We have an AA50 for our small business to use. Recently our ISP, XO, stopped all long distance calls because we were "hacked".
According to XO, we are making international phone calls from our PBX; they showed us several long records of it.
We couldn't find anywhere under the GUI of the AA50 that we made those calls.
We matched the outgoing number to the internal extension and found nothing.
Went to the phone that had the phone number according to XO, and found nothing again.
Running the "sip show peers" command showed everyone is where they are supposed to be coming from, no outside / unknown IPs.
And the call detail records showed zero records all the time (it says beta in the web GUI, I assume it's probably not working properly).
I've added an 8-char-plus password to each extension, every one of them different. SSH access was never enabled, and the web GUI password was changed.
Then two days later, XO said our PBX is still trying to dial international phone calls (from one of the other phone numbers, which already had an 8-char password). Our phone numbers and extensions are dramatically different, and what XO was able to show us does not show any mention of the extension on the AA50, just the outgoing number.
Tried contacting Digium support, but from what we described, they do not think the calls are made from the AA50.
The tech's quote:
"There is no way that a person can hide active channels in AA50 (in the case they are using your AA50 as proxy server to place calls) But, there is another possibility. In the case that someone hacked your system, they probably got your SIP provider peer info. If they have this info, they can set their own server and place calls using your peer. "
A couple of questions:
- How can XO be so sure the calls are from our PBX when we see no trace of it?
- Under the AA50's VoIP trunk setup for XO, there is no user name and password that XO provides, only a set of IP addresses. We were told it uses CID as a method to let out phone calls. If that is true, someone could very easily hack this?
- Is there a better way to monitor the AA50? Right now I am in the CLI emulator doing "core show channels".
- I searched the forums before posting and it seems like there were a couple of cases like this before (hackers using your PBX to make unwanted phone calls, but at least they were able to see where the hackers were from, etc.). What were you able to do to fend off these attacks?
- What law enforcement agency do I need to contact? The local PD seems to have no clue on how to deal with it.
many thanks!
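One way to watch for this kind of toll fraud without relying on the web GUI, as an added example that is not code from the original post or from Digium: a small Python script that scans Asterisk's flat-file CDR (the column layout cdr_csv writes to Master.csv) and flags international destinations and after-hours calls. The sample records, the NANP dial rules and the business-hours window are constructed assumptions.

```python
import csv
import io
from datetime import datetime

# Column order of Asterisk's cdr_csv output (Master.csv).
CDR_FIELDS = [
    "accountcode", "src", "dst", "dcontext", "clid", "channel",
    "dstchannel", "lastapp", "lastdata", "start", "answer", "end",
    "duration", "billsec", "disposition", "amaflags", "uniqueid",
]

# Constructed sample CDR lines, not real call records.
SAMPLE_CDR = '''"","201","5551234567","from-internal","""Desk 201"" <201>","SIP/201-00000001","SIP/xo-00000002","Dial","SIP/xo/5551234567","2009-06-01 10:15:02","2009-06-01 10:15:10","2009-06-01 10:20:44","342","334","ANSWERED","DOCUMENTATION","1243851302.1"
"","203","011441234567890","from-internal","""Desk 203"" <203>","SIP/203-00000003","SIP/xo-00000004","Dial","SIP/xo/011441234567890","2009-06-02 02:41:17","2009-06-02 02:41:25","2009-06-02 03:02:01","1244","1236","ANSWERED","DOCUMENTATION","1243910477.3"
"","203","+37060012345","from-internal","""Desk 203"" <203>","SIP/203-00000005","SIP/xo-00000006","Dial","SIP/xo/+37060012345","2009-06-02 14:05:00","","2009-06-02 14:05:31","31","0","NO ANSWER","DOCUMENTATION","1243951500.5"
'''

BUSINESS_HOURS = (8, 18)  # assumption: office open 08:00-18:00 local time


def is_international(dst):
    """NANP (US) dial plan: 011 prefix, or a + prefix that is not +1."""
    return dst.startswith("011") or (dst.startswith("+") and not dst.startswith("+1"))


def after_hours(start):
    """True when the call started outside the business-hours window."""
    hour = datetime.strptime(start, "%Y-%m-%d %H:%M:%S").hour
    return not (BUSINESS_HOURS[0] <= hour < BUSINESS_HOURS[1])


def flag_suspicious(cdr_text):
    """Return (src, dst, start, reasons) for every record that trips a rule."""
    hits = []
    for row in csv.DictReader(io.StringIO(cdr_text), fieldnames=CDR_FIELDS):
        reasons = []
        if is_international(row["dst"]):
            reasons.append("international")
        if after_hours(row["start"]):
            reasons.append("after-hours")
        if reasons:
            hits.append((row["src"], row["dst"], row["start"], reasons))
    return hits


if __name__ == "__main__":
    # Run against the constructed sample; point it at Master.csv in practice.
    for src, dst, start, reasons in flag_suspicious(SAMPLE_CDR):
        print(f"{start} ext {src} -> {dst}: {', '.join(reasons)}")
```

Run it from cron against the live CSV and mail the output; a hit for an extension that was idle (or an empty file while the carrier reports calls) supports the Digium tech's point that the calls may not be passing through the AA50 at all.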