I think I've been hacked.

Discussion in '3CX Phone System - General' started by dtle007, Nov 12, 2010.

Thread Status:
Not open for further replies.
  1. dtle007

    Joined:
    Nov 12, 2010
    Messages:
    4
    Likes Received:
    0
    Strangely, yesterday I ran out of balance for my international calls. I checked my logs and noticed my main extension 100 had made about 20 calls in a span of 30 minutes, running out my balance. Since it was yesterday I wasn't able to get any server logs.

    Then just now I received an email from my trunk provider that my credit card has been recharged for a new balance since it ran out. Note, I had just recharged it earlier this morning.

    I checked my logs and found 17 new calls that sucked my balance dry, calling "0023222272359", a destination in Freetown, Sierra Leone. It was the same destination as yesterday. The other one was "0020106699703", an Egypt Mobile destination.

    It seems my system has been compromised for vishing, as googling reveals.

    The calls are being made from extension 100, which is the phone sitting right in front of me. It hasn't been used, so I checked the 3CX logs immediately and found the following.

    19:21:26.171 [CM503001]: Call(412): Incoming call from Ext.100 to "0023222272359"<sip:0023222272359@192.168.1.70>

    19:21:07.171 [CM503008]: Call(411): Call is terminated

    19:21:07.156 [CM503008]: Call(411): Call is terminated

    19:20:53.218 [CM503008]: Call(409): Call is terminated

    19:20:53.218 [CM503008]: Call(409): Call is terminated

    19:19:37.671 [CM503007]: Call(411): Device joined: sip:17772706843@callcentric.com:5060

    19:19:37.656 [CM503007]: Call(411): Device joined: sip:100@41.153.195.162:59172;rinstance=8a377aff3da3d8d5

    19:19:37.281 [CM505003]: Provider:[CallCentric] Device info: Device Not Identified: User Agent not matched; Capabilities:[reinvite, replaces, able-no-sdp, recvonly] UserAgent: [] Transport: [sip:192.168.1.70:5060]

    19:19:37.265 [CM503002]: Call(411): Alerting sip:17772706843@callcentric.com:5060

    19:19:34.734 [CM503004]: Call(411): Calling: VoIPline:0023222272359@(Ln.10002@CallCentric)@[Dev:sip:17772706843@callcentric.com:5060]

    19:19:34.703 [CM503010]: Making route(s) to "0023222272359"<sip:0023222272359@192.168.1.70>

    19:19:34.687 [CM505001]: Ext.100: Device info: Device Identified: [Man: Counterpath;Mod: eyeBeam;Rev: General] Capabilities:[reinvite, no-replaces, unable-no-sdp, recvonly] UserAgent: [eyeBeam release 1010f stamp 39239] Transport: [sip:192.168.1.70:5060]

    19:19:34.671 [CM503001]: Call(411): Incoming call from Ext.100 to "0023222272359"<sip:0023222272359@192.168.1.70>

    19:19:16.500 [CM503008]: Call(410): Call is terminated

    19:19:16.500 [CM503008]: Call(410): Call is terminated

    19:17:44.953 [CM503007]: Call(410): Device joined: sip:17772706843@callcentric.com:5060

    19:17:44.937 [CM503007]: Call(410): Device joined: sip:100@41.153.195.162:59172;rinstance=8a377aff3da3d8d5

    19:17:44.421 [CM505003]: Provider:[CallCentric] Device info: Device Not Identified: User Agent not matched; Capabilities:[reinvite, replaces, able-no-sdp, recvonly] UserAgent: [] Transport: [sip:192.168.1.70:5060]

    19:17:44.406 [CM503002]: Call(410): Alerting sip:17772706843@callcentric.com:5060

    19:17:41.875 [CM503004]: Call(410): Calling: VoIPline:0023222272359@(Ln.10002@CallCentric)@[Dev:sip:17772706843@callcentric.com:5060]

    19:17:41.843 [CM503010]: Making route(s) to "0023222272359"<sip:0023222272359@192.168.1.70>

    19:17:41.828 [CM505001]: Ext.100: Device info: Device Identified: [Man: Counterpath;Mod: eyeBeam;Rev: General] Capabilities:[reinvite, no-replaces, unable-no-sdp, recvonly] UserAgent: [eyeBeam release 1010f stamp 39239] Transport: [sip:192.168.1.70:5060]

    19:17:41.812 [CM503001]: Call(410): Incoming call from Ext.100 to "0023222272359"<sip:0023222272359@192.168.1.70>

    19:17:24.859 [CM503008]: Call(408): Call is terminated

    19:17:24.828 [CM503008]: Call(408): Call is terminated

    19:17:24.796 [CM505003]: Provider:[CallCentric] Device info: Device Not Identified: User Agent not matched; Capabilities:[reinvite, replaces, able-no-sdp, recvonly] UserAgent: [] Transport: [sip:192.168.1.70:5060]

    19:17:20.953 [CM503007]: Call(409): Device joined: sip:17772706843@callcentric.com:5060

    19:17:20.937 [CM503007]: Call(409): Device joined: sip:100@41.153.195.162:59172;rinstance=8a377aff3da3d8d5

    19:17:20.500 [CM505003]: Provider:[CallCentric] Device info: Device Not Identified: User Agent not matched; Capabilities:[reinvite, replaces, able-no-sdp, recvonly] UserAgent: [] Transport: [sip:192.168.1.70:5060]

    19:17:20.484 [CM503002]: Call(409): Alerting sip:17772706843@callcentric.com:5060

    19:17:18.140 [CM503004]: Call(409): Calling: VoIPline:0023222272359@(Ln.10002@CallCentric)@[Dev:sip:17772706843@callcentric.com:5060]

    19:17:18.109 [CM503010]: Making route(s) to "0023222272359"<sip:0023222272359@192.168.1.70>

    19:17:18.093 [CM505001]: Ext.100: Device info: Device Identified: [Man: Counterpath;Mod: eyeBeam;Rev: General] Capabilities:[reinvite, no-replaces, unable-no-sdp, recvonly] UserAgent: [eyeBeam release 1010f stamp 39239] Transport: [sip:192.168.1.70:5060]

    19:17:18.078 [CM503001]: Call(409): Incoming call from Ext.100 to "0023222272359"<sip:0023222272359@192.168.1.70>

    19:17:08.468 [CM503007]: Call(408): Device joined: sip:17772706843@callcentric.com:5060

    19:17:08.453 [CM503007]: Call(408): Device joined: sip:100@41.153.195.162:59172;rinstance=8a377aff3da3d8d5

    19:17:07.984 [CM505003]: Provider:[CallCentric] Device info: Device Not Identified: User Agent not matched; Capabilities:[reinvite, replaces, able-no-sdp, recvonly] UserAgent: [] Transport: [sip:192.168.1.70:5060]

    19:17:07.968 [CM503002]: Call(408): Alerting sip:17772706843@callcentric.com:5060

    19:17:05.703 [CM503004]: Call(408): Calling: VoIPline:0023222272359@(Ln.10002@CallCentric)@[Dev:sip:17772706843@callcentric.com:5060]

    19:17:05.671 [CM503010]: Making route(s) to "0023222272359"<sip:0023222272359@192.168.1.70>

    19:17:05.671 [CM505001]: Ext.100: Device info: Device Identified: [Man: Counterpath;Mod: eyeBeam;Rev: General] Capabilities:[reinvite, no-replaces, unable-no-sdp, recvonly] UserAgent: [eyeBeam release 1010f stamp 39239] Transport: [sip:192.168.1.70:5060]

    19:17:05.640 [CM503001]: Call(408): Incoming call from Ext.100 to "0023222272359"<sip:0023222272359@192.168.1.70>

    19:17:05.640 [MS101003] C:408.1: Possible firewall problem. Address mapping failed on STUN server 75.101.138.128:3478 for local address ":9000"

    19:17:05.640 [MS201000] Use STUN server 'stun2.3cx.com:3478'

    19:17:05.640 [MS101005] STUN request failed for ports 9000,9001 on STUN server 'stun.3cx.com:3478'

    19:17:05.515 [MS201000] Use STUN server 'stun.3cx.com:3478'

    19:17:05.515 [MS101005] STUN request failed for ports 9000,9001 on STUN server 'stun2.3cx.com:3478'

    19:17:05.406 [MS201000] Use STUN server 'stun2.3cx.com:3478'

    19:17:05.375 [MS101005] STUN request failed for ports 9000,9001 on STUN server 'stun.3cx.com:3478'

    19:16:50.125 [CM503008]: Call(407): Call is terminated

    19:16:50.125 [CM503008]: Call(407): Call is terminated

    19:16:40.078 [CM503008]: Call(406): Call is terminated

    19:16:40.078 [CM503008]: Call(406): Call is terminated

    19:10:16.718 [CM503007]: Call(407): Device joined: sip:17772706843@callcentric.com:5060

    19:10:16.703 [CM503007]: Call(407): Device joined: sip:100@41.153.195.162:59172;rinstance=8a377aff3da3d8d5



    First of all, I've blocked all outgoing international calls for now, but can someone suggest a simple solution to stop this? Perhaps turning off STUN? Changing the port for STUN? I had set it up for external extensions, but our off-site sales guy is gone and that feature is no longer needed. How can I easily stop this? I don't want to bleed any more money to these SOBs.
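Added example, not from the thread: a small Python check over log lines in the format quoted above. It flags two things the poster had to spot by eye: an extension whose device "joined" from a public IP address rather than the LAN (Ext.100 appears from 41.153.195.162 while the handset is on the desk), and a burst of international calls from one extension inside a short window. The Ext.100 lines are copied from the log; the Ext.101 lines are constructed as a normal LAN phone.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the 3CX activity-log format quoted above: the Ext.100 lines
# are copied from the post, the Ext.101 lines are made up as a normal LAN phone.
SAMPLE_LOG = """\
19:17:05.640 [CM503001]: Call(408): Incoming call from Ext.100 to "0023222272359"<sip:0023222272359@192.168.1.70>
19:17:08.453 [CM503007]: Call(408): Device joined: sip:100@41.153.195.162:59172;rinstance=8a377aff3da3d8d5
19:17:18.078 [CM503001]: Call(409): Incoming call from Ext.100 to "0023222272359"<sip:0023222272359@192.168.1.70>
19:17:20.937 [CM503007]: Call(409): Device joined: sip:100@41.153.195.162:59172;rinstance=8a377aff3da3d8d5
19:17:41.812 [CM503001]: Call(410): Incoming call from Ext.100 to "0023222272359"<sip:0023222272359@192.168.1.70>
19:19:34.671 [CM503001]: Call(411): Incoming call from Ext.100 to "0023222272359"<sip:0023222272359@192.168.1.70>
19:20:01.000 [CM503001]: Call(412): Incoming call from Ext.101 to "5551234"<sip:5551234@192.168.1.70>
19:20:03.000 [CM503007]: Call(412): Device joined: sip:101@192.168.1.55:5060;rinstance=0123456789abcdef
"""

JOIN_RE = re.compile(r'^(\S+) .*Device joined: sip:(\d+)@(\d+\.\d+\.\d+\.\d+):\d+')
CALL_RE = re.compile(r'^(\S+) .*Incoming call from Ext\.(\d+) to "(\d+)"')
INTL_PREFIXES = ("00", "011")  # 00 as dialled in the log above, 011 for NANP sites

def foreign_registrations(log):
    """(extension, ip) pairs where a phone registered from a public, non-RFC1918 address."""
    hits = set()
    for line in log.splitlines():
        m = JOIN_RE.match(line)
        if m and ipaddress.ip_address(m.group(3)).is_global:
            hits.add((m.group(2), m.group(3)))
    return sorted(hits)

def intl_call_bursts(log, threshold=3, window=timedelta(minutes=30)):
    """{extension: peak count} for extensions placing more than `threshold`
    international calls inside any `window` (timestamps assumed from one day)."""
    stamps = defaultdict(list)
    for line in log.splitlines():
        m = CALL_RE.match(line)
        if m and m.group(3).startswith(INTL_PREFIXES):
            stamps[m.group(2)].append(datetime.strptime(m.group(1), "%H:%M:%S.%f"))
    alerts = {}
    for ext, ts in stamps.items():
        ts.sort()
        start = 0
        for end in range(len(ts)):  # sliding window over the sorted call times
            while ts[end] - ts[start] > window:
                start += 1
            if end - start + 1 > threshold:
                alerts[ext] = max(alerts.get(ext, 0), end - start + 1)
    return alerts
```

Run against the rolled-over log files rather than the three-hour console view and both findings would have shown up on the first day, before the second top-up was spent.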
     
  2. archie

    archie Well-Known Member
    3CX Support

    Joined:
    Aug 18, 2006
    Messages:
    1,299
    Likes Received:
    0
    First thing to do is to change the password of Ext.100 from '100' to something less guessable, and do the same for the other extensions. If you have V9 it will take care of everything else.
     
  3. leejor

    leejor Well-Known Member

    Joined:
    Jan 22, 2008
    Messages:
    10,367
    Likes Received:
    228
    One other suggestion, and this can help control costs incurred by not only hackers but employees as well... some VoIP providers allow you to set a maximum per-minute rate. The majority of landline calls to countries I would call are under 5 US cents per minute, in most cases half, or a third, of that. If your provider has this limiting service, it might be worth taking advantage of it. Of course, if you regularly place calls to mobile phones in many countries, this may be of no help, as these rates can sometimes be many, many times the landline rate. Outbound rules can also be set up to block calls to certain (expensive) regions of the globe that you or employees would never call.
     
  4. dtle007

    Joined:
    Nov 12, 2010
    Messages:
    4
    Likes Received:
    0
    Okay, I will try the above suggestions.

    I tried removing a port from the firewall to stop STUN from working, but I got back today and noticed 3 more attempts at two different times. I will change the password and hopefully it will stop them from connecting to my system remotely.

    Is there no way for me to disable whatever feature enables remote extensions, since I don't need that anymore? Is that the STUN server?
     
  5. leejor

    leejor Well-Known Member

    Joined:
    Jan 22, 2008
    Messages:
    10,367
    Likes Received:
    228
    STUN is simply a tool that allows devices, 3CX included, to determine what sort of NAT they are dealing with. The device and a STUN server run some tests, to put it in simple terms. Here is some reading on the subject if you want to go into it; it has a good flow chart diagram. http://en.wikipedia.org/wiki/Session_Traversal_Utilities_for_NAT

    Once someone has your IP address, you will be vulnerable until you change the passwords. Once they can't get any more free calls from you, they will move on to someone else.
     
  6. dtle007

    Joined:
    Nov 12, 2010
    Messages:
    4
    Likes Received:
    0
    Is there a way to see server activity logs from further back? I can only see from 3 hours back because 3CX keeps registering extensions over and over and it clears the activities fast.

    I want to see if there have been any attempts to register rogue extensions on my server. My call logs haven't shown any new calls being attempted lately, which is encouraging, but I just want to be sure attempts are being denied and it's not just that the hackers are lying in wait to try again. I still haven't turned international calls back on, for fear of my balance getting drained overnight while I sleep.
     
  7. Fatboy40

    Fatboy40 New Member

    Joined:
    Aug 2, 2010
    Messages:
    170
    Likes Received:
    0
    C:\Documents and Settings\All Users\Application Data\3CX\Data\Logs\3CXPhoneSystem.log

    FYI if you're using Vista/7 then the path will be slightly different.

    Also, if your logs are getting huge you may want to go to 'Management Console -> Advanced' and enable 'Keep backup of log files' so that you can build up a history of logs (they roll over when they reach 2MB in size), which will then be stored at the above path under the 'Logs' folder, in sub-folders with a date stamp.
     
  8. leejor

    leejor Well-Known Member

    Joined:
    Jan 22, 2008
    Messages:
    10,367
    Likes Received:
    228
    Not yet, but I put it in as a suggestion a while back. Might be coming.

    You can set up your outbound rules to require a prefix, other than something guessable, for overseas calls. Something like... dial 5473327+011XXXXXXXXXXXX, then just strip the prefix and send only the required digits to your provider. At least you could still use the service without having to worry about others getting in and calling out.
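Added illustration of the idea in this post and of leejor's earlier point about blocking expensive regions; it is written in Python and is not 3CX's own outbound-rule syntax. A weak rule table that sends any number out as dialled sits beside a hardened one that needs the secret prefix, strips it before the digits reach the provider, rejects bare 011/00 international attempts, and blocks the two destinations named in the thread. The prefix and numbers are constructed.

```python
# Each rule is (dialled prefix, digits to strip, allowed). Rules are tried in
# order and the first match decides, as in a PBX outbound-rule table.
SECRET_PREFIX = "5473327"  # leejor's example; a real site should pick its own

# Weak table: anything dialled, international included, is routed as-is.
# This is the behaviour a hijacked extension takes advantage of.
WEAK_RULES = [
    ("", 0, True),
]

# Hardened table: international calls need the secret prefix, which is
# stripped before the digits go to the trunk; bare 011 or 00 international
# attempts are rejected; domestic digits pass through unchanged.
HARDENED_RULES = [
    (SECRET_PREFIX + "011", len(SECRET_PREFIX), True),
    ("011", 0, False),
    ("00", 0, False),
    ("", 0, True),
]

# Destination prefixes, as sent to the provider, that this site never calls.
# Constructed list: country codes 232 and 20 are the two named in the thread.
BLOCKED_DESTINATIONS = ("011232", "01120")


def route_outbound(rules, dialled, blocked=BLOCKED_DESTINATIONS):
    """Return the digits to send to the trunk, or None if the call is rejected."""
    if not dialled.isdigit():
        return None
    for prefix, strip, allowed in rules:
        if dialled.startswith(prefix):
            if not allowed:
                return None
            outbound = dialled[strip:]
            # The region block is applied after stripping, so knowing the
            # prefix does not bypass it.
            if outbound.startswith(blocked):
                return None
            return outbound
    return None
```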
     
  9. dtle007

    Joined:
    Nov 12, 2010
    Messages:
    4
    Likes Received:
    0
    That's very creative. You suggested this earlier but I didn't have a clue how to implement that suggestion until you provided this example. I was puzzled looking at the outbound setup screen wondering how I could limit outbound calls, but your example was very clear. Thanks a lot.

    Since adding a non-default password our balance has been safe from being compromised. Thanks for all the help everyone.
     
  10. Nick Galea

    Nick Galea Site Admin

    Joined:
    Jun 6, 2006
    Messages:
    1,888
    Likes Received:
    190
    Ensure you always have the latest service pack installed. Service Pack 3 and 4 introduced many new security features.

    The most common reason for being hacked is a weak extension password. You can view all passwords from the management console and quickly ensure they are secure.
     
  11. jjd

    jjd

    Joined:
    Jun 27, 2010
    Messages:
    3
    Likes Received:
    0
    Hi,

    I would ask yourself the question: how did this person get access to my PBX?

    1. Do they have access to the server (rootkit/trojan)? (Clean up.)
    2. Do I have SIP ports (port 5060) open to the outside world? (Close the ports and limit them to just the SIP provider or known IPs.)
    3. Is my SIP tunnel proxy password too easy to guess? (Change the password to something sensible.)
    4. Do I have an internal machine on my network that is compromised? (Lock down and clean up the PCs/network.)
    5. Are my extension passwords guessable? (Make better passwords.)
    6. Are my provider passwords easy to guess? Remember, it does not need to be accessed from your site only.

    HTH
    Joe.
     