Re: Possible system-compromise?

Discussion in '3CX Phone System - General' started by newTo3CX, Jul 26, 2012.

Thread Status:
Not open for further replies.
  1. newTo3CX

    Joined:
    Jul 23, 2012
    Messages:
    6
    Likes Received:
    0
    I have not checked our landline bill (twin POTS lines), but let me restart this thread with additional info gathered today.

    I said the phones kept resetting their BLF fields. But two of them mysteriously reset halfway, so to speak. Two other extensions were completely reset; all BLFs showed the same extension number as the phone. The only change occurring before this happened, though not in close proximity really (a couple of weeks), was going from a pure digital connection via WAN cable to a Grandstream GXW-4104 FXO gateway. The gateway has the WAN light lit, not the LAN light, but from the instructions it is supposed to use the WAN port to communicate over the switch to the PBX. I, without reading the instructions, would assume that going out on a landline it would use the LAN port to stay local, but I followed the 3CX instructions.

    Now, the 5th extension, the final one, is a Handytone 286 FXS converter providing the ability to use two cordless DECT phones. I bring this up because I am wondering about all the devices on the network, the FXO gateway, the Handytone converters, and the 4 Cisco 504Gs: do the phones themselves provide a path for a hacker to get into the PC or to make calls if the admin interfaces were left at the factory default passwords? I had forgotten about the possibility of the phones being entrances for malicious activity.

    One thing that doesn't make sense is some of the logs. I have one on a thumb drive here; later when I work I will grab the other one I documented, which seems far stranger.

    What is being shown is a very early log right after the V11 install on the same network as the other 3CX machine. I simply have 1 extension entered, no trunks or anything tied in, just a bare minimal install, and I was wondering if you could have a look and tell me if the lines I circled are normal or if anything odd is there. I would appreciate it. Thank you.

    Attached Files:

  2. newTo3CX

    Joined:
    Jul 23, 2012
    Messages:
    6
    Likes Received:
    0
    This was going to be a post under this thread: http://www.3cx.com/forums/strange-things-happening-once-setup-30261.html

    I accidentally started a new thread instead of merging.
     
  3. lneblett

    lneblett Well-Known Member

    Joined:
    Sep 7, 2010
    Messages:
    2,061
    Likes Received:
    56
    I see a couple of things -

    1. The license failing, not sure why; is this a free version?
    2. STUN requests, not really an issue, but do you need it turned on? If you have a fixed IP and pass the firewall tests, then chances are good that you do not need it. If all connections are local and you are only using the GXW, then you really have no need.

    The other messages are OK, merely startup messages. The fax will change to =fax, once a fax is actually connected and communicating.

    How you describe having the GXW connected is correct, and I assume that you have trunks that are successfully registered and working. The LAN port is more of a convenience port such that you can hook up devices on the other side, much like you can with the usual array of IP phones.

    As far as hackers are concerned, not likely with regard to the phones and gateways themselves. You most likely do not have the ports arranged such that the web interfaces for same are open through the router. If anyone is going to get in, it will be through your router and network and using the ports you have open for RDP, the 3CX management console/provisioning, HTTP/S and/or other applications that may be about. Just ensure that you have decent passwords in play and then change them occasionally, and particularly so if you have others who know them and may no longer be associated with you or your business.

    Finally, I would suggest that you edit the posts to hide portions of your IP address, and particularly the public IP. This just becomes an invitation.
  4. newTo3CX

    Joined:
    Jul 23, 2012
    Messages:
    6
    Likes Received:
    0
    I have to say lol, because our public IP is not shown in that photo. I have no idea who the heck's IP that is. I browsed the whole photo and not once is our true xx.xx.xx.xx IP in there. The 199.192.xxxxxx is not ours; that's another reason I am saying what the heck.

    Let me get back on here soon, within a couple of hours, with more data. I have to take a drive to the shop.

    I am running V11; we have a paid license for V10 on the main server. As I said, this is just a fresh format and AV/FW server that I wanted to set the system up with flawlessly using V11, and we may drop the V10 and just go to the free 11. We really haven't used the accessories in the app that come with paid vs. free that I can recall.

    The biggest thing I want to point out: the gateway had one FXO line on port 1. This was to be the main line, and then we had a second line added. When I plugged that line into port #2, it was merely unused. Well, the other day my coworker says he called his cell and it's coming up as line #2 on his caller ID. So I used every phone and called my own; all came up with the fax line ID. I was like, "this can't be right". I unplug the fax line (POTS line port #2 @ GW) and none of the phones will then call out. Now get this: that line isn't even a registered trunk yet! The only trunk registered is the number of line/GW port #1, with 3 outbound rules created + a 3-digit 911 emergency rule, but under the dropdown in each outbound rule for available paths, there is only 1 trunk/port option, line #1. So how is our system calling out on a gateway trunk line not even set up in 3CX, and when that line is unplugged, why will it say no available route?

    I think my best bet is to VLAN-encapsulate the 3CX network away from the other devices, so I can still remote in from the PC, but completely wipe V10 and start with a clean GW reset and 3CX install, along with a factory reset of all phones. Is it possible the main server has been proxy routed, somehow, someway, since that honestly is not close to our WAN IP it's showing?

    I will remember to get rid of STUN also.
  5. lneblett

    lneblett Well-Known Member

    Joined:
    Sep 7, 2010
    Messages:
    2,061
    Likes Received:
    56
    Here is what I see: the local instance of 3CX is running on 192.168.1.250. The 199.192.206.228 is a remote STUN server. 50.83.83.15 is the one I am uncertain of. The 216 IP is also STUN.

    The GXW issue is a set-up issue and will depend upon how you established it, either manually or with the template. When you plug the POTS line into an available port, the GXW will detect it. Do not confuse ports and trunks. The trunk, for all intents, is the GXW. The ports are the lines connected to the GXW. The GXW default programming usually assumes that all ports are in play, and not knowing the detail of how it was really provisioned is the issue. The GXW will generally use a round-robin approach to pick a line. You have no control over it other than to physically disconnect the PSTN, or explicitly state in the dial string which port or line you want. So, when you make a call as currently configured, it appears that the GXW is finding an available line and using that line... which is what you would want it to do. If a line were busy, you would want the device to find another available line. If line one were not connected, you would hope that it would look at the others and see if connected and if available and, if so, make the call.

    I think that when you established the outbound rule, you were more than likely given one option, and that is the name you gave the Gateway, not the port (example: "10000, 100001, etc."). If you were successful in making the GXW look like multiple trunks, then I could see your earlier.

    This too is not a hacking issue, and setting up a VLAN is more than likely more of an added overhead and maintenance issue than a resolution. Of course, I have no way to gauge the level of traffic, but VLAN'ing for 1 GXW, 1 HT, 4 SPA seems like way overkill to me.
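    The IP triage in the two replies above (which address in the log is the local PBX, which ones are STUN servers, and which public address is unexplained), together with the earlier advice to mask public IPs before posting a log, as an added example; this script is not from the thread or from 3CX. The log lines are constructed stand-ins for the screenshot, the 216.0.0.1 STUN address is a made-up placeholder (the thread only says "the 216 IP"), and the expected-address set is whatever you already know your own PBX talks to.

```python
import ipaddress
import re

# Constructed sample log excerpt standing in for the screenshot in the thread.
# The line wording is an assumption; only the addresses matter. 192.168.1.250,
# 199.192.206.228 and 50.83.83.15 are the addresses discussed in the thread;
# 216.0.0.1 is a placeholder for the "216 IP" STUN server mentioned there.
SAMPLE_LOG = """\
PBX bound to local address 192.168.1.250:5060
STUN request sent to 199.192.206.228:3478
STUN response received from 216.0.0.1:3478
Registration attempt from 50.83.83.15:5060
Phone at 192.168.1.101 provisioned
"""

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def classify_ips(text):
    """Map every IPv4 address in text to 'private' (RFC 1918 etc.),
    'public' (globally routable) or 'other' (loopback, link-local, ...)."""
    result = {}
    for match in IPV4_RE.finditer(text):
        try:
            ip = ipaddress.ip_address(match.group(0))
        except ValueError:
            continue  # e.g. 300.1.1.1 matched the regex but is not an address
        if ip.is_private:
            result[str(ip)] = "private"
        elif ip.is_global:
            result[str(ip)] = "public"
        else:
            result[str(ip)] = "other"
    return result


def unexpected_public_ips(text, expected):
    """Public addresses in the log that are not in the set you recognise
    (your WAN IP, the STUN servers you configured). Anything listed here
    deserves a look; in the thread it turned out to be the poster's own WAN IP."""
    return sorted(
        ip for ip, kind in classify_ips(text).items()
        if kind == "public" and ip not in expected
    )


def redact_public_ips(text, keep_octets=2):
    """Mask the trailing octets of public IPv4 addresses (199.192.xxx.xxx)
    before sharing a log. Private addresses are left intact since they are
    needed to make sense of the log and reveal nothing about the site."""
    def mask(match):
        raw = match.group(0)
        try:
            ip = ipaddress.ip_address(raw)
        except ValueError:
            return raw
        if not ip.is_global:
            return raw
        octets = raw.split(".")
        return ".".join(octets[:keep_octets] + ["xxx"] * (4 - keep_octets))
    return IPV4_RE.sub(mask, text)


if __name__ == "__main__":
    known = {"199.192.206.228", "216.0.0.1"}  # constructed: the STUN servers
    for ip, kind in classify_ips(SAMPLE_LOG).items():
        print(f"{ip:>16}  {kind}")
    print("unexplained public:", unexpected_public_ips(SAMPLE_LOG, known))
    print(redact_public_ips(SAMPLE_LOG))
```

    Run it over the log before posting: the classified list answers "is this IP mine or theirs?" and the redacted text is what goes into the forum post. A public address that is neither your WAN IP nor a STUN server you configured is the one worth asking about.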
     
  6. newTo3CX

    Joined:
    Jul 23, 2012
    Messages:
    6
    Likes Received:
    0
    OK, OK, that 50.xxxxxx is the external IP; we should remove them from posts, but there is no way to edit? I hadn't seen it before, as I scanned over it looking to block it out the first time in the photo but was in a hurry. Thanks a lot for clearing this issue up. A combination of late-night changes along the way has led to a goofy config. Last night I worked on rebuilding the new clean version. One thing I do for security is stealth the ports, but we have no services that use WAN port forwards now except internet, unless we decide to link up two offices with the remote tunnel.

    My professor told me to always use VLANs for security. He's the admin of a large hospital with a tunnel to another hospital nearby, and was the lead in designing their new network, which I toured and saw explained, so I tend to take his advice as golden. If I have an unsecured Wi-Fi like we are thinking about doing for customers to have net access (poor cell reception area), then I really need a VLAN for separating the business LAN from the AP WLAN, right?
  7. lneblett

    lneblett Well-Known Member

    Joined:
    Sep 7, 2010
    Messages:
    2,061
    Likes Received:
    56
    If you intend to implement a guest Wi-Fi, then yes, putting the guests on a VLAN is a good measure. It will isolate them from being able to access the resources on your internal/private network.
  8. newTo3CX

    Joined:
    Jul 23, 2012
    Messages:
    6
    Likes Received:
    0
    OK, we have a paid v10.

    Don't really use the added features. Can the 1-year key work on v11?
  9. lneblett

    lneblett Well-Known Member

    Joined:
    Sep 7, 2010
    Messages:
    2,061
    Likes Received:
    56
    Depends on when you bought v10 and if the first year's free upgrade insurance is still effective, or if you have already purchased the second year's upgrade insurance. If the insurance is still in force, then you can upgrade without issue using your existing license. Just follow the blog instructions on backup, restore, etc.