Attacks or not ?

Discussion in '3CX Phone System - General' started by levbe, Oct 18, 2010.

Thread Status:
Not open for further replies.
  1. levbe

    Joined:
    Apr 27, 2008
    Messages:
    33
    Likes Received:
    3
    Hello,

    I'm using 3CX v9 with SP2.
    This morning, I noticed these lines in the log files.
    Does it mean that my phone system was attacked?
    Thanks
    Lev


    08:26:23.279 Blacklisted (Too many failed auth)IP = 67.205.90.20; Failed auth: 25; unauth: 116; auth: 25
    08:26:23.279 [CM102001]: Authentication failed for SipReq: REGISTER 10.10.2.50 tid=-1505396524 cseq=REGISTER contact=123@1.1.1.1 / 2 from(wire); Reason: Credentials don't match, check that authorization-ID and password match the ones in extension settings
    08:26:23.263 [CM102001]: Authentication failed for SipReq: REGISTER 10.10.2.50 tid=-150798600 cseq=REGISTER contact=123@1.1.1.1 / 2 from(wire); Reason: Credentials don't match, check that authorization-ID and password match the ones in extension settings
    08:26:23.247 [CM102001]: Authentication failed for SipReq: REGISTER 10.10.2.50 tid=-2665340687 cseq=REGISTER contact=123@1.1.1.1 / 2 from(wire); Reason: Credentials don't match, check that authorization-ID and password match the ones in extension settings
    08:26:23.232 [CM102001]: Authentication failed for SipReq: REGISTER 10.10.2.50 tid=-1821966503 cseq=REGISTER contact=123@1.1.1.1 / 2 from(wire); Reason: Credentials don't match, check that authorization-ID and password match the ones in extension settings
    08:26:23.216 [CM102001]: Authentication failed for SipReq: REGISTER 10.10.2.50 tid=-3865690134 cseq=REGISTER contact=123@1.1.1.1 / 2 from(wire); Reason: Credentials don't match, check that authorization-ID and password match the ones in extension settings
    08:26:23.200 [CM102001]: Authentication failed for SipReq: REGISTER 10.10.2.50 tid=-2307544179 cseq=REGISTER contact=123@1.1.1.1 / 2 from(wire); Reason: Credentials don't match, check that authorization-ID and password match the ones in extension settings
    08:26:23.185 [CM102001]: Authentication failed for SipReq: REGISTER 10.10.2.50 tid=-376281062 cseq=REGISTER contact=123@1.1.1.1 / 2 from(wire); Reason: Credentials don't match, check that authorization-ID and password match the ones in extension settings
    08:26:23.185 [CM102001]: Authentication failed for SipReq: REGISTER 10.10.2.50 tid=-1518486423 cseq=REGISTER contact=123@1.1.1.1 / 2 from(wire); Reason: Credentials don't match, check that authorization-ID and password match the ones in extension settings
    08:26:23.169 [CM102001]: Authentication failed for SipReq: REGISTER 10.10.2.50 tid=-3564151160 cseq=REGISTER contact=123@1.1.1.1 / 2 from(wire); Reason: Credentials don't match, check that authorization-ID and password match the ones in extension settings
    08:26:23.154 [CM102001]: Authentication failed for SipReq: REGISTER 10.10.2.50 tid=-3069678744 cseq=REGISTER contact=123@1.1.1.1 / 2 from(wire); Reason: Credentials don't match, check that authorization-ID and password match the ones in extension settings
    08:26:23.138 [CM102001]: Authentication failed for SipReq: REGISTER 10.10.2.50 tid=-3736116092 cseq=REGISTER contact=123@1.1.1.1 / 2 from(wire); Reason: Credentials don't match, check that authorization-ID and password match the ones in extension settings
    08:26:23.122 [CM102001]: Authentication failed for SipReq: REGISTER 10.10.2.50 tid=-2957646105 cseq=REGISTER contact=123@1.1.1.1 / 2 from(wire); Reason: Credentials don't match, check that authorization-ID and password match the ones in extension settings
    08:26:23.107 [CM102001]: Authentication failed for SipReq: REGISTER 10.10.2.50 tid=-2880991338 cseq=REGISTER contact=123@1.1.1.1 / 2 from(wire); Reason: Credentials don't match, check that authorization-ID and password match the ones in extension settings
    08:26:23.107 [CM102001]: Authentication failed for SipReq: REGISTER 10.10.2.50 tid=-324942702 cseq=REGISTER contact=123@1.1.1.1 / 2 from(wire); Reason: Credentials don't match, check that authorization-ID and password match the ones in extension settings
    08:26:23.091 [CM102001]: Authentication failed for SipReq: REGISTER 10.10.2.50 tid=-3853783282 cseq=REGISTER contact=123@1.1.1.1 / 2 from(wire); Reason: Credentials don't match, check that authorization-ID and password match the ones in extension settings
    08:26:23.075 [CM102001]: Authentication failed for SipReq: REGISTER 10.10.2.50 tid=-1893633217 cseq=REGISTER contact=123@1.1.1.1 / 2 from(wire); Reason: Credentials don't match, check that authorization-ID and password match the ones in extension settings
    08:26:23.060 [CM102001]: Authentication failed for SipReq: REGISTER 10.10.2.50 tid=-3939765604 cseq=REGISTER contact=123@1.1.1.1 / 2 from(wire); Reason: Credentials don't match, check that authorization-ID and password match the ones in extension settings
    08:26:23.044 [CM102001]: Authentication failed for SipReq: REGISTER 10.10.2.50 tid=-1702196915 cseq=REGISTER contact=123@1.1.1.1 / 2 from(wire); Reason: Credentials don't match, check that authorization-ID and password match the ones in extension settings
    08:26:23.029 [CM102001]: Authentication failed for SipReq: REGISTER 10.10.2.50 tid=-1988637767 cseq=REGISTER contact=123@1.1.1.1 / 2 from(wire); Reason: Credentials don't match, check that authorization-ID and password match the ones in extension settings
    08:26:23.013 [CM102001]: Authentication failed for SipReq: REGISTER 10.10.2.50 tid=-4039294787 cseq=REGISTER contact=123@1.1.1.1 / 2 from(wire); Reason: Credentials don't match, check that authorization-ID and password match the ones in extension settings
    08:26:23.013 [CM102001]: Authentication failed for SipReq: REGISTER 10.10.2.50 tid=-2528766620 cseq=REGISTER contact=123@1.1.1.1 / 2 from(wire); Reason: Credentials don't match, check that authorization-ID and password match the ones in extension settings
    08:26:22.997 [CM102001]: Authentication failed for SipReq: REGISTER 10.10.2.50 tid=-1249591727 cseq=REGISTER contact=123@1.1.1.1 / 2 from(wire); Reason: Credentials don't match, check that authorization-ID and password match the ones in extension settings
    08:26:22.982 [CM102001]: Authentication failed for SipReq: REGISTER 10.10.2.50 tid=-1355944602 cseq=REGISTER contact=123@1.1.1.1 / 2 from(wire); Reason: Credentials don't match, check that authorization-ID and password match the ones in extension settings
    08:26:22.966 [CM102001]: Authentication failed for SipReq: REGISTER 10.10.2.50 tid=-482631483 cseq=REGISTER contact=123@1.1.1.1 / 2 from(wire); Reason: Credentials don't match, check that authorization-ID and password match the ones in extension settings
    08:26:22.810 [CM102001]: Authentication failed for SipReq: REGISTER 10.10.2.50 tid=-1970449143 cseq=REGISTER contact=123@1.1.1.1 / 2 from(wire); Reason: Credentials don't match, check that authorization-ID and password match the ones in extension settings
     
  2. TotallyVoIP

    Joined:
    Jul 2, 2010
    Messages:
    77
    Likes Received:
    0
    I'm no expert on this subject, but it could be, or it could be a device you/someone has configured and then changed the password etc somewhere.

    The key to understanding it is the IP addresses and if they relate to devices on your internal network, or if they are external (and not part of your extended network/remote setup).

    So are IPs 67.205.90.20 & 10.10.2.50 & 1.1.1.1 yours, and do any of them "truly" relate to extension 123?

    If they are your own, then you need to correct the password/authentication info, but they will be locked for a time period (look in settings/advanced/anti-hijack for the actual time) - by default I think it was 30mins, but we've changed our settings.

    I hope this helps
     
  3. danoh

    Joined:
    Aug 18, 2010
    Messages:
    56
    Likes Received:
    0
    http://www.whatismyip.com/tools/ip-whois-lookup.asp

    enter in 67.205.90.20 and press "whois lookup"

    If you don't know anyone who should be getting on your phone system from there, the answer is yes.
     
  4. alvise russo

    Joined:
    Oct 25, 2010
    Messages:
    1
    Likes Received:
    0
    Hello,
    much the same has happened to me since I did the last upgrade of 3CX, starting from 15/10/2010.
    Alvise
     
  5. SY

    SY Well-Known Member
    3CX Support

    Joined:
    Jan 26, 2007
    Messages:
    1,825
    Likes Received:
    2
    It looks like a good idea to use a firewall to block IP ranges which are not located in trusted areas of the world...
     
  6. abc123

    abc123 Active Member

    Joined:
    Nov 9, 2009
    Messages:
    712
    Likes Received:
    1
    I have seen this a few times, though from many different public IPs.

    Either it is the same kid/group or it is a script being passed around an internet group (you can tell by the 10.10.2.x and the 123@1.1.1.1).

    Firstly they are running this to test if you have a pbx on the end and those ports are open. If so you will be moved to another script which will then try to determine your internal settings or if they can get a listener on your ip/pbx machine.

    Then they will use it to make calls if they succeed.

    First you need to make sure you have at least SP2 on there and preferably SP3.

    I strongly recommend a serious firewall. No one should be able to connect to an internal computer (whether a server, PC or a 3CX PC/server) from anywhere. Best practice is to lock that down to only those remote IPs you need. If you have people who are mobile and maybe need to connect from multiple IP addresses remotely then we suggest using some type of VPN connection. Worst-case scenario, use non-standard ports on the firewall for clients and then forward them to the correct port on 3CX (e.g. use port 15060 on the firewall for remote clients and forward it to 5060 on the PBX). You should not be relying on the 3CX application nor the firewall on the 3CX PC to block traffic.

    We have products in this area that we can help with, so please contact us if you have questions or want advice or a product.
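
The triage the replies above describe (are the addresses internal or external, how fast do the failures arrive, is the same request repeated), as an added example that is not part of the thread and is not 3CX code. It assumes the log format shown in the first post; the function names and the burst thresholds are illustrative choices.

```python
import ipaddress
import re
from datetime import datetime

# Four lines abridged from the log excerpt in the first post (newest first).
SAMPLE = """\
08:26:23.279 Blacklisted (Too many failed auth)IP = 67.205.90.20; Failed auth: 25; unauth: 116; auth: 25
08:26:23.279 [CM102001]: Authentication failed for SipReq: REGISTER 10.10.2.50 tid=-1505396524 cseq=REGISTER contact=123@1.1.1.1 / 2 from(wire); Reason: Credentials don't match
08:26:23.263 [CM102001]: Authentication failed for SipReq: REGISTER 10.10.2.50 tid=-150798600 cseq=REGISTER contact=123@1.1.1.1 / 2 from(wire); Reason: Credentials don't match
08:26:22.810 [CM102001]: Authentication failed for SipReq: REGISTER 10.10.2.50 tid=-1970449143 cseq=REGISTER contact=123@1.1.1.1 / 2 from(wire); Reason: Credentials don't match
"""

FAIL = re.compile(r"^(\S+) \[CM102001\]: Authentication failed for SipReq: "
                  r"REGISTER (\S+) .*?contact=([^@\s]+)@(\S+)")
BLOCK = re.compile(r"^(\S+) Blacklisted \(Too many failed auth\)\s*IP = ([\d.]+); "
                   r"Failed auth: (\d+)")

def scope(addr):
    """Return 'internal' for private-range addresses, otherwise 'external'."""
    return "internal" if ipaddress.ip_address(addr).is_private else "external"

def triage(log):
    """Summarise failed REGISTERs and blacklist events in a log excerpt."""
    times, signatures, blocked = [], set(), []
    for line in log.splitlines():
        if m := FAIL.match(line):
            ts, target, ext, host = m.groups()
            times.append(datetime.strptime(ts, "%H:%M:%S.%f"))
            signatures.add((target, ext, host))
        elif m := BLOCK.match(line):
            blocked.append({"ip": m[2], "scope": scope(m[2]), "failed": int(m[3])})
    span = (max(times) - min(times)).total_seconds() if times else 0.0
    return {
        "failures": len(times),
        "span_seconds": span,
        # Assumed thresholds: several failures inside one second is a burst
        # that a person retyping a password would not produce.
        "burst": len(times) >= 3 and span < 1.0,
        # Distinct (request target, extension, contact host) triples seen.
        "signatures": sorted(signatures),
        "blacklisted": blocked,
    }

if __name__ == "__main__":
    print(triage(SAMPLE))
```

On the abridged sample this reports one external blacklisted address, a sub-second burst, and a single repeated signature (`10.10.2.50`, `123`, `1.1.1.1`).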
     
  7. levbe

    Joined:
    Apr 27, 2008
    Messages:
    33
    Likes Received:
    3
    I've updated to SP3 right now.
    I have a Cisco router (with firewall) but some settings need to be updated for stronger security.
    Thanks for all answers.
     