ALERT The $4263.84 Phone Bill

wardmundy (Nerd Uno), joined Oct 12, 2007
If only he had deployed Incredible PBX instead of you-know-who's free PBX...


And the guy is still using the same system that got hacked. Yikes!
 
Yeah, I read that yesterday and was like .... UMMM... it seems like the guy doesn't have a firm grasp of what power there is there, nor how to protect it. I mean the whole comment about someone hacking his 16-digit random passcode. No, I'm sure they didn't. Reminds me of when FreePBX used to have a backdoor that people found out how to exploit in the past. That's why IncrediblePBX was a better solution: it had additional firewall safeguards. I haven't installed the FreePBX ISO in a long time, but I thought they now had proper firewalls in place to prevent this?
 
They do, but like anything, it's only as good as the user makes it. Just because the application came with a firewall doesn't mean the user actually used it. The user admitted to opening their firewall while travelling. It wouldn't have mattered if it was IPBX or FreePBX; the user willingly opened up access to the system so they could reach it from the outside from anywhere.

Straight from the OP:
I do have ports open for when I’m traveling.

The entire issue here is a PEBCAK issue. No amount of default firewalls is going to help when someone adds rules (or disables them) so they can have free-range remote access. It means everyone has free-range remote access.
 
That's not quite accurate. There are ways to protect remote client access: VPNs and FQDN-only access are two supported with Incredible PBX, and there have been no reported issues.
 
I agree, there are ways to protect things. But the OP just opened up ports for remote access. They didn't bother with a VPN or FQDN-only access. I'm not saying there weren't ways to prevent this, because there were. I'm saying none of that was used and **closed access** was **opened up** because the user wanted remote access from anywhere and opted to just open things and not do it right. It wouldn't have mattered if it was FreePBX or Travelin' Man firewalls; they both block access to things like 80/admin by default. However, if the user **opens that port** then it is just open.

This wasn't something that IPBX could have done better or that IPBX doesn't have solutions that could have been used, the user would have just done the same thing.
 
If I'm not mistaken, the FreePBX Distro requires the user to configure the firewall and turn it on. That's quite different than the Incredible PBX way of doing things. Yes, anyone can trash their server with enough effort. But some platforms make that a lot easier to accomplish.
 
It's a bit unclear from the FreePBX thread, but it sounds like the OP's reference to a firewall is to his SonicWall which apparently had port 80 wide open. I see no reference to configuring or using the actual FreePBX firewall. He then used some simple password for admin access to the FreePBX GUI, and the rest is history and a big phone bill.
 
I agree, it wasn't completely clear to me when reading the thread originally, and that's why I interjected there that using FQDN can substantially cut down on that. I mean someone might know your server IP is 3.3.3.3, but if they try to register to 3.3.3.3 they get denied and they'll have no clue why. Anyhow, as Ward says, there are MANY parts that can be blocked, and it just seems like they didn't take proper precautions. Like we don't even know from their post if the person gained access to the FreePBX portal, if a bad actor monitored their SIP connections from a public Wi-Fi or ... Many, many variables that require a deeper analysis.
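A sketch of the FQDN-only access model Ward and the poster above describe, as an added example that is not Incredible PBX's own Travelin' Man code: each trusted traveller runs a dynamic-DNS client, the PBX periodically resolves that name, and only the address it currently resolves to is let through to the SIP and web ports. Anyone else, including someone who already knows the server's IP, is silently dropped, which is the "they get denied and have no clue why" effect. The chain name, the exposed port list, the sample hostnames and addresses are assumptions for this example, and the script only returns the iptables commands as strings so it runs offline; in production each one would be executed from cron.

```python
"""FQDN-only remote access: allow only the addresses that trusted DDNS names
currently resolve to (added example modelled on the Travelin' Man idea)."""
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List, Optional, Tuple

CHAIN = "PBX-WHITELIST"    # hypothetical chain name
TCP_PORTS = "80,443,5061"  # web GUI and SIP over TLS (assumed exposure)
UDP_PORTS = "5060"         # plain SIP (assumed exposure)

Resolver = Callable[[str], Optional[str]]


def resolve_a_record(name: str) -> Optional[str]:
    """Live resolver: first IPv4 address for name, or None on any DNS failure."""
    try:
        return socket.gethostbyname(name)
    except OSError:
        return None


def bootstrap_rules() -> List[str]:
    """Default-deny skeleton. Only the protected ports are steered into the
    chain, and the chain ends in DROP; per-user ACCEPT rules are inserted
    above that DROP by plan_refresh()."""
    return [
        f"iptables -N {CHAIN}",
        f"iptables -A INPUT -p tcp -m multiport --dports {TCP_PORTS} -j {CHAIN}",
        f"iptables -A INPUT -p udp -m multiport --dports {UDP_PORTS} -j {CHAIN}",
        f"iptables -A {CHAIN} -j DROP",
    ]


def plan_refresh(fqdns: Iterable[str], known: Dict[str, str],
                 resolver: Resolver = resolve_a_record
                 ) -> Tuple[Dict[str, str], List[str]]:
    """Resolve each trusted name and diff it against the address last allowed.

    Returns the updated name->address map plus the commands to apply.
    Failure modes handled: a lookup failure keeps the existing rule (a
    transient DNS problem must not lock the traveller out), an unparsable or
    non-IPv4 answer is ignored, and a changed address swaps the old ACCEPT
    rule for a new one inserted above the trailing DROP.
    """
    state = dict(known)
    cmds: List[str] = []
    for name in fqdns:
        answer = resolver(name)
        if answer is None:
            cmds.append(f"# {name}: lookup failed, keeping {known.get(name, 'no')} rule")
            continue
        try:
            addr = ipaddress.ip_address(answer)
        except ValueError:
            cmds.append(f"# {name}: unparsable answer {answer!r}, ignored")
            continue
        if addr.version != 4:
            cmds.append(f"# {name}: {answer} is not IPv4, ignored")
            continue
        old = known.get(name)
        if old == answer:
            continue  # nothing changed for this user
        if old is not None:
            cmds.append(f"iptables -D {CHAIN} -s {old} -j ACCEPT")
        cmds.append(f"iptables -I {CHAIN} 1 -s {answer} -j ACCEPT")
        state[name] = answer
    return state, cmds


if __name__ == "__main__":
    # Constructed stand-in for DNS: the laptop moved to a new hotel network,
    # and the phone's DDNS record is temporarily unresolvable.
    fake_dns = {"laptop.example.net": "203.0.113.7"}
    previous = {"laptop.example.net": "198.51.100.2", "phone.example.net": "192.0.2.9"}
    new_state, commands = plan_refresh(["laptop.example.net", "phone.example.net"],
                                       previous, fake_dns.get)
    for c in bootstrap_rules() + commands:
        print(c)
```

The important design point is the default-deny tail: because INPUT only hands the protected ports to the chain and the chain's last rule is DROP, a traveller whose DDNS record has gone stale loses access rather than the world gaining it, and the refresher never widens the hole on a DNS hiccup.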
 
This gives me an idea. Someone could start up a service for an SBC that would whitelist and blacklist IPs. I mean I know that I've gotten many different hack attempts today, and while I block them, what about the next guy? Would be nice if they were all blocked at the SBC and everyone got to take advantage of that.
 
I know Ward used to have a honeypot server to catch the IP addresses of bad actors. I don't know what he does with the data.
 
It should be known that these guys are quite sophisticated. They first scan for 'fingerprints', i.e. a subset of ports that by default any distro might have open for web, SIP, provisioning, management, OpenVPN, whatever, and having got a 'mark' they send it on to folks who know that even if http is rewritten to https then

openssl s_client -connect 3.3.3.3:https < /dev/null

is quite 'leaky' if using a standard web server. If you use the same leaked domain for SIP transports then all bets are off; you can buy a domain name for < $10/year from Namecheap though.
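What the fingerprint scan described above looks like from the PBX side, and a small detector for it, as an added example that is not code from this thread: constructed iptables LOG lines are parsed, and any source that probes several of the default-exposure ports within a few minutes is reported together with the block rule you would hand to the firewall. That per-source verdict is also the kind of feed the shared SBC blocklist suggested a few posts up would collect. The port set, the time window, the log prefix and the sample addresses are all assumptions for this example.

```python
"""Fingerprint-scan detector over iptables LOG lines (added example)."""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Set, Tuple

# Ports a stock PBX distro tends to expose: SSH, web GUI, OpenVPN, SIP, alt web.
# Assumed probe set for this example.
FINGERPRINT_PORTS = {22, 80, 443, 1194, 5060, 5061, 8080, 8443}
MIN_DISTINCT_PORTS = 3   # how many different probed ports make a scan
WINDOW_SECONDS = 300     # within how much time

# Syslog timestamp followed by the iptables LOG fields we need (format assumed).
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: .*?SRC=(?P<src>[\d.]+) "
    r".*?PROTO=(?P<proto>\w+) .*?DPT=(?P<dpt>\d+)"
)

# Constructed sample: one real scan, one slow trickle that stays under the
# window, and one unrelated telnet probe.
SAMPLE_LOG = """\
Jan 12 03:14:07 pbx kernel: [99001.1] PBX-DROP IN=eth0 OUT= SRC=203.0.113.50 DST=198.51.100.10 PROTO=TCP SPT=41000 DPT=80
Jan 12 03:14:08 pbx kernel: [99002.1] PBX-DROP IN=eth0 OUT= SRC=203.0.113.50 DST=198.51.100.10 PROTO=TCP SPT=41001 DPT=443
Jan 12 03:14:09 pbx kernel: [99003.1] PBX-DROP IN=eth0 OUT= SRC=203.0.113.50 DST=198.51.100.10 PROTO=UDP SPT=5060 DPT=5060
Jan 12 03:14:10 pbx kernel: [99004.1] PBX-DROP IN=eth0 OUT= SRC=203.0.113.50 DST=198.51.100.10 PROTO=UDP SPT=41002 DPT=1194
Jan 12 03:20:00 pbx kernel: [99400.1] PBX-DROP IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.10 PROTO=TCP SPT=51000 DPT=22
Jan 12 03:40:00 pbx kernel: [100600.1] PBX-DROP IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.10 PROTO=TCP SPT=51001 DPT=80
Jan 12 03:59:00 pbx kernel: [101740.1] PBX-DROP IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.10 PROTO=UDP SPT=51002 DPT=5060
Jan 12 04:01:00 pbx kernel: [101860.1] PBX-DROP IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.10 PROTO=TCP SPT=60000 DPT=23
"""


def parse_events(log_text: str) -> Dict[str, List[Tuple[datetime, int]]]:
    """Group (timestamp, destination port) per source, keeping only probes
    against the fingerprint ports. Lines that do not match are skipped."""
    events: Dict[str, List[Tuple[datetime, int]]] = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        port = int(m.group("dpt"))
        if port not in FINGERPRINT_PORTS:
            continue
        # syslog carries no year; strptime fills in 1900, fine for deltas
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        events[m.group("src")].append((ts, port))
    return events


def find_scanners(log_text: str, window: int = WINDOW_SECONDS,
                  min_ports: int = MIN_DISTINCT_PORTS) -> Dict[str, Set[int]]:
    """Sliding window per source: flag it the first time `min_ports` distinct
    fingerprint ports are hit within `window` seconds."""
    flagged: Dict[str, Set[int]] = {}
    for src, evts in parse_events(log_text).items():
        evts.sort()
        for i, (t0, _) in enumerate(evts):
            ports = {p for t, p in evts[i:] if (t - t0).total_seconds() <= window}
            if len(ports) >= min_ports:
                flagged[src] = ports
                break
    return flagged


def block_commands(flagged: Dict[str, Set[int]]) -> List[str]:
    """Firewall rules for the flagged sources (returned, not executed)."""
    return [f"iptables -I INPUT -s {src} -j DROP" for src in sorted(flagged)]


if __name__ == "__main__":
    hits = find_scanners(SAMPLE_LOG)
    for src, ports in hits.items():
        print(f"{src} probed {sorted(ports)}")
    for cmd in block_commands(hits):
        print(cmd)
```

Only the sources you are already dropping show up here, so the detector says nothing about credentials or the admin GUI; its value is that a confirmed fingerprint scan is a leading indicator, and blocking that source (or publishing it to a shared list) happens before the follow-on SIP registration attempts arrive.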
 
Just a word of sympathy for joseph chrzempiec. Well, he's got a nice $4263.84 phone bill; it could be a lot worse, and hope next month doesn't add more pain; at least he is now able to put an end to it.
 
Historically there have been many 'penetrations' in this ecosystem of all flavors; they pop up maybe once a year or so.
Can anyone say there is not an as yet undiscovered one?

Personally, some while ago, I identified, at a cost of $11K to AT&T, that allowing in-call DTMF forwarding within an answered voicemail should not be allowed for any external caller, this on a totally TDM air-gapped system.

Complacency is not a good thing; nothing should be 'relied on'. Constant vigilance is practiced by wise virgins :) (I no longer consider myself to be a virgin ;-) )
 
Fixed long ago in mainstream FreePBX; it's just the presence of t and/or T in the Dial() command.
 
Yeah, 40 years ago I remember we had a hack for getting free phone calls from pay phones. But that was just for fun ... now it's for money. Probably about 15 years ago I got hacked via an open backdoor in FreePBX that cost me about $500 each hack, and it happened a few times before we got the door completely closed. Thank God it was a time when international calling was best achieved by buying international minutes overseas that required a wire transfer, so there were no auto-refills, which kept the damage to a minimum.

Some mitigation techniques are as simple as changing the ports. Do you use port 5060? Do you use port 22? ... Easy things to put another barrier in front.
 
As a kid, learning to hook-flash at 10pps was a great way to not need 4d.

For me UDP/![5000-5999] was 99.5% effective; switching to TCP was an order of magnitude improvement; moving to TLS against a completely unrelated domain certificate has so far been 100% effective across lots of PBI (FreePBX and otherwise).
 