3CX system attack

Discussion in '3CX Phone System - General' started by enes.avdic, Jan 21, 2014.

Thread Status:
Not open for further replies.
  1. enes.avdic

    Joined:
    Mar 24, 2012
    Messages:
    12
    Likes Received:
    0
    I am having problems with an attack on my 3CX system. What is exactly happening is that someone is getting into the system and placing calls to a number and draining money through the dialed number. The weird thing is that when I look at the call logs I do see what number is being called, but the source is not an extension; it is also an outside number. I cannot see in the logs where the calls come from; all I can see is the dialed attempts. Does anyone have any ideas regarding this? I am totally out of ideas and don't know what to do anymore.


    Thanks in advance to anyone who responds to my post :)
     
  2. leejor

    leejor Well-Known Member

    Joined:
    Jan 22, 2008
    Messages:
    10,587
    Likes Received:
    253
    I've seen attack attempts on my system as well and 3CX has kept them at bay. Offhand I have to assume that you have not selected passwords that are secure enough, or someone with inside information is behind the attack.

    The first thing I would do is to add a prefix of several digits for employees that are required to make long distance calls, and perhaps restrict which areas/countries can be called if you are not in the business of calling everywhere.

    Not showing an originating extension in the logs seems a bit strange. Can you post some of the logs?

    X out part of your public IP if it shows.
     
  3. enes.avdic

    Joined:
    Mar 24, 2012
    Messages:
    12
    Likes Received:
    0
    17:08:22.952|.\Line.cpp(352)|Log2||LineCfg::getInboundTarget:[CM503012]: Inbound specific hours w/o holidays rule (NA to BosnaTV) for 10001 forwards to DN:8003
    17:08:23.021|.\CallCtrl.cpp(346)|Log2||CallCtrl::onIncomingCall:[CM503001]: Call(4177): Incoming call from 3257545445@(Ln.10001@IPCOMM) to <sip:8003@xxx.xxx.xxx.xxx:5060>
    17:08:23.025|.\Line.cpp(1455)|Log2||Line::printEndpointInfo:[CM505003]: Provider:[IPCOMM] Device info: Device Not Identified: User Agent not matched; Capabilities:[reinvite, replaces, able-no-sdp, recvonly] UserAgent: [] PBX contact: [sip:3129625248@xxx.xxx.xxx.xxx:5060]
    17:08:23.027|.\CallCtrl.cpp(529)|Log3||CallCtrl::onSelectRouteReq:[CM503010]: Making route(s) to <sip:8003@xxx.xxx.xxx.xxx:5060>
    17:08:23.028|.\CallCtrl.cpp(708)|Log2||CallCtrl::onSelectRouteReq:[CM503004]: Call(4177): Route 1: Ext:Ext.8003@[Dev:sip:8003@127.0.0.1:40600;rinstance=da80dd5903d345de]
    17:08:23.054|.\Target.cpp(441)|Log2||Target::makeOneInvite:[CM503025]: Call(4177): Calling Ext:Ext.8003@[Dev:sip:8003@127.0.0.1:40600;rinstance=da80dd5903d345de]
    17:08:23.255|.\CallLeg.cpp(315)|Log3||CallLeg::onAnswer:[CM503002]: Call(4177): Alerting sip:8003@127.0.0.1:40600;rinstance=da80dd5903d345de
    17:08:23.255|.\Extension.cpp(1407)|Log3||Extension::printEndpointInfo:[CM505001]: Ext.8003: Device info: Device Identified: [Man: 3CX Ltd.;Mod: 3CX IVR;Rev: 1] Capabilities:[reinvite, replaces, able-no-sdp, recvonly] UserAgent: [3CX IVR] PBX contact: [sip:8003@127.0.0.1:5060]
    17:08:23.262|.\CallCtrl.cpp(885)|Log2||CallCtrl::onLegConnected:[CM503007]: Call(4177): Device joined: sip:3129625248@xxx.xxx.xxx.xxx:5060
    17:08:23.264|.\CallCtrl.cpp(885)|Log2||CallCtrl::onLegConnected:[CM503007]: Call(4177): Device joined: sip:8003@127.0.0.1:40600;rinstance=da80dd5903d345de
    17:08:27.633|.\SLServer.cpp(868)|Log2|MediaServer|MediaServerReporting::DTMFhandler:[MS211000] C:4177.1: xxx.xxx.xxx.xxx:37822 is delivering DTMF using RTP payload (RFC2833). In-Band DTMF tone detection is disabled for this call segment.
    17:08:28.777|.\Line.cpp(1455)|Log2||Line::printEndpointInfo:[CM505003]: Provider:[IPCOMM] Device info: Device Not Identified: User Agent not matched; Capabilities:[reinvite, replaces, able-no-sdp, recvonly] UserAgent: [] PBX contact: [sip:3129625248@xxx.xxx.xxx.xxx:5060]
    17:08:28.777|.\CallCtrl.cpp(529)|Log3||CallCtrl::onSelectRouteReq:[CM503010]: Making route(s) to <sip:1014@127.0.0.1:5060>
    17:08:28.778|.\CallCtrl.cpp(700)|Log2||CallCtrl::onSelectRouteReq:[CM503017]: Call(4177): Target is not registered: Ext.1014
    17:08:28.778|.\Call.cpp(1091)|Log2||Call::RouteFailed:[CM503016]: Call(4177): Attempt to reach <sip:1014@127.0.0.1:5060> failed. Reason: Not Registered
    17:08:28.781|.\CallCtrl.cpp(840)|Log2||CallCtrl::onRerouteReq:[CM503005]: Call(4177): Forwarding: VoIPline:37744913167@(Ln.10004@Skype Connect PolTV)@[Dev:sip:99051000122578@sip.skype.com:5060]
    17:08:28.781|.\CallCtrl.cpp(840)|Log2||CallCtrl::onRerouteReq:[CM503005]: Call(4177): Forwarding: VoIPline:7744913167@(Ln.10001@IPCOMM)@[Dev:sip:3129625248@xxx.xxx.xxx.xxx:5060]
    17:08:28.895|.\Target.cpp(441)|Log2||Target::makeOneInvite:[CM503025]: Call(4177): Calling VoIPline:37744913167@(Ln.10004@Skype Connect PolTV)@[Dev:sip:99051000122578@sip.skype.com:5060]
    17:08:29.891|.\CallLeg.cpp(326)|Log2||CallLeg::onFailure:[CM503003]: Call(4177): Call to sip:37744913167@sip.skype.com:5060 has failed; Cause: 403 Forbidden; from IP:xxx.xxx.xxx.xxx:5060
    17:08:29.959|.\Target.cpp(441)|Log2||Target::makeOneInvite:[CM503025]: Call(4177): Calling VoIPline:7744913167@(Ln.10001@IPCOMM)@[Dev:sip:3129625248@xxx.xxx.xxx.xxx:5060]
    17:08:30.048|.\CallLeg.cpp(326)|Log2||CallLeg::onFailure:[CM503003]: Call(4177): Call to sip:7744913167@xxx.xxx.xxx.xxx:5060 has failed; Cause: 404 Not Found; from IP:xxx.xxx.xxx.xxx:5060
    17:08:30.048|.\Call.cpp(1091)|Log2||Call::RouteFailed:[CM503016]: Call(4177): Attempt to reach <sip:1014@127.0.0.1:5060> failed. Reason: Not Found
    17:08:30.050|.\Line.cpp(1455)|Log2||Line::printEndpointInfo:[CM505003]: Provider:[IPCOMM] Device info: Device Not Identified: User Agent not matched; Capabilities:[reinvite, replaces, able-no-sdp, recvonly] UserAgent: [] PBX contact: [sip:3129625248@xxx.xxx.xxx.xxx:5060]
    17:08:35.649|.\Call.cpp(1396)|Log2||Call::Terminate:[CM503008]: Call(4177): Call is terminated


    This is my log for one instance of the number being dialed. I might be reading the logs wrong. But when I check the call logs for the above 377 number I get that the source is an outside number and not an extension like it normally is. The red numbers are the numbers being called; the purple number is what my call log gives me as the source.


    Do you have any more suggestions as to securing the system? I can't block countries because my company makes calls to all parts of the world and they are never the same countries.


    Thanks for taking a look at this :)
     
  4. leejor

    leejor Well-Known Member

    Joined:
    Jan 22, 2008
    Messages:
    10,587
    Likes Received:
    253
    It appears to be a direct SIP call. There is an option to disallow Direct SIP calls unless you have a service that requires it being on. I have found that in most cases 3CX will reject those types of calls unless you have allowed the originating IP or URL.

    Is IPCOMM somehow associated with your installation? There appears to be a German company with that name, but the URL showing in the logs is not complete. The 10001 looks like a 3CX trunk number. I'm not sure, but I wonder if the call is coming in as if it originates from that trunk in 3CX.

    Going over the logs for these types of calls, do they seem to be dialling random numbers, or testing to see what they are able to dial?
     
  5. SY

    SY Well-Known Member
    3CX Support

    Joined:
    Jan 26, 2007
    Messages:
    1,825
    Likes Received:
    2
    The log says that:
    1. Extension 1014 was called through 8003 (IVR?) (line IPCOMM forwards calls to 8003)
    2. Extension 1014 was not registered at that time
    3. Extension 1014 is configured to forward (Busy/Unregistered or available status?) calls to external number 7744913167
    4. One of the outbound rules (which processes calls from 1014) "prepends" 3 to the number requested by the extension. So the number was sent as 37744913167 to the VoIP provider (Skype Connect PolTV).
    5. The call failed (don't know why)
    6. The caller was disconnected.

    Have I guessed your configuration correctly?

    So, the caller did not make a call which was not approved. Simply, extension 1014 is configured to forward calls to 7744913167 when the extension is unreachable.

    Please check the configuration of extension 1014. You should see that this extension forwards calls to the external number 7744913167 under some conditions (user status or Busy/Unregistered).
    Also, check the outbound rules; you should see that one of the rules passes calls to "Skype Connect PolTV" and prepends 3 to the number.

    Thanks
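    A detection pass over the log pattern SY walks through above, written here as an added example (it is not code from the thread or from 3CX): it groups 3CX log lines by call id and flags any call that arrived on a trunk and was then forwarded back out over a trunk via an unregistered extension, which is exactly what shows up in the call log as an outside number calling an outside number. The sample log lines are constructed from the format quoted in the post above; call 4178 is a benign control that only routes to a registered extension.

```python
import re
from collections import defaultdict

# Constructed sample in the 3CX log format quoted in the thread (public IP
# redacted as xxx.xxx.xxx.xxx as in the post); call 4178 is a benign control.
SAMPLE_LOG = r"""
17:08:23.021|.\CallCtrl.cpp(346)|Log2||CallCtrl::onIncomingCall:[CM503001]: Call(4177): Incoming call from 3257545445@(Ln.10001@IPCOMM) to <sip:8003@xxx.xxx.xxx.xxx:5060>
17:08:28.778|.\CallCtrl.cpp(700)|Log2||CallCtrl::onSelectRouteReq:[CM503017]: Call(4177): Target is not registered: Ext.1014
17:08:28.781|.\CallCtrl.cpp(840)|Log2||CallCtrl::onRerouteReq:[CM503005]: Call(4177): Forwarding: VoIPline:37744913167@(Ln.10004@Skype Connect PolTV)@[Dev:sip:99051000122578@sip.skype.com:5060]
17:08:29.891|.\CallLeg.cpp(326)|Log2||CallLeg::onFailure:[CM503003]: Call(4177): Call to sip:37744913167@sip.skype.com:5060 has failed; Cause: 403 Forbidden; from IP:xxx.xxx.xxx.xxx:5060
17:09:01.100|.\CallCtrl.cpp(346)|Log2||CallCtrl::onIncomingCall:[CM503001]: Call(4178): Incoming call from 3257545445@(Ln.10001@IPCOMM) to <sip:8003@xxx.xxx.xxx.xxx:5060>
17:09:05.000|.\CallCtrl.cpp(708)|Log2||CallCtrl::onSelectRouteReq:[CM503004]: Call(4178): Route 1: Ext:Ext.1020@[Dev:sip:1020@127.0.0.1:40601]
"""

# Each pattern captures the call id first so events can be grouped per call.
INCOMING = re.compile(r"Call\((\d+)\): Incoming call from (\S+?)@\(Ln\.(\d+)@([^)]+)\)")
NOT_REGISTERED = re.compile(r"Call\((\d+)\): Target is not registered: Ext\.(\d+)")
FORWARD = re.compile(r"Call\((\d+)\): Forwarding: VoIPline:(\d+)@\(Ln\.(\d+)@([^)]+)\)")


def find_trunk_to_trunk_forwards(log_text):
    """Return one finding per call that arrived on a trunk (Ln.) and was then
    forwarded back out over a trunk, i.e. external caller -> external number."""
    calls = defaultdict(lambda: {"inbound": None, "unregistered": [], "forwards": []})
    for line in log_text.splitlines():
        msg = line.rsplit("|", 1)[-1]  # the message is the last '|' field
        if m := INCOMING.search(msg):
            calls[m[1]]["inbound"] = {"caller": m[2], "line": m[3], "provider": m[4]}
        elif m := NOT_REGISTERED.search(msg):
            calls[m[1]]["unregistered"].append(m[2])
        elif m := FORWARD.search(msg):
            calls[m[1]]["forwards"].append({"number": m[2], "line": m[3], "provider": m[4]})
    findings = []
    for call_id, ev in calls.items():
        if ev["inbound"] and ev["forwards"]:  # external in AND external out
            findings.append({
                "call": call_id,
                "from": ev["inbound"]["caller"],
                "via_extension": ev["unregistered"][0] if ev["unregistered"] else None,
                "to": [f["number"] for f in ev["forwards"]],
                "out_provider": [f["provider"] for f in ev["forwards"]],
            })
    return findings


if __name__ == "__main__":
    for f in find_trunk_to_trunk_forwards(SAMPLE_LOG):
        print(f"call {f['call']}: trunk caller {f['from']} -> ext {f['via_extension']} "
              f"-> external {f['to']} via {f['out_provider']}")
```

    Run it against the PBX log directory on a schedule and alert on any finding whose extension is not expected to forward externally; the `via_extension` field is the one to check in the management console, as SY suggests.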
     
  6. enes.avdic

    Joined:
    Mar 24, 2012
    Messages:
    12
    Likes Received:
    0
    SY, you were right on the money! I found a few extensions, actually, that were forwarded to outside numbers. But what I don't understand is how that is done if you do not have access to the management console?

    Also sorry for the late reply but I have been traveling the past week and didn't have time to reply.
     
  7. craigreilly

    craigreilly Well-Known Member

    Joined:
    Feb 1, 2012
    Messages:
    3,133
    Likes Received:
    211
    In v11, MyPhone was the place where users could set what to do with their calls. I am sure this is the same in v12 with the Windows client. When I am away from the office during the day, I set my phone to AWAY status, which forwards to my mobile device.
    So, they are end user options.
     