PBX Hacked! Making random calls

OK, first of all I do want to apologize for placing this in the Asterisk Support even though I’m running the Switchvox Free edition. But this section gets the most hits, and I’m in dire need of help.

Last week, we started getting calls from people who were getting calls from our number stating they need to activate their CC number; we sell trucks.
When I looked at the log, I saw constant outgoing calls from one of our extensions. I called my SIP provider (who is also our ISP, Cbeyond). They said it has absolutely nothing to do with them and our PBX has been compromised (even though I see no changes to it), and I could have sworn they were giving us a hardware firewall.

Anyways, I deleted the extension that was making all the calls and the calls stopped. I looked all over our PBX and phones and it seems like no changes were apparent.

Today, it started again with a different extension (even though I changed all passwords for the phones and the PBX). I have disabled all outgoing calls on this extension; now in the log, I see it keeps trying to dial random numbers but the calls are not going through.

Note it’s not making any new extensions; the log shows our current extensions as making all the calls. Weird.

What the heck is going on???


Basically two things:

1. Your passwords were too simple.
2. You haven’t deployed ACLs. (Does Switchvox support them?)


I’d agree with the prior poster and say that you have two things that you should do IMMEDIATELY:

  1. Your firewall is clearly… not firewalling. You need to work with CBeyond or whoever installed your firewall and ask them how it is possible for people on the Internet to be making calls. (Maybe it’s someone relaying off a machine inside your office? You should really figure out where the attacker is coming from.)

  2. Your passwords are insufficient and are being guessed by someone, probably with one of the more commonly-available SIP penetration toolsets. You should make passwords a minimum of 8 characters, with numbers and symbols in them.

Please see this blog post: blogs.digium.com/2009/03/28/sip-security/
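An added example, not code from this thread, from Digium or from Switchvox: a small Python audit script that reads an Asterisk sip.conf-style peer file and flags the two weaknesses the replies name, guessable secrets and peers with no deny/permit ACL, plus the global allowguest and alwaysauthreject settings. The embedded sample configuration is constructed; the script assumes a plain Asterisk sip.conf layout ([general] plus one section per peer) rather than Switchvox's own configuration store, so on Switchvox the same checks would have to be made through its admin interface.

```python
"""Audit an Asterisk sip.conf-style file for guessable secrets and missing ACLs.

Added example, not code from the forum thread. Assumes a plain sip.conf layout:
a [general] section plus one section per peer. The sample below is constructed.
"""
import re
import string

# Constructed sample: peer 201 is weak, peer 202 is hardened.
SAMPLE_SIP_CONF = """\
[general]
context=default
allowguest=no
alwaysauthreject=yes

[201]
type=friend
secret=201
context=internal
host=dynamic

[202]
type=friend
secret=Tr!x-9kLq#2pV
context=internal
host=dynamic
deny=0.0.0.0/0.0.0.0
permit=192.168.10.0/255.255.255.0
"""

MIN_SECRET_LEN = 8  # the "minimum of 8 characters" suggested in the reply

_SECTION_RE = re.compile(r'^\[([^\]]+)\]')
# key=value, key=>value and key+=value all appear in Asterisk config files
_KEYVAL_RE = re.compile(r'^([A-Za-z_][\w-]*)\s*\+?=>?\s*(.*)$')


def parse_sip_conf(text):
    """Return {section: {key: [values in file order]}}; ';' comments are dropped."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split(';', 1)[0].strip()
        if not line:
            continue
        m = _SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
            continue
        m = _KEYVAL_RE.match(line)
        if current is None or not m:
            continue
        sections[current].setdefault(m.group(1), []).append(m.group(2).strip())
    return sections


def weak_secret(name, secret):
    """List the reasons a peer secret is guessable; empty list means it passes."""
    if secret is None:
        return ["no secret set"]
    problems = []
    if len(secret) < MIN_SECRET_LEN:
        problems.append("shorter than %d characters" % MIN_SECRET_LEN)
    if not any(c.isdigit() for c in secret):
        problems.append("contains no digit")
    if not any(c in string.punctuation for c in secret):
        problems.append("contains no symbol")
    if secret == name:  # extension number reused as password (hypothetical but common check)
        problems.append("equals the extension name")
    return problems


def audit(sections):
    """Return (section, message) findings. A missing global key is treated as the
    insecure value, so an absent alwaysauthreject/allowguest is still reported."""
    findings = []
    general = sections.get("general", {})
    if general.get("alwaysauthreject", ["no"])[-1].lower() != "yes":
        findings.append(("general", "alwaysauthreject is not 'yes': failed registrations reveal which extensions exist"))
    if general.get("allowguest", ["yes"])[-1].lower() != "no":
        findings.append(("general", "allowguest is not 'no': unauthenticated calls are accepted"))
    for name, keys in sections.items():
        if name == "general" or "type" not in keys:
            continue  # not a peer definition
        secret = keys.get("secret", [None])[-1]
        for problem in weak_secret(name, secret):
            findings.append((name, "secret " + problem))
        if "deny" not in keys or "permit" not in keys:
            findings.append((name, "no deny/permit ACL: any source address may register as this peer"))
    return findings


if __name__ == "__main__":
    for section, message in audit(parse_sip_conf(SAMPLE_SIP_CONF)):
        print("[%s] %s" % (section, message))
```

Run against a real file by replacing SAMPLE_SIP_CONF with the file contents; every peer that appears in the output is one that an Internet-wide password-guessing run could register as, which is exactly the symptom the original post describes (calls appearing to come from an existing extension with no new extension created).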