Help deciphering possible hack or virus

Discussion in '3CX Phone System - General' started by PCTurnkey, Jul 8, 2013.

Thread Status:
Not open for further replies.
  1. PCTurnkey

    We've recently gotten a bill from the phone company that says that one of our lines made hundreds of international calls to the tune of $1200 in charges. We haven't, as the office isn't open at this time. I'm thinking something has been compromised in the system and would like some help in deciphering the log and possible solutions.

    Here is an excerpt from the log with the Turks & Caicos number it was dialing (along with Barbados and Quebec):

    1,20130519151818.302,00000BD5EE15128F_112,400,16492329800,400,16492329800,1
    3,20130519151818.302,00000BD5EE15128F_112,400,,400,,1
    3,20130519151818.334,00000BD5EE15128F_112,10008,16492329800,10008,16492329800,1
    2,20130519151823.471,00000BD5EE15128F_112,400,10008,400,16492329800,1
    4,20130519151855.575,00000BD5EE15128F_112,400,,400,,1
    4,20130519151855.579,00000BD5EE15128F_112,10008,,16492329800,,1
    6,20130519151855.968,00000BD5EE15128F_112,,,,,
    1,20130519151820.876,00000BD5EE151CA1_113,400,16492310023,400,16492310023,1
    3,20130519151820.876,00000BD5EE151CA1_113,400,,400,,1
    3,20130519151820.932,00000BD5EE151CA1_113,10006,16492310023,10006,16492310023,1
    2,20130519151826.015,00000BD5EE151CA1_113,400,10006,400,16492310023,1
    4,20130519151858.065,00000BD5EE151CA1_113,400,,400,,1
    4,20130519151858.067,00000BD5EE151CA1_113,10006,,16492310023,,1
    6,20130519151858.598,00000BD5EE151CA1_113,,,,,
    1,20130519151824.683,00000BD5EE152B7B_114,400,17672759160,400,17672759160,1
    3,20130519151824.683,00000BD5EE152B7B_114,400,,400,,1
    3,20130519151824.735,00000BD5EE152B7B_114,10007,17672759160,10007,17672759160,1
    2,20130519151829.768,00000BD5EE152B7B_114,400,10007,400,17672759160,1
    4,20130519151901.851,00000BD5EE152B7B_114,400,,400,,1
    4,20130519151901.853,00000BD5EE152B7B_114,10007,,17672759160,,1
    6,20130519151902.230,00000BD5EE152B7B_114,,,,,


    System info: we are using 3CX v10, but are going to upgrade soon.
     
  2. leejor

    There must be some associated 3CX logs showing the calls being placed. Is that extension 112 placing the calls?

    Do you have complex passwords on all extensions? Not something easily guessed.
    Do you have the option to NOT allow registration from outside the PBX on each extension?

    Unless a call is coming in on a trunk, and call forwarding has been deliberately set up to allow the caller access to dialtone, then most security features, if set correctly, should prevent this from happening. Callers can place outside calls via the Voicemail menu, but that, again, requires the VM PIN. If that has been compromised, then it should be changed.

    If you could isolate a call from the 3CX log and post it, it would be a lot more helpful, as it should show exactly what device placed the calls.

    You might also think about making it a bit more difficult to place international calls. One way is by implementing a "unique" prefix for international numbers. In place of 011XXXXXXXXXXX or 9011XXXXXXXXXXXXX, require that callers dial 556342011XXXXXXXX. Whatever prefix you choose can then be stripped off in the outbound rules. A hacker will try the most obvious number combination; they would never guess if you added a five or six digit prefix. This could be implemented quickly until you have tracked down the source of the calls. You could also block calls to specific area or country codes if people in your office never, or rarely, call them. A prefix could be implemented to allow access to these "high value" numbers, and given out on a need-to-know basis.

    If calls are always to specific area codes, and no one in your office normally calls those, just block them in the outbound rules.
     
  3. ppickens

    Also, you could select only the countries that your employees would need from the Settings -> Security -> Allowed Country Codes option. If the calls were made to countries that your employees would never need to call, this would be an easy solution.
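
An added example, not part of the thread and not 3CX tooling: a Python check that groups records like those in the posted excerpt by call ID and reports any source with several simultaneous calls to watched area codes. The field meanings (record type, timestamp, call ID, then source and dialed number on type-1 records) are assumptions inferred from the excerpt, and the watch list and threshold are illustrative. The dialed numbers in the excerpt are in 1 + area code + 7-digit form, so the check matches on area code.

```python
from collections import defaultdict
from datetime import datetime

# First and last record of each call, copied from the log excerpt in the thread.
SAMPLE = """\
1,20130519151818.302,00000BD5EE15128F_112,400,16492329800,400,16492329800,1
6,20130519151855.968,00000BD5EE15128F_112,,,,,
1,20130519151820.876,00000BD5EE151CA1_113,400,16492310023,400,16492310023,1
6,20130519151858.598,00000BD5EE151CA1_113,,,,,
1,20130519151824.683,00000BD5EE152B7B_114,400,17672759160,400,17672759160,1
6,20130519151902.230,00000BD5EE152B7B_114,,,,,
"""
WATCH_AREA_CODES = {"649", "767"}  # area codes seen in the excerpt; adjust per site

def parse_calls(text):
    """Group records by call ID (field 3). Field meanings are assumed, not documented."""
    calls = defaultdict(dict)
    for line in text.splitlines():
        f = line.strip().split(",")
        if len(f) < 5:
            continue
        ts = datetime.strptime(f[1], "%Y%m%d%H%M%S.%f")
        call = calls[f[2]]
        call["start"] = min(call.get("start", ts), ts)
        call["end"] = max(call.get("end", ts), ts)
        if f[0] == "1":  # assumed: type 1 opens the call with source and dialed number
            call["src"], call["dst"] = f[3], f[4]
    return dict(calls)

def area_code(number):
    """Area code of a 1 + 10-digit number, else None."""
    ok = len(number) == 11 and number.isdigit() and number.startswith("1")
    return number[1:4] if ok else None

def suspicious_bursts(calls, watch=WATCH_AREA_CODES, min_concurrent=2):
    """Map each source to its peak count of simultaneous calls to watched area codes."""
    events = defaultdict(list)
    for c in calls.values():
        if area_code(c.get("dst", "")) in watch:
            events[c["src"]] += [(c["start"], 1), (c["end"], -1)]
    alerts = {}
    for src, ev in events.items():
        live = peak = 0
        for _, delta in sorted(ev):  # at equal timestamps the -1 sorts first
            live += delta
            peak = max(peak, live)
        if peak >= min_concurrent:
            alerts[src] = peak
    return alerts

if __name__ == "__main__":
    print(suspicious_bursts(parse_calls(SAMPLE)))
```

Run against a full log export, the same functions show which source value the burst of calls is attributed to, which is the detail the replies ask for.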
     