. Does anyone know if 3cx stun servers were hacked as well?

One more thing. Without tunneling I am not able to connect on my 3cx server when I am out of my network. Even with 5060 port forwarded on my router. I do not understand how they managed to get register extension through 5060 port when I could not?

 

[jpillow]

You need to forward port 5090 to use 3cx tunnel, what are you using for voice SIP, PRI, or analog? Do you have remote workers? The reason I ask is not forwarding port 5060 will adversely affect SIP and remote workers.

 

[pstmg]

I had exately the same problem !!!

my 3cx server works fine, with port forwarding and fixed public ip. Also several remote extentions are being used. The problem was in one specific extention that was causing the problem. In that extention I had a router with a built-in voip client. This router accepted direct sip calls so from time to time the phone used to ring randomly. In it's LCD display used to show up: ASTERIK. All I did was change the router to another brand (better one this time) and the problem is solved..

What hackers used to do is, install Trixbox and run Sipvicious on it. They create a few tipical extentions like 100,101 and 123 and try to crack the extention passwords.

I've never had problems on the server side (3cx) just a few cases with remote users...

 

[eagle2]

One of last hacking trends is forwarding calls to expensive destinations on IP phones or VoIP adapters themselves. Thus the VoIP traffic for 3CX system is completely legal. The hackers are either calling the extension directly from outside and call is redirected to destinations like Nigeria, etc. or doing this internally (from infected computer to IP address of the phone).

Especially vulnerable to this exploit are Cisco SPA phones and adapters, especially if no strong admin and user passwords are used. The Cisco SPA devices can' be hacked easily also with fake firmware upgrade.