Call to other countries hacking?


(Step Phone) #1

Hello,
this night many calls were made in other countries (+44, +27) with our PBX.

I don’t know how this happened but this meant that our phone credit ran out.

Were there any other problems like this? Could it be hacking?

The caller set up an automatic “lottery” entry.

How can I prevent these types of attacks?

Thanks,

Step


#2

read the posts about port 5060 and anonymous calls.


#3

Toll fraud is unfortunately very common. You need to secure your system so only authorized users can connect, and also fix whatever problems allowed the fraudulent calls.

Look at your Asterisk logs to find out how the calls were made. By default, the system keeps one week of logs. They are in /var/log/asterisk.

If the calls were made from an existing extension, possibilities include:

  1. Your provisioning system may be open to the world, with no encryption. Phone MAC addresses are easy for the attacker to guess.
  2. You used a very weak password (the extension number, 1234, etc.) and the attacker guessed it by brute force.
  3. The attacker may have captured traffic from e.g. a SIP app used over open Wi-Fi.
  4. The device may have been open on the internet with a weak admin password, so the attacker could access the device GUI.
  5. The PBX Admin GUI was open, with a weak password.

If a new extension was created, possibilities include:

  1. Admin GUI open with a weak password.

  2. Admin GUI open and system lacking security updates, allowing access without authentication.

In this case, you should reinstall the system from scratch, secure it, then reload configuration from a backup.

If the attacker called in from the PSTN and could call out from there:

  1. Call transfer features incorrectly enabled on incoming calls.
  2. Voicemail with weak password and outbound calling enabled.
  3. Errors in IVR, etc. permitting outbound calling.

If the attacker accessed the system via SIP and called without authentication:

  1. Anonymous calls / Guest calls enabled.
  2. Inbound Routes misconfigured to allow outbound calling.
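As an added example (not from this thread, nor FreePBX or Asterisk code), a small Python check of the kind post #3 suggests: it reads Asterisk CDR rows and groups night-time international calls per source extension, so a burst like the +44/+27 calls described in #1 stands out. The Master.csv column order and the `00`/`+` international dial prefixes are assumptions; the sample rows are constructed.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample rows in the shape of an Asterisk Master.csv CDR export.
# Column order assumed here (check against your own cdr_csv output):
# accountcode,src,dst,dcontext,clid,channel,dstchannel,lastapp,lastdata,
# start,answer,end,duration,billsec,disposition,amaflags
SAMPLE_CDR = '''\
"","200","0123456789","from-internal","200","SIP/200-1","SIP/trunk-1","Dial","SIP/trunk/0123456789","2024-05-13 14:02:11","2024-05-13 14:02:20","2024-05-13 14:05:01","170","161","ANSWERED","3"
"","202","0033170000000","from-internal","202","SIP/202-2","SIP/trunk-2","Dial","SIP/trunk/0033170000000","2024-05-13 15:30:00","2024-05-13 15:30:05","2024-05-13 15:32:05","125","120","ANSWERED","3"
"","201","00447700900123","from-internal","201","SIP/201-3","SIP/trunk-3","Dial","SIP/trunk/00447700900123","2024-05-14 02:11:05","2024-05-14 02:11:09","2024-05-14 02:41:09","1804","1800","ANSWERED","3"
"","201","00447700900124","from-internal","201","SIP/201-4","SIP/trunk-4","Dial","SIP/trunk/00447700900124","2024-05-14 02:12:00","2024-05-14 02:12:04","2024-05-14 02:42:04","1804","1800","ANSWERED","3"
"","201","0027600000001","from-internal","201","SIP/201-5","SIP/trunk-5","Dial","SIP/trunk/0027600000001","2024-05-14 03:01:00","2024-05-14 03:01:06","2024-05-14 03:31:06","1806","1800","ANSWERED","3"
"","201","0027600000002","from-internal","201","SIP/201-6","SIP/trunk-6","Dial","SIP/trunk/0027600000002","2024-05-14 03:02:00","","2024-05-14 03:02:30","30","0","NO ANSWER","3"
'''

INTL_PREFIXES = ("00", "+")  # assumed international dial prefixes on this PBX

def country_code(dst):
    """Return a 2-digit country code for an international number, else None.
    Simplification: real codes are 1-3 digits; two digits covers +44 and +27."""
    for prefix in INTL_PREFIXES:
        if dst.startswith(prefix):
            digits = dst[len(prefix):]
            return digits[:2] if len(digits) >= 2 else None
    return None

def is_night(start, night_start=22, night_end=6):
    """True if the CDR start timestamp falls outside business hours."""
    hour = datetime.strptime(start, "%Y-%m-%d %H:%M:%S").hour
    return hour >= night_start or hour < night_end

def find_suspicious(cdr_text, min_calls=3):
    """Group outbound international calls placed at night by source extension
    and return the extensions with at least min_calls such calls."""
    stats = defaultdict(lambda: {"calls": 0, "billsec": 0, "countries": set()})
    for row in csv.reader(io.StringIO(cdr_text)):
        if len(row) < 16:
            continue  # skip blank or truncated rows
        src, dst, start, billsec = row[1], row[2], row[9], int(row[13])
        cc = country_code(dst)
        if cc is None or not is_night(start):
            continue
        stats[src]["calls"] += 1
        stats[src]["billsec"] += billsec
        stats[src]["countries"].add(cc)
    return {ext: s for ext, s in stats.items() if s["calls"] >= min_calls}
```

Run it against a real export with `find_suspicious(open("/var/log/asterisk/cdr-csv/Master.csv").read())` and compare the flagged extensions with the weak-password and open-GUI causes listed above.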

#4

Just in case you didn’t know, the chances of being ‘hacked’ if not using UDP/5060 is vanishingly small.

Please use sngrep to do a preliminary diagnosis.