Attempt to hack system??

Discussion in '3CX Phone System - General' started by gschwab, May 9, 2012.

Thread Status:
Not open for further replies.
  1. gschwab

    gschwab New Member

    Joined:
    Mar 21, 2012
    Messages:
    131
    Likes Received:
    0
    Found this in the event log this morning

    SIP request (REGISTER) from 188.161.99.40 was rejected. Reason: Block WAN requests is ON.
    Message:
    REGISTER sip:mypublicIP:5060 SIP/2.0
    Via: SIP/2.0/UDP 188.161.99.40:11909;branch=z9hG4bK-d87543-651058391-1--d87543-;rport=11909
    Max-Forwards: 70
    Contact: <sip:101@188.161.99.40:11909>
    To: "119.119.58.162"<sip:101@mypublicIP>
    From: "119.119.58.162"<sip:101@mypublicIP>;tag=f664c113
    Call-ID: a2140b263c568a03
    CSeq: 2 REGISTER
    Expires: 3600
    Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, SUBSCRIBE, INFO
    Proxy-Authorization: Digest username="101",realm="3CXPhoneSystem",nonce="414d535c05ba288973:5f867419ef0f7222c35fa9bec56aa5a0",uri="sip:mypublicIP:5060",response="250ef94b00c401495d2dbc5a9542df38",algorithm=MD5
    User-Agent: eyeBeam release 3006o stamp 17551
    Content-Length: 0

    SIP request (REGISTER) from 188.161.99.40 was rejected. Reason: Block WAN requests is ON.
    Message:
    REGISTER sip:mypublicIP:5060 SIP/2.0
    Via: SIP/2.0/UDP 188.161.99.40:11909;branch=z9hG4bK-d87543-85988343-1--d87543-;rport=11909
    Max-Forwards: 70
    Contact: <sip:500@188.161.99.40:11909>
    To: "119.119.58.162"<sip:500@mypublicIP>
    From: "119.119.58.162"<sip:500@mypublicIP>;tag=92754e25
    Call-ID: cf356f1f0c06f94a
    CSeq: 2 REGISTER
    Expires: 3600
    Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, SUBSCRIBE, INFO
    Proxy-Authorization: Digest username="500",realm="3CXPhoneSystem",nonce="414d535c05ba287f04:1828739493a2d460ea0352f57f5ca377",uri="sip:mypublicIP:5060",response="125ad6be78f0bc04f3921f9f58289c4b",algorithm=MD5
    User-Agent: eyeBeam release 3006o stamp 17551
    Content-Length: 0

    I assume this can be ignored as the request was rejected or should I be taking steps to secure the system?

    Thanks, George
     
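To make the security-relevant point of George's log concrete: the rejected REGISTER already carries a complete Digest exchange (username, realm, nonce, uri and the MD5 response), so anyone who sees such traffic has an offline oracle for guessing that extension's password. The following is an added example, not code from the original post or from 3CX: it parses the Proxy-Authorization line quoted above, implements the RFC 2617 MD5 digest as SIP uses it for REGISTER (no qop, as in the captured header), and runs a small candidate list against a constructed header whose password is known. The candidate list, the nonce in the constructed header and the "100"/"100" pair are assumptions made for the demo.

```python
import hashlib
import re

# The Proxy-Authorization line from the first rejected REGISTER quoted in the thread.
CAPTURED_HEADER = (
    'Proxy-Authorization: Digest username="101",realm="3CXPhoneSystem",'
    'nonce="414d535c05ba288973:5f867419ef0f7222c35fa9bec56aa5a0",'
    'uri="sip:mypublicIP:5060",response="250ef94b00c401495d2dbc5a9542df38",algorithm=MD5'
)

# Constructed candidate list, modelled on the common pairs described later in the thread.
COMMON_PASSWORDS = ["100", "1234", "0000", "password", "101", "500"]


def parse_digest(header):
    """Return the key=value pairs of a Digest header as a dict (quotes stripped)."""
    body = header.split("Digest", 1)[1]
    return dict(re.findall(r'(\w+)="?([^",]*)"?', body))


def sip_digest_response(username, realm, password, method, uri, nonce):
    """RFC 2617 MD5 digest without qop, as used by SIP REGISTER: MD5(HA1:nonce:HA2)."""
    ha1 = hashlib.md5(f"{username}:{realm}:{password}".encode()).hexdigest()
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    return hashlib.md5(f"{ha1}:{nonce}:{ha2}".encode()).hexdigest()


def make_header(username, realm, password, method, uri, nonce):
    """Build the header an endpoint would send; used here only to construct a demo capture."""
    resp = sip_digest_response(username, realm, password, method, uri, nonce)
    return (f'Proxy-Authorization: Digest username="{username}",realm="{realm}",'
            f'nonce="{nonce}",uri="{uri}",response="{resp}",algorithm=MD5')


def guess_password(header, method, candidates):
    """Offline check of candidate passwords against a captured Digest response.

    Returns the first candidate that reproduces the response, or None. No network
    traffic is needed: everything the check requires is in the captured header.
    """
    d = parse_digest(header)
    for pw in candidates:
        if sip_digest_response(d["username"], d["realm"], pw, method, d["uri"], d["nonce"]) == d["response"]:
            return pw
    return None


# Constructed demo capture: extension 100 with password "100" (assumed weak credential),
# same realm as the real log, made-up nonce.
WEAK_HEADER = make_header("100", "3CXPhoneSystem", "100", "REGISTER", "sip:mypublicIP:5060", "deadbeef0001")

if __name__ == "__main__":
    print("captured username:", parse_digest(CAPTURED_HEADER)["username"])
    print("weak demo header cracks to:", guess_password(WEAK_HEADER, "REGISTER", COMMON_PASSWORDS))
    print("captured header against the short list:", guess_password(CAPTURED_HEADER, "REGISTER", COMMON_PASSWORDS))
```

The last print shows the practical consequence: whether or not the short list happens to hit George's real password, the check costs the attacker three MD5 operations per guess and nothing on the wire, which is why the replies below stress long random passwords over relying on the rejection alone.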
  2. mylove4life

    mylove4life New Member

    Joined:
    Jan 7, 2010
    Messages:
    165
    Likes Received:
    0
As long as you have the latest updates and have strong passwords you will be ok... I would also go into the lines and stop the phones from being able to connect from the internet.
     
  3. leejor

    leejor Well-Known Member

    Joined:
    Jan 22, 2008
    Messages:
    10,870
    Likes Received:
    304
It actually looks like this is the case already.

Someone was attempting to register extensions 101 and 500. Usually, if that happens to me, I see a log showing it rejected because the credentials don't match. Did you do a search to see who the requesting IP goes to?
     
  4. gschwab

    gschwab New Member

    Joined:
    Mar 21, 2012
    Messages:
    131
    Likes Received:
    0
    Yes, I got this from ARIN
    NetRange
    188.0.0.0 - 188.255.255.255
    CIDR
    188.0.0.0/8
    Name
    188-RIPE
    Handle
    NET-188-0-0-0-1
    Parent
    Net Type
    Allocated to RIPE NCC
    Origin AS

    Organization
    RIPE Network Coordination Centre (RIPE)
    Registration Date
    Last Updated
    2004-03-16
    Comments

    These addresses have been further assigned to users in
    the RIPE NCC region. Contact information can be found in
    the RIPE database at http://www.ripe.net/whois
    RESTful Link
    http://whois.arin.net/rest/net/NET-188-0-0-0-1
    See Also
    Related organization's POC records.
    See Also
    Related delegations.
    Organization
    Name
    RIPE Network Coordination Centre
    Handle
    RIPE
    Street
    P.O. Box 10096
    City
    Amsterdam
    State/Province
    Postal Code
    1001EB
    Country
    NL
    Registration Date
    Last Updated
    2011-09-24
    Comments
    RESTful Link
    http://whois.arin.net/rest/org/RIPE
    Referral Server
    whois://whois.ripe.net:43
    Function
    Point of Contact
    Tech
    RNO29-ARIN (RNO29-ARIN)
    Admin
    RNO29-ARIN (RNO29-ARIN)
    Abuse
    RNO29-ARIN (RNO29-ARIN)

    And this from IP Address.com
    http://www.ip-adress.com/ip_tracer/188.161.99.40

    188.161.99.40 IP address location & more:
    IP address [?]:
    188.161.99.40 [Copy] [Whois] [Reverse IP]
    IP country code:
    PS
    IP address country:
    Palestinian Territory
    IP address state:
    n/a
    IP address city:
    Gaza
    IP address latitude:
    31.5000
    IP address longitude:
    34.4667
    ISP of this IP [?]:
    Palestine Telecommunications Company (PALTEL)
    Organization:
    Palestine Telecommunications Company (PALTEL)
     
  5. leejor

    leejor Well-Known Member

    Joined:
    Jan 22, 2008
    Messages:
    10,870
    Likes Received:
    304
In many cases, when you do an IP lookup, you will find an email (abuse?) to file a complaint against an IP. I'm not entirely convinced that this does a lot of good, in all cases, but it's worth a try, especially if it continues from the same address or one in the same range (managed by the same company).

You can always look into using the IP Blacklist in 3CX to block a specific IP or a range. Most hackers will give up and move on after a number of failed attempts.
     
  6. KerryG

    KerryG Active Member

    Joined:
    Jun 19, 2009
    Messages:
    960
    Likes Received:
    0
    You will probably NEVER have a "hacker" try to gain access to your system. However, any machine on the internet for even a short amount of time is almost certainly going to be attacked by numerous scripts that are floating around. They will try very basic steps to gain access like using ext 100 / password 100, and other common passwords (1234,0000,password,etc).

    The typical script works as follows:

    Test port 5060 for connection
    - If no connection - move to next IP
    On successful connection attempt common registration pairs
    - Repeat until successful registration, connection blocked, or script finishes

If you have V10, the automatic blacklisting feature will kill these attempts very quickly so long as you have strong passwords that the scripts can't guess on the first few attempts.
     
  7. active5

    Joined:
    Jun 28, 2011
    Messages:
    72
    Likes Received:
    0
    Any organization with a static IP(s) will eventually see hacking attempts, with SIP being an immediate beneficial revenue stream for the hacker. From my experience any connection will see attempts within the first 30 days or less. It's usually much sooner than later.

    A useful method is to just blacklist the entire known IP block after a hack attempt. I'm not planning on traveling to Gaza, Kenya, South Africa, Ukraine, etc. and connecting remotely or using a VOIP provider from those regions, so why do I need those ISP addresses connecting to my system? I've minimized attempts to nearly zero by using this method instead of using individual IP addresses.

    You can also have your Voip provider and/or PSTN vendor block international calling if you don't require it. You should also be able to limit the allowed country list from your provider. As an example you may only need to make calls to Spain, your provider may be able to allow international calling to Spain and block everything else.

    I haven't played around with the new features of V11 yet, but in V10 your outbound rules could also be used to limit how international calling is handled. You can also disallow outside calls during non-office hours as an additional security measure, no one in my office needs to call for a pizza at 2am. If there is anyone working late, they can use their cell phone!

    Basically you need to set up a layered approach to prevent hacking that works with the particular business requirements of each installation. Starting with your router/firewall, following with your 3CX PBX security measures, your outbound and office hours rules and ending with your Voip/PSTN providers when possible.

    One more tip, extension numbers and length, 3 digit extension like 100 and 101 are high targets. Try using 4 or 5 digit extensions if possible and avoid using simple extension numbering like 100, 1000, etc.
     
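The two replies above describe, between them, the detection and blocking logic a 3CX admin would want: KerryG's description of a scanner that cycles common registration pairs until it is blocked (which is what the V10 auto-blacklist counts), and active5's practice of blacklisting the whole assigned range after one attempt. The following is an added example that is not part of either post and not 3CX's own code: it parses constructed event-log lines in the format George quoted, counts rejected REGISTERs per source IP inside a sliding time window, and checks each source against an operator-maintained list of CIDR blocks. The timestamps, the 203.0.113.x and 198.51.100.x sources, the threshold and the 188.161.0.0/16 block are all assumptions for the demo; note that the ARIN output George pasted only shows the /8 delegated to RIPE, so the range to block should come from the RIPE whois it refers to, not from that /8.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, modelled on the two rejections quoted in the thread.
# Timestamps and the 203.0.113.x / 198.51.100.x sources are made up.
LOG = """\
2012-05-09 03:12:01 SIP request (REGISTER) from 188.161.99.40 was rejected. Reason: Block WAN requests is ON.
2012-05-09 03:12:02 SIP request (REGISTER) from 188.161.99.40 was rejected. Reason: Block WAN requests is ON.
2012-05-09 06:40:10 SIP request (REGISTER) from 203.0.113.7 was rejected. Reason: Block WAN requests is ON.
2012-05-09 06:40:11 SIP request (REGISTER) from 203.0.113.7 was rejected. Reason: Block WAN requests is ON.
2012-05-09 06:40:11 SIP request (REGISTER) from 203.0.113.7 was rejected. Reason: Block WAN requests is ON.
2012-05-09 06:40:12 SIP request (REGISTER) from 203.0.113.7 was rejected. Reason: Block WAN requests is ON.
2012-05-09 06:40:14 SIP request (REGISTER) from 203.0.113.7 was rejected. Reason: Block WAN requests is ON.
2012-05-09 07:05:00 SIP request (REGISTER) from 198.51.100.9 was rejected. Reason: Block WAN requests is ON.
2012-05-09 07:30:00 SIP request (OPTIONS) from 198.51.100.9 was rejected. Reason: Block WAN requests is ON.
"""

# Assumed operator blocklist; a real one would hold the range from the RIPE whois record.
BLOCKED_RANGES = ["188.161.0.0/16"]

LINE_RE = re.compile(
    r"^(\S+ \S+) SIP request \((\w+)\) from (\d{1,3}(?:\.\d{1,3}){3}) was rejected"
)


def parse_rejections(text):
    """Return (timestamp, method, source_ip) for every rejection line that matches."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2), m.group(3)))
    return events


def in_blocked_range(ip, networks):
    """True if ip falls inside any of the configured CIDR blocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def sources_over_threshold(events, threshold, window):
    """Set of source IPs with at least `threshold` rejected REGISTERs inside one `window`."""
    by_ip = defaultdict(list)
    for ts, method, ip in events:
        if method == "REGISTER":
            by_ip[ip].append(ts)
    hot = set()
    for ip, stamps in by_ip.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):          # sliding window over sorted timestamps
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                hot.add(ip)
                break
    return hot


def classify(text, ranges, threshold=5, window=timedelta(minutes=10)):
    """Decide per source IP: drop (range), auto-blacklist (burst of failures), or watch."""
    events = parse_rejections(text)
    networks = [ipaddress.ip_network(r) for r in ranges]
    hot = sources_over_threshold(events, threshold, window)
    decisions = {}
    for ip in {e[2] for e in events}:
        if in_blocked_range(ip, networks):
            decisions[ip] = "drop: in blocked range"
        elif ip in hot:
            decisions[ip] = f"auto-blacklist: {threshold}+ rejected REGISTERs within {window}"
        else:
            decisions[ip] = "watch"
    return decisions


if __name__ == "__main__":
    for ip, verdict in sorted(classify(LOG, BLOCKED_RANGES).items()):
        print(f"{ip:16} {verdict}")
```

The range check runs before the counter on purpose: a block on the assigned range stops the first attempt from a new address in that range, whereas the counter by design lets a few attempts through, which is exactly the window in which a weak password would be found.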