
Help: Phone system being compromised by dialing in

Status
Not open for further replies.

dchesnut

I'm having a problem where someone is dialing into our phone system and making unauthorized calls and I can't figure out what I have configured wrong. From my investigation it doesn't look like they are breaking into a voice mail account but instead somehow dialing directly when they come in without leaving the number they are dialing. Any insight would be appreciated.

Here is a log for one of the calls. You can see that they spent 30 minutes on the phone to who knows where....

Code:
15:25:15.972|.\Line.cpp(330)|Log2||LineCfg::getInboundTarget:[CM503012]: Inbound out-of-office hours rule (unnamed) for 10008 forwards to DN:801
15:25:15.972|.\CallCtrl.cpp(160)|Log2||CallCtrl::onIncomingCall:[CM503001]: Call(10129): Incoming call from 6316722489@(Ln.10008@SS-PRI-1) to <sip:[email protected]:5060>
15:25:15.987|.\CallCtrl.cpp(445)|Log2||CallCtrl::onSelectRouteReq:[CM503004]: Call(10129): Route 1: Ext:Ext.801@[Dev:sip:[email protected]:40600;rinstance=8490613811777535]
15:25:16.034|.\Target.cpp(429)|Log2||Target::makeOneInvite:[CM503025]: Call(10129): Calling Ext:Ext.801@[Dev:sip:[email protected]:40600;rinstance=8490613811777535]
15:25:16.190|.\CallCtrl.cpp(566)|Log2||CallCtrl::onLegConnected:[CM503007]: Call(10129): Device joined: sip:[email protected]:5060
15:25:16.190|.\CallCtrl.cpp(566)|Log2||CallCtrl::onLegConnected:[CM503007]: Call(10129): Device joined: sip:[email protected]:40600;rinstance=8490613811777535
15:25:25.175|.\CallCtrl.cpp(445)|Log2||CallCtrl::onSelectRouteReq:[CM503004]: Call(10129): Route 1: Unknown:00@(Ln.10008@SS-PRI-1)@[Dev:sip:[email protected]:5060]
15:25:25.175|.\CallCtrl.cpp(445)|Log2||CallCtrl::onSelectRouteReq:[CM503004]: Call(10129): Route 2: PSTNline:00@(Ln.10000@Grandstream_GXW4108)@[Dev:sip:[email protected]:5060;transport=udp,Dev:sip:[email protected]:5068;transport=udp,Dev:sip:[email protected]:5070;transport=udp,Dev:sip:[email protected]:5072;transport=udp,Dev:sip:[email protected]:5074;transport=udp,Dev:sip:[email protected]:5062;transport=udp]
15:25:25.237|.\Target.cpp(429)|Log2||Target::makeOneInvite:[CM503025]: Call(10129): Calling Unknown:00@(Ln.10008@SS-PRI-1)@[Dev:sip:[email protected]:5060]
15:25:25.440|.\CallCtrl.cpp(566)|Log2||CallCtrl::onLegConnected:[CM503007]: Call(10129): Device joined: sip:[email protected]:5060
15:57:17.322|.\Call.cpp(981)|Log2||Call::Terminate:[CM503008]: Call(10129): Call is terminated

My system is configured on an internal only machine that cannot get to the Internet so they must dial in on our business line that is connected via a PRI. I use a Patton Smartnode as my PRI connector and I also have some backup POTS lines coming in via a Grandstream GXW4108. As you can guess the Patton is on port 10008 and the Grandstream lines are on ports 10000 - 10007.

Any ideas on what I have configured wrong or where I should look?

Thanks again

Dave Chesnut
 
Can you call them and see what they want? Their number is indicated in the logs "6316722489"
Try giving them a call and see what they want.

Besides they cannot do anything by calling a digital receptionist.
They can call your digital receptionist and only dial INTERNAL extensions, they are not allowed to call anything else.

There's just 1 scenario where your security MAY be at risk and it's the following:

1) Having not changed your users' default passwords, so extension 100's PIN is 100.
2) Caller calls your digital receptionist, and calls 999 manually from there, he then enters your default Extension and PIN numbers and he can have access to your voice mail.
Further on, if you have the option enabled in the PBX > Settings > General > Global Options > Enable Outgoing Calls through Voice Mail Menu, the person who got access to your Voice Mail would also have the ability to make international calls and charge you.

So be sure to never leave default passwords in the PBX, it's the first thing every hacker will try to exploit in any kind of system.

As long as those conditions are met you have nothing to worry about, he cannot do anything by calling your Digital Receptionist.
 
We have some sort of problem and I'm trying to track it down. The first thing I did was check out the passwords for all of our extensions and they were fine. None were set to the extension number and most were at least 4 numbers. The reason I started looking into this is we were alerted to a problem by the fraud department of our carrier (AT&T). Apparently over the weekend someone was making long calls to Cuba. The first thing I did was check the logs and I couldn't find any outgoing calls to Cuba or any other international number that I didn't recognize. I then started to look through the logs and I noticed a lot of incoming calls over the weekend that had the strange 00 transfer that I referenced. These calls were between 30 and 40 minutes long from a bunch of different cell phone numbers that just go to voice mail when called. I was unable to replicate the same logs by dialing in myself. The logs I get are a dial in then a transfer to 999 or other extension or a hang up.

The part of the log that seems strange to me is this:

15:25:25.175|.\CallCtrl.cpp(445)|Log2||CallCtrl::onSelectRouteReq:[CM503004]: Call(10129): Route 1: Unknown:00@(Ln.10008@SS-PRI-1)@[Dev:sip:[email protected]:5060]
15:25:25.175|.\CallCtrl.cpp(445)|Log2||CallCtrl::onSelectRouteReq:[CM503004]: Call(10129): Route 2: PSTNline:00@(Ln.10000@Grandstream_GXW4108)@[Dev:sip:[email protected]:5060;transport=udp,Dev:sip:[email protected]:5068;transport=udp,Dev:sip:[email protected]:5070;transport=udp,Dev:sip:[email protected]:5072;transport=udp,Dev:sip:[email protected]:5074;transport=udp,Dev:sip:[email protected]:5062;transport=udp]
15:25:25.237|.\Target.cpp(429)|Log2||Target::makeOneInvite:[CM503025]: Call(10129): Calling Unknown:00@(Ln.10008@SS-PRI-1)@[Dev:sip:[email protected]:5060]
15:25:25.440|.\CallCtrl.cpp(566)|Log2||CallCtrl::onLegConnected:[CM503007]: Call(10129): Device joined: sip:[email protected]:5060
15:57:17.322|.\Call.cpp(981)|Log2||Call::Terminate:[CM503008]: Call(10129): Call is terminated


Notice the Calling Unknown:00@ line. That's what caught my attention because the call doesn't end for about 30 minutes after that. I have a bunch of these in my logs.

Here's what it looks like in the call history:
1,20100530192515.972,bf021e3632225072,10008,801,6316722489,9770,1
3,20100530192515.972,bf021e3632225072,10008,6316722489,6316722489,,1
3,20100530192516.034,bf021e3632225072,801,,6316722489,801,1
2,20100530192516.190,bf021e3632225072,10008,801,6316722489,801,1
3,20100530192525.237,bf021e3632225072,10008,00,10008,00,1
4,20100530192525.659,bf021e3632225072,801,,801,,1
4,20100530195717.307,bf021e3632225072,10008,,6316722489,,1
4,20100530195717.322,bf021e3632225072,10008,,00,,1
6,20100530195717.416,bf021e3632225072,,,,,


Thanks again.
Dave
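The pattern described in the post above (a call arrives on a trunk line and is then dialed back out a trunk with a short digit string) can be searched for mechanically. This is an added example, not part of the original thread or of 3CX; the sample lines are constructed in the log format quoted above, with placeholder host names, and the function name is hypothetical.

```python
import re
from datetime import datetime

# Constructed sample in the log format quoted in the post (hosts are placeholders).
SAMPLE = r"""
15:25:15.972|.\CallCtrl.cpp(160)|Log2||CallCtrl::onIncomingCall:[CM503001]: Call(10129): Incoming call from 6316722489@(Ln.10008@SS-PRI-1) to <sip:801@pbx.example:5060>
15:25:16.034|.\Target.cpp(429)|Log2||Target::makeOneInvite:[CM503025]: Call(10129): Calling Ext:Ext.801@[Dev:sip:801@pbx.example:40600]
15:25:25.237|.\Target.cpp(429)|Log2||Target::makeOneInvite:[CM503025]: Call(10129): Calling Unknown:00@(Ln.10008@SS-PRI-1)@[Dev:sip:10008@gw.example:5060]
15:57:17.322|.\Call.cpp(981)|Log2||Call::Terminate:[CM503008]: Call(10129): Call is terminated
16:02:00.100|.\CallCtrl.cpp(160)|Log2||CallCtrl::onIncomingCall:[CM503001]: Call(10130): Incoming call from 5550100@(Ln.10008@SS-PRI-1) to <sip:801@pbx.example:5060>
16:02:00.150|.\Target.cpp(429)|Log2||Target::makeOneInvite:[CM503025]: Call(10130): Calling Ext:Ext.801@[Dev:sip:801@pbx.example:40600]
16:02:40.000|.\Call.cpp(981)|Log2||Call::Terminate:[CM503008]: Call(10130): Call is terminated
"""

LINE = re.compile(r"^(\d\d:\d\d:\d\d\.\d+)\|.*?\[(CM\d+)\]: Call\((\d+)\): (.*)$")
INBOUND = re.compile(r"Incoming call from (\S+?)@\(Ln\.(\d+)@")   # caller, trunk line
TRUNK_LEG = re.compile(r"Calling \w+:(\d+)@\(Ln\.(\d+)@")          # digits, trunk line

def find_hairpins(log_text):
    """Return calls that arrived on a trunk line and were then dialed out a trunk."""
    calls = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%H:%M:%S.%f")
        code, call_id, msg = m.group(2), m.group(3), m.group(4)
        c = calls.setdefault(call_id, {"call": call_id})
        if code == "CM503001" and (i := INBOUND.search(msg)):
            c["caller"], c["in_line"] = i.group(1), i.group(2)
        elif code == "CM503025" and (t := TRUNK_LEG.search(msg)):
            # Extension legs ("Calling Ext:Ext.801@[Dev...") do not match this pattern.
            c["dialed"], c["out_line"], c["leg_start"] = t.group(1), t.group(2), ts
        elif code == "CM503008" and "leg_start" in c:
            # Seconds the outbound trunk leg stayed up before the call ended.
            c["seconds"] = round((ts - c.pop("leg_start")).total_seconds())
    return [c for c in calls.values() if "in_line" in c and "dialed" in c]

if __name__ == "__main__":
    for hit in find_hairpins(SAMPLE):
        print(hit)
```

Timestamps in this log carry no date, so the duration is only meaningful for calls that start and end on the same day.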
 
This has me confused as well, it seems someone's calling in and connecting to 00 and remains connected with 00 for half an hour.

To check yourself on what calls took place on the system, use the call reporter which can be found at: Start > Programs > 3CX Phonesystem > 3CX Call Reporter and Generate a Call Report and see what exactly is happening.

Do you have anything in your system that could explain this 00 call? Do you have some sort of DID / Forwarding Rule / Enabled Outbound Calls through Voicemail somewhere that may give an external user the ability to make calls?
Also I want to ask, what is the outbound rule for your Grandstream? Is it possibly 0?

Could you send me a full system backup to [email protected] so I can check this out please?

Go to Start > Programs > 3CX Phonesystem > Backup and Restore > Click on "Backup Call History" create a backup and send it to my E-Mail please so I can check this out in more detail on what's going on.
 
Are they somehow reaching an outside operator and having the calls placed that way? Can your provider tell you if these are direct dialled calls or collect/Person to Person?
 
Hi,

On your Grandstream 4108, do you have two stage dialing enabled? If you're not sure, I'd go in the settings and check just to be sure.
 
Here is what I have set in the grandstream 4108.

4. Wait for Dial-Tone(Y/N): N (default No for 2 stage dialing)
5. Stage Method(1/2): 1 (default 2 - 2 stage dialing)

Maybe Dial-Tone = N is the problem? Should I set it to yes?

Also I have this set in the dial-plan :

PSTN Outgoing calls: {x+}


Should I set this to something like {xxx+}?

Thanks for all the help.

Dave
 
I just figured it out!

I had an outbound rule to strip off the 9 without specifying number length. So if you dialed 900 from our standard after hours greeting it gave you the ATT operator to dial whatever you wanted.

Moral of the story. Make sure you specify number lengths in your outbound rules!

Thanks everyone for your help and suggestions. 3CX is an awesome product and only keeps getting better!

Dave.
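The misconfiguration described in the final post, shown as a small model of an outbound rule with and without a number-length condition. This is an added example, not 3CX code or configuration from the thread; the `OutboundRule` class, the probe list and the allowed lengths (9 followed by 7, 10 or 11 digits) are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class OutboundRule:
    """Simplified outbound rule (hypothetical model, not the 3CX schema)."""
    name: str
    prefix: str                                 # rule applies to numbers starting with this
    strip: int                                  # leading digits removed before the trunk
    lengths: Optional[Tuple[int, ...]] = None   # allowed dialed lengths; None = any

    def route(self, dialed: str) -> Optional[str]:
        """Return the digits sent to the trunk, or None if the rule does not match."""
        if not dialed.isdigit() or not dialed.startswith(self.prefix):
            return None
        if self.lengths is not None and len(dialed) not in self.lengths:
            return None
        return dialed[self.strip:]

# The rule as described in the thread: strip the 9, no number length.
WEAK = OutboundRule("strip-9", prefix="9", strip=1)
# Same rule restricted to 9 + 7, 10 or 11 digits (assumed dial plan).
FIXED = OutboundRule("strip-9-len", prefix="9", strip=1, lengths=(8, 11, 12))

# Constructed probe strings a caller could key at the after-hours greeting.
PROBES = ["90", "900", "9411", "916315550100", "801", "999"]

def audit(rule, probes=PROBES, min_trunk_digits=7):
    """List (dialed, sent) pairs where the rule hands the trunk a short code
    such as 0 or 00 instead of a full subscriber number."""
    findings = []
    for dialed in probes:
        sent = rule.route(dialed)
        if sent is not None and len(sent) < min_trunk_digits:
            findings.append((dialed, sent))
    return findings

if __name__ == "__main__":
    print("weak :", audit(WEAK))    # short codes reach the carrier
    print("fixed:", audit(FIXED))   # nothing short gets through
```

In this model 999 also reaches the trunk as 99 under the weak rule, because nothing in the rule itself reserves internal numbers; the length condition closes that path as well.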
 