Help with toll fraud issue

I recently had someone exploit our freepbx to make international calls, lots of them, and also tons of LD calls… they all originated from our (2) conference room phones, which are yealink CP960’s . I don’t think anything is wrong with the units themselves, but how would this hacking have occured? I have the passwords and secrets auto generated, yet somehow both of these extensions were exploited.

The records in the CDR are as shown above… is there something I am missing?

I changed the secrets on these 2 extensions, but want to make sure this can’t happen again.

You need to determine what IP was registered to the extension credentials at the time of the calls. Registrations will be logged in /var/log/asterisk/full* and will be a different string depending if they are chan_sip or pjsip extensions.

sounds like you have weak passwords or firewall not setup right. I have never seen this issue and we have 1000’s of pbxs

Autogenerated. No upper case letters. No special characters. The same length for every password. Need to lock down your firewall a bit. Lots of posts here about security.
Future versions of freepbx ideally should include special characters and uppercase.

We are using autogenerated passwords… they were pretty long and complex… I changed them on those 2 exploited users just to be sure… but it worries me

unfortunately these log files grew so quickly they were already purged of those dates

This topic was automatically closed 31 hours after the last reply. New replies are no longer allowed.