Someone got into my system

Hello, someone broke into my FreePBX phone system; somehow they guessed my 16-digit password. I do have ports open for when I’m traveling. They are all coming from the same 128 IP addresses. Is there a way to fix this so when I travel I can still use my phone extension, which I’m using my cellphone app to connect to?

joseph

Why not use a VPN?

You definitely want to keep your SIP ports closed to the internet and only open to, say, SIP providers or IPs you know you can trust.
Might I recommend the Ringotel phone app? I’ve been using it and it’s goooood. https://ringotel.co/
I would change your password and close those ports. Then block that IP at your firewall.

To be honest I hadn’t thought of using one on my phone, but I’m going to do that now. I changed all my passwords, closed all my ports, and I got a nice $4263.84 phone bill from Verizon; they are looking into it now.

joseph

I changed all my passwords, closed all my ports, even changed my IP address. I got a nice $4263.84 phone bill from Verizon; they are looking into it now and hopefully I don’t have to pay it.

joseph

Something else you should do is not allow any registrations unless they use your FQDN. That will stop most of these people.

With the caveat of not using the same domain as your web server, as that is quite possibly how they compromised the system, and they could know that domain from the HTTP handshake scans of IP addresses prior to HTTPS.

Hey dicko, I don’t have the PBX on a hosted system; it is local to me only, and I only use it myself, no one else.

joseph

Apparently not quite ‘me only’ :wink:
Have you investigated for ANY possible holes in your firewall(s)?

Sorry, not thinking straight. I read that wrong, LOL. I did look at my firewall logs and I didn’t see anything wrong.

joseph

If they do it cleverly, you won’t. It’s not just your SIP ports that are vulnerable. However, if you just use TLS against an obscure but legitimate certified URI, the drive-bys will also reduce dramatically with time. The network of those 128, and possibly more, can be distilled to one line, to the BGP prefix of just one:

whois -h whois.cymru.com ' -f -v a.b.c.d' 
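As an added example (not dicko’s command or FreePBX project code), the Python below parses a constructed verbose reply of that whois.cymru.com lookup and distills the individual source addresses into one deny rule per BGP prefix, so a hundred-odd attacking hosts collapse to a couple of lines. The iptables output format and the port number are assumptions; translate the prefixes into whatever firewall actually sits in front of the PBX.

```python
"""Turn attacking IPs plus the verbose Team Cymru whois reply into
per-BGP-prefix firewall deny rules (added example, not thread code)."""
import ipaddress

# Constructed sample of the verbose (' -v') whois.cymru.com reply for four
# addresses: documentation ranges and private AS numbers, not real attackers.
CYMRU_REPLY = """\
AS      | IP               | BGP Prefix          | CC | Registry | Allocated  | AS Name
64496   | 203.0.113.7      | 203.0.113.0/24      | ZZ | example  | 2010-01-01 | EXAMPLE-AS-1, ZZ
64496   | 203.0.113.99     | 203.0.113.0/24      | ZZ | example  | 2010-01-01 | EXAMPLE-AS-1, ZZ
64497   | 198.51.100.23    | 198.51.100.0/24     | ZZ | example  | 2011-05-05 | EXAMPLE-AS-2, ZZ
NA      | 192.0.2.1        | NA                  | NA | NA       |            | NA
"""


def parse_cymru(reply: str) -> dict:
    """Group answered IPs by BGP prefix: {network: {"asn", "name", "ips"}}.

    Rows whose prefix is 'NA' (not routed / not in the table) are skipped, and a
    row is rejected if the IP does not actually fall inside the stated prefix.
    """
    groups = {}
    for line in reply.splitlines():
        fields = [f.strip() for f in line.split("|")]
        if len(fields) != 7 or fields[0] == "AS":
            continue  # blank line or header row
        asn, ip, prefix, name = fields[0], fields[1], fields[2], fields[6]
        if prefix == "NA":
            continue
        net = ipaddress.ip_network(prefix, strict=True)
        if ipaddress.ip_address(ip) not in net:
            raise ValueError(f"{ip} not inside reported prefix {prefix}")
        entry = groups.setdefault(net, {"asn": asn, "name": name, "ips": []})
        entry["ips"].append(ip)
    return groups


def deny_rules(groups: dict, sip_port: int = 5060) -> list:
    """One iptables DROP per prefix for the SIP signalling port (UDP and TCP),
    the prefix with the most hits first; assumed output format."""
    rules = []
    for net, entry in sorted(groups.items(), key=lambda kv: -len(kv[1]["ips"])):
        comment = f"AS{entry['asn']} {len(entry['ips'])} hits"
        for proto in ("udp", "tcp"):
            rules.append(f"iptables -I INPUT -s {net} -p {proto} --dport {sip_port} "
                         f"-m comment --comment '{comment}' -j DROP")
    return rules


if __name__ == "__main__":
    for rule in deny_rules(parse_cymru(CYMRU_REPLY)):
        print(rule)
```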

Well, I hope my SonicWall holds them out. It is up to date. However, my FreePBX server is running an older version. I never updated it. I’ve been traveling, so I never had the chance to do so, and I forgot it.

joseph

If I were you, I would definitely look deeper into this. If your extensions really have strong passwords as you say, it’s hard to believe that someone guessed or brute-forced it. There must be some other way this happened.

You could be right. I have no clue. My password was strong; however, something else might have gotten into it. I’m still looking through it all and I will update shortly.

joseph

Okay, just an update. This is all my fault. My firewall is good, no hacks there that I can tell. However, the PBX itself is a whole other story. The root password is strong, but the web interface password is not. I screwed up: I made it a short password when I first programmed it for testing and I forgot to change it a long time ago, and since it’s automatically logged in from my laptop I didn’t notice it. What I did notice was a new phone extension that I never made.

I still need to hear back from the guy who helped me set up the SonicWall and see if he found anything.

joseph

Sorry to hear what happened. Mistakes happen. Always ensure you have some sort of call spend limit in place with the carrier as a last line of defence.

I called Verizon and they put a block on overseas calling. Now I have a new problem. By some chance I screwed myself up when I changed my web interface password; now I cannot see the top of my nav bar. It is gone. Also, if I try to hit the search box, it won’t find anything.

joseph

You should roll back to a backup or snapshot from before this happened, assuming you know when the hacker got it. Bear in mind, it could have been months ago. If you don’t know then rebuild from scratch if it’s possible and practical.

The hacker did not do this to my admin account. I did this to my account when I changed the admin password; I think I forgot to do something and lost my rights to it or something, and the nav bar went away.

joseph

How do I gain access back as an admin?

joseph