Help: Phone system being compromised by dialing in

Discussion in '3CX Phone System - General' started by dchesnut, Jun 2, 2010.

Thread Status:
Not open for further replies.
  1. dchesnut

    Joined:
    Oct 29, 2009
    Messages:
    12
    Likes Received:
    0
    I'm having a problem where someone is dialing into our phone system and making unauthorized calls, and I can't figure out what I have configured wrong. From my investigation it doesn't look like they are breaking into a voice mail account, but instead somehow dialing directly when they come in, without leaving the number they are dialing. Any insight would be appreciated.

    Here is a log for one of the calls. You can see that they spent 30 minutes on the phone to who knows where....

    Code:
    15:25:15.972|.\Line.cpp(330)|Log2||LineCfg::getInboundTarget:[CM503012]: Inbound out-of-office hours rule (unnamed) for 10008 forwards to DN:801
    15:25:15.972|.\CallCtrl.cpp(160)|Log2||CallCtrl::onIncomingCall:[CM503001]: Call(10129): Incoming call from 6316722489@(Ln.10008@SS-PRI-1) to <sip:801@100.23.1.14:5060>
    15:25:15.987|.\CallCtrl.cpp(445)|Log2||CallCtrl::onSelectRouteReq:[CM503004]: Call(10129): Route 1: Ext:Ext.801@[Dev:sip:801@127.0.0.1:40600;rinstance=8490613811777535]
    15:25:16.034|.\Target.cpp(429)|Log2||Target::makeOneInvite:[CM503025]: Call(10129): Calling Ext:Ext.801@[Dev:sip:801@127.0.0.1:40600;rinstance=8490613811777535]
    15:25:16.190|.\CallCtrl.cpp(566)|Log2||CallCtrl::onLegConnected:[CM503007]: Call(10129): Device joined: sip:10008@100.23.224.253:5060
    15:25:16.190|.\CallCtrl.cpp(566)|Log2||CallCtrl::onLegConnected:[CM503007]: Call(10129): Device joined: sip:801@127.0.0.1:40600;rinstance=8490613811777535
    15:25:25.175|.\CallCtrl.cpp(445)|Log2||CallCtrl::onSelectRouteReq:[CM503004]: Call(10129): Route 1: Unknown:00@(Ln.10008@SS-PRI-1)@[Dev:sip:10008@100.23.224.253:5060]
    15:25:25.175|.\CallCtrl.cpp(445)|Log2||CallCtrl::onSelectRouteReq:[CM503004]: Call(10129): Route 2: PSTNline:00@(Ln.10000@Grandstream_GXW4108)@[Dev:sip:10000@100.23.224.252:5060;transport=udp,Dev:sip:10004@100.23.224.252:5068;transport=udp,Dev:sip:10005@100.23.224.252:5070;transport=udp,Dev:sip:10006@100.23.224.252:5072;transport=udp,Dev:sip:10007@100.23.224.252:5074;transport=udp,Dev:sip:10001@100.23.224.252:5062;transport=udp]
    15:25:25.237|.\Target.cpp(429)|Log2||Target::makeOneInvite:[CM503025]: Call(10129): Calling Unknown:00@(Ln.10008@SS-PRI-1)@[Dev:sip:10008@100.23.224.253:5060]
    15:25:25.440|.\CallCtrl.cpp(566)|Log2||CallCtrl::onLegConnected:[CM503007]: Call(10129): Device joined: sip:10008@100.23.224.253:5060
    15:57:17.322|.\Call.cpp(981)|Log2||Call::Terminate:[CM503008]: Call(10129): Call is terminated
    My system is configured on an internal-only machine that cannot get to the Internet, so they must dial in on our business line, which is connected via a PRI. I use a Patton SmartNode as my PRI connector, and I also have some backup POTS lines coming in via a Grandstream GXW4108. As you can guess, the Patton is on port 10008 and the Grandstream lines are on ports 10000 - 10007.

    Any ideas on what I have configured wrong or where I should look?

    Thanks again

    Dave Chesnut
     
  2. LeonidasG

    LeonidasG Support Team
    Staff Member 3CX Support

    Joined:
    Nov 19, 2008
    Messages:
    1,475
    Likes Received:
    94
    Can you call them and see what they want? Their number is indicated in the logs: "6316722489".
    Try giving them a call and see what they want.

    Besides they cannot do anything by calling a digital receptionist.
    They can call your digital receptionist and only dial INTERNAL extensions, they are not allowed to call anything else.

    There's just 1 scenario where your security MAY be at risk and it's the following:

    1) Not having changed your users' default passwords, so extension 100's PIN is 100.
    2) The caller calls your digital receptionist and dials 999 manually from there; he then enters your default extension and PIN numbers and has access to your voice mail.
    Further on, if you have the option enabled in the PBX > Settings > General > Global Options > Enable Outgoing Calls through Voice Mail Menu, the person who got access to your Voice Mail would also have the ability to make international calls and charge you.

    So be sure to never leave default passwords in the PBX, it's the first thing every hacker will try to exploit in any kind of system.

    As long as those conditions are met you have nothing to worry about, he cannot do anything by calling your Digital Receptionist.
     
  3. dchesnut

    Joined:
    Oct 29, 2009
    Messages:
    12
    Likes Received:
    0
    We have some sort of problem and I'm trying to track it down. The first thing I did was check the passwords for all of our extensions, and they were fine. None were set to the extension number, and most were at least 4 digits. The reason I started looking into this is that we were alerted to a problem by the fraud department of our carrier (AT&T). Apparently over the weekend someone was making long calls to Cuba. The first thing I did was check the logs, and I couldn't find any outgoing calls to Cuba or any other international number that I didn't recognize. I then started to look through the logs and noticed a lot of incoming calls over the weekend that had the strange 00 transfer that I referenced. These calls were between 30 and 40 minutes long, from a bunch of different cell phone numbers that just go to voice mail when called. I was unable to replicate the same logs by dialing in myself. The logs I get are a dial-in, then a transfer to 999 or another extension, or a hang-up.

    The part of the log that seems strange to me is this:

    15:25:25.175|.\CallCtrl.cpp(445)|Log2||CallCtrl::onSelectRouteReq:[CM503004]: Call(10129): Route 1: Unknown:00@(Ln.10008@SS-PRI-1)@[Dev:sip:10008@100.23.224.253:5060]
    15:25:25.175|.\CallCtrl.cpp(445)|Log2||CallCtrl::onSelectRouteReq:[CM503004]: Call(10129): Route 2: PSTNline:00@(Ln.10000@Grandstream_GXW4108)@[Dev:sip:10000@100.23.224.252:5060;transport=udp,Dev:sip:10004@100.23.224.252:5068;transport=udp,Dev:sip:10005@100.23.224.252:5070;transport=udp,Dev:sip:10006@100.23.224.252:5072;transport=udp,Dev:sip:10007@100.23.224.252:5074;transport=udp,Dev:sip:10001@100.23.224.252:5062;transport=udp]
    15:25:25.237|.\Target.cpp(429)|Log2||Target::makeOneInvite:[CM503025]: Call(10129): Calling Unknown:00@(Ln.10008@SS-PRI-1)@[Dev:sip:10008@100.23.224.253:5060]
    15:25:25.440|.\CallCtrl.cpp(566)|Log2||CallCtrl::onLegConnected:[CM503007]: Call(10129): Device joined: sip:10008@100.23.224.253:5060
    15:57:17.322|.\Call.cpp(981)|Log2||Call::Terminate:[CM503008]: Call(10129): Call is terminated


    Notice the Calling Unknown:00@ line. That's what caught my attention because the call doesn't end for about 30 minutes after that. I have a bunch of these in my logs.

    Here's what it looks like in the call history:
    1,20100530192515.972,bf021e3632225072,10008,801,6316722489,9770,1
    3,20100530192515.972,bf021e3632225072,10008,6316722489,6316722489,,1
    3,20100530192516.034,bf021e3632225072,801,,6316722489,801,1
    2,20100530192516.190,bf021e3632225072,10008,801,6316722489,801,1
    3,20100530192525.237,bf021e3632225072,10008,00,10008,00,1
    4,20100530192525.659,bf021e3632225072,801,,801,,1
    4,20100530195717.307,bf021e3632225072,10008,,6316722489,,1
    4,20100530195717.322,bf021e3632225072,10008,,00,,1
    6,20100530195717.416,bf021e3632225072,,,,,


    Thanks again.
    Dave
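The pattern in the log above (an inbound call on a trunk that, a few seconds later, gets a `Target::makeOneInvite` back out to a trunk with a very short number, and then stays up for half an hour) is exactly what a toll-fraud check should look for. The following Python is an added example, not code from the thread or from 3CX: it parses 3CX Log2-style lines for the three events shown in the post, joins them per call ID, and reports every inbound call that was bridged back out to a PRI or PSTN gateway, with its duration. Call 10129 is copied from the log above; calls 10130 and 10131 are constructed so the detector has one benign call to ignore and one that crosses midnight. The 7-digit "too short to be a real destination" threshold is an assumption for North American numbering.

```python
"""Flag inbound calls that a 3CX PBX bridged back out to a trunk.

Added example for this thread; parses the Log2 line format shown above.
"""
import re
from datetime import datetime, timedelta

# Call 10129 is the real call from the post (with the <br> artifacts removed).
# Calls 10130 and 10131 are CONSTRUCTED: 10130 ends on an internal extension
# (benign), 10131 hairpins out through the Grandstream and crosses midnight.
SAMPLE_LOG = r"""
15:25:15.972|.\CallCtrl.cpp(160)|Log2||CallCtrl::onIncomingCall:[CM503001]: Call(10129): Incoming call from 6316722489@(Ln.10008@SS-PRI-1) to <sip:801@100.23.1.14:5060>
15:25:16.034|.\Target.cpp(429)|Log2||Target::makeOneInvite:[CM503025]: Call(10129): Calling Ext:Ext.801@[Dev:sip:801@127.0.0.1:40600;rinstance=8490613811777535]
15:25:25.237|.\Target.cpp(429)|Log2||Target::makeOneInvite:[CM503025]: Call(10129): Calling Unknown:00@(Ln.10008@SS-PRI-1)@[Dev:sip:10008@100.23.224.253:5060]
15:57:17.322|.\Call.cpp(981)|Log2||Call::Terminate:[CM503008]: Call(10129): Call is terminated
16:02:00.100|.\CallCtrl.cpp(160)|Log2||CallCtrl::onIncomingCall:[CM503001]: Call(10130): Incoming call from 5165550100@(Ln.10008@SS-PRI-1) to <sip:801@100.23.1.14:5060>
16:02:00.200|.\Target.cpp(429)|Log2||Target::makeOneInvite:[CM503025]: Call(10130): Calling Ext:Ext.801@[Dev:sip:801@127.0.0.1:40600;rinstance=8490613811777535]
16:02:09.500|.\Target.cpp(429)|Log2||Target::makeOneInvite:[CM503025]: Call(10130): Calling Ext:Ext.101@[Dev:sip:101@100.23.1.50:5060]
16:04:12.000|.\Call.cpp(981)|Log2||Call::Terminate:[CM503008]: Call(10130): Call is terminated
23:58:30.000|.\CallCtrl.cpp(160)|Log2||CallCtrl::onIncomingCall:[CM503001]: Call(10131): Incoming call from 6315550199@(Ln.10008@SS-PRI-1) to <sip:801@100.23.1.14:5060>
23:58:40.000|.\Target.cpp(429)|Log2||Target::makeOneInvite:[CM503025]: Call(10131): Calling PSTNline:00@(Ln.10000@Grandstream_GXW4108)@[Dev:sip:10000@100.23.224.252:5060;transport=udp]
00:20:10.000|.\Call.cpp(981)|Log2||Call::Terminate:[CM503008]: Call(10131): Call is terminated
"""

TS_FORMAT = "%H:%M:%S.%f"
SHORT_NUMBER = 7  # assumption: anything shorter cannot be a real NANP destination

# The timestamp field stops at the first '|'; the module/line field is skipped.
INCOMING = re.compile(
    r"^(?P<ts>[^|]+)\|.*CallCtrl::onIncomingCall:\[CM503001\]: Call\((?P<id>\d+)\): "
    r"Incoming call from (?P<caller>[^@\s]+)@\(Ln\.(?P<line>\d+)@(?P<trunk>[^)]+)\)")
# Only trunk targets carry "@(Ln.<port>@<trunk>)"; extension targets do not match.
TRUNK_INVITE = re.compile(
    r"^(?P<ts>[^|]+)\|.*Target::makeOneInvite:\[CM503025\]: Call\((?P<id>\d+)\): "
    r"Calling (?P<kind>\w+):(?P<number>[^@\s]*)@\(Ln\.(?P<line>\d+)@(?P<trunk>[^)]+)\)")
TERMINATE = re.compile(
    r"^(?P<ts>[^|]+)\|.*Call::Terminate:\[CM503008\]: Call\((?P<id>\d+)\): Call is terminated")


def find_trunk_hairpins(log_text):
    """Return one record per inbound call that was later sent out on a trunk."""
    calls = {}
    for line in log_text.splitlines():
        m = INCOMING.match(line)
        if m:
            calls[m["id"]] = {"call": m["id"], "caller": m["caller"], "in_trunk": m["trunk"],
                              "start": datetime.strptime(m["ts"], TS_FORMAT),
                              "out": [], "end": None}
            continue
        m = TRUNK_INVITE.match(line)
        if m and m["id"] in calls:
            calls[m["id"]]["out"].append((m["kind"], m["number"], m["trunk"]))
            continue
        m = TERMINATE.match(line)
        if m and m["id"] in calls:
            calls[m["id"]]["end"] = datetime.strptime(m["ts"], TS_FORMAT)

    findings = []
    for c in calls.values():
        if not c["out"]:
            continue  # stayed on extensions / receptionist: not a hairpin
        duration = None
        if c["end"] is not None:
            delta = c["end"] - c["start"]
            if delta < timedelta(0):
                delta += timedelta(days=1)  # timestamps carry no date; wrap at midnight
            duration = round(delta.total_seconds(), 3)
        kind, number, out_trunk = c["out"][0]
        findings.append({"call": c["call"], "caller": c["caller"], "in_trunk": c["in_trunk"],
                         "dialed": number, "out_trunk": out_trunk, "duration_s": duration,
                         "short_number": len(number) < SHORT_NUMBER})
    return findings


if __name__ == "__main__":
    for f in find_trunk_hairpins(SAMPLE_LOG):
        print("call {call}: {caller} in on {in_trunk} -> dialed {dialed!r} out on "
              "{out_trunk}, {duration_s}s, short_number={short_number}".format(**f))
```

Run it against a day's `3CXPhoneSystem` log and anything with `short_number` true, or a duration measured in tens of minutes, is worth pulling the CDR for; the benign receptionist call never appears because it only ever invites `Ext:` targets.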
     
  4. LeonidasG

    LeonidasG Support Team
    Staff Member 3CX Support

    Joined:
    Nov 19, 2008
    Messages:
    1,475
    Likes Received:
    94
    This has me confused as well; it seems someone's calling in and connecting to 00, and remains connected with 00 for half an hour.

    To check yourself on what calls took place on the system, use the call reporter which can be found at: Start > Programs > 3CX Phonesystem > 3CX Call Reporter and Generate a Call Report and see what exactly is happening.

    Do you have anything in your system that could explain this 00 call? Do you have some sort of DID / Forwarding Rule / Enabled Outbound Calls through Voicemail somewhere that may give an external user the ability to make calls?
    Also, I want to ask: what is the outbound rule for your Grandstream? Is it possibly 0?

    Could you send me a full system backup to lg@3cx.com so i can check this out please?

    Go to Start > Programs > 3CX Phonesystem > Backup and Restore > click on "Backup Call History", create a backup and send it to my e-mail please, so I can check in more detail what's going on.
     
  5. leejor

    leejor Well-Known Member

    Joined:
    Jan 22, 2008
    Messages:
    10,779
    Likes Received:
    286
    Are they somehow reaching an outside operator and having the calls placed that way? Can your provider tell you if these are direct dialled calls or collect/Person to Person?
     
  6. LeonidasG

    LeonidasG Support Team
    Staff Member 3CX Support

    Joined:
    Nov 19, 2008
    Messages:
    1,475
    Likes Received:
    94
    Hi,

    On your Grandstream 4108, do you have two-stage dialing enabled? If you're not sure, I'd go into the settings and check just to be sure.
     
  7. dchesnut

    Joined:
    Oct 29, 2009
    Messages:
    12
    Likes Received:
    0
    Here is what I have set in the grandstream 4108.

    4. Wait for Dial-Tone(Y/N): N (default No for 2 stage dialing)
    5. Stage Method(1/2): 1 (default 2 - 2 stage dialing)

    Maybe Dial-Tone = N is the problem? Should I set it to yes?

    Also I have this set in the dial-plan :

    PSTN Outgoing calls: {x+}


    Should I set this to something like {xxx+}?

    Thanks for all the help.

    Dave
     
  8. dchesnut

    Joined:
    Oct 29, 2009
    Messages:
    12
    Likes Received:
    0
    I just figured it out!

    I had an outbound rule to strip off the 9 without specifying a number length. So if you dialed 900 from our standard after-hours greeting, it gave you the AT&T operator to dial whatever you wanted.

    Moral of the story. Make sure you specify number lengths in your outbound rules!

    Thanks everyone for your help and suggestions. 3CX is an awesome product and only keeps getting better!

    Dave.
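The root cause above is a rule-matching problem, so it is worth seeing it as one. The Python below is an added example, not code from the thread or from 3CX; it models a 3CX-style outbound rule table (prefix match, digits stripped, optional allowed lengths, first match wins) closely enough to show why "900" dialed from the receptionist reaches the PRI as "00" under the original rule, and why the same rule with number lengths refuses it. The rule names, trunk name, and the 8- and 12-digit lengths (9 plus a 7-digit local number, 9 plus 1 plus a 10-digit long-distance number) are assumptions for a North American numbering plan, not the poster's actual configuration.

```python
"""Why a prefix-strip outbound rule needs a number-length constraint.

Added example modelling 3CX-style outbound rules; not 3CX's own code.
"""
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple


@dataclass(frozen=True)
class OutboundRule:
    name: str
    prefix: str          # "calls to numbers starting with"
    strip_digits: int    # digits removed from the front before the trunk sees the number
    trunk: str
    lengths: tuple = ()  # allowed lengths of the dialed number; () means any length
    prepend: str = ""

    def matches(self, dialed: str) -> bool:
        if not dialed.isdigit() or not dialed.startswith(self.prefix):
            return False
        # With no lengths configured, "900" matches just as well as "915165550100".
        return not self.lengths or len(dialed) in self.lengths

    def rewrite(self, dialed: str) -> str:
        return self.prepend + dialed[self.strip_digits:]


def route(dialed: str, rules: Sequence[OutboundRule]) -> Optional[Tuple[str, str, str]]:
    """First matching rule wins, as in a top-down rule table.

    Returns (rule name, trunk, number handed to the trunk), or None when no
    rule matches and the PBX would refuse the call.
    """
    for rule in rules:
        if rule.matches(dialed):
            return rule.name, rule.trunk, rule.rewrite(dialed)
    return None


# The configuration described in the thread: strip the 9, no length restriction.
WEAK_RULES = (
    OutboundRule("9 then anything", prefix="9", strip_digits=1, trunk="SS-PRI-1"),
)

# Hardened table (assumed NANP lengths). There is deliberately no international
# rule, so "9011..." falls through along with "900" and is refused.
HARDENED_RULES = (
    OutboundRule("9 then 7-digit local", prefix="9", strip_digits=1,
                 trunk="SS-PRI-1", lengths=(8,)),
    OutboundRule("9 then 1+10-digit long distance", prefix="91", strip_digits=1,
                 trunk="SS-PRI-1", lengths=(12,)),
)


if __name__ == "__main__":
    for dialed in ("900", "9011535512345", "95551234", "915165550100"):
        print(f"{dialed:>14}  weak={route(dialed, WEAK_RULES)}  "
              f"hardened={route(dialed, HARDENED_RULES)}")
```

The weak table turns "900" into "00" on the PRI, which is the operator; the hardened table returns None for it, so the call never leaves the PBX, while ordinary local and long-distance numbers still route. Whatever the exact numbering plan, the check to carry back to the real PBX is the same: every outbound rule that strips a prefix must also pin the lengths it accepts.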
     