Hacked System

I have several FreePBX systems deployed but have recently had the same system hacked twice. I don’t believe they are using my administrative login to do this. The first time they just opened up international calling and made calls to Mexico. I changed the administrative password as well as blocked them on a service level. It was hacked again and changes had been made to the extension custom config. I’m trying to figure out how they are getting in.

Sorry to hear this. Just out of interest - I presume your FreePBX instance is outside of your firewall or NAT or has port forwarding?
My instance is behind my NAT and I’m hoping I’m safe so long as that stays the same…

Where did you change this password and where did you block them at the service level?

What does that custom code look like?

I use some port forwarding, non-standard ports on both the administrative and phone side. I had changed the GUI password that I had set on the install. It is behind a cheap Linksys router and NAT. I am a white label SIP trunking provider so their service is through me. I usually make sure that International is turned off at the trunk level. I had missed that here. It wasn’t a lot of international but enough to throw up a flag.

This look familiar?


I deleted the code but it was some kind of forwarding code. It was trying to take every call and forward out of the system.

Yes that does look familiar

So you only changed the GUI password? Did you not change the SSH access to the box? There are more ways than just the GUI to get into your box.

To Blaze, that is correct. I want to make sure I get them all changed. I read an old post on changing the amportal but it concluded that it is not necessary. I also made sure I know how to change the root which I will do.

OK what security measures do you have in place currently?

If you only change passwords you can’t be sure you won’t be hacked again.

How about restricting GUI and SSH access to your PBX to only trusted IP addresses, i.e. only the IP addresses you will be logging in from.
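One way to put the suggestion above into practice on the PBX host itself. This is an added example, not code from the thread or from the FreePBX project: it builds iptables rules that accept SSH and the web GUI only from a list of trusted management addresses and drop those ports for everyone else. The addresses are constructed, and the port numbers (22, 80, 443) are assumed defaults; if the GUI or SSH listen on non-standard ports, substitute those.

```shell
#!/bin/sh
# Added example: restrict SSH and the FreePBX GUI to trusted management addresses.
# Not from the thread or the FreePBX project. Addresses below are constructed;
# ports are assumed defaults (SSH 22, HTTP 80, HTTPS 443). Adjust to your setup.

TRUSTED_IPS="203.0.113.10 198.51.100.0/24"   # constructed example management addresses
ADMIN_PORTS="22 80 443"                       # SSH and GUI ports (assumed defaults)

# Emit the rule set as text so it can be reviewed before anything touches the live firewall.
# For each admin port: one ACCEPT per trusted source, then a catch-all DROP for that port.
# Rules are appended in order, so the ACCEPTs must come before the DROP (they do here).
build_admin_rules() {
  for port in $ADMIN_PORTS; do
    for ip in $TRUSTED_IPS; do
      echo "iptables -A INPUT -p tcp --dport $port -s $ip -j ACCEPT"
    done
    echo "iptables -A INPUT -p tcp --dport $port -j DROP"
  done
}

# Sanity-check helpers: number of ACCEPT and DROP rules the set contains.
count_accept_rules() {
  build_admin_rules | grep -c -- '-j ACCEPT'
}

count_drop_rules() {
  build_admin_rules | grep -c -- '-j DROP'
}

# Only apply when explicitly asked (needs root and changes the live firewall);
# otherwise just print the rules for review.
if [ "$1" = "--apply" ]; then
  build_admin_rules | sh
else
  build_admin_rules
fi
```

Run it without arguments to review the generated rules, then with `--apply` as root to load them. Two caveats: the rules only cover the administrative ports, not SIP, which phones and trunks still need; and they rely on the PBX seeing the real remote source address. A consumer router that only port-forwards (DNAT) preserves the source, but one that also masquerades inbound traffic would make every connection appear to come from the router and defeat the source filter. Newer FreePBX installs that ship the Firewall module can achieve the same effect by placing the management addresses in its Trusted zone instead of hand-written rules.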

I don’t have any other security other than the Linksys firewall. I’m looking for any recommendations. I initially was setting up a VPN between 2 Mikrotik routers and for some reason could not get it to work. I now have two Edgewater routers that I am going to set up the VPN on and get rid of some of the port forwarding.

I read the post that Igaetz pointed to. This looks exactly like what happened. Is there any way that Endpoint Manager might have a way to be exploited? This is the only system I have Endpoint on.

The only thing you have as security measures for your ITSP network setup is an old Linksys router?!

No. The EPM just creates files, that is it. It doesn’t do anything special that would make things exploited. The only thing that would be “open” is the HTTP/S and TFTP ports for pulling the configuration files to the phone.

Unfortunately, unless you can provide some sort of details from within the box such as logs and other activity tracking, there is no way for us to really know how they got in and what they exploited on the system. Nor is there anything to say they couldn’t have gotten into other systems before your router either. Have you checked them?

You are seriously going to need to re-evaluate your setup if you’re going to continue being an ITSP of some form. Otherwise you’ve just got your ass hanging in the wind for any one to take.

I am looking for suggestions if you have any.

To avayax. Thank you, I will do this.
Thank you,

How are you set up now? Hard to suggest how to change things when we don’t know what is in place to change. First I can say that Linksys needs to be beaten with a bat and replaced with a real firewall/router. Mikrotik is a good choice for this.

Did you have any 3rd party programs on your system like FOP2 or Asternic CDR?

I do not have any 3rd party programs on this.