
I think I've been hacked.


dtle007

Strangely, yesterday I ran out of balance for my international calls. I checked my logs and noticed my main extension 100 had made about 20 calls in a span of 30 minutes, running out my balance. Since it was yesterday I wasn't able to get any server logs.

Then just now I received an email from my trunk provider that my credit card has been recharged for a new balance since it ran out. Note, I had just recharged it earlier this morning.

I checked my logs and found that 17 new calls that sucked up my balance dry calling to "0023222272359", a destination in Sierra Leone Freetown. It was the same destination as yesterday. The other one being "0020106699703", a destination to Egypt Mobile.

It seems my system has been compromised for vishing, as googling reveals.

The calls are being made from extension 100, which is the phone sitting right in front of me. It hasn't been used, so I checked the 3CX logs immediately and found the following below.

19:21:26.171 [CM503001]: Call(412): Incoming call from Ext.100 to "0023222272359"<sip:[email protected]>

19:21:07.171 [CM503008]: Call(411): Call is terminated

19:21:07.156 [CM503008]: Call(411): Call is terminated

19:20:53.218 [CM503008]: Call(409): Call is terminated

19:20:53.218 [CM503008]: Call(409): Call is terminated

19:19:37.671 [CM503007]: Call(411): Device joined: sip:[email protected]:5060

19:19:37.656 [CM503007]: Call(411): Device joined: sip:[email protected]:59172;rinstance=8a377aff3da3d8d5

19:19:37.281 [CM505003]: Provider:[CallCentric] Device info: Device Not Identified: User Agent not matched; Capabilities:[reinvite, replaces, able-no-sdp, recvonly] UserAgent: [] Transport: [sip:192.168.1.70:5060]

19:19:37.265 [CM503002]: Call(411): Alerting sip:[email protected]:5060

19:19:34.734 [CM503004]: Call(411): Calling: VoIPline:0023222272359@(Ln.10002@CallCentric)@[Dev:sip:[email protected]:5060]

19:19:34.703 [CM503010]: Making route(s) to "0023222272359"<sip:[email protected]>

19:19:34.687 [CM505001]: Ext.100: Device info: Device Identified: [Man: Counterpath;Mod: eyeBeam;Rev: General] Capabilities:[reinvite, no-replaces, unable-no-sdp, recvonly] UserAgent: [eyeBeam release 1010f stamp 39239] Transport: [sip:192.168.1.70:5060]

19:19:34.671 [CM503001]: Call(411): Incoming call from Ext.100 to "0023222272359"<sip:[email protected]>

19:19:16.500 [CM503008]: Call(410): Call is terminated

19:19:16.500 [CM503008]: Call(410): Call is terminated

19:17:44.953 [CM503007]: Call(410): Device joined: sip:[email protected]:5060

19:17:44.937 [CM503007]: Call(410): Device joined: sip:[email protected]:59172;rinstance=8a377aff3da3d8d5

19:17:44.421 [CM505003]: Provider:[CallCentric] Device info: Device Not Identified: User Agent not matched; Capabilities:[reinvite, replaces, able-no-sdp, recvonly] UserAgent: [] Transport: [sip:192.168.1.70:5060]

19:17:44.406 [CM503002]: Call(410): Alerting sip:[email protected]:5060

19:17:41.875 [CM503004]: Call(410): Calling: VoIPline:0023222272359@(Ln.10002@CallCentric)@[Dev:sip:[email protected]:5060]

19:17:41.843 [CM503010]: Making route(s) to "0023222272359"<sip:[email protected]>

19:17:41.828 [CM505001]: Ext.100: Device info: Device Identified: [Man: Counterpath;Mod: eyeBeam;Rev: General] Capabilities:[reinvite, no-replaces, unable-no-sdp, recvonly] UserAgent: [eyeBeam release 1010f stamp 39239] Transport: [sip:192.168.1.70:5060]

19:17:41.812 [CM503001]: Call(410): Incoming call from Ext.100 to "0023222272359"<sip:[email protected]>

19:17:24.859 [CM503008]: Call(408): Call is terminated

19:17:24.828 [CM503008]: Call(408): Call is terminated

19:17:24.796 [CM505003]: Provider:[CallCentric] Device info: Device Not Identified: User Agent not matched; Capabilities:[reinvite, replaces, able-no-sdp, recvonly] UserAgent: [] Transport: [sip:192.168.1.70:5060]

19:17:20.953 [CM503007]: Call(409): Device joined: sip:[email protected]:5060

19:17:20.937 [CM503007]: Call(409): Device joined: sip:[email protected]:59172;rinstance=8a377aff3da3d8d5

19:17:20.500 [CM505003]: Provider:[CallCentric] Device info: Device Not Identified: User Agent not matched; Capabilities:[reinvite, replaces, able-no-sdp, recvonly] UserAgent: [] Transport: [sip:192.168.1.70:5060]

19:17:20.484 [CM503002]: Call(409): Alerting sip:[email protected]:5060

19:17:18.140 [CM503004]: Call(409): Calling: VoIPline:0023222272359@(Ln.10002@CallCentric)@[Dev:sip:[email protected]:5060]

19:17:18.109 [CM503010]: Making route(s) to "0023222272359"<sip:[email protected]>

19:17:18.093 [CM505001]: Ext.100: Device info: Device Identified: [Man: Counterpath;Mod: eyeBeam;Rev: General] Capabilities:[reinvite, no-replaces, unable-no-sdp, recvonly] UserAgent: [eyeBeam release 1010f stamp 39239] Transport: [sip:192.168.1.70:5060]

19:17:18.078 [CM503001]: Call(409): Incoming call from Ext.100 to "0023222272359"<sip:[email protected]>

19:17:08.468 [CM503007]: Call(408): Device joined: sip:[email protected]:5060

19:17:08.453 [CM503007]: Call(408): Device joined: sip:[email protected]:59172;rinstance=8a377aff3da3d8d5

19:17:07.984 [CM505003]: Provider:[CallCentric] Device info: Device Not Identified: User Agent not matched; Capabilities:[reinvite, replaces, able-no-sdp, recvonly] UserAgent: [] Transport: [sip:192.168.1.70:5060]

19:17:07.968 [CM503002]: Call(408): Alerting sip:[email protected]:5060

19:17:05.703 [CM503004]: Call(408): Calling: VoIPline:0023222272359@(Ln.10002@CallCentric)@[Dev:sip:[email protected]:5060]

19:17:05.671 [CM503010]: Making route(s) to "0023222272359"<sip:[email protected]>

19:17:05.671 [CM505001]: Ext.100: Device info: Device Identified: [Man: Counterpath;Mod: eyeBeam;Rev: General] Capabilities:[reinvite, no-replaces, unable-no-sdp, recvonly] UserAgent: [eyeBeam release 1010f stamp 39239] Transport: [sip:192.168.1.70:5060]

19:17:05.640 [CM503001]: Call(408): Incoming call from Ext.100 to "0023222272359"<sip:[email protected]>

19:17:05.640 [MS101003] C:408.1: Possible firewall problem. Address mapping failed on STUN server 75.101.138.128:3478 for local address ":9000"

19:17:05.640 [MS201000] Use STUN server 'stun2.3cx.com:3478'

19:17:05.640 [MS101005] STUN request failed for ports 9000,9001 on STUN server 'stun.3cx.com:3478'

19:17:05.515 [MS201000] Use STUN server 'stun.3cx.com:3478'

19:17:05.515 [MS101005] STUN request failed for ports 9000,9001 on STUN server 'stun2.3cx.com:3478'

19:17:05.406 [MS201000] Use STUN server 'stun2.3cx.com:3478'

19:17:05.375 [MS101005] STUN request failed for ports 9000,9001 on STUN server 'stun.3cx.com:3478'

19:16:50.125 [CM503008]: Call(407): Call is terminated

19:16:50.125 [CM503008]: Call(407): Call is terminated

19:16:40.078 [CM503008]: Call(406): Call is terminated

19:16:40.078 [CM503008]: Call(406): Call is terminated

19:10:16.718 [CM503007]: Call(407): Device joined: sip:[email protected]:5060

19:10:16.703 [CM503007]: Call(407): Device joined: sip:[email protected]:59172;rinstance=8a377aff3da3d8d5



First of all, I've blocked all outgoing international calls for now, but can someone suggest a simple solution to stop this? Perhaps turning off STUN? Changing the port for STUN? I had set it up for external extensions, but our off-site sales guy is gone and that feature is no longer needed. How can I easily stop this? I don't want to bleed any more money for these SOBs.
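The pattern in the log above (one extension placing a burst of international calls) is easy to trip-wire. The script below is an added example, not code from the thread or from 3CX: it parses the CM503001 "Incoming call from Ext.N" lines, sorts them chronologically (the console shows newest first), and flags any extension exceeding a call-count threshold to 00/011 destinations inside a sliding window. The sample lines are constructed from the post with the SIP URIs omitted.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Matches the 3CX CM503001 "Incoming call from Ext.N to "NUMBER"" lines in the post.
CALL_RE = re.compile(
    r'^(?P<ts>\d{2}:\d{2}:\d{2}\.\d{3}) \[CM503001\]: Call\((?P<call>\d+)\): '
    r'Incoming call from Ext\.(?P<ext>\d+) to "(?P<dest>\d+)"'
)

# Constructed sample, newest first like the management console, SIP URIs omitted.
SAMPLE_LOG = """\
19:22:00.000 [CM503001]: Call(413): Incoming call from Ext.101 to "5551234"
19:21:26.171 [CM503001]: Call(412): Incoming call from Ext.100 to "0023222272359"
19:19:34.671 [CM503001]: Call(411): Incoming call from Ext.100 to "0020106699703"
19:17:41.812 [CM503001]: Call(410): Incoming call from Ext.100 to "0023222272359"
19:17:18.078 [CM503001]: Call(409): Incoming call from Ext.100 to "0023222272359"
19:17:05.640 [CM503001]: Call(408): Incoming call from Ext.100 to "0023222272359"
19:10:16.500 [CM503001]: Call(407): Incoming call from Ext.100 to "0023222272359"
"""

def parse_calls(log_text):
    """Return a chronological list of (timestamp, extension, dialed number)."""
    calls = []
    for line in log_text.splitlines():
        m = CALL_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%H:%M:%S.%f")
            calls.append((ts, m["ext"], m["dest"]))
    return sorted(calls)

def is_international(number):
    """00 (poster's trunk) and 011 (NANP) prefixes mean an international destination."""
    return number.startswith(("00", "011"))

def find_burst_extensions(log_text, max_calls=3, window=timedelta(minutes=30)):
    """Map extension -> peak count for extensions that exceed max_calls international
    calls inside any sliding window; the poster saw ~20 calls from Ext.100 in 30 min."""
    recent, flagged = {}, {}
    for ts, ext, dest in parse_calls(log_text):
        if not is_international(dest):
            continue
        q = recent.setdefault(ext, deque())
        q.append(ts)
        while ts - q[0] > window:       # drop calls that fell outside the window
            q.popleft()
        if len(q) > max_calls:
            flagged[ext] = max(flagged.get(ext, 0), len(q))
    return flagged
```

Run it against 3CXPhoneSystem.log on a schedule and page someone when the result is non-empty; tune max_calls to your real international call volume.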
 
First thing to do is to change the password of Ext.100 from '100' to something less guessable. And do the same for other extensions. If you have V9 it will take care of everything else.
 
One other suggestion, and this can help control costs incurred by not only hackers but employees as well: some VoIP providers allow you to set a maximum per-minute rate. The majority of landline calls to countries I would call are under 5 US cents per minute, in most cases half, or a third, of that. If your provider has this limiting service, it might be worth taking advantage of it. Of course, if you regularly place calls to mobile phones in many countries, this may be of no help, as these rates can sometimes be many, many times the landline rate. Outbound rules can also be set up to block calls to certain (expensive) regions of the globe that you or employees would never call.
 
Okay, I will try the above suggestions.

I tried removing a port from the firewall to stop STUN from working, but I got back today and noticed 3 more attempts at two different times. I will change the password and hopefully it will keep them from connecting to my system remotely.

Is there no way for me to disable whatever feature enables remote extensions, since I don't need that anymore? Is that the STUN server?
 
STUN is simply a tool that allows devices, 3CX included, to determine what sort of NAT they are dealing with. The device and a STUN server run some tests, to put it in simple terms. Here is some reading on the subject if you want to go into it; it has a good flow chart diagram. http://en.wikipedia.org/wiki/Session_Traversal_Utilities_for_NAT

Once someone has your IP address, until you change the passwords, you will be vulnerable. Once they can't get any more free calls from you, they will move on to someone else.
 
Is there a way to see server activity logs from further back? I can only see from 3 hours back because 3CX keeps registering extensions over and over and it clears the activities fast.

I want to see if there have been any attempts to register rogue extensions on my server. My call logs haven't shown any new calls trying to be made lately, which is encouraging, but I just want to be sure attempts are being denied and it's not just that the hackers are lying in wait to try again. I still haven't turned on international calls for fear of my balance getting drained overnight while I sleep.
 
C:\Documents and Settings\All Users\Application Data\3CX\Data\Logs\3CXPhoneSystem.log

FYI if you're using Vista/7 then the path will be slightly different.

Also, if your logs are getting huge you may want to go to 'Management Console -> Advanced' and enable 'Keep backup of log files' so that you can build up a history of logs (they roll over when they reach 2MB in size), which will then be stored at the above path under the 'Logs' folder with a date stamp on sub folders.
 
dtle007 said:
Is there no way for me to disable whatever feature enables remote extensions, since I don't need that anymore?

Not yet, but I put it in as a suggestion a while back. Might be coming.

dtle007 said:
I still haven't turned on international calls for fear of my balance getting drained overnight while I sleep.

You can set up your outbound rules to require a prefix, other than something guessable, for overseas calls. Something like... dial 5473327+011XXXXXXXXXXXX, then just strip the prefix and send only the required digits to your provider. At least you could still use the service without having to worry about others getting in and calling out.
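The prefix-then-strip idea in the post above, modelled as an added example (not 3CX's own code and not the poster's configuration): a simplified rule table where the first matching prefix wins, a hit on the secret-prefix rule strips those digits before the number reaches the trunk, and a bare 00/011 dial is blocked. The prefix 5473327 is the constructed value from the post; the trunk name is assumed.

```python
import re

# Assumed simplified model of 3CX outbound rules (not the product's own code):
# rules are checked top to bottom, the first prefix match wins, and a matching
# rule either blocks the call or strips digits before the number goes to the trunk.
SECRET_PREFIX = "5473327"          # the example prefix from the post above

RULES = [
    # name,               dialed-number pattern,                               strip,              trunk
    ("intl-with-prefix", re.compile(rf"^{SECRET_PREFIX}011\d{{7,15}}$"), len(SECRET_PREFIX), "CallCentric"),
    ("block-bare-intl",  re.compile(r"^(011|00)\d+$"),                    0,                  None),
    ("domestic",         re.compile(r"^\d{7,10}$"),                       0,                  "CallCentric"),
]

def route_call(dialed):
    """Return (trunk, number_sent) for an allowed call, or (None, None) when blocked."""
    for _name, pattern, strip, trunk in RULES:
        if pattern.match(dialed):
            if trunk is None:
                return None, None
            return trunk, dialed[strip:]
    return None, None                  # no rule matched: treated as blocked here
```

Because the blocking rule sits after the prefixed rule, only callers who know the prefix can reach international numbers, and the provider never sees the prefix digits.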
 
leejor said:
You can set up your outbound rules to require a prefix, other than something guessable, for overseas calls. Something like... dial 5473327+011XXXXXXXXXXXX, then just strip the prefix and send only the required digits to your provider. At least you could still use the service without having to worry about others getting in and calling out.

That's very creative. You suggested this earlier, but I didn't have a clue how to implement that suggestion until you provided this example. I was puzzled looking at the outbound setup screen wondering how I could limit outbound calls, but your example was very clear. Thanks a lot.

Since adding a non-default password our balance has been safe from being compromised. Thanks for all the help, everyone.
 
Ensure you always have the latest service pack installed. Service Pack 3 and 4 introduced many new security features.

The most common reason for being hacked is a weak extension password. You can view all passwords from the management console and quickly ensure they are secure.
 
Hi,

I would ask yourself the question: how did this person get access to my PBX?

1. Have they access to the server (rootkit/trojan)? (Clean up.)
2. Do I have SIP ports (port 5060) open to the outside world? (Close ports and limit to just the SIP provider or known IPs.)
3. Is my SIP tunnel proxy password too easy to guess? (Change the password to something sensible.)
4. Do I have an internal machine on my network compromised? (Lock down and clean up PCs/network.)
5. Are my extension passwords guessable? (Make better passwords.)
6. Are my provider passwords easy to guess? Remember, they do not need to be accessed from your site only.

HTH
Joe.
 