
Hacked ! ** NOTE: ALWAYS UPGRADE TO LATEST SP ASAP

Ricambi America
This morning, I noticed that the BLF lamp for my extension was illuminated at multiple phones throughout the office today -- but I certainly wasn't on the phone. I rebooted my phone, but the lights on the other phones never went off. I rebooted our proxy server, but the lights never went off.

Then, I went into the admin console and saw 4 outgoing calls, all from my extension. What the heck? I restarted all 3CX services. Within 30 seconds of the services restarting, the multiple calls began again. About this time, my partner got a call on another line that he transferred immediately to me. It was our SIP provider Vonage. They noted that our account was likely being hacked and we had (in the space of 1 hour) run up charges of nearly $100 to Nigeria, the Central African Republic, and Guatemala.

We sell Ferrari, Maserati, and Lamborghini parts around the world -- but I know we have hardly any customers in those countries -- so clearly, something was whacked. As the Vonage rep said, it was clearly a hack into 3CX and the perp was using a softphone to mimic my extension and place the fraudulent calls. Immediately, I stopped all 3CX services and changed the passwords for each of our registered extensions. I then changed the password for the whole 3CX admin console. When services restarted, the calls were gone -- and have not reappeared.

Moral of the story? CHANGE PASSWORDS, and don't use a password that is the same as the extension number. (Oh, the other moral of the story? Vonage customer service waived all charges and absolutely gets a HUGE thumbs up in my opinion for catching it so quickly and proactively calling us).
 
Re: Hacked !

Yet another cautionary tale...

That makes - three this week?

3cx - please make extension sip creds NOT DEFAULT TO EXTENSION FOR USERNAME AND PASSWORD - or at the very least - BY DEFAULT generate a secure password. I suggested a button to do this - but perhaps it would be best just to - by default - generate a long, random password unique to the extension - or at least make this an option we can turn on/off.

For you, my friend - some other suggestions -

1) Good outbound rules to restrict int'l dialing to certain extensions or perhaps certain countries to where you do ship parts
2) Good firewall rules to restrict 5060 & RTP to specific IP blocks
3) If you are using remote extensions, consider using 3cx Tunnel (NOT ideal, I know)

Good luck!
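The two symptoms in the original post (several simultaneous outbound calls from one extension, all to countries the business never dials) and suggestion 1 above (outbound rules limited to certain extensions and countries) can both be expressed as checks over call records. The following is an added example and not 3CX code: the record layout, the country-code subset and the sample calls are all constructed for illustration, and real 3CX call reports look different.

```python
"""Outbound-rule and concurrency checks over call records.

Added example; this is not 3CX code and the record format below is
constructed for illustration (real 3CX call reports are laid out
differently). The country-code table is a small subset.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Subset of E.164 country codes (constructed for the example).
COUNTRY_CODES = {
    "1": "US/CA", "39": "IT", "44": "GB", "49": "DE",
    "234": "NG", "236": "CF", "502": "GT",
}
HOME = "US/CA"


@dataclass
class Call:
    ext: str            # calling extension
    dialed: str         # destination in E.164 form, leading '+'
    start: datetime
    duration: timedelta


def country_of(number: str) -> str:
    """Map a dialed number to a country via longest-prefix match."""
    digits = number.lstrip("+")
    for length in (3, 2, 1):
        cc = digits[:length]
        if cc in COUNTRY_CODES:
            return COUNTRY_CODES[cc]
    return "??"


def policy_violations(calls, intl_extensions, allowed_countries):
    """Calls an outbound rule should have blocked, with the reason.

    intl_extensions: extensions permitted to dial outside HOME at all;
    allowed_countries: countries (table values) those extensions may reach.
    """
    out = []
    for c in calls:
        cc = country_of(c.dialed)
        if cc == HOME:
            continue
        if c.ext not in intl_extensions:
            out.append((c, f"ext {c.ext} may not dial internationally"))
        elif cc not in allowed_countries:
            out.append((c, f"destination {cc} is not on the allow list"))
    return out


def concurrent_calls(calls):
    """Extensions whose consecutive outbound calls overlap in time.

    A single desk phone cannot place two calls at once, so overlap from one
    extension is the symptom described in the post (BLF lit, several live
    calls). Returns {ext: number_of_overlaps}.
    """
    by_ext = {}
    for c in calls:
        by_ext.setdefault(c.ext, []).append(c)
    flagged = {}
    for ext, cs in by_ext.items():
        cs.sort(key=lambda c: c.start)
        overlaps = sum(
            1 for a, b in zip(cs, cs[1:]) if b.start < a.start + a.duration
        )
        if overlaps:
            flagged[ext] = overlaps
    return flagged


def _t(hhmm):
    return datetime(2011, 3, 7, int(hhmm[:2]), int(hhmm[3:]))


# Constructed sample: ext 100 is being used for fraud, 101 and 102 are normal.
SAMPLE_CALLS = [
    Call("100", "+2348012345678", _t("09:00"), timedelta(minutes=10)),  # Nigeria
    Call("100", "+2361234567",    _t("09:02"), timedelta(minutes=10)),  # C.A.R.
    Call("100", "+50212345678",   _t("09:03"), timedelta(minutes=10)),  # Guatemala
    Call("100", "+2348098765432", _t("09:05"), timedelta(minutes=5)),   # Nigeria
    Call("101", "+390612345678",  _t("09:10"), timedelta(minutes=3)),   # Italy, allowed
    Call("101", "+12125550100",   _t("09:20"), timedelta(minutes=1)),   # domestic
    Call("102", "+442071234567",  _t("09:12"), timedelta(minutes=2)),   # UK, ext not permitted
]

if __name__ == "__main__":
    for call, why in policy_violations(SAMPLE_CALLS, {"100", "101"}, {"IT", "DE", "GB"}):
        print(f"BLOCK {call.ext} -> {call.dialed}: {why}")
    print("overlapping calls:", concurrent_calls(SAMPLE_CALLS))
```

The allow list is deliberately positive (countries you actually ship to) rather than a block list of known fraud destinations; the overlap check is the cheap alarm that would have fired before the provider called.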
 
Re: Hacked !

How many digits can the password be? All numeric, I presume?
 
Re: Hacked !

SIP passwords in 3cx can be anything - numeric, caps, symbols, etc. The only one I can think of that is restricted to digits is the mailbox PIN. I do not know what length restriction it puts on it, but my exts have 10-character passwords and it takes them fine.
 
Re: Hacked !

Maybe there needs to be an option, when creating an extension, a tick box, that states "Allow this extension to register from outside the local LAN". Then disallow any and all extensions without this "ticked" from registering when not on the local LAN. You should also be forced to use something other than the extension number as a password, even if it is just a combination of a common word plus the extension number.

I have added this to the Feature Request http://3cx.ideascale.com/ site so you can vote for it.
 
Re: Hacked !

The strangest thing is that this problem has been posted three times, and it all happened during the last week...
It is a very interesting correlation...
 
Re: Hacked !

Perhaps someone has recently discovered this forum and some of the 3CX log posts.
 
Re: Hacked !

Mine has just been hacked as well.

Luckily, I guess, I was on a prepay account and only had 13 EUR credit left on my account.
 
Re: Hacked !

People have to take this stuff seriously. When that red box appears over your passwords to tell you that it isn't a good password, believe it. NEVER use the extension as the password, you are asking for trouble. Some good simple suggestions include:

- The user's email address (easy to remember, no script is going to figure that out)
- The MAC address of the phone itself (would be nice if the provisioning tool could do this automatically)
- The DID number for that extension
- The extension number repeated with some break character (e.g. 100@100@100@100)

These attacks are very very simple SIP attack scripts and are not running any kind of brute-force password cracking, they simply try the extension number as the password and sometimes a few common things like 00000 12345. There are SO MANY vulnerable systems out there (virtually every Asterisk-based system allows for the extension number as the password too) that there is no need for the scripts to be very powerful so it actually takes very little for them to skip you and move to an easier target.
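What the post above describes is cheap precisely because of how SIP digest authentication works: the phone proves its password by hashing it together with a server nonce, and anyone holding one captured REGISTER can recompute that hash offline for a handful of guesses. The added example below (not 3CX code, not the scripts the post refers to) shows both sides of the exchange and the trivial guess list, plus a per-extension random secret generator of the kind suggested earlier in the thread. Realm, URI, nonce and the captured headers are constructed for the example; the digest form is RFC 2617 MD5 without qop, which is the form older SIP phones and PBXs commonly use.

```python
"""SIP digest credentials: how they are proved, and how cheaply a default
password is confirmed from one captured REGISTER.

Added example, not 3CX code. The realm, nonce, URI and headers are
constructed for illustration. Digest is RFC 2617 MD5 without qop.
"""
import hashlib
import re
import secrets
import string


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(user, realm, password, method, uri, nonce):
    """Client side: the 'response' value a phone sends in Authorization."""
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


def make_authorization(user, realm, password, method, uri, nonce):
    """Build the Authorization header a phone would send after a 401."""
    resp = digest_response(user, realm, password, method, uri, nonce)
    return (f'Digest username="{user}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", response="{resp}", algorithm=MD5')


def parse_authorization(header):
    """Parse 'Digest k="v", k=v, ...' into a dict (no commas inside values)."""
    body = header.split(" ", 1)[1]
    return {k: v for k, v in re.findall(r'(\w+)="?([^",]*)"?', body)}


def verify_register(header, stored_password, method="REGISTER"):
    """Server side: recompute the response from the stored password."""
    p = parse_authorization(header)
    expected = digest_response(p["username"], p["realm"], stored_password,
                               method, p["uri"], p["nonce"])
    return secrets.compare_digest(expected, p["response"])


def default_guesses(ext):
    """The handful of values the simple scripts try, as the post describes."""
    return [ext, ext * 2, "0000", "00000", "1234", "12345", "123456", "password"]


def weak_credential(header, method="REGISTER"):
    """Offline audit: the default that reproduces a captured header, else None."""
    p = parse_authorization(header)
    for guess in default_guesses(p["username"]):
        got = digest_response(p["username"], p["realm"], guess,
                              method, p["uri"], p["nonce"])
        if got == p["response"]:
            return guess
    return None


def strong_secret(length=20):
    """Per-extension random SIP password (letters and digits only, so it
    never needs quoting in a provisioning file)."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


# Constructed captures: ext 100 uses the default (password == extension),
# ext 101 uses a generated secret.
REALM, URI, NONCE = "pbx.example.com", "sip:pbx.example.com", "a1b2c3d4e5"
CAPTURED_DEFAULT = make_authorization("100", REALM, "100", "REGISTER", URI, NONCE)
STRONG_PASSWORD = "Qx7vLm2pRt9zKd4wYb3n"   # an example output of strong_secret()
CAPTURED_STRONG = make_authorization("101", REALM, STRONG_PASSWORD, "REGISTER", URI, NONCE)

if __name__ == "__main__":
    print("ext 100 weak password found:", weak_credential(CAPTURED_DEFAULT))
    print("ext 101 weak password found:", weak_credential(CAPTURED_STRONG))
    print("server verifies ext 101 with stored secret:",
          verify_register(CAPTURED_STRONG, STRONG_PASSWORD))
```

Run against your own extension list, the same audit tells you which extensions a script of this kind would have registered on the first try; the same hash that proves the phone's identity is what makes `password == extension` a one-guess check.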
 
Re: Hacked !

I agree with Kerry on this.

We make sure our passwords are strong but there is nothing stopping the user changing them to a weak one again.

I have put in a feature request to have a password policy option in the settings. Please vote here http://3cx.ideascale.com/a/dtd/Strong-password-enforcement-policy-option/74660-9854 so it will get implemented
 
Re: Hacked !

We've added a special section in the PBX just for cases like this.

In the Settings > Advanced > Anti-Hacking section.
It would be best if each user tailored these settings depending on how madly secure he wants his system.
 
Re: Hacked !

LeonidasG said:
We've added a special section in the PBX just for cases like this.

In the Settings > Advanced > Anti-Hacking section.
It would be best if each user tailored these settings depending on how madly secure he wants his system.


There have been a lot of cases lately where extensions have been hacked and the anti hacking won't prevent it because the passwords are the default - e.g. 100 for ext 100. While we change ours, users can put them back to anything and lots of them will change them to their (easy to remember) ext #. We have no way to enforce a password strength policy in 3cx and this is needed.

It is all well and good having an anti hack measure, but that is based on failures and not strength of policy to begin with.
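The point made in the post above, that a failure-based measure never fires when the first guess is right, and the earlier proposal of an "allow this extension to register from outside the LAN" flag, can both be shown on the same registration log. The block below is an added example and not 3CX's Anti-Hacking implementation; the log format and the log lines are constructed for it.

```python
"""Failure-based blocking and a remote-registration allow flag.

Added example, not 3CX's Anti-Hacking implementation. Log lines are
constructed for the example, in a format invented here. Two checks:
  * blocked_sources: block a source IP after N failed authentications in a
    sliding window (the failure-based approach the thread discusses);
  * unauthorised_remote: the 'allow this extension to register from outside
    the LAN' check proposed above, which needs no failed attempt at all.
"""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) REGISTER from "
                  r"(?P<ip>[\d.]+) user=(?P<user>\w+) result=(?P<res>OK|FAILED)$")

# Constructed: 203.0.113.9 guesses ext 101's strong password and fails;
# 198.51.100.7 registers ext 100 first try because its password is 100;
# 192.0.2.20 is a desk phone on the LAN with one typo.
LOG = """\
2011-03-07 09:00:01 REGISTER from 203.0.113.9 user=101 result=FAILED
2011-03-07 09:00:02 REGISTER from 203.0.113.9 user=101 result=FAILED
2011-03-07 09:00:03 REGISTER from 203.0.113.9 user=101 result=FAILED
2011-03-07 09:00:04 REGISTER from 203.0.113.9 user=101 result=FAILED
2011-03-07 09:00:05 REGISTER from 203.0.113.9 user=101 result=FAILED
2011-03-07 09:00:06 REGISTER from 203.0.113.9 user=101 result=FAILED
2011-03-07 09:00:07 REGISTER from 198.51.100.7 user=100 result=OK
2011-03-07 09:00:08 REGISTER from 192.0.2.20 user=102 result=FAILED
2011-03-07 09:00:09 REGISTER from 192.0.2.20 user=102 result=OK
"""


def parse(log):
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            yield (datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                   m["ip"], m["user"], m["res"])


def blocked_sources(log, max_failures=5, window=timedelta(minutes=1)):
    """Return {ip: time_blocked} for sources with >= max_failures in `window`."""
    recent = defaultdict(deque)
    blocked = {}
    for ts, ip, _user, res in parse(log):
        if res != "FAILED" or ip in blocked:
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= max_failures:
            blocked[ip] = ts
    return blocked


def unauthorised_remote(log, lan="192.0.2.0/24", remote_ok=frozenset()):
    """Registrations from outside `lan` for extensions not flagged remote_ok.

    These should be refused before the password is even checked, so a
    correct-but-default password presented from the internet still does
    not register.
    """
    net = ipaddress.ip_network(lan)
    return sorted({(ip, user) for _ts, ip, user, _res in parse(log)
                   if ipaddress.ip_address(ip) not in net and user not in remote_ok})


if __name__ == "__main__":
    print("block:", blocked_sources(LOG))
    print("refuse remote:", unauthorised_remote(LOG, remote_ok={"101"}))
```

The guessing host is blocked on its fifth failure, but 198.51.100.7 never appears in the block list because it never failed: only the source check, or a password that is not the extension number, stops that registration.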
 
Re: Hacked !

Where can you set the password of our ext in the myphone?

You can change the PIN. Well, when the user just puts in 100 because he is lazy, ask him to rec. his credit card details as a Vbox message; a bit of common sense always helps. Well, back to the normal world we live in.

Yes, there are users like this, and an admin cannot run behind this and check every day.
Have you seen this: http://www.3cx.com/forums/forum-locked-use-new-feature-request-system-16362.html
Place it and Vote for it
 
Re: Hacked !

Well, we are open to suggestions regarding default password security.

You can either discuss them here or make a final post here: http://3cx.ideascale.com/
 
Re: Hacked !

StefanW said:
Where can you set the password of our ext in the myphone?

You can change the PIN. Well, when the user just puts in 100 because he is lazy, ask him to rec. his credit card details as a Vbox message; a bit of common sense always helps. Well, back to the normal world we live in.

Yes, there are users like this, and an admin cannot run behind this and check every day.
Have you seen this: http://www.3cx.com/forums/forum-locked-use-new-feature-request-system-16362.html
Place it and Vote for it
LeonidasG said:
Well, we are open to suggestions regarding default password security.

You can either discuss them here or make a final post here: http://3cx.ideascale.com/

Hi Guys.

Stefan: You can change the password now as there is an option in 3cx to show the Sip Authentication tab in Myphone.

Leonidas: I have put that feature request in - my earlier post in this thread had the link.

Thanks for your great work for a great product!
 
Re: Hacked !

Yup, change the passwords.

I just set my 3cx up and only had it online for testing and someone hacked it and used all my prepay. I noticed it only because my account was set to automatically charge my card when it got low, lost about 12USD, guess it was a small price to pay.
 
Re: Hacked !

I have also put a suggestion in to restrict "outside" registration of extensions. http://3cx.ideascale.com/a/dtd/Allow-extension-to--register-remotely--option/74877-9854
 
Re: Hacked !

I understand that you need a password to authenticate your phone to the server (or something to that effect). But once you authenticate why would a user need to know the password?

Seems like if the phones are configured by an admin/it person once the phone is provisioned, why would they need the password?
 
Re: Hacked !

ZenMasta said:
I understand that you need a password to authenticate your phone to the server (or something to that effect). But once you authenticate why would a user need to know the password?

Seems like if the phones are configured by an admin/it person once the phone is provisioned, why would they need the password?

In which case, why would 3cx put that ability in the system? Because everyone works and uses the system differently. The option is available for users to change the password and so if you provide the option we should also provide the policy enforcement.
 
Re: Hacked !

Just been hacked over the last few days - have updated to new security patch V9 SP2. Watch out - check your passwords are secure as there may be someone out there targeting you.

Ben
 