Freepbx hacked, making unauthorized calls, All circuits are busy

Got a freepbx 14 box that is setup with remote phones for 4 remote locations. Awhile back we discovered that there were toll fraud calls being made from the system which racked up a substantial bill. We were able to block the calls to the 712, etc area codes and that seemed to stop it, but were unable to find and remove the unauthorized users from the pbx. :frowning:
Now today, they can’t make calls most the time, when they try to make an outbound call, they get an All circuits are busy message. I increased the Maximum channels from 10 up to 50 and was able to make outbound calls then.
I did some digging and running “core show channels count” shows varying numbers of channels and calls. Right now it’s showing 0 active channels and 0 active calls, earlier it was up to 10 active channels and 5 active calls. It’s showing 181 calls processed in the last hour and 15min since I restarted it. I talked to one of the fellows onsite and he said there’s no way they made that many calls in that time frame.

Under Asterisk Info>Peers the extensions are registered from the correct ips.

So I need to figure out where the calls are being made too, and how they got into the system.

You don’t need to register to make an outgoing call, and you can make outgoing calls with the credentials that were used to register another device, without losing that registration.

Ok, that makes sense. How do I figure out which extension(s) is compromised if that’s the case? It’s a mix of Sangoma S500 / S505 / S705 phones and snom and yealink cordless. The Sangoma phones are provisioned with portal redirection and a mix of http / https provisioning protocol.

Truthfully, it might be prudent start over. It can be difficult to determine how compromised a box is.

That wouldn’t be all bad, esp since it’s version 14. But it’s a fairly complex build and would take quite a bit of work to rebuild from scratch. At this point, I’m more interested in tracking down where the calls are coming from and how to prevent that in the future. Otherwise I could rebuild it and have the same problem.

sngrep would provide insight.

Look at the network traffic, the CDRs and the Asterisk logs, turn on SIP debug. Is your PBX exposed to the Public? If the customer IPs are static, lockdown the firewall.

I’m somewhat familiar with sngrep but can you give me more details on what I’m looking for? Register, Invite, Subscribe?

You’re looking for the IP address that doesn’t belong, that is giving back OK and ACK.

So I did some more digging and it looks like there aren’t any fraud calls. There is a Trunk Dial failed to CONGESTION HANGUPCAUSE: 38 failing through to other trunks but it doesn’t failover. Here are more logs all circuits are busy - FreePBX Pastebin
The carrier is Voip Innovations. Here are the sip settings host=
Am I correct that asterisk does not access them in order? Because the ip is a secondary ip and at the end of the list. Why is it not using the first one, ?

This is invalid. The host setting in chan_sip takes one IP not a string like that. You need to have a chan_sip peer/trunk per IP.

It would be useful to see the 100 lines or so before line 1 of the paste, but assuming that the call setup did something similar to line 21, you probably sent an invalid caller ID (the extension number) so VI rejected the call.

If you can install a current FreePBX and migrate the settings, use a pjsip trunk for VI. It’s trivial to specify multiple server addresses with Match (Permit).

I have about 25 lines before that
Tried to setup the VoipInnovations module but it gives a firewall status Fail
I added the ips to Intrustion detection and trusted but no change.
This is hosted on freepbxhosting so there’s not supposed to be any firewall in front of it.

Is there any reason I can’t just setup a pjsip trunk on the existing install? And does the Match (Permit) try the ips in the order listed?

Match / permit is only used inbound, so the order is irrelevant.

There MUST be a firewall in front of the PBX, whether freepbxhosting is providing it or the PBX itself is using the responsive firewall.

Under Reports > Asterisk Info > Peers are there any unrecognized registrations?

How are your remote phones connected? SIP with TLS 1.2+ or VPN?

VI have a Fraud Detection add-on - $50 for 50,000 minutes is the starting plan.

Finally, consider that the dial-plan itself might be hacked. We experienced this a few months back. Investigation showed redirects via Conferences and something else, I forget now. After installing a suggested update, which I should not have missed, problem has not recurred.

I’ve had this and it sucks. fwconsole validate to see if there is anything “extra” in your system. Change all of your extension passwords. Toll fraud is sometimes calls to know numbers. I setup a trunk called “Blocked” and an outbound route called “Blocked” and for the dial patterns I put those numbers in…so if someone dials them it trys to use the blocked trunk which has nothing in it. The Blocked trunk has nothing in it so it can’t connect a call. You can also configure the notifications to send you an email if anyone is trying to make those calls.

I’ve ran validate and it’s clean. And we do have a Blocked trunk setup. Found the problem had to do with trunk configuration. Got it updated and it’s working now.

This topic was automatically closed 31 days after the last reply. New replies are no longer allowed.