
Fax (888) used by hackers

Discussion in '3CX Phone System - General' started by Ben C, Mar 4, 2016.

Thread Status:
Not open for further replies.
  1. Ben C

    Joined:
    Oct 14, 2014
    Messages:
    71
    Likes Received:
    0
    Hi
    My 3CX system (V14 SP3) got hacked and calls were made on behalf of "Fax (888)". Even though I have 'Outbound Rules' to block some area codes and country codes, still hackers were able to bypass it.

    This is the first time for me and I would like to hear your experience or advice on how to make sure this doesn't happen again.

    How can I find out the way the system was hacked...

    Thank you
    Ben
     
  2. CentrexJ

    CentrexJ Member

    Joined:
    May 5, 2009
    Messages:
    458
    Likes Received:
    75
    Really old versions of 3CX had the FAX extension 888 with a password of 888. Check under "FAX" "888" that the password is a good password. I believe when upgrading 3CX from the older version the upgrade process was putting in better passwords but always best to check.
     
  3. leejor

    leejor Well-Known Member

    Joined:
    Jan 22, 2008
    Messages:
    11,119
    Likes Received:
    330
    It would be interesting to see the 3CX log of one of these calls to determine how they did it. Did they actually register as a valid extension?
     
  4. NickD_3CX

    NickD_3CX Support Team
    Staff Member 3CX Support

    Joined:
    Jun 2, 2014
    Messages:
    1,380
    Likes Received:
    84
    Lifeline is correct, on clean installs of V11 and V12 (up to SP3 I think) systems, the default SIP password for ext 888 was indeed 888, so if you backed up from one of those versions and restored on newer versions the password was maintained.

    On clean installs though of newer versions, the password is not also random in the same manner as the normal extension passwords are.
     
  5. Ben C

    Joined:
    Oct 14, 2014
    Messages:
    71
    Likes Received:
    0
    Thank you for the replies.
    I did a fresh install of v14 but restored from v12.
    Indeed extension 888 had 888 as 'Auth. ID' and a blank password. I changed both of them and no more registration as 888. I feel embarrassed for not doing this before but I didn't think this could be a weak point of the system. Is there any other system extension that can be used as a backdoor?
    I even stopped the 'Fax Service' as we don't use it. Does stopping the 'Fax service' prevent 888 from registering?

    I see attempts to register as extension 999, is that possible? 999 by default is used for connecting to mailbox, is it possible to register as a normal extension?

    Thank you
     
  6. NickD_3CX

    NickD_3CX Support Team
    Staff Member 3CX Support

    Joined:
    Jun 2, 2014
    Messages:
    1,380
    Likes Received:
    84
    I think stopping the FAX Service does not block someone from registering to the FAX Extension, but now that you have randomized the password you should be safe.

    As for other extensions, you cannot register against anything else apart from normal extensions and FAX extensions, so any attempts to register against the VMail extension will have no effect.
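
The weakness found in this thread (extension 888 carried over from an older backup with 'Auth. ID' 888 and a blank or 888 password) can be checked for on every extension, not only the fax one. The script below is an added example, not part of the thread and not 3CX code; the CSV layout, its column names and the length threshold are assumptions made for the illustration.

```python
import csv
import io

# Constructed sample export; the column names are assumptions for this example,
# not a 3CX export format.
SAMPLE_CSV = """extension,type,auth_id,auth_password
100,user,aX9kQ2mfT7,Jw4nB8rLs2Zc
101,user,101,101
888,fax,888,
889,fax,fx7Gh2Lq9P,888
"""

MIN_LENGTH = 10  # assumed local policy, not a 3CX requirement


def audit_extension(row):
    """Return the list of weak-credential findings for one extension row."""
    ext = row["extension"].strip()
    auth_id = row["auth_id"].strip()
    password = row["auth_password"].strip()
    findings = []
    if auth_id == ext:
        findings.append("auth ID equals extension number")
    if not password:
        findings.append("blank password")
    elif password in (ext, auth_id):
        findings.append("password equals extension number or auth ID")
    elif password.isdigit():
        findings.append("numeric-only password")
    elif len(password) < MIN_LENGTH:
        findings.append("password shorter than %d characters" % MIN_LENGTH)
    return findings


def audit_csv(text):
    """Map extension number -> findings, for rows with at least one finding."""
    report = {}
    for row in csv.DictReader(io.StringIO(text)):
        findings = audit_extension(row)
        if findings:
            report[row["extension"].strip()] = findings
    return report


if __name__ == "__main__":
    for ext, findings in audit_csv(SAMPLE_CSV).items():
        print(ext, "; ".join(findings))
```

Running it after any restore from an older backup flags fax and user extensions alike, since the restore keeps whatever credentials the backup held.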
     