Been hacked... is my theory correct

Discussion in '3CX Phone System - General' started by smallpaul, Oct 27, 2011.

Thread Status:
Not open for further replies.
  1. smallpaul

    Joined:
    Oct 27, 2011
    Messages:
    2
    Likes Received:
    0
    Discovered yesterday that someone had "hacked" my 3CX and started to make calls. We caught it reasonably quickly, and then only racked up $150 of charges.

So, I had committed the unforgivable sin of not changing the default password for the extensions, so they easily guessed what they were! However, I had thought that I would be safe because the server is behind a NAT router, and there are no port forwarding rules set up on the router to the server. I was rather confused as to how they had managed to connect to the 3CX. My theory is that because the 3CX had talked to a STUN server, and also registered with an external VOIP provider, it had "punched" a hole in the firewall for these services, and therefore if someone managed to find the external port that the NAT router had assigned to deliver the UDP packets back to the 3CX, an external client would be able to log on to the 3CX server. Is this a correct assumption?

    I have now changed the passwords for the extensions to be a lot more secure, and also changed some of the anti-hacking settings on 3CX to blacklist an IP after 3 failed logins.... and also ticked the box on the extensions to only allow logins from the LAN. Hopefully that will stop them!

    Are there any ways of protecting at the NAT router level? As a port needs to be opened for return traffic from an external SIP provider, is there a way of only allowing this traffic, and not from anyone else? I am presuming that the NAT is a "full cone NAT", rather than restricted (address) cone NAT. The router is a Netgear DGN1000 router if that is any help!

    Thanks
    Paul
     
  2. leejor

    leejor Well-Known Member

    Joined:
    Jan 22, 2008
    Messages:
    10,868
    Likes Received:
    304
When I suggested this feature, I had hoped that the system default would have been "checked" for all extensions and only unchecked, on an as-needed basis. When I upgraded from Ver 9 to 10, I found all extensions were allowed to register remotely as the default, not good, security wise.

    Some routers are obviously better at being able to select specific IP's for forwarding, and, if you do happen to have external extensions, that use various (changing) external IP's, then it becomes extremely difficult.

    I've noticed that many hackers will give up after a while of not getting anywhere. A couple in particular will try direct SIP calls to a range of numbers in the UK using different prefixes.

Making sure that they don't "get their foot in the door" through complicated passwords, extended time-outs for failed authentications, etc., is mandatory.
     
  3. eagle2

    eagle2 Well-Known Member

    Joined:
    Apr 27, 2011
    Messages:
    1,085
    Likes Received:
    11
    What is your 3cx version ?
    If 10, you may disable registration for all extensions outside of LAN, which will improve significantly your security.
If you need external extensions, better use the 3cx tunnel (or another VPN tunnel by other means) and also keep registration from outside the LAN disabled.

    Regards
     
  4. smallpaul

    Joined:
    Oct 27, 2011
    Messages:
    2
    Likes Received:
    0
    I don't require external registration, so have turned on the register only from LAN option (am on v10).

What came as the biggest surprise was that anyone could even get to the 3CX server, as I hadn't set up any port forwarding to it etc... I guess I should have thought sooner that because the 3CX was set up to talk to STUN, and also register with a couple of VOIP providers, it would have opened up ports in the router to get traffic back to it..... I didn't, and that has cost a lot!!

    Having done some more research, the netgear router actually sent the STUN request from port 5060 on the internet side of the router, so there wasn't really any clever port scanning going on to find the server, just trying the IP address and the default port, and hey presto!

I guess this should be a warning to people! Even if you think you are safe because you are behind a NAT router, you may well not be, because if your 3CX is behind the router, and has connected to something on the internet, it is quite possible that anyone will be able to find a route to your 3CX.... so, make sure you have the security right on the software, and don't rely on your router to protect you!
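The check that follows from smallpaul's finding, as an added example that is not part of the thread and not 3CX or Netgear code: on a full-cone NAT the mapping the router created for the PBX's outbound STUN and REGISTER traffic accepts datagrams from any source, so the question "can strangers reach my PBX?" reduces to "does UDP 5060 on my public address answer SIP at all?". A SIP OPTIONS request is the standard way to ask, because any SIP user agent must answer it with some status, and even a 401 or 404 proves a SIP stack is listening. Run the script from a host outside your LAN against your public IP. The placeholder addresses in the request, the `ExamplePBX/1.0` agent string and the sample response are constructed for illustration.

```python
"""Check from OUTSIDE whether a NAT pinhole exposes a SIP stack on UDP 5060.

Added example for this thread (not 3CX's or the router's code). It sends one
SIP OPTIONS request; any "SIP/2.0 <status>" answer at all means the port is
reachable and the PBX is talking to strangers.
"""
import secrets
import socket


def build_options(target, port=5060, user="probe"):
    """Minimal RFC 3261 OPTIONS request; branch, tag and Call-ID are fresh random tokens.
    0.0.0.0 is a placeholder: with ;rport the server replies to the UDP source anyway."""
    branch = "z9hG4bK" + secrets.token_hex(8)   # RFC 3261 magic cookie + unique part
    tag = secrets.token_hex(4)
    call_id = secrets.token_hex(8) + "@" + user
    lines = [
        f"OPTIONS sip:{target}:{port} SIP/2.0",
        f"Via: SIP/2.0/UDP 0.0.0.0:5060;branch={branch};rport",
        "Max-Forwards: 70",
        f"From: <sip:{user}@0.0.0.0>;tag={tag}",
        f"To: <sip:{target}:{port}>",
        f"Call-ID: {call_id}",
        "CSeq: 1 OPTIONS",
        f"Contact: <sip:{user}@0.0.0.0:5060>",
        "Accept: application/sdp",
        "Content-Length: 0",
    ]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def parse_response(raw):
    """Return (status_code, reason, headers) or None if the bytes are not a SIP response."""
    text = raw.decode("utf-8", errors="replace")
    head, _, _ = text.partition("\r\n\r\n")          # headers only; OPTIONS answers carry no body we need
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or parts[0] != "SIP/2.0" or not parts[1].isdigit():
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return int(parts[1]), (parts[2] if len(parts) == 3 else ""), headers


def verdict(parsed):
    """Human-readable classification of a parsed (or absent) answer."""
    if parsed is None:
        return "no SIP answer: port closed, filtered, or not SIP"
    code, reason, headers = parsed
    agent = headers.get("user-agent") or headers.get("server", "unknown agent")
    return f"EXPOSED: SIP stack answered {code} {reason} ({agent})"


def probe(host, port=5060, timeout=2.0):
    """Send one OPTIONS over UDP and classify what comes back (network I/O)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_options(host, port), (host, port))
        try:
            raw, _ = sock.recvfrom(4096)
        except socket.timeout:
            return verdict(None)
    return verdict(parse_response(raw))


# Constructed sample answer: the shape a reachable PBX returns to OPTIONS.
SAMPLE_RESPONSE = (
    b"SIP/2.0 200 OK\r\n"
    b"Via: SIP/2.0/UDP 0.0.0.0:5060;branch=z9hG4bKdeadbeef;rport=40123;received=203.0.113.10\r\n"
    b"From: <sip:probe@0.0.0.0>;tag=1234\r\n"
    b"To: <sip:203.0.113.10:5060>;tag=abcd\r\n"
    b"Call-ID: cafebabe@probe\r\n"
    b"CSeq: 1 OPTIONS\r\n"
    b"User-Agent: ExamplePBX/1.0\r\n"
    b"Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REGISTER\r\n"
    b"Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]))                      # e.g. python probe.py <your public IP>
    else:
        print(verdict(parse_response(SAMPLE_RESPONSE)))  # offline demo on the constructed answer
```

If the probe reports EXPOSED while you have no forwarding rule, the router is handing the PBX's outbound pinhole to anyone, which is exactly the situation described above; the fix is on the PBX side (LAN-only registration, strong passwords) and, where the router allows it, restricting the pinhole to the provider's addresses.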
     
  5. efounco

    efounco New Member

    Joined:
    Sep 28, 2011
    Messages:
    148
    Likes Received:
    4
    Not only should you change your generated/default passwords, you should also be using a firewall that's capable of limiting incoming/outgoing connections from and to a specified IP address. This allows you to lock down all TCP traffic sent and received through a specific port/range to a single address on the WAN. I use a FreeBSD based solution called pfSense. You might check into it...
     
  6. eagle2

    eagle2 Well-Known Member

    Joined:
    Apr 27, 2011
    Messages:
    1,085
    Likes Received:
    11
Have you also enabled your Windows firewall?
If you are still experiencing problems try using a hardware firewall device, or a router with a built-in firewall in front of your 3cx. Obviously your current router is not protecting you.

    Regards
     
  7. cgallery

    Joined:
    Dec 6, 2010
    Messages:
    40
    Likes Received:
    0
    It would surprise me greatly if a hacker could use the connection your server creates to a stun server and a SIP trunker to make an incoming connection.

If that was possible, wouldn't it be just as possible to find computers that make connections via port 80 and then push a virus to them?
     
  8. eagle2

    eagle2 Well-Known Member

    Joined:
    Apr 27, 2011
    Messages:
    1,085
    Likes Received:
    11
    You should pay extreme attention to network security issues (and not only you). I recently found a very good book on the topic: Hacking Exposed (revision 6) by Stuart McClure and others. I recommend buying and reading it.

3CX PhoneSystem (Version 10) is one of the best protected IP PBXs on the market. Asterisk PBXs tend to be the most vulnerable ones; probably the international hacker attacks are mainly focused towards Asterisk. More than 50% of Asterisk installations are sooner or later hacked, at least judging by the complaints I receive. The main reason for this is lack of security or investment in such security and the fact that few developers thought about protection of their PBXs.

    Regards
     
  9. whitewhite

    Joined:
    Jul 11, 2011
    Messages:
    20
    Likes Received:
    0
    Hi,

I do agree with installing a firewall (software or hardware), as I have also experienced the hacking before.

BTW, eagle2, as you mentioned in your reply about the use of the 3cx tunnel, do you mean that if we are using the 3cx tunnel, we can check "disallow use of extension outside the LAN" and keep any registration outside the LAN disabled? I noticed that there is a new feature added on the Android app.

    White
     
  10. cgallery

    Joined:
    Dec 6, 2010
    Messages:
    40
    Likes Received:
    0
    Let's look at this rationally.

    There are four methods of hacking that I'm aware of:

    (1) Identifying security holes in software. That may, for instance, involve identifying a buffer that can be overflowed, causing unexpected (but desired by the hacker) results. Or finding back doors used by developers. There is little that we, as users, can do about this, other than report our suspicions. But quite frankly, once a security hole like this is identified, we're all wide open. This board would be flooded with complaints of system hacking, not one or two threads.

    (2) Password cracking. This isn't as easy as some people seem to think. An eight character alpha-numeric password takes about 100 years to crack, if 1,000 GPS (Guesses Per Second) are allowed. Obviously, 3CX isn't going to tolerate 1,000 GPS.

(3) Password harvesting/weak passwords. This is where I see most of the action. Some people use weak account/password combinations, like 100/password. I've done it myself, for testing purposes. Leaving it in place, however, is an invitation to hackers. Most people know not to use weak passwords these days. Not everyone, though. There was a thread here in the last few months from someone that acknowledged using a weak combination, which resulted in hackers dialing and a SIP trunker's account drained of some $$$.

    As of late, I've been seeing more password harvesting viruses. When your machine is infected, these password harvesters grab every account/password combination they can find on your machine. Email/web/ftp, etc. I would NOT be surprised if they can grab passwords from common softphone applications. The harvested password list is transmitted to the hacker. If they find you're using the same password for several applications, I wouldn't be surprised if they tried that password coming at you with extension 100 on port 5160. It would be an obvious thing to try.

Do NOT confuse #2 with #3, this is a fatal mistake. If you assume someone hacked your password via brute-force, then you will not take the proper measures to prevent this in the future. The proper measure is simply changing all important passwords when you realize your machine has been infected. This requires using a known-clean machine to change all your extension passwords, your router/rdp/telnet/email/ftp/web passwords, etc. If you get infected again, you have to change your passwords, again. There is no shortcut here. And don't use the same password for everything.

    What I've discovered on the security side of my network business boils down to this...

    I've seen a bunch of people get nailed by a harvesting virus. None of these users realize how it happened. They assume the hacker used brute-force methods or has identified a security vulnerability.

    If that were the case, however, then none of the banking sites, none of the financial sites, none of the online ordering sites, would be safe. Those sites typically simply require a login name and strong password. The security measures in place are similar to 3CX (blacklisting an IP after repeated fails).

Furthermore, these users that had the harvesting virus rarely even realize that the virus may still be on their machine. It may be running as a rootkit, undetectable by any antivirus application. The only sure-fire way to get the machine clean again is to either pull the hard drive and examine it from another Windows machine, or to wipe/reload. And if you don't know what you're looking for, then the wipe/reload is the only way to go.

Am I missing something? I suppose there are routers out there where someone can gain access to an open port and "jump in" as if they're the remote connection. But again, if that was widely possible, we'd all be doomed. Anytime someone logged into their stock broker's site, the same thing would happen. Right?
     
  11. eagle2

    eagle2 Well-Known Member

    Joined:
    Apr 27, 2011
    Messages:
    1,085
    Likes Received:
    11
Using the 3CX tunnel means using the extension inside the LAN (usually you will see an address like 127.0.0.1:some_port) in the Phones menu, which lists the addresses from which the phones have registered. This means you should keep registration of extensions outside of the LAN disallowed. The 3CX tunnel (and 3CX proxy server) generally solves only NAT issues and is not adding any security. If possible use tunnels with higher security between sites (e.g. IPsec, etc.).

    ---

Regarding the post by cgallery about possible attack ways, this seems correct, but I'm not sure this is explicit. My opinion is 3CX is protecting itself in more ways, as it analyzes attacks on layer 7 (application level). The latest threats include distributed attacks, meaning low-intensity attacks, so this is not recognized as a brute-force attack, as it comes from multiple infected computers, and also other possibilities. Search the Internet for articles on the topic.

    Regards
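Numbers for the two points made in the last two posts, as an added example that is not part of the thread and not 3CX code: cgallery's estimate of online guessing time against a password of a given class, and eagle2's observation that a "blacklist after N failures" rule stops meaning much once the guesses arrive from many addresses at once. The lockout parameters (3 failures, a 30-minute ban, 10,000 bots) are illustrative inputs chosen here, not 3CX's actual defaults, and the password classes are the ones that come up in this thread (a numeric PIN, a short lowercase or alphanumeric password, a long random one).

```python
"""How many guesses an attacker gets: brute force versus a per-IP lockout.

Added example for this thread, not 3CX code. The lockout figures passed in
below are illustrative, not 3CX's defaults.
"""
import string

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# (alphabet size, length) for the password classes mentioned in the thread.
ALPHABETS = {
    "4-digit PIN":       (len(string.digits), 4),                                                  # 10^4
    "8 lowercase":       (len(string.ascii_lowercase), 8),                                         # 26^8
    "8 alphanumeric":    (len(string.ascii_letters + string.digits), 8),                           # 62^8
    "16 full printable": (len(string.ascii_letters + string.digits + string.punctuation), 16),     # 94^16
}


def keyspace(alphabet_size, length):
    """Number of candidate passwords of exactly `length` symbols from an alphabet of `alphabet_size`."""
    return alphabet_size ** length


def expected_seconds(alphabet_size, length, guesses_per_second):
    """Mean time to hit the right password: on average half the keyspace is searched."""
    return keyspace(alphabet_size, length) / 2 / guesses_per_second


def throttled_rate(fails_before_ban, ban_seconds, sources=1):
    """Aggregate guess rate when each of `sources` addresses stops just under the
    lockout threshold, waits out a temporary ban and tries again. The ban only
    caps the per-address rate; a botnet multiplies it back up."""
    return sources * fails_before_ban / ban_seconds


def permanent_ban_budget(fails_before_ban, sources):
    """Total guesses ever available when a ban is permanent: each address is good
    for `fails_before_ban` tries and is then gone for good."""
    return sources * fails_before_ban


def survives(alphabet_size, length, guess_budget):
    """True if even a full sweep of the keyspace exceeds the attacker's guess budget."""
    return keyspace(alphabet_size, length) > guess_budget


def crack_years(guesses_per_second):
    """Expected crack time in years for every class in ALPHABETS at one guess rate."""
    return {name: expected_seconds(a, n, guesses_per_second) / SECONDS_PER_YEAR
            for name, (a, n) in ALPHABETS.items()}


if __name__ == "__main__":
    scenarios = [
        (1000, "unthrottled, 1000 guesses/s"),
        (throttled_rate(3, 1800), "one IP, 3 fails then a 30 min ban"),
        (throttled_rate(3, 1800, 10_000), "10,000 bots, same ban, each staying under it"),
    ]
    for rate, label in scenarios:
        print(label)
        for name, years in crack_years(rate).items():
            print(f"  {name:18} {years:12.3g} years")
    budget = permanent_ban_budget(3, 10_000)
    print(f"permanent ban, 10,000 bots: {budget} guesses in total")
    for name, (a, n) in ALPHABETS.items():
        print(f"  {name:18} {'survives' if survives(a, n, budget) else 'falls'}")
```

The point the table makes is the one both posts circle around: the lockout is what makes the single-IP brute force hopeless, but ten thousand addresses each making three attempts is thirty thousand guesses, enough to sweep every 4-digit PIN and every default-style password while never tripping the per-IP rule. Only the size of the password itself decides the long-password rows.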
     
  12. haywardi

    Joined:
    Feb 27, 2011
    Messages:
    83
    Likes Received:
    0
I can't comment on the author's theory.

    However, in the last week I have noticed that the attacks have become a DAILY occurrence. SO FAR no one has actually penetrated my PBX.

    The first wave of attacks was to register phones to my system, but right from the start I had strong passwords and now I have remote registrations switched off. However, the current attacks appear to be aimed at making SIP calls.

Not sure how this second approach works but I keep getting entries in my log file as follows:

    [CM500002] Unidentified incoming call. Review INVITE and adjust source identification.......

    There are IP addresses included in the full message and I would like to blacklist the IP sending the request. However, how do I know the IP to block?

    Thanks in advance
    Iain
     
  13. eagle2

    eagle2 Well-Known Member

    Joined:
    Apr 27, 2011
    Messages:
    1,085
    Likes Received:
    11
    You may include all strange addresses into the black-list of 3CX.
    Make sure this is not including your VoIP provider addresses and also known remote extensions.

    You may check the location of a suspicious IP address by performing IP lookup in sites like: http://whatismyip.com, etc.

    Regards
     
  14. leejor

    leejor Well-Known Member

    Joined:
    Jan 22, 2008
    Messages:
    10,868
    Likes Received:
    304
    A while ago I found that hackers were trying (probing) to make direct SIP calls to various international numbers using different prefixes...9011, +011, +00, 900, etc. They would do about 10 or so in a row then give up for a day or two, all came from the same IP (one IP each set), which could be put on the blacklist. Lately, each one, in the sequence, is coming from a completely different IP.
     
  15. eagle2

    eagle2 Well-Known Member

    Joined:
    Apr 27, 2011
    Messages:
    1,085
    Likes Received:
    11
    Hi Leejor,

maybe sharing some comments on hacker strategies will be useful to prevent attacks.


Some sources on network security describe new hacker tactics like distributed attacks. These attacks may be carried out by many infected computers (so-called bots) all over the world. The aim is for the attack not to be recognized as a brute-force or denial-of-service one, or as coming from one specific address or region (e.g. China). Some computers search for open ports (not only SIP 5060), others try to crack passwords (dictionary attacks, etc.). The strategy is that you do not notice the traffic, if you are not performing detailed analysis.

    My suggestion is you should always try to analyze the type of attack (when reported by 3cx) and to block permanently not only the address which the attack came from, but the whole network (/24 or even /16 mask). I also apply this blacklist to all 3CX installations (customers) I have (once it happened somewhere, it will come to other locations just in few days from the same or close IP addresses).

Observing different dialing patterns generally means you are already hacked (for the PBX to be able to log this) or that there are attempts at direct SIP calls to external destinations (like bridge operation).

A good strategy is to create a white-list (permitted access-list in your router) for your VoIP provider(s) -- a few permanent addresses -- and to prohibit registration of external extensions. If this is necessary -- always use a tunnel (with the highest affordable security level) or, if you know the address of the remote extension is permanent -- add it to the white-list in the router.

    Regards
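One way to turn the log entries haywardi quotes in post 12 into the per-network block list this post recommends, and to render the allow-list-first router rules from posts 5 and 15. This is an added example, not 3CX, pfSense or Netgear code. The thread quotes only the "[CM500002] Unidentified incoming call" prefix and says the full message carries the sending IP, so the timestamp, the SIP headers and the non-attack line in `SAMPLE_LOG` are constructed; adapt the markers and regex to what your own 3CX log actually prints. The provider range and LAN range in `ALLOW_LIST`, and the `$ext_if` and `$pbx` macro names in the rendered pf rules, are assumptions as well.

```python
"""Triage "[CM500002] Unidentified incoming call" log lines into block-list
candidates per /24 (or /16) and render them as pf rules.

Added example for this thread, not 3CX or pfSense code. SAMPLE_LOG is
constructed: only the bracketed code and the message text are quoted from the
thread; timestamps and SIP headers are assumed.
"""
import ipaddress
import re
from collections import Counter

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
ATTACK_MARKERS = ("[CM500002]",)        # add other codes you see in your own log

# Assumed: the VoIP provider's signalling range and the LAN the PBX sits on.
# Sources inside these never go on the block list (the warning in post 13).
ALLOW_LIST = ("198.51.100.0/24", "192.168.0.0/16")

SAMPLE_LOG = """\
10/28/2011 03:14:22.101 [CM500002] Unidentified incoming call. Review INVITE and adjust source identification. From: <sip:100@203.0.113.45>;tag=5f3a Via: SIP/2.0/UDP 203.0.113.45:5060
10/28/2011 03:14:23.410 [CM500002] Unidentified incoming call. Review INVITE and adjust source identification. From: <sip:9011442079460000@203.0.113.45>;tag=5f3b Via: SIP/2.0/UDP 203.0.113.45:5060
10/28/2011 03:14:24.002 [CM500002] Unidentified incoming call. Review INVITE and adjust source identification. From: <sip:00442079460000@203.0.113.77>;tag=91c0 Via: SIP/2.0/UDP 203.0.113.77:5062
10/28/2011 03:15:01.555 Trunk registration to 198.51.100.9 succeeded
10/28/2011 03:16:40.900 [CM500002] Unidentified incoming call. Review INVITE and adjust source identification. From: <sip:101@192.0.2.200>;tag=0a0a Via: SIP/2.0/UDP 192.0.2.200:5060
10/28/2011 03:17:02.120 [CM500002] Unidentified incoming call. Review INVITE and adjust source identification. From: <sip:102@198.51.100.9>;tag=77de Via: SIP/2.0/UDP 198.51.100.9:5060
10/28/2011 03:17:09.333 [CM500002] Unidentified incoming call. Review INVITE and adjust source identification. From: <sip:103@203.0.113.45>;tag=5f3c Via: SIP/2.0/UDP 203.0.113.45:5060
"""


def source_ips(line):
    """Distinct IPv4 literals in one log line, in order of appearance."""
    seen = []
    for ip in IPV4.findall(line):
        if ip not in seen:
            seen.append(ip)
    return seen


def triage(log_text, allow_list=ALLOW_LIST, prefix=24):
    """Count attack lines per /prefix network, skipping allow-listed sources.

    Returns ([(cidr, hits), ...] ranked by hits, set of distinct source IPs).
    Aggregating to /24 (or /16) follows the advice above to block the
    neighbourhood, since the next attempt tends to come from next door.
    """
    allowed = [ipaddress.ip_network(n, strict=False) for n in allow_list]
    hits = Counter()
    sources = set()
    for line in log_text.splitlines():
        if not any(marker in line for marker in ATTACK_MARKERS):
            continue
        nets = set()
        for ip in source_ips(line):
            addr = ipaddress.ip_address(ip)
            if any(addr in net for net in allowed):
                continue
            sources.add(ip)
            nets.add(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))
        for net in nets:            # one hit per line per network, even if the IP appears twice
            hits[net] += 1
    ranked = sorted(hits.items(), key=lambda kv: (-kv[1], kv[0].network_address))
    return [(str(net), n) for net, n in ranked], sources


def pf_rules(candidates, providers=ALLOW_LIST[:1], ext_if="$ext_if", pbx="$pbx"):
    """Render allow-list-first pf rules for UDP 5060 (pfSense runs pf underneath).
    Macro names are assumptions; providers defaults to the provider range only."""
    blocked = ", ".join(cidr for cidr, _ in candidates)
    allowed = ", ".join(providers)
    return "\n".join([
        f"table <sip_providers> persist {{ {allowed} }}",
        f"table <sip_block> persist {{ {blocked} }}",
        f"block drop in quick on {ext_if} proto udp from <sip_block> to any port 5060",
        f"pass in quick on {ext_if} proto udp from <sip_providers> to {pbx} port 5060",
        f"block drop in on {ext_if} proto udp from any to {pbx} port 5060",
    ])


if __name__ == "__main__":
    cands, srcs = triage(SAMPLE_LOG)
    for cidr, n in cands:
        print(f"{cidr:18} {n} attack line(s)")
    print(f"{len(srcs)} distinct source address(es)")
    print(pf_rules(cands))
```

The explicit `<sip_block>` table is belt and braces: the final rule already drops everything to 5060 that the provider pass rule did not admit. The part that answers the original question in this thread is the firewall's state table rather than these rules: pf matches a reply to the state created by the PBX's own outbound packet, including the remote address, so a pinhole opened by a REGISTER to the provider only admits the provider, which is what the consumer router described at the top of the thread evidently did not do. RTP needs its own pass rules from the same provider table.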
     
  16. leejor

    leejor Well-Known Member

    Joined:
    Jan 22, 2008
    Messages:
    10,868
    Likes Received:
    304
So far (knock on wood), they haven't been able to get anywhere on my system. I have been blocking a range of IP's in the past, but now that each individual direct SIP call attempt, in the group of 10 or so that show up at one time, is different, that sort of goes out the window. There is absolutely no commonality in the IP addresses.
I do use a remote extension that can register from various IP's so blocking all but my providers is not going to work for me. All other extensions do not allow remote registration and my passwords are very secure. I also disable the fax server as I don't use it. I recall seeing someone report having a hack using the fax server number, not sure if that is still an issue or not.
    I have been forcing my public IP to change by altering the MAC of my router, otherwise I end up keeping the same one for half a year or more. That stops the attempts for about a month. They obviously "probe" public IP's in some sort of sequence probably looking for some sort of response on port 5060.
     
  17. SY

    SY Well-Known Member
    3CX Support

    Joined:
    Jan 26, 2007
    Messages:
    1,825
    Likes Received:
    2
    First step is to block regions on the firewall (better to ask ISP to do it).
    Next step is to ask ISP to investigate activity of the hosts which are located in the trusted regions.
    It will make two right things:
    1. Owner of the host which is used as a "zombie" will be notified about problem.
    2. The real "clowns", who try to get pastime by shattering peace and quiet of other people, will be able to get a better "pastime" by speaking with competent persons.
     
  18. leejor

    leejor Well-Known Member

    Joined:
    Jan 22, 2008
    Messages:
    10,868
    Likes Received:
    304
    Trying to get your ISP to help out with something like this is all well and good if you are a large business customer. If you spend a lot of money with your ISP each month, then they probably want to keep your business and will generally go out of their way to try to solve this issue, especially if you have a fixed public IP. However, if you are a very small business user, or a residential customer, then you are probably on your own as far as the firewall/security goes.
     
  19. SY

    SY Well-Known Member
    3CX Support

    Joined:
    Jan 26, 2007
    Messages:
    1,825
    Likes Received:
    2
    If ISP does not provide service, then try to search for another service provider.
    "Greediness" and "Absence" is out of the scope...

My suggestions are fairly clear, aren't they? ;)
     
  20. haywardi

    Joined:
    Feb 27, 2011
    Messages:
    83
    Likes Received:
    0
I used to check every hack attempt to find out where it was coming from. I don't really bother now as the attacks are too frequent to check each one in turn.

However, people seem to assume that systems have been taken over by some virus/bot or whatever and I'm not dissing this theory.

    But when I checked EACH AND EVERY ATTACK came from either a hosting company (server farm) or a cloud company!

Now this makes sense to me because of the bandwidth these companies must have to run their business and that they are very cheap compared to setting up your own infrastructure which may be confiscated!

    A little bit of research later and I also discovered one hosting company hosted a site called EliteCrystalHackers! This speaks volumes to me....

    I also tried reporting this as a crime - Police E-crime unit in London (if someone stood outside your front door with a bunch of keys trying each one in turn to get in, wouldn't you call the police?). What a waste of time that was, given a crime number and NO follow up.

    In summary, yes 3CX please keep helping us defend against hackers with as many tools as possible. Perhaps the next step could involve no response on port 5060 until an extension successfully registers. The port will then just appear as a dead port when scanned and the hacker will move on!
    Iain
     