Freepbx hacked, making unauthorized calls, All circuits are busy

Got a freepbx 14 box that is set up with remote phones for 4 remote locations. A while back we discovered that there were toll fraud calls being made from the system which racked up a substantial bill. We were able to block the calls to the 712, etc. area codes and that seemed to stop it, but were unable to find and remove the unauthorized users from the pbx.
Now today, they can't make calls most of the time; when they try to make an outbound call, they get an All circuits are busy message. I increased the Maximum channels from 10 up to 50 and was able to make outbound calls then.
I did some digging and running "core show channels count" shows varying numbers of channels and calls. Right now it's showing 0 active channels and 0 active calls; earlier it was up to 10 active channels and 5 active calls. It's showing 181 calls processed in the hour and 15 min since I restarted it. I talked to one of the fellows onsite and he said there's no way they made that many calls in that time frame.

Under Asterisk Info>Peers the extensions are registered from the correct ips.

So I need to figure out where the calls are being made to, and how they got into the system.

You don't need to register to make an outgoing call, and you can make outgoing calls with the credentials that were used to register another device, without losing that registration.

Ok, that makes sense. How do I figure out which extension(s) is compromised if that's the case? It's a mix of Sangoma S500 / S505 / S705 phones and snom and yealink cordless. The Sangoma phones are provisioned with portal redirection and a mix of http / https provisioning protocol.

Truthfully, it might be prudent to start over. It can be difficult to determine how compromised a box is.

That wouldn't be all bad, esp. since it's version 14. But it's a fairly complex build and would take quite a bit of work to rebuild from scratch. At this point, I'm more interested in tracking down where the calls are coming from and how to prevent that in the future. Otherwise I could rebuild it and have the same problem.

sngrep would provide insight.

Look at the network traffic, the CDRs and the Asterisk logs, turn on SIP debug. Is your PBX exposed to the Public? If the customer IPs are static, lockdown the firewall.
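As an added example of the CDR review suggested in the reply above (not code from the thread, FreePBX or Asterisk), the following Python reads rows in the Master.csv layout that Asterisk's cdr_csv module writes and separates the two things this thread ends up confusing: answered minutes to destinations that should never be dialled (fraud placed under a legitimate extension's identity) and bursts of attempts that fail within seconds (trunk congestion, which also inflates the processed-call count). The sample rows, extension numbers, contexts and blocked prefixes are constructed assumptions; the 712 area code is the one the original poster mentions.

```python
"""Summarise Asterisk CDRs to tell toll fraud apart from trunk trouble.

Added example for this thread, not code from FreePBX or Asterisk. The column
order is the one Asterisk's cdr_csv module writes to Master.csv; the sample
rows, the extension numbers and the blocked prefixes are constructed.
"""
import csv
import io
from collections import defaultdict

FIELDS = ["accountcode", "src", "dst", "dcontext", "clid", "channel", "dstchannel",
          "lastapp", "lastdata", "start", "answer", "end", "duration", "billsec",
          "disposition", "amaflags", "uniqueid", "userfield"]

# Assumed: destinations you never want dialled (the thread mentions the 712 area
# code; 011 is the North American international prefix).
BLOCKED_PREFIXES = ("1712", "011")


def cdr_row(src, dst, context, start, duration, billsec, disposition):
    """Build one constructed Master.csv row; columns not used below get placeholders."""
    vals = ["", src, dst, context, f'"{src}" <{src}>', f"SIP/{src}-00000001", "SIP/vi-00000002",
            "Dial", f"SIP/vi/{dst},300,T", start, start if billsec else "", start,
            str(duration), str(billsec), disposition, "DOCUMENTATION", "1590998401.1", ""]
    buf = io.StringIO()
    csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n").writerow(vals)
    return buf.getvalue()


# Constructed sample: a normal call, a long answered call to a blocked prefix
# placed with extension 201's identity, three quick failures from 202 before a
# success (what trunk congestion looks like), and an inbound call to ignore.
SAMPLE = "".join([
    cdr_row("201", "15551230100", "from-internal", "2020-06-01 10:00:01", 124, 120, "ANSWERED"),
    cdr_row("201", "17125550123", "from-internal", "2020-06-01 10:05:00", 1803, 1800, "ANSWERED"),
    cdr_row("202", "15551230199", "from-internal", "2020-06-01 10:10:00", 2, 0, "FAILED"),
    cdr_row("202", "15551230199", "from-internal", "2020-06-01 10:10:03", 2, 0, "CONGESTION"),
    cdr_row("202", "15551230199", "from-internal", "2020-06-01 10:10:06", 1, 0, "FAILED"),
    cdr_row("202", "15551230199", "from-internal", "2020-06-01 10:12:00", 65, 60, "ANSWERED"),
    cdr_row("15559876543", "201", "from-trunk", "2020-06-01 10:15:00", 30, 25, "ANSWERED"),
])


def analyse(cdr_text, blocked=BLOCKED_PREFIXES, outbound_contexts=("from-internal",)):
    """Return (per-extension summary, flags) for the outbound CDRs in cdr_text."""
    per_src = defaultdict(lambda: {"calls": 0, "answered": 0, "billsec": 0,
                                   "blocked_billsec": 0, "short_failures": 0, "dests": set()})
    for vals in csv.reader(io.StringIO(cdr_text)):
        if len(vals) != len(FIELDS):
            continue  # blank or malformed line
        r = dict(zip(FIELDS, vals))
        if r["dcontext"] not in outbound_contexts:
            continue  # inbound leg: the question is who placed outbound calls
        s = per_src[r["src"]]
        s["calls"] += 1
        s["dests"].add(r["dst"])
        billsec = int(r["billsec"] or 0)
        if r["disposition"] == "ANSWERED":
            s["answered"] += 1
            s["billsec"] += billsec
            if r["dst"].startswith(blocked):
                s["blocked_billsec"] += billsec
        elif int(r["duration"] or 0) < 5:
            s["short_failures"] += 1  # set-up failed before anyone could answer

    flags = {}
    for src, s in per_src.items():
        if s["blocked_billsec"]:
            flags[src] = "fraud: answered minutes to a blocked prefix; rotate this extension's secret"
        elif s["calls"] >= 3 and s["short_failures"] * 2 > s["calls"]:
            flags[src] = "trunk trouble: most attempts fail within seconds; check trunk config"
    return dict(per_src), flags


if __name__ == "__main__":
    summary, flags = analyse(SAMPLE)
    for ext, s in summary.items():
        print(f"{ext}: {s['calls']} calls, {s['answered']} answered, {s['billsec']}s billed, "
              f"{len(s['dests'])} destinations -> {flags.get(ext, 'ok')}")
```

The "trunk trouble" heuristic (most attempts from one extension failing within five seconds) is a rule of thumb chosen for this example, not an Asterisk or FreePBX classification; point the script at a real Master.csv by passing the file contents to analyse().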

I'm somewhat familiar with sngrep but can you give me more details on what I'm looking for? Register, Invite, Subscribe?

You're looking for the IP address that doesn't belong, that is giving back OK and ACK.
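An added example (not from the thread or from sngrep) of what the reply above asks you to look for: track each INVITE by Call-ID, record the address the INVITE came from and the extension named in its From header, and report the dialogs that an untrusted address carried through to 200 OK and ACK. Pairing the source address with the extension also answers the earlier question of which extension's credentials are being used. The capture format, the addresses (RFC 5737 documentation ranges), the PBX address and the extension numbers are all constructed assumptions; to run it on a real capture, adapt parse_trace to the text export you have.

```python
"""Find SIP INVITE dialogs that complete (200 OK then ACK) from addresses that do not belong.

Added example for this thread, not code from sngrep, FreePBX or Asterisk. It parses
a constructed text capture: each message starts with a line
"<time> <src ip>:<port> -> <dst ip>:<port>", then the SIP start line and headers,
with a blank line between messages. Addresses and extension numbers are assumptions.
"""
import re

PBX = "10.0.0.1"                            # assumed PBX address
TRUSTED = {"192.0.2.10", "198.51.100.7"}    # assumed remote-office and carrier addresses

CAP_RE = re.compile(r"^\S+ (?P<src>\d+(?:\.\d+){3}):\d+ -> (?P<dst>\d+(?:\.\d+){3}):\d+$")
USER_RE = re.compile(r"sip:([^@;>\s]+)@")


def msg(ts, src, dst, start, call_id, from_user, cseq):
    """Build one captured SIP message in the trace format (constructed sample data)."""
    return "\n".join([f"{ts} {src}:5060 -> {dst}:5060", start, f"Call-ID: {call_id}",
                      f"From: <sip:{from_user}@pbx.example>;tag=t1", f"CSeq: {cseq}"])


# Constructed trace: a legitimate office call; a call placed from an outside address
# with extension 201's credentials (challenged with 401, retried with auth, answered);
# and a scanner that is refused.
TRACE = "\n\n".join([
    msg("10:00:01", "192.0.2.10", PBX, "INVITE sip:15551230100@pbx.example SIP/2.0", "ok-1", "201", "1 INVITE"),
    msg("10:00:02", PBX, "192.0.2.10", "SIP/2.0 200 OK", "ok-1", "201", "1 INVITE"),
    msg("10:00:02", "192.0.2.10", PBX, "ACK sip:15551230100@pbx.example SIP/2.0", "ok-1", "201", "1 ACK"),
    msg("10:05:00", "203.0.113.5", PBX, "INVITE sip:17125550123@pbx.example SIP/2.0", "bad-1", "201", "1 INVITE"),
    msg("10:05:00", PBX, "203.0.113.5", "SIP/2.0 401 Unauthorized", "bad-1", "201", "1 INVITE"),
    msg("10:05:00", "203.0.113.5", PBX, "ACK sip:17125550123@pbx.example SIP/2.0", "bad-1", "201", "1 ACK"),
    msg("10:05:01", "203.0.113.5", PBX, "INVITE sip:17125550123@pbx.example SIP/2.0", "bad-1", "201", "2 INVITE"),
    msg("10:05:03", PBX, "203.0.113.5", "SIP/2.0 200 OK", "bad-1", "201", "2 INVITE"),
    msg("10:05:03", "203.0.113.5", PBX, "ACK sip:17125550123@pbx.example SIP/2.0", "bad-1", "201", "2 ACK"),
    msg("10:07:00", "203.0.113.9", PBX, "INVITE sip:900123456789@pbx.example SIP/2.0", "scan-1", "100", "1 INVITE"),
    msg("10:07:00", PBX, "203.0.113.9", "SIP/2.0 403 Forbidden", "scan-1", "100", "1 INVITE"),
])


def user_of(text):
    """Return the user part of the first sip: URI in text, or None."""
    m = USER_RE.search(text)
    return m.group(1) if m else None


def parse_trace(text):
    """Yield (src_ip, start_line, headers) for each message in the capture."""
    for block in text.strip().split("\n\n"):
        lines = block.strip().splitlines()
        cap = CAP_RE.match(lines[0]) if lines else None
        if not cap or len(lines) < 2:
            continue  # not a capture header followed by a SIP message
        headers = {}
        for line in lines[2:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        yield cap.group("src"), lines[1], headers


def track_dialogs(text):
    """Return {call_id: state} for every INVITE dialog seen in the capture."""
    dialogs = {}
    for src, start, hdr in parse_trace(text):
        call_id = hdr.get("call-id")
        if not call_id:
            continue
        cseq_method = hdr.get("cseq", "").split(" ")[-1]
        if start.startswith("SIP/2.0 "):
            code = int(start.split()[1])
            d = dialogs.get(call_id)
            if d and cseq_method == "INVITE" and code >= 200:
                d["final"] = code  # latest final answer to the INVITE (401, then 200 on retry)
        else:
            method = start.split()[0]
            if method == "INVITE":
                # The INVITE's source address, not the registration, says where the call came from.
                d = dialogs.setdefault(call_id, {"final": None, "acked": False})
                d["src"], d["from_user"], d["dest"] = src, user_of(hdr.get("from", "")), user_of(start)
            elif method == "ACK" and call_id in dialogs and dialogs[call_id]["final"] == 200:
                dialogs[call_id]["acked"] = True  # only the ACK to a 2xx completes the dialog
    return dialogs


def rogue_dialogs(text, trusted=TRUSTED):
    """Split dialogs from untrusted sources into completed calls and refused attempts."""
    completed, refused = [], []
    for d in track_dialogs(text).values():
        if d["src"] in trusted:
            continue
        if d["final"] == 200 and d["acked"]:
            completed.append((d["src"], d["from_user"], d["dest"]))
        else:
            refused.append((d["src"], d["from_user"], d["dest"], d["final"]))
    return completed, refused


if __name__ == "__main__":
    done, tried = rogue_dialogs(TRACE)
    for ip, ext, dest in done:
        print(f"COMPLETED call from {ip} using extension {ext} to {dest}: rotate that extension's secret")
    for ip, ext, dest, code in tried:
        print(f"refused ({code}) from {ip} as {ext} to {dest}")
```

Two details matter when reading a real trace the same way: the INVITE retried with credentials after a 401 keeps the original Call-ID, so it is one dialog and its source address is what counts, and the ACK that follows a 401 or 403 only closes a failed transaction, so it must not be mistaken for the "OK and ACK" that marks a connected call.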

So I did some more digging and it looks like there aren't any fraud calls. There is a Trunk Dial failed due to CONGESTION HANGUPCAUSE: 38 failing through to other trunks, but it doesn't fail over. Here are more logs: all circuits are busy - FreePBX Pastebin
The carrier is Voip Innovations. Here are the sip settings host=64.136.174.30&64.136.174.31&64.136.174.35&64.136.174.20&209.166.154.70&209.166.128.200&64.136.173.22
Am I correct that asterisk does not access them in order? Because the 64.136.173.22 ip is a secondary ip and at the end of the list. Why is it not using the first one, 64.136.174.30 ?

This is invalid. The host setting in chan_sip takes one IP not a string like that. You need to have a chan_sip peer/trunk per IP.

It would be useful to see the 100 lines or so before line 1 of the paste, but assuming that the call setup did something similar to line 21, you probably sent an invalid caller ID (the extension number) so VI rejected the call.

If you can install a current FreePBX and migrate the settings, use a pjsip trunk for VI. It's trivial to specify multiple server addresses with Match (Permit).

I have about 25 lines before that https://pastebin.freepbx.org/view/96f3088b
Tried to set up the VoipInnovations module but it gives a firewall status Fail.
I added the ips to Intrusion Detection and trusted but no change.
This is hosted on freepbxhosting so there's not supposed to be any firewall in front of it.

Is there any reason I can't just set up a pjsip trunk on the existing install? And does the Match (Permit) try the ips in the order listed?

Match / permit is only used inbound, so the order is irrelevant.

There MUST be a firewall in front of the PBX, whether freepbxhosting is providing it or the PBX itself is using the responsive firewall.

Under Reports > Asterisk Info > Peers are there any unrecognized registrations?

How are your remote phones connected? SIP with TLS 1.2+ or VPN?

VI have a Fraud Detection add-on - $50 for 50,000 minutes is the starting plan.

Finally, consider that the dial-plan itself might be hacked. We experienced this a few months back. Investigation showed redirects via Conferences and something else, I forget now. After installing a suggested update, which I should not have missed, problem has not recurred.

I've had this and it sucks. fwconsole validate to see if there is anything "extra" in your system. Change all of your extension passwords. Toll fraud is sometimes calls to known numbers. I set up a trunk called "Blocked" and an outbound route called "Blocked" and for the dial patterns I put those numbers in... so if someone dials them it tries to use the Blocked trunk, which has nothing in it. The Blocked trunk has nothing in it so it can't connect a call. You can also configure the notifications to send you an email if anyone is trying to make those calls.

I've run validate and it's clean. And we do have a Blocked trunk set up. Found the problem had to do with trunk configuration. Got it updated and it's working now.
