Hacked ! ** NOTE: ALWAYS UPGRADE TO LATEST SP ASAP

Discussion in '3CX Phone System - General' started by Ricambi America, Jun 30, 2010.

Thread Status:
Not open for further replies.
  1. Ricambi America

    Joined:
    Nov 10, 2007
    Messages:
    61
    Likes Received:
    0
    This morning, I noticed that the BLF lamp for my extension was illuminated at multiple phones throughout the office today -- but I certainly wasn't on the phone. I rebooted my phone, but the lights on the other phones never went off. I rebooted our proxy server, but the lights never went off.

    Then, I went into the admin console and saw 4 outgoing calls, all from my extension. What the heck? I restarted all 3CX services. Within 30 seconds of the services restarting, the multiple calls began again. About this time, my partner got a call on another line that he transferred immediately to me. It was our SIP provider Vonage. They noted that our account was likely being hacked and we had (in the space of 1 hour) run up charges of nearly $100 to Nigeria, the Central African Republic, and Guatemala.

    We sell Ferrari, Maserati, and Lamborghini parts around the world -- but I know we have hardly any customers in those countries -- so clearly, something was whacked. As the Vonage rep said, it was clearly a hack into 3CX and the perp was using a softphone to mimic my extension and place the fraudulent calls. Immediately, I stopped all 3CX services and changed the passwords for each of our registered extensions. I then changed the password for the whole 3CX admin console. When services restarted, the calls were gone -- and have not reappeared.

    Moral of the story? CHANGE PASSWORDS, and don't use a password that is the same as the extension number. (Oh, the other moral of the story? Vonage customer service waived all charges and absolutely gets a HUGE thumbs up in my opinion for catching it so quickly and proactively calling us).
     
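A defender-side check, added here as an example and not taken from the thread, from 3CX or from Vonage: it scans a constructed list of call records for the two signs the post describes, several simultaneous outbound calls from one extension and destinations outside the country codes the business expects to dial. The record layout, the sample numbers and the allowed prefixes are assumptions, not 3CX's CDR format.

```python
# Added example (not from the thread or 3CX): flag toll-fraud indicators in a
# constructed call-record list: several overlapping outbound calls from one
# extension, and calls to destinations outside an allow-list of country codes.
from collections import defaultdict
from datetime import datetime

# Constructed sample records (start,end,extension,destination); the layout is
# illustrative and is not 3CX's CDR format. Destinations are fictitious.
SAMPLE_CDR = """\
2010-06-30T08:01:10,2010-06-30T08:14:02,101,+12125550100
2010-06-30T08:02:30,2010-06-30T08:20:11,101,+2348012345678
2010-06-30T08:02:45,2010-06-30T08:19:50,101,+2362112345
2010-06-30T08:03:05,2010-06-30T08:25:40,101,+50255512345
2010-06-30T08:05:00,2010-06-30T08:06:30,102,+14155550123
"""

# Assumed allow-list: E.164 country codes this business normally dials.
ALLOWED_PREFIXES = ("+1",)

def parse_cdr(text):
    """Parse the constructed CSV layout into (start, end, extension, destination) tuples."""
    rows = []
    for line in text.strip().splitlines():
        start, end, ext, dest = line.split(",")
        rows.append((datetime.fromisoformat(start), datetime.fromisoformat(end), ext, dest))
    return rows

def unexpected_destinations(rows, allowed=ALLOWED_PREFIXES):
    """Return (extension, destination) pairs for calls to prefixes outside the allow-list."""
    return [(ext, dest) for _, _, ext, dest in rows if not dest.startswith(allowed)]

def max_concurrent_calls(rows):
    """Return {extension: peak number of overlapping outbound calls}."""
    events = defaultdict(list)
    for start, end, ext, _ in rows:
        events[ext].append((start, 1))
        events[ext].append((end, -1))
    peaks = {}
    for ext, evs in events.items():
        active = peak = 0
        for _, delta in sorted(evs):  # at equal timestamps an end (-1) sorts before a start (+1)
            active += delta
            peak = max(peak, active)
        peaks[ext] = peak
    return peaks

def suspicious_extensions(rows, concurrency_limit=2):
    """Extensions that exceed the concurrency limit or dial prefixes outside the allow-list."""
    flagged = {ext for ext, peak in max_concurrent_calls(rows).items() if peak > concurrency_limit}
    flagged |= {ext for ext, _ in unexpected_destinations(rows)}
    return sorted(flagged)
```

Running `suspicious_extensions(parse_cdr(SAMPLE_CDR))` flags extension 101 (four overlapping calls, three of them to prefixes outside the allow-list) and leaves 102 alone.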
  2. carolinainnovative

    Joined:
    May 4, 2009
    Messages:
    369
    Likes Received:
    6
    Re: Hacked !

    Yet another cautionary tale...

    That makes - three this week?

    3cx - please make extension sip creds NOT DEFAULT TO EXTENSION FOR USERNAME AND PASSWORD - or at the very least - BY DEFAULT generate a secure password. I suggested a button to do this - but perhaps it would be best just to - by default - generate a long, random password unique to the extension - or at least make this an option we can turn on/off.

    For you, my friend - some other suggestions -

    1) Good outbound rules to restrict int'l dialing to certain extensions or perhaps certain countries to where you do ship parts
    2) Good firewall rules to restrict 5060 & RTP to specific IP blocks
    3) If you are using remote extensions, consider using 3cx Tunnel (NOT ideal, I know)

    Good luck!
     
  3. Ricambi America

    Joined:
    Nov 10, 2007
    Messages:
    61
    Likes Received:
    0
    Re: Hacked !

    How many digits can the password be? All numeric, I presume?
     
  4. carolinainnovative

    Joined:
    May 4, 2009
    Messages:
    369
    Likes Received:
    6
    Re: Hacked !

    SIP passwords in 3cx can be anything - numeric, caps, symbols, etc. The only one I can think of that is restricted to digits is the mailbox PIN. I do not know what length restriction it puts on it, but my exts have 10-character passwords and it takes them fine.
     
  5. leejor

    leejor Well-Known Member

    Joined:
    Jan 22, 2008
    Messages:
    11,129
    Likes Received:
    330
    Re: Hacked !

    Maybe there needs to be an option, when creating an extension, a tick box, that states "Allow this extension to register from outside the local LAN". Then disallow any and all extensions without this "ticked" from registering when not on the local LAN. You should also be forced to use something other than the extension number as a password, even if it is just a combination of a common word plus the extension number.

    I have added this to the Feature Request http://3cx.ideascale.com/ site so you can vote for it.
     
  6. SY

    SY Well-Known Member
    3CX Support

    Joined:
    Jan 26, 2007
    Messages:
    1,825
    Likes Received:
    2
    Re: Hacked !

    The strangest thing is that this problem has been posted three times in all, and it all happened during the last week...
    It is a very interesting correlation...
     
  7. leejor

    leejor Well-Known Member

    Joined:
    Jan 22, 2008
    Messages:
    11,129
    Likes Received:
    330
    Re: Hacked !

    Perhaps someone has recently discovered this forum and some of the 3CX log posts.
     
  8. jwnesbitt

    Joined:
    Sep 19, 2009
    Messages:
    48
    Likes Received:
    0
    Re: Hacked !

    Mine has just been hacked as well

    Luckily, I guess, I was on a prepay account, and only had 13 EUR credit left on my account.
     
  9. KerryG

    KerryG Active Member

    Joined:
    Jun 19, 2009
    Messages:
    960
    Likes Received:
    0
    Re: Hacked !

    People have to take this stuff seriously. When that red box appears over your passwords to tell you that it isn't a good password, believe it. NEVER use the extension as the password; you are asking for trouble. Some good simple suggestions include:

    - The user's email address (easy to remember, no script is going to figure that out)
    - The MAC address of the phone itself (would be nice if the provisioning tool could do this automatically)
    - The DID number for that extension
    - The extension number repeated with some break character (e.g. 100@100@100@100)

    These attacks are very very simple SIP attack scripts and are not running any kind of brute-force password cracking; they simply try the extension number as the password and sometimes a few common things like 00000 or 12345. There are SO MANY vulnerable systems out there (virtually every Asterisk-based system allows the extension number as the password too) that there is no need for the scripts to be very powerful, so it actually takes very little for them to skip you and move to an easier target.
     
  10. abc123

    abc123 Active Member

    Joined:
    Nov 9, 2009
    Messages:
    712
    Likes Received:
    1
    Re: Hacked !

    I agree with Kerry on this.

    We make sure our passwords are strong but there is nothing stopping the user changing them to a weak one again.

    I have put in a feature request to have a password policy option in the settings. Please vote here http://3cx.ideascale.com/a/dtd/Strong-password-enforcement-policy-option/74660-9854 so it will get implemented
     
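The password policy abc123 asks for, and the "generate a long, random password" default carolinainnovative suggests, written out as an added example; this is not 3CX's code, and the rules, thresholds and guess list are assumptions drawn from what the thread says simple scanners try (the extension number, 00000, 12345).

```python
# Added example (not 3CX's code): a strength policy for SIP extension passwords
# plus a random generator that satisfies it. Thresholds and lists are assumptions.
import re
import secrets
import string

# Values the thread says simple SIP scanners try besides the extension number,
# extended with a few similar defaults (assumed).
COMMON_GUESSES = {"00000", "12345", "0000", "1234", "123456", "password"}
MIN_LENGTH = 10
ALPHABET = string.ascii_letters + string.digits + "!#$%*+-_@"

def check_sip_password(extension, password):
    """Return the list of policy violations; an empty list means the password is acceptable."""
    findings = []
    if password == extension:
        findings.append("password equals extension number")
    if password in COMMON_GUESSES:
        findings.append("password is a common default")
    if len(password) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    if password.isdigit():
        findings.append("digits only")
    if re.fullmatch(r"(.)\1*", password):
        findings.append("single repeated character")
    return findings

def audit_extensions(credentials):
    """credentials: {extension: sip_password}. Returns {extension: findings} for weak entries only."""
    return {ext: f for ext, pw in credentials.items() if (f := check_sip_password(ext, pw))}

def generate_sip_password(length=16):
    """Random password from ALPHABET that passes the policy (re-draws the rare all-digit result)."""
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not check_sip_password("", candidate):
            return candidate

# Constructed sample credentials, not real ones; "100@100@100@100" is the
# break-character pattern suggested earlier in the thread.
SAMPLE = {
    "100": "100",
    "101": "12345",
    "102": "100@100@100@100",
    "103": "Xk7#pQ2m!vL9",
}
```

`audit_extensions(SAMPLE)` reports only extensions 100 and 101; the two longer mixed-character passwords pass.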
  11. LeonidasG

    LeonidasG Support Team
    Staff Member 3CX Support

    Joined:
    Nov 19, 2008
    Messages:
    1,559
    Likes Received:
    118
    Re: Hacked !

    We've added a special section in the PBX just for cases like this.

    In the Settings > Advanced > Anti-Hacking section.
    It would be best if each user tailored these settings depending on how madly secure he wants his system.
     
  12. abc123

    abc123 Active Member

    Joined:
    Nov 9, 2009
    Messages:
    712
    Likes Received:
    1
    Re: Hacked !


    There have been a lot of cases lately where extensions have been hacked and the anti-hacking won't prevent it because the passwords are the default - e.g. 100 for ext 100. While we change ours, users can put them back to anything and lots of them will change them to their (easy to remember) ext #. We have no way to enforce a password strength policy in 3cx and this is needed.

    It is all well and good having an anti hack measure, but that is based on failures and not strength of policy to begin with.
     
  13. StefanW

    StefanW Head of Customer Support and Training
    Staff Member 3CX Support

    Joined:
    Jun 2, 2009
    Messages:
    1,222
    Likes Received:
    93
    Re: Hacked !

    Where can you set the password of our ext in the MyPhone?

    You can change the PIN; well, when the user just puts 100 there because he is lazy, ask him to rec. his credit card details as a Vbox message. A bit of common sense always helps. Well, back to the normal world we live in.

    Yes, there are users like this, and an admin cannot run behind this and check every day.
    Have you seen this: http://www.3cx.com/forums/forum-locked-use-new-feature-request-system-16362.html
    Place it and Vote for it
     
  14. LeonidasG

    LeonidasG Support Team
    Staff Member 3CX Support

    Joined:
    Nov 19, 2008
    Messages:
    1,559
    Likes Received:
    118
    Re: Hacked !

    Well we are open to suggestions regarding default password security.

    You can discuss them here and make a final post here: http://3cx.ideascale.com/
     
  15. abc123

    abc123 Active Member

    Joined:
    Nov 9, 2009
    Messages:
    712
    Likes Received:
    1
    Re: Hacked !

    Hi Guys.

    Stefan: You can change the password now as there is an option in 3cx to show the Sip Authentication tab in Myphone.

    Leonidas: I have put that feature request in - my earlier post in this thread had the link.

    Thanks for your great work for a great product!
     
  16. Geeg

    Joined:
    Jul 30, 2010
    Messages:
    5
    Likes Received:
    0
    Re: Hacked !

    Yup, change the passwords.

    I just set my 3cx up and only had it online for testing and someone hacked it and used all my prepay. I noticed it only because my account was set to automatically charge my card when it got low, lost about 12USD, guess it was a small price to pay.
     
  17. leejor

    leejor Well-Known Member

    Joined:
    Jan 22, 2008
    Messages:
    11,129
    Likes Received:
    330
    Re: Hacked !

    I have also put a suggestion in to restrict "outside" registration of extensions. http://3cx.ideascale.com/a/dtd/Allow-extension-to--register-remotely--option/74877-9854
     
  18. ZenMasta

    ZenMasta New Member

    Joined:
    Mar 10, 2010
    Messages:
    174
    Likes Received:
    0
    Re: Hacked !

    I understand that you need a password to authenticate your phone to the server (or something to that effect). But once you authenticate why would a user need to know the password?

    Seems like if the phones are configured by an admin/it person once the phone is provisioned, why would they need the password?
     
  19. abc123

    abc123 Active Member

    Joined:
    Nov 9, 2009
    Messages:
    712
    Likes Received:
    1
    Re: Hacked !

    In which case, why would 3cx put that ability in the system? Because everyone works and uses the system differently. The option is available for users to change the password and so if you provide the option we should also provide the policy enforcement.
     
  20. bmcosier

    Joined:
    Sep 4, 2010
    Messages:
    4
    Likes Received:
    0
    Re: Hacked !

    Just been hacked over the last few days - have updated to new security patch V9 SP2. Watch out - check your passwords are secure as there may be someone out there targeting you.

    Ben
     