Posted

Hello Everyone,

 

Obviously someone has hacked a PBX of one of our customers. There are a lot of fraudulent long-distance calls in the call history. Fortunately the damage isn't very high, as the trunk is prepaid. But now I'm really worried, because the hacker didn't hack the trunk account directly. He got into the PBX in a way I cannot understand. The attached call history tells me that calls were made from an extension called test (asterisk), but we do not have such an extension. There are a lot of calls to almost the same number 00442073479999 during the whole night. Searching for this number on Google shows that it is a popular number for fraud. From my point of view I can only imagine that the hacker logged into the administrator account of the PBX, created an extension, made those calls and deleted the extension afterwards. But this seems implausible.

 

So my questions are: Does the PBX have a backdoor (pre-programmed extension) a hacker could use? Unfortunately I only have this call history and no other information. Is there a log file telling me all successful and failed login attempts? Does the blacklist apply only to failed SIP registrations or also to failed web logins?

 

As an emergency procedure we set all dial plans to PIN Enabled (except for those calls which are covered by the flat rate, which are most of the calls).


Posted

Obviously someone has hacked a PBX of one of our customers. There are a lot of fraudulent long-distance calls in the call history. Fortunately the damage isn't very high, as the trunk is prepaid. But now I'm really worried, because the hacker didn't hack the trunk account directly. He got into the PBX in a way I cannot understand. The attached call history tells me that calls were made from an extension called test (asterisk), but we do not have such an extension. There are a lot of calls to almost the same number 00442073479999 during the whole night. Searching for this number on Google shows that it is a popular number for fraud. From my point of view I can only imagine that the hacker logged into the administrator account of the PBX, created an extension, made those calls and deleted the extension afterwards. But this seems implausible.

 

Check your trunks. If you don't have an outbound proxy set, the PBX will accept calls on such a trunk. This is called "ENUM" and it is hard to tell the difference between an ENUM call and fraud.

 

I would also turn logging to the file system on, so that you can get more information about the caller.

 

So my questions are: Does the PBX have a backdoor (pre-programmed extension) a hacker could use? Unfortunately I only have this call history and no other information. Is there a log file telling me all successful and failed login attempts? Does the blacklist apply only to failed SIP registrations or also to failed web logins?

 

There is no backdoor.

 

As an emergency procedure we set all dial plans to PIN Enabled (except for those calls which are covered by the flat rate, which are most of the calls).

 

That will block it, but is very inconvenient. I would try to find the root cause instead.
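The pattern the original poster describes (calls placed from an extension that is not configured, the same destination dialled again and again through the night) is something a CDR export can be screened for mechanically, which is the first step toward the root cause the reply above asks for. The script below is an added example and is not code from this thread or from the PBX vendor. The CSV layout, the sample rows, the list of known extensions, the night window and the repeat threshold are all constructed assumptions; a real CDR export will need parse_cdr() adjusted to its columns.

```python
"""Triage a PBX call history (CDR) for toll-fraud indicators.

Added example, not part of the forum thread. The CSV format, the sample
rows and the thresholds are constructed for illustration.
"""
import csv
import io
from collections import Counter
from datetime import datetime

# Constructed sample CDR: ordinary daytime calls from real extensions 41
# and 42, plus a source called "test" that does not exist as an extension
# hammering one UK number (and a near neighbour) during the night.
SAMPLE_CDR = """\
start,from,to,trunk,seconds
2011-01-28 09:12:04,41,0049301234567,Bellsip,120
2011-01-28 11:40:33,42,0049891234567,Bellsip,45
2011-01-29 01:03:11,test,00442073479999,Bellsip,1800
2011-01-29 01:34:20,test,00442073479999,Bellsip,1790
2011-01-29 02:05:55,test,00442073479999,Bellsip,1802
2011-01-29 02:37:08,test,00442073479998,Bellsip,1795
2011-01-29 03:08:41,test,00442073479999,Bellsip,1788
2011-01-29 09:30:00,41,0049301234567,Bellsip,60
"""

# Assumption: the extensions actually configured on the PBX.
KNOWN_EXTENSIONS = {"41", "42"}


def parse_cdr(text):
    """Parse the constructed CSV into dicts with a datetime start and int duration."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["start"] = datetime.strptime(row["start"], "%Y-%m-%d %H:%M:%S")
        row["seconds"] = int(row["seconds"])
        rows.append(row)
    return rows


def triage(records, known_extensions, night=(0, 6), repeat_threshold=3, prefix_len=8):
    """Return three kinds of findings:

    unknown_source      - calls whose 'from' is not a configured extension
    night_international - international (00-prefixed) calls placed in the
                          assumed night window [night[0], night[1]) hours
    hot_destinations    - (number prefix, count) for prefixes dialled at
                          least repeat_threshold times; a prefix rather
                          than the full number catches "almost the same
                          number" as in the thread
    """
    findings = {"unknown_source": [], "night_international": [], "hot_destinations": []}
    dest_prefix = Counter()
    for r in records:
        if r["from"] not in known_extensions:
            findings["unknown_source"].append(r)
        international = r["to"].startswith("00")
        if international and night[0] <= r["start"].hour < night[1]:
            findings["night_international"].append(r)
        if international:
            dest_prefix[r["to"][:prefix_len]] += 1
    findings["hot_destinations"] = [
        (prefix, n) for prefix, n in dest_prefix.most_common() if n >= repeat_threshold
    ]
    return findings


def report(findings):
    """Render the findings as plain text lines for a ticket or e-mail."""
    lines = []
    for r in findings["unknown_source"]:
        lines.append(f"unknown source {r['from']!r} -> {r['to']} at {r['start']}")
    for r in findings["night_international"]:
        lines.append(f"night international call {r['from']} -> {r['to']} at {r['start']}")
    for prefix, n in findings["hot_destinations"]:
        lines.append(f"destination prefix {prefix}* dialled {n} times")
    return lines


if __name__ == "__main__":
    print("\n".join(report(triage(parse_cdr(SAMPLE_CDR), KNOWN_EXTENSIONS))))
```

Run it against a real export once the columns are mapped; any hit in unknown_source is the interesting one, because a source that is not an extension points at the trunk or an account rather than at a phone.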

Posted

Check your trunks. If you don't have an outbound proxy set, the PBX will accept calls on such a trunk. This is called "ENUM" and it is hard to tell the difference between an ENUM call and fraud.

Thank you for your reply. Is the outbound proxy the one you were talking about? It was already set, so the question remains: what about this strange 'asterisk' extension in the call history?

 

 

Trunk 23 in domain localhost
Name: Bellsip
Type: register
To: sip
RegPass: ********
Direction:
Disabled: false
Global: false
Display: Bellsip
RegAccount: ******
RegRegistrar: bellsip.com
RegKeep:
RegUser: ******
Icid:
Require:
OutboundProxy: proxy.bellsip.com
Ani: *********
DialExtension: 00
Prefix:
Trusted: false
AcceptRedirect: false
RfcRtp: false
Analog: false
SendEmail: true
UseUuid: false
Ring180: false
Failover: never
Privacy: false
Glob:
RequestTimeout:
Codecs:
CodecLock: true
Expires: 3600
FromUser: 00
Tel: true
TranscodeDtmf: false
AssociatedAddresses: 00
InterOffice: false
DialPlan:
Colines:
DialogPermission:

Posted

The trunk that you see in the CDR history is probably where the call has been redirected to. Do you have other trunks? You don't have to post them here; just check if they all have the outbound proxy set (or explicitly list the IP addresses at the bottom).

 

Also, do you have any warning signs when you list the accounts? Then you might have an account that has no password set, which would also be a security problem.
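The two replies above boil down to one check across every trunk: a register trunk without an outbound proxy accepts calls arriving on it (the "ENUM" case), and a trunk or account without a password is a second warning sign. The script below is an added example, not code from the thread or from the PBX, and it reads the plain "Key: value" trunk listing in the format posted above. Both trunk records in it are constructed; the second one deliberately has no OutboundProxy and no RegPass so the audit has something to find.

```python
"""Audit PBX trunk listings for the misconfiguration discussed in the thread.

Added example, not part of the forum thread or of the PBX software. The
record format mirrors the "Key: value" trunk dump posted above; the two
sample trunks are constructed.
"""

# Constructed sample: trunk 23 as posted (abridged), plus a second trunk
# that lacks both an outbound proxy and a registration password.
SAMPLE_DUMP = """\
Trunk 23 in domain localhost
Name: Bellsip
Type: register
RegPass: ********
RegRegistrar: bellsip.com
OutboundProxy: proxy.bellsip.com
Disabled: false
Trusted: false

Trunk 24 in domain localhost
Name: Backupsip
Type: register
RegPass:
RegRegistrar: sip.example.net
OutboundProxy:
Disabled: false
Trusted: false
"""


def parse_trunk_dump(text):
    """Split a dump into one dict per trunk.

    A line starting with "Trunk " and containing no colon opens a new record
    (kept under "_header"); every other non-empty line is "Key: value", with
    an empty value when nothing follows the colon.
    """
    trunks, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Trunk ") and ":" not in line:
            current = {"_header": line}
            trunks.append(current)
            continue
        if current is None:  # key line before any header: start an unnamed record
            current = {"_header": "(no header)"}
            trunks.append(current)
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    return trunks


def audit_trunks(trunks):
    """Return [(trunk name, [issue, ...])] for every enabled trunk with a problem.

    Checks: a register trunk with an empty OutboundProxy (the PBX accepts
    calls arriving on it, per the thread) and an empty RegPass.
    """
    findings = []
    for t in trunks:
        if t.get("Disabled", "false").lower() == "true":
            continue
        issues = []
        if t.get("Type") == "register" and not t.get("OutboundProxy"):
            issues.append("no OutboundProxy set: PBX accepts calls arriving on this trunk (ENUM)")
        if not t.get("RegPass"):
            issues.append("no registration password set")
        if issues:
            findings.append((t.get("Name") or t["_header"], issues))
    return findings


if __name__ == "__main__":
    for name, issues in audit_trunks(parse_trunk_dump(SAMPLE_DUMP)):
        for issue in issues:
            print(f"{name}: {issue}")
```

Paste the listing of every trunk (not just the one already known to be fine) into SAMPLE_DUMP or feed a file to parse_trunk_dump(); a trunk that comes out clean here still deserves a look at the address list mentioned in the reply, which this check does not cover.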
