Great Office - Hummig KG Posted January 30, 2011 Report Posted January 30, 2011 Hello Everyone, obviously someone has hacked a PBX of our customers. There are a lot of fraud long-distance calls in the call history. Fortunately the damage isn't very much, as the Trunk is Prepaid. But now I'm really worry, because the Hacker didn't hacked the trunk account directly. He came into the pbx in a way I cannot understand. The attached call history tells me there were made calls from an extension called test (asterisk) but we do not have such an extension. There are a lot of calls to almost the same number 00442073479999 during the whole night. Searching this number by Google results in being a popular number for fraud. For my point of view I can only imagine, that the hacker logged into administrator account of the pbx, created a extension and made those calls and delete the extension afterwards. But this seems to be implausible. So my questions are: Does the PBX have a backdoor (pre-programmed extension) a hacker could use? Unfortunately I only have this call history and no other information. Is there a log-file telling me all sucessful and failed login attempts? Does the blacklist apply only on failed SIP-Registrations or also on failed Web-Login? As an emergency procedure we set all Dial plans to PIN Enabled (except those calls which are covered by flat-rate, which are the most calls). Quote
Vodia PBX Posted January 31, 2011 Report Posted January 31, 2011 obviously someone has hacked a PBX of our customers. There are a lot of fraud long-distance calls in the call history. Fortunately the damage isn't very much, as the Trunk is Prepaid. But now I'm really worry, because the Hacker didn't hacked the trunk account directly. He came into the pbx in a way I cannot understand. The attached call history tells me there were made calls from an extension called test (asterisk) but we do not have such an extension. There are a lot of calls to almost the same number 00442073479999 during the whole night. Searching this number by Google results in being a popular number for fraud. For my point of view I can only imagine, that the hacker logged into administrator account of the pbx, created a extension and made those calls and delete the extension afterwards. But this seems to be implausible. Check your trunks. If you don't have an outbound proxy set, the PBX will accept calls on such a trunk. This is called "ENUM" and it is hard to tell the difference between an ENUM call and fraud. I would also turn logging to the file system on, so that you can get more information about the caller. So my questions are: Does the PBX have a backdoor (pre-programmed extension) a hacker could use? Unfortunately I only have this call history and no other information. Is there a log-file telling me all sucessful and failed login attempts? Does the blacklist apply only on failed SIP-Registrations or also on failed Web-Login? There is no backdoor. As an emergency procedure we set all Dial plans to PIN Enabled (except those calls which are covered by flat-rate, which are the most calls). That will block it, but is very inconvenient. I would try to find the root cause instead. Quote
Great Office - Hummig KG Posted January 31, 2011 Author Report Posted January 31, 2011 Check your trunks. If you don't have an outbound proxy set, the PBX will accept calls on such a trunk. This is called "ENUM" and it is hard to tell the difference between an ENUM call and fraud. Thank you for your reply. Is the outbound proxy the one you told about? It was already set, so the question is still what about this strange 'asterisk' extension in the call history? Trunk 23 in domain localhost Name: Bellsip Type: register To: sip RegPass: ******** Direction: Disabled: false Global: false Display: Bellsip RegAccount: ****** RegRegistrar: bellsip.com RegKeep: RegUser: ****** Icid: Require: OutboundProxy: proxy.bellsip.com Ani: ********* DialExtension: 00 Prefix: Trusted: false AcceptRedirect: false RfcRtp: false Analog: false SendEmail: true UseUuid: false Ring180: false Failover: never Privacy: false Glob: RequestTimeout: Codecs: CodecLock: true Expires: 3600 FromUser: 00 Tel: true TranscodeDtmf: false AssociatedAddresses: 00 InterOffice: false DialPlan: Colines: DialogPermission: Quote
Vodia PBX Posted January 31, 2011 Report Posted January 31, 2011 The trunk that you see in the CDR history is probably where the call has been redirected to. Do you have other trunks? You dont have to post them here; just check if they all have the outbound proxy set (or explicity list the IP addresses at the bottom). Also, do you have any warning signs when you list the accounts? Then you might have an account that has no password set, which would also be a security problem. Quote
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.