System Under Attack

Discussion in '3CX Phone System - General' started by Scythe99, Mar 14, 2012.

Thread Status:
Not open for further replies.
  1. Scythe99

    Joined:
    Sep 1, 2011
    Messages:
    7
    Likes Received:
    2
    Hi there.

    It seems that my 3CX installation is under attack from someone who is using some sort of script to attempt to gain access. The strange thing about it is that it appears this person is spoofing my IP. So when the anti-hacking kicks in, it blacklists my own IP. At this point I am unable to receive inbound calls. Outgoing calls work correctly. Here's a portion of the log that shows what is going on.


    15:44:58.384 [CM102001]: Authentication failed for SipReq: REGISTER 66.214.183.82 tid=-2514959332 cseq=REGISTER contact=123@1.1.1.1 / 2 from(wire); Reason: Credentials don't match, check that authorization-ID and password match the ones in extension settings
    15:44:58.384 [CM102001]: Authentication failed for SipReq: REGISTER 66.214.183.82 tid=-829376292 cseq=REGISTER contact=123@1.1.1.1 / 2 from(wire); Reason: Credentials don't match, check that authorization-ID and password match the ones in extension settings
    15:44:58.368 [CM102001]: Authentication failed for SipReq: REGISTER 66.214.183.82 tid=-4293184482 cseq=REGISTER contact=123@1.1.1.1 / 2 from(wire); Reason: Credentials don't match, check that authorization-ID and password match the ones in extension settings
    15:44:58.368 [CM102001]: Authentication failed for SipReq: REGISTER 66.214.183.82 tid=-4253346333 cseq=REGISTER contact=123@1.1.1.1 / 2 from(wire); Reason: Credentials don't match, check that authorization-ID and password match the ones in extension settings
    15:44:58.352 [CM102001]: Authentication failed for SipReq: REGISTER 66.214.183.82 tid=-575972610 cseq=REGISTER contact=123@1.1.1.1 / 2 from(wire); Reason: Credentials don't match, check that authorization-ID and password match the ones in extension settings
    15:44:58.352 [CM102001]: Authentication failed for SipReq: REGISTER 66.214.183.82 tid=-1479031369 cseq=REGISTER contact=123@1.1.1.1 / 2 from(wire); Reason: Credentials don't match, check that authorization-ID and password match the ones in extension settings
    15:44:58.352 [CM102001]: Authentication failed for SipReq: REGISTER 66.214.183.82 tid=-544558582 cseq=REGISTER contact=123@1.1.1.1 / 2 from(wire); Reason: Credentials don't match, check that authorization-ID and password match the ones in extension settings


    Any idea what I can do to stop this attack? Right now I only have a consumer firewall on a Netgear router. I've tried blocking all incoming IPs, and the attacks still happen. Obviously I am missing something. Any help would be greatly appreciated!

    Thank you.
     
  2. mylove4life

    mylove4life New Member

    Joined:
    Jan 7, 2010
    Messages:
    165
    Likes Received:
    0
    The 3CX system will block it in time. The best thing to do is turn off all remote extensions from within 3CX and use strong passwords.
     
  3. Scythe99

    Joined:
    Sep 1, 2011
    Messages:
    7
    Likes Received:
    2
    What do you mean by "The 3cx system will block it in time"? Right now I am unable to receive any calls until the attack stops. All 3CX is doing is placing a temporary 30-minute ban on my own IP address. The 30 minutes expire, the system lets 25 more attempts through, and then we repeat.

    I have all extensions set as local extensions that cannot be used from outside the network.
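
Added example, not part of the original thread and not 3CX code: a small parser for the CM102001 lines quoted in the first post that replays the 25-attempt / 30-minute ban cycle described above, so the moment a ban would trigger can be read off a log. The one-minute counting window, the function names, and the 192.0.2.10 sample lines are assumptions constructed for illustration; the thread does not say which address the field after the method represents, so the code treats it as an opaque key.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the CM102001 "Authentication failed" lines quoted in the first post.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d{3}) \[CM102001\]: Authentication failed for "
    r"SipReq: (?P<method>\w+) (?P<addr>\S+) tid=(?P<tid>-?\d+) "
    r"cseq=\w+ contact=(?P<contact>\S+)"
)

def parse(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%H:%M:%S.%f")
    return rec

def find_bans(lines, threshold=25, window=timedelta(minutes=1),
              ban=timedelta(minutes=30)):
    """Replay failures per address; return (addr, time, contact) for each ban.
    threshold and ban come from the thread; window is an assumption."""
    recent, banned_until, bans = defaultdict(deque), {}, []
    # The pasted log is newest-first, so sort by timestamp before replaying.
    for rec in sorted(filter(None, map(parse, lines)), key=lambda r: r["ts"]):
        key, ts = rec["addr"], rec["ts"]
        if key in banned_until and ts < banned_until[key]:
            continue  # still blacklisted, attempt is not counted
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()  # drop failures that fell out of the window
        if len(q) >= threshold:
            banned_until[key] = ts + ban
            bans.append((key, ts.strftime("%H:%M:%S.%f")[:-3], rec["contact"]))
            q.clear()
    return bans

def constructed_lines(n, start="15:44:58.000", step_ms=16):
    """Constructed sample input: n failed REGISTERs, step_ms apart."""
    t0 = datetime.strptime(start, "%H:%M:%S.%f")
    tail = ("cseq=REGISTER contact=123@1.1.1.1 / 2 from(wire); "
            "Reason: Credentials don't match")
    return [
        f"{(t0 + timedelta(milliseconds=i * step_ms)).strftime('%H:%M:%S.%f')[:-3]} "
        f"[CM102001]: Authentication failed for SipReq: REGISTER 192.0.2.10 "
        f"tid=-{1000 + i} {tail}"
        for i in range(n)
    ]

if __name__ == "__main__":
    print(find_bans(constructed_lines(30)))
```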
     
  4. leejor

    leejor Well-Known Member

    Joined:
    Jan 22, 2008
    Messages:
    10,587
    Likes Received:
    253
    Report it to your ISP, ask them to investigate and block the hacker. You are probably not their only customer with a VoIP PBX that has been scanned and attacked by the same "person".

    If you don't have a fixed IP, then disconnect your router/modem (overnight?) from the net and hope you pick up a new IP when you re-connect.

    If you do have a fixed IP then, if feasible, get a new one from your ISP when you complain to them about the attack.

    Investigate a new router with more advanced IP screening/firewall capabilities.
     
  5. KerryG

    KerryG Active Member

    Joined:
    Jun 19, 2009
    Messages:
    960
    Likes Received:
    0
    66.214.183.82 is your IP address?
     