Unauthorised registrations

Discussion in '3CX Phone System - General' started by pierredp, Jun 28, 2010.

Thread Status:
Not open for further replies.
  1. pierredp

    Joined:
    Jun 28, 2010
    Messages:
    2
    Likes Received:
    0
    Greetings,

    I have the 3CX system up and running and it works great. The firewall had the ports 5060, 5090, 10000-10020 open. All worked well until I received an outrageous bill. First I thought the problem was with my provider, but after checking my call logs, I see that the PBX system has been compromised. Someone from the outside managed to register using one of the extensions and hundreds of calls were made to Egypt and Palestine. If I change the password for the extension, and restart the services, the culprits re-register within seconds.

    How do they manage to register when the password is changed? In order to stop this, I have blocked those ports on the firewall, but now no longer receive incoming calls. Can anyone perhaps provide some advice?

    Many thanks,
    Pierre
     
  2. igor.snezhko

    igor.snezhko Active Member

    Joined:
    Jan 7, 2008
    Messages:
    663
    Likes Received:
    4
    http://www.3cx.com/forums/i-ve-been-stupid-system-hacked-15736.html

    Are you the same person? Bad conspiracy, really bad conspiracy :lol:
     
  3. carolinainnovative

    Joined:
    May 4, 2009
    Messages:
    369
    Likes Received:
    5
    If you change the password they should not be able to re-register.

    I suggest the following:
    1) Change USERNAME as well for the extension.
    2) Set outbound rules restricting certain international calls.
    3) Set firewall rules to restrict access to port 5060 et al. to IP addresses owned by your VOIP provider. If you contact them I'm sure they can send you their IPs.

    Good luck!
     
  4. wzaatar

    Joined:
    Aug 1, 2007
    Messages:
    90
    Likes Received:
    0
    I believe points 1 and 2 are valid. Point 3 is not obvious if he has external extensions registering from dynamic locations.

    What would be nice is to have some extensions labeled as not accessible from the outside and some others accessible from the outside, but configured with a rule not to be allowed to make calls.

    W.
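
The policy discussed in the two replies above (LAN-only extensions, externally reachable extensions that cannot dial out, and an outbound rule on international prefixes), sketched as an added example that is not part of the original thread and is not 3CX configuration. All networks, extension numbers, field names and the "00" prefix are constructed placeholders.

```python
import ipaddress

# Constructed placeholder networks (RFC 1918 / RFC 5737); substitute real ranges.
LAN_NETS = [ipaddress.ip_network("192.168.1.0/24")]        # hypothetical office LAN
PROVIDER_NETS = [ipaddress.ip_network("203.0.113.0/28")]   # hypothetical VoIP provider
BLOCKED_PREFIXES = ("00",)   # assumed international dialing prefix to block

# Hypothetical per-extension policy: may it register from outside the LAN,
# and if it does, may it place outbound calls?
EXTENSIONS = {
    "100": {"external": False, "outbound_when_external": False},
    "101": {"external": True, "outbound_when_external": False},
}

def source_class(addr):
    """Classify a source address as 'lan', 'provider' or 'external'."""
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in LAN_NETS):
        return "lan"
    if any(ip in net for net in PROVIDER_NETS):
        return "provider"
    return "external"

def check_register(ext, src):
    """Decide whether a registration for ext from src is acceptable."""
    policy = EXTENSIONS.get(ext)
    if policy is None:
        return "deny: unknown extension"
    cls = source_class(src)
    if cls == "lan" or (cls == "external" and policy["external"]):
        return "allow"
    if cls == "provider":
        return "deny: provider addresses carry trunk traffic, not registrations"
    return "deny: extension is LAN-only"

def check_call(ext, registered_from, dialed):
    """Decide whether ext, registered from registered_from, may dial a number."""
    policy = EXTENSIONS.get(ext)
    if policy is None:
        return "deny: unknown extension"
    if dialed.startswith(BLOCKED_PREFIXES):
        return "deny: blocked destination prefix"
    if source_class(registered_from) != "lan" and not policy["outbound_when_external"]:
        return "deny: no outbound calls from an external registration"
    return "allow"

if __name__ == "__main__":
    # Constructed sample events: (extension, source address, dialed number)
    for ext, src, dialed in [("100", "192.168.1.20", "5551234"),
                             ("100", "198.51.100.7", "0020123456"),
                             ("101", "198.51.100.7", "5551234")]:
        print(ext, src, check_register(ext, src), "|", check_call(ext, src, dialed))
```
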
     
  5. pierredp

    Joined:
    Jun 28, 2010
    Messages:
    2
    Likes Received:
    0
    LOL, no, not the same person - but I guess I got caught by the same thing, not realizing that the extensions can be accessed from the outside :-( The password was 1234, which would have been the second one they guessed. Strange thing though, after changing all the passwords to something way more complicated, they still appeared to be able to register.

    Thanks for the advice salter & wzaatar, I'll try to implement as you have suggested.

    If the firewall does not allow access to port 5060 and the RTP ports, can I somehow configure it to receive incoming calls using the stun server, or will I have to open those ports up?

    Thanks again for the responses,
    Pierre
     
  6. archie

    archie Well-Known Member
    3CX Support

    Joined:
    Aug 18, 2006
    Messages:
    1,299
    Likes Received:
    0
    To disable access from outside it is enough to block 5060 (or what is specified as your SIP port) on your internet firewall.
    It is not possible to use STUN for hacking, as far as I know.
     