Help with toll fraud issue

I recently had someone exploit our FreePBX to make international calls, lots of them, and also tons of LD calls… they all originated from our (2) conference room phones, which are Yealink CP960’s. I don’t think anything is wrong with the units themselves, but how would this hacking have occurred? I have the passwords and secrets auto generated, yet somehow both of these extensions were exploited.

The records in the CDR are as shown above… is there something I am missing?

I changed the secrets on these 2 extensions, but want to make sure this can’t happen again.

You need to determine what IP was registered to the extension credentials at the time of the calls. Registrations will be logged in /var/log/asterisk/full* and will be a different string depending if they are chan_sip or pjsip extensions.
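As an added illustration of the check described above (not code from the thread or from FreePBX), this script parses constructed lines in the shape of Asterisk's /var/log/asterisk/full registration messages for both chan_sip and pjsip, and reports which IP was registered to an extension at the time of a suspicious CDR entry. The exact log wording and the sample addresses are assumptions for the example; adjust the regexes to what your version of Asterisk writes.

```python
import re
from datetime import datetime

# Constructed sample lines modelled on Asterisk "full" log output; the
# timestamps, extensions and addresses are made up for this example.
SAMPLE_LOG = """\
[2023-05-01 08:02:11] VERBOSE[2211] chan_sip.c:     -- Registered SIP '201' at 192.0.2.10:5060
[2023-05-01 09:15:42] VERBOSE[2211] res_pjsip_registrar.c: Added contact 'sip:202@192.0.2.11:5062' to AOR '202' with expiration of 120 seconds
[2023-05-01 23:40:05] VERBOSE[2211] res_pjsip_registrar.c: Added contact 'sip:202@198.51.100.77:5060' to AOR '202' with expiration of 120 seconds
[2023-05-02 00:05:30] VERBOSE[2211] chan_sip.c:     -- Registered SIP '201' at 203.0.113.9:31337
"""

TS_FMT = "%Y-%m-%d %H:%M:%S"
# chan_sip successful registration (assumed wording)
CHAN_SIP = re.compile(r"^\[(?P<ts>[^\]]+)\].*Registered SIP '(?P<ext>[^']+)' at (?P<ip>[\d.]+):\d+")
# pjsip registrar adding a contact to an AOR (assumed wording)
PJSIP = re.compile(r"^\[(?P<ts>[^\]]+)\].*Added contact 'sip:[^@]+@(?P<ip>[\d.]+):\d+' to AOR '(?P<ext>[^']+)'")

def parse_registrations(log_text):
    """Return a time-sorted list of (timestamp, extension, ip) for each registration."""
    events = []
    for line in log_text.splitlines():
        for pattern in (CHAN_SIP, PJSIP):
            m = pattern.match(line)
            if m:
                ts = datetime.strptime(m.group("ts"), TS_FMT)
                events.append((ts, m.group("ext"), m.group("ip")))
                break
    return sorted(events)

def registered_ip_at(events, ext, when_str):
    """Most recent IP registered to `ext` at or before the CDR time (None if none)."""
    when = datetime.strptime(when_str, TS_FMT)
    ip = None
    for ts, e, addr in events:
        if e == ext and ts <= when:
            ip = addr  # events are sorted, so the last match wins
    return ip

def foreign_registrations(events, lan_prefixes):
    """Registrations whose source is outside the prefixes you expect phones to use."""
    return [ev for ev in events if not ev[2].startswith(tuple(lan_prefixes))]

if __name__ == "__main__":
    evs = parse_registrations(SAMPLE_LOG)
    print("202 at 2023-05-02 00:30:00 ->", registered_ip_at(evs, "202", "2023-05-02 00:30:00"))
    for ts, ext, ip in foreign_registrations(evs, ["192.0.2."]):
        print(f"{ts} ext {ext} registered from outside LAN: {ip}")
```

Run it against a real `full` log by replacing SAMPLE_LOG with the file contents; any registration from an address outside your LAN or VPN range just before the first fraudulent call is the one to block and investigate.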

Sounds like you have weak passwords or a firewall not set up right. I have never seen this issue and we have 1000s of PBXs.

Autogenerated. No upper case letters. No special characters. The same length for every password. Need to lock down your firewall a bit. Lots of posts here about security.
Future versions of FreePBX ideally should include special characters and uppercase.

https://blogs.dropbox.com/tech/2012/04/zxcvbn-realistic-password-strength-estimation/

We are using autogenerated passwords… they were pretty long and complex… I changed them on those 2 exploited users just to be sure… but it worries me

Unfortunately these log files grew so quickly they were already purged of those dates.