Possible security breach

Discussion in '3CX Phone System - General' started by inteq, Nov 28, 2016.

Thread Status:
Not open for further replies.
  1. inteq

    Joined:
    Jan 8, 2013
    Messages:
    42
    Likes Received:
    0
    Hello,

    I have a 3CX 15 install with a weird entry log today.

    Call from [External_Mobile-Number_Redacted] to [International_Swiss_Number_Redacted] has been rejected by the 3CX Country Blocking Feature [0041]. Reason: 0041XX.... contains Prefix 0041. Calls to 0041 are not allowed by system.

    The same External_Mobile-Number_Redacted dialed in today and spoke with an internal extension. The call was recorded and it ended without the caller pressing any numbers on keypad.
    So the question is how could an external call dial out to an international number?
    Is there any chance the logged number might be wrong in logs and instead of External_Mobile-Number_Redacted there should have been an internal extension number?
    Searching call logs I see no calls to International_Swiss_Number_Redacted from any number or extension, including from External_Mobile-Number_Redacted, the number reported as trying to call a blocked international prefix.
    Anyone else noticed such entries in logs?
     
  2. leejor

    leejor Well-Known Member

    Joined:
    Jan 22, 2008
    Messages:
    10,567
    Likes Received:
    246
    Were there actual numbers shown? If so, did you try reaching the mobile number to see if there is any relationship with your company, or employees? Does the log show where the incoming call was originally directed? There must be more to the log (trail of that call) than just the one line.
     
  3. inteq

    I redacted the numbers. The warning displays the numbers.
    As I specified, [External_Mobile-Number_Redacted] called in the same day and spoke with an internal extension.
    [External_Mobile-Number_Redacted] is not affiliated with the firm. It is a client.

    There is nothing more in logs that I can find about [International_Swiss_Number_Redacted], as I specified.
    No calls from or to the number.

    For some reason, the attached image is blurry. Once saved and viewed, it is crisp.
     

    Attached Files: 3cx.png (14.8 KB)
  4. ian.watts

    ian.watts Active Member

    Joined:
    Apr 8, 2011
    Messages:
    532
    Likes Received:
    0
    Is it possible you enabled/allow outbound calls from the voicemail menu? Typically it is off.

    VMDIALOUTENABLED = 0
     
  5. leejor

    Or.... the extension that the call was originally directed to, had call forwarding, or ring my mobile, set up to go to an incorrect number.
     
  6. inteq

    Thank you for the suggestions.

    Voicemail for all extensions is OFF. Double checked again today to be sure.
    VMDIALOUTENABLED is 0
    All extensions have a rule that if a call is not answered in 20 seconds, the call is redirected to the user's mobile.
    Checked all mobile numbers and all are set correctly. None of them with a Swiss code.

    The only thing I can think of now is:
    External number calls in. Extension does not pick up in 20 seconds and the call is redirected to the user's mobile number. One of the users has his/her own mobile number redirected to this Swiss number.
    The reported block time matches the time the external mobile number called in and actually spoke with an extension.
    Will check this tomorrow with each user and get back. But, even if this checks out to be true, why no record in logs?
    I would think all calls have to be logged, blocked or not.
     
  7. leejor

    If this were the case, then the Swiss number would not be seen by 3CX as the Mobile provider is doing the forwarding (and billing for that call, if applicable).
     
  8. inteq

    Indeed leejor, I understand that the Swiss number cannot possibly appear in logs in case the extension's mobile number is also redirected to it (did not start the check yet; too early in the morning to call people), but, at the time the international call is reported as blocked, no outgoing call is logged.
    Not even an internal call or a call to a mobile phone belonging to the firm. Or to anything at all.
    This was actually my question as to why nothing appears in logs.
     
  9. pj3cx

    pj3cx Active Member

    Joined:
    Aug 1, 2013
    Messages:
    645
    Likes Received:
    1
    Hi there,
    Can you please check if you have any DID with short patterns (with * followed by 1,2, or 3 digits)?
    This sounds unrelated but actually is...
     
  10. inteq

    Indeed, I have 28 DIDs with 3 digits but not starting with *
     
  11. leejor

    The hack attempts that I see in the logs usually fall into one of two types. A registration attempt, where they pick random extension numbers then try to guess the password (probably hoping it is the same as the extension number), or a Direct SIP Call where they try to dial an international number (with various prefixes) in the hopes it will go through.

    Strong passwords, blacklist settings, and monitoring (receiving emails from 3CX) of hack attempts will generally prevent these from being more than an annoyance. Call forwarding, or (possibly) other settings instigated by less than vigilant employees could possibly allow calls to pass through, but they can usually be traced back to the extension that caused the problem, and steps taken so that there is less chance it happens again.
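
Tracing a Country Blocking entry back to the extension that handled the matching inbound call, as the last post suggests, can be scripted. This is an added example, not part of the original thread and not 3CX code; the call-record fields, the phone numbers and the separately supplied event timestamp are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Message wording as quoted in the first post of this thread.
BLOCK_RE = re.compile(
    r"Call from (?P<src>\S+) to (?P<dst>\S+) has been rejected by the "
    r"3CX Country Blocking Feature \[(?P<prefix>\d+)\]"
)

def parse_block_event(line):
    """Return src, dst and blocked prefix from a blocking message, or None."""
    m = BLOCK_RE.search(line)
    return m.groupdict() if m else None

def overlapping_inbound(event, event_time, calls, slack=timedelta(seconds=30)):
    """Inbound calls from the event's source number active at event_time."""
    return [
        c for c in calls
        if c["caller"] == event["src"]
        and c["start"] - slack <= event_time <= c["end"] + slack
    ]

def extensions_to_review(line, event_time, calls):
    """Extensions whose forwarding / ring-my-mobile settings to inspect."""
    event = parse_block_event(line)
    if event is None:
        return []
    hits = overlapping_inbound(event, event_time, calls)
    return sorted({c["extension"] for c in hits})

# Constructed sample data; field names are hypothetical, not a 3CX export.
SAMPLE_LINE = (
    "Call from 0700000001 to 0041000000000 has been rejected by the "
    "3CX Country Blocking Feature [0041]. Reason: 0041000000000 contains "
    "Prefix 0041. Calls to 0041 are not allowed by system."
)
T0 = datetime(2016, 11, 28, 10, 0, 0)
SAMPLE_CALLS = [
    {"caller": "0700000001", "extension": "104",
     "start": T0, "end": T0 + timedelta(minutes=3)},
    {"caller": "0700000002", "extension": "101",
     "start": T0, "end": T0 + timedelta(minutes=1)},
    {"caller": "0700000001", "extension": "110",
     "start": T0 - timedelta(hours=2), "end": T0 - timedelta(hours=1)},
]

if __name__ == "__main__":
    print(extensions_to_review(SAMPLE_LINE, T0 + timedelta(seconds=20), SAMPLE_CALLS))
```

An empty result for a block event whose source is an external number means no inbound call from that number was active at the time, which points away from a forwarding rule.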
     