Kerio User Forums » Kerio Operator » hacked?
allgraphicsit

Hello,

My SIP trunk supplier has closed our account as they think our phone system has been hacked.

I can't work it out, seems there were a bunch of calls made one after the other before the account got closed.

Looking through the Call History I see some strange calls.

The extension of the user is also doing call forwarding to their mobile number. What I find strange is in the Call History I have numbers that are from external to external. Like a caller is somehow able to call our phone system and then call out to a different number once connected.

I have just this second upgraded to the latest version just in case there are security improvements in there. I think we were on the last version before the latest.

Ta,

David
Vladimir Toncar (Kerio)

Hi,

Please check the configuration of your SIP interface immediately. The option Advanced > Allow incoming calls to use outgoing routes should not be checked (unless it is a connection to a branch office or similar scenario). Also change the administration password to something complex. Change the user's password. If someone stole the user's/admin's password, they might be able to change the call forwarding rules. Change the SIP passwords for all your SIP extensions, and use very complex passwords.

Inspect the recent entries in the logs - Auth log, Security log, Config log.

Make sure you use the protection against SIP password guessing. Set up outgoing calls constraints, limit calls to countries you do not deal with very often. Or block some countries altogether using call permissions.

If your installation is not very large, you might consider reinstalling from scratch.

I'd also do a check of your entire network, starting with your router/firewall. Inspect all the routing rules, change passwords. Be sure to use complex passwords. Scan all machines in your network for viruses - there could be a key-logger somewhere, stealing your passwords.

Hope this helps,
Vladimir

M. Steinhauser (Kerio)

Maybe also check the "third party CTI integration (AMI)" setting https://<your_operator_ip>:4021/admin/#integration and try more restrictive firewall settings https://<your_operator_ip>:4021/admin/#menuNetwork (second tab).

______________________________
Martin Steinhauser
tester
Kerio Technologies
Jef

Hi,
We had the same problem.
We were not hacked but made lots of calls to other countries.
When they see something abnormal they block your account.
The best is to call your SIP provider for an explanation.
They can tell you what's wrong.

Sometimes they set a credit limit to protect you.

Let's hope there is not a Pakistan call centre running on your PBX. Wink

Greets
Jef
allgraphicsit

Thanks for your suggestions.

It is puzzling.

I have gone through and checked logs and made sure those basic security settings were applied and they were.

Passwords are pretty good and it doesn't look like anyone has signed in as administrator and changed any configuration.

The "Allow incoming calls to use outbound routes" option is off on all interfaces.

The user in question has a rule setup to forward to her mobile. Is it possible that while the call is being diverted the person calling could enter some codes to make another call?

I have screenshotted the log; see how her 353 extension is diverted to the 07... mobile number and it appears an external call then makes an external call. Can anyone make sense of my call history there? See attached.

M. Steinhauser (Kerio)

One more thing please. Go to Status -> System Health (https://<your_operator_ip>:4021/admin/#systemHealth) and click on the "Support information" link in the lower left corner. Send the generated .ZIP file to the address martin.steinhauser(at)kerio.com.

I'll send it to devel then...

THX

allgraphicsit

Thanks Martin,

I have just emailed it to you.

Ta,

David
allgraphicsit

Hi Martin,

Sorry, your email address is bouncing on me; I tried two different email accounts.

Is it correct?

Thanks,

David
M. Steinhauser (Kerio)

It is wrong, of course. I mixed up two addresses... Sorry!
Use:

msteinhauser(at)kerio.com

Vladimir Toncar (Kerio)

Is the extension 353 located in your LAN? What is the phone model? Any special config/local call forwarding on that phone?

BTW, country code 224 is Guinea, known as a frequent source of scam calls. I'd recommend that you block calls to 900224... now until the issue is further researched.
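The two Kerio replies above describe what to look for in the call history: inbound calls that are re-routed back out (external to external), outbound legs to a high-risk country code such as 224, and runs of calls made one after the other. The script below, an added example that is not Kerio code, applies those three checks to constructed CDR lines; the line format, the 3-digit extension length, the "00" international prefix and the sample records are all assumptions.

```python
"""Toll-fraud triage over PBX call-history (CDR) lines. Added example, not Kerio code."""
from datetime import datetime, timedelta

# Constructed CDR text: "<ISO time>;<caller>;<callee>;<duration seconds>". Rows 3-5 mimic
# the thread: an outside caller reaches a forwarding extension, then legs to Guinea appear.
SAMPLE_CDR = """\
2017-01-20T09:12:03;353;0044790000001;42
2017-01-20T09:40:11;00853200000001;353;5
2017-01-20T09:40:19;00853200000001;0022462000001;1200
2017-01-20T09:41:02;00853200000001;0022462000002;1199
2017-01-20T09:41:50;00853200000001;0022462000003;1203
2017-01-20T10:05:00;354;355;30
"""

# Assumptions: 3-digit internal extensions, "00" international prefix, 224 (Guinea) blocked.
EXT_DIGITS = 3
INTL_PREFIX = "00"
BLOCKED_CC = ("224",)
BURST_COUNT, BURST_WINDOW = 3, timedelta(minutes=5)


def is_internal(number):
    return number.isdigit() and len(number) == EXT_DIGITS


def parse_cdr(text):
    rows = []
    for line in text.splitlines():
        ts, src, dst, secs = line.split(";")
        rows.append((datetime.fromisoformat(ts), src, dst, int(secs)))
    return rows


def triage(rows):
    """Return (rule, caller, detail) for call legs matching a fraud indicator."""
    findings, outbound = [], {}
    for ts, src, dst, _ in rows:
        if not is_internal(src) and not is_internal(dst):
            findings.append(("external-to-external", src, dst))  # hairpinned through the PBX
        if dst.startswith(INTL_PREFIX) and dst[len(INTL_PREFIX):].startswith(BLOCKED_CC):
            findings.append(("blocked-country", src, dst))
        if not is_internal(dst):
            outbound.setdefault(src, []).append(ts)
    for src, times in outbound.items():  # BURST_COUNT outbound legs inside one window
        times.sort()
        if any(times[i + BURST_COUNT - 1] - times[i] <= BURST_WINDOW
               for i in range(len(times) - BURST_COUNT + 1)):
            findings.append(("burst", src, f"{BURST_COUNT} outbound calls within {BURST_WINDOW}"))
    return findings
```

Running `triage(parse_cdr(SAMPLE_CDR))` on the constructed data flags the three Guinea legs twice each (external-to-external and blocked-country) plus one burst for the outside caller, while the extension-to-extension and single forwarded call pass.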
allgraphicsit

Hi Vladimir,

353 is a user in Singapore. At the time it appeared she was not logged in. She usually uses the Bria iPhone client and a SNOM 870 or SNOM 810. The SNOMs are on the Singapore office LAN with a VPN back to our office in London (I was surprised how well the VoIP survived the encrypted VPN connection over that distance).

She forwards her calls to her mobile phone. It looks like someone kept trying to call her, I wondered if while it was forwarding they somehow managed to make an extra external call which dropped when the mobile's voicemail got full, probably at 20m.

I will see about blocking that country. Thanks.
Current Time: Tue Jan 24 18:25:20 CET 2017