<div dir="ltr">The UI (or anything really) is not open to the internet. The only things open are SSH and RDP (on alternate ports). The freepbx web interface has a strong username/password. The only weakness I see is a weak secret SIP password, and default mitel admin password used. There is no provisioning server for the Mitel phones right now.<div><br></div><div>The phone system is on the same subnet/VLAN as the internal network. My guess is some internal computer has a trojan which allowed attackers to do some internal configuration changes. I don't yet know how they launched an outbound call from the internal extension.</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Jan 28, 2015 at 4:38 PM, Terry Brummell <span dir="ltr"><<a href="mailto:terry@brummell.net" target="_blank">terry@brummell.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div lang="EN-US" link="blue" vlink="purple">
<div style="direction:ltr;font-family:Tahoma;color:#000000;font-size:10pt">
<p><span style="FONT-SIZE:10.5pt;FONT-FAMILY:Consolas;COLOR:#1f497d"></span><span style="FONT-SIZE:11pt;FONT-FAMILY:'Calibri','sans-serif';COLOR:#1f497d">You don't mention if the phone is remote, or local. Although you do mention it had a default
user/pass. If the UI of the phone was/is accessible from the I'net, the GUI does have the ability to place a call from it, that is one way the calls could have been placed.</span></p><span class="">
<p><span style="FONT-SIZE:11pt;FONT-FAMILY:'Calibri','sans-serif';COLOR:#1f497d"></span> </p>
<p><span style="FONT-SIZE:11pt;FONT-FAMILY:'Calibri','sans-serif';COLOR:#1f497d"></span> </p>
<div style="FONT-SIZE:16px;FONT-FAMILY:Times New Roman;COLOR:#000000">
<div>
<div>
<div style="BORDER-TOP:#b5c4df 1pt solid;BORDER-RIGHT:medium none;BORDER-BOTTOM:medium none;PADDING-BOTTOM:0in;PADDING-TOP:3pt;PADDING-LEFT:0in;BORDER-LEFT:medium none;PADDING-RIGHT:0in">
<p class="MsoNormal"><b><span style="FONT-SIZE:10pt;FONT-FAMILY:'Tahoma','sans-serif'">From:</span></b><span style="FONT-SIZE:10pt;FONT-FAMILY:'Tahoma','sans-serif'"> <a href="mailto:asterisk-users-bounces@lists.digium.com" target="_blank">asterisk-users-bounces@lists.digium.com</a> [mailto:<a href="mailto:asterisk-users-bounces@lists.digium.com" target="_blank">asterisk-users-bounces@lists.digium.com</a>]
<b>On Behalf Of </b>Steven McCann<br>
<b>Sent:</b> Wednesday, January 28, 2015 4:03 PM<br>
<b>To:</b> <a href="mailto:asterisk-users@lists.digium.com" target="_blank">asterisk-users@lists.digium.com</a><br>
<b>Subject:</b> [asterisk-users] Investigating international calls fraud</span></p>
</div>
<p class="MsoNormal"> </p>
<div>
<div>
<div>
<p class="MsoNormal">Hello,</p>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">I'm investigating a situation where there was a hundreds of minutes of calls from an internal SIP extension to an 855 number in Cambodia, resulting in a crazy ($25,000+) bill from the phone company. I'm investigating, but can anyone provide
some feedback on what's happened here? I'm investigating how this happened as well as what types of arrangements can be made with the phone company (CenturyLink in Texas).</p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">Some details:</p>
</div>
<div>
<p class="MsoNormal">* PBX is located in Texas</p>
</div>
<div>
<p class="MsoNormal">* Phone carrier is CenturyLink</p>
</div>
<div>
<p class="MsoNormal">* FreePBX distro running asterisk 1.8.14</p>
</div>
<div>
<p class="MsoNormal">* source SIP extension is Mitel 5212, firmware 08.00.00.04, default admin password (argh!). Phone is used by many different people.</p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">More PBX setting details:</p>
</div>
<div>
<p class="MsoNormal">* inbound SIP traffic is not allowed through the firewall</p>
</div>
<div>
<p class="MsoNormal">* internal network is not accessed by many</p>
</div>
<div>
<p class="MsoNormal">* FreePBX web interface </p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal"><b>Questions I have at this moment:</b></p>
</div>
<div>
<p class="MsoNormal">1) how were the calls placed? Was the Mitel SIP phone hacked somehow? Asterisk PBX?</p>
</div>
<div>
<p class="MsoNormal">2) how does this typically get sorted out with the phone company? they are charging $6.25 per minute for the Texas to Cambodia calls. The phone system owners are at fault, but how have these situations worked out in the past?</p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">I'll be tightening things up, but any feedback is appreciated.</p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">Thanks,</p>
</div>
<div>
<p class="MsoNormal">Steve</p>
</div>
</div>
</div>
<p class="MsoNormal"> </p>
</div>
</div>
</div>
</div>
</span></div>
<br><br></div>
<br>--<br>
_____________________________________________________________________<br>
-- Bandwidth and Colocation Provided by <a href="http://www.api-digital.com" target="_blank">http://www.api-digital.com</a> --<br>
New to Asterisk? Join us for a live introductory webinar every Thurs:<br>
<a href="http://www.asterisk.org/hello" target="_blank">http://www.asterisk.org/hello</a><br>
<br>
asterisk-users mailing list<br>
To UNSUBSCRIBE or update options visit:<br>
<a href="http://lists.digium.com/mailman/listinfo/asterisk-users" target="_blank">http://lists.digium.com/mailman/listinfo/asterisk-users</a><br></blockquote></div><br></div>