
Fax (888) used from hackers

Status
Not open for further replies.

Ben C

Hi
My 3CX system (V14 SP3) got hacked and calls were made on behalf of "Fax (888)". Even though I have 'Outbound Rules' to block some area codes and country codes, still hackers were able to bypass it.

This is the first time for me and I would like to hear your experience or advice on how to make sure this doesn't happen again.

How can I find out the way the system was hacked...

Thank you
Ben
 
Really old versions of 3CX had the FAX extension 888 with a password of 888. Check under "FAX" "888" that the password is a good password. I believe when upgrading 3CX from the older version the upgrade process was putting in better passwords but always best to check.
 
It would be interesting to see the 3CX log of one of these calls to determine how they did it. Did they actually register as a valid extension?
 
lifeline said:
Really old versions of 3CX had the FAX extension 888 with a password of 888. Check under "FAX" "888" that the password is a good password. I believe when upgrading 3CX from the older version the upgrade process was putting in better passwords but always best to check.

Lifeline is correct, on clean installs of V11 and V12 (up to SP3 I think) systems, the default SIP password for ext 888 was indeed 888, so if you backed up from one of those versions and restored on newer versions the password was maintained.

On clean installs though of newer versions, the password is now also random in the same manner as the normal extension passwords are.
 
Thank you for the replies.
I did a fresh install of v14 but restored from v12.
Indeed extension 888 had 888 as 'Auth. ID' and blank password. I changed both of them and no more registration as 888. I feel embarrassed for not doing this before but I didn't think this could be a weak point of the system. Is there any other system extension that can be used as a backdoor?
I even stopped the 'Fax Service' as we don't use it. Does stopping the 'Fax service' prevent 888 from registering?

I see attempts to register as extension 999, is that possible? 999 by default is used for connecting to mailbox, is it possible to register as a normal extension?

Thank you
 
I think stopping the FAX Service does not block someone from registering to the FAX Extension, but now that you have randomized the password you should be safe.

As for other extensions, you cannot register against anything else apart from normal extensions and FAX extensions, so any attempts to register against the VMail extension will have no effect.
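
The check discussed in this thread (a registrable extension whose Auth ID equals its number and whose password is blank or guessable, carried over by a backup restore) can be run across every extension after a restore. The following is an added example, not part of the original thread and not 3CX code; the CSV layout, column names and minimum length are assumptions, and the sample rows are constructed.

```python
import csv
import io

# Constructed sample export; the column names are hypothetical, not a 3CX format.
SAMPLE_EXPORT = """number,type,auth_id,auth_password
100,user,kq7Tz2Lw9x,Vr8pX3mQ1s
101,user,101,101
888,fax,888,
999,voicemail,999,
"""

# Per the thread: only normal and FAX extensions accept registrations.
REGISTRABLE_TYPES = {"user", "fax"}
MIN_PASSWORD_LEN = 10  # assumed policy threshold


def audit_extensions(export_text):
    """Return {extension number: [findings]} for registrable extensions."""
    findings = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["type"] not in REGISTRABLE_TYPES:
            continue  # e.g. the voicemail extension cannot be registered against
        number = row["number"]
        auth_id = row["auth_id"]
        password = row["auth_password"]
        issues = []
        if auth_id == number:
            issues.append("auth ID equals extension number")
        if not password:
            issues.append("blank password")
        elif password in (number, auth_id):
            issues.append("password equals extension number or auth ID")
        elif len(password) < MIN_PASSWORD_LEN:
            issues.append("password shorter than policy minimum")
        if issues:
            findings[number] = issues
    return findings


if __name__ == "__main__":
    for ext, issues in audit_extensions(SAMPLE_EXPORT).items():
        print(ext, "; ".join(issues))
```
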
 