
Thousands of minutes of unknown calls

Posted: Thu Aug 02, 2018 5:59 pm
by irodel_ini
Hi support,

Just wanna ask about thousands of minutes of unknown calls. All of a sudden our monthly VoIP bill became 66K minutes, whereas our average monthly bill is less than 10K minutes. When we checked, we found unknown destination numbers: "17127755736" has calls of more than 4K seconds, and a lot of destination numbers starting with "1712775xxxx" have a high number of seconds. But when we try to search for that number in the vicidial admin, it doesn't exist in the system or our leads, although it is in the cdr table. Can you help me understand why and how this happened, or what the possible causes are and how to prevent that from happening again? Thank you.

VICIDIAL VERSION: 2.14-644a
BUILD: 171130-0036
Asterisk Version: 11.25.3-vici

Re: Thousands of minutes of unknown calls

Posted: Thu Aug 02, 2018 6:02 pm
by irodel_ini
By the way, most of the calls' caller IDs in the cdr table came from our 102 SIP extension. Thank you.

Re: Thousands of minutes of unknown calls

Posted: Fri Aug 03, 2018 3:47 am
by thephaseusa
You didn't use extension 102, login password 102, registration password 102, did you?

Are you using a firewall?

http://viciwiki.com/index.php/DGG

VoIP minutes are the first thing hackers try to attack on a vicidial computer. I’m very sorry, but it sounds like they discovered your SIP extension 102 login and maybe other extensions and used them to steal your VoIP minutes. Unplug from the internet, change your phone extension passwords and system passwords, set up a whitelist firewall (DGG), connect back to the internet, and confirm that your firewall is dropping connections from non-whitelisted IP addresses.

journalctl -f -k

Please post back and let us know if you need assistance.

Re: Thousands of minutes of unknown calls

Posted: Fri Aug 03, 2018 5:55 pm
by irodel_ini
Thank you for your reply and suggestions. I did not use the extension 102. I don't have a firewall either. Can I ask what this command "journalctl -f -k" is for?

Re: Thousands of minutes of unknown calls

Posted: Fri Aug 03, 2018 6:17 pm
by williamconley
irodel_ini wrote: Thank you for your reply and suggestions. I did not use the extension 102. I don't have a firewall either. Can I ask what this command "journalctl -f -k" is for?

I bet this will help you: http://bfy.tw/JG4K

Also note that while the DGG link before is useful to install the DGG firewall ... it begins with instructions on how to Whitelist your server (without installing anything!). So start with the whitelist, immediately. Reboot after you've got the whitelist configuration done to lock out anyone who already has a connection. Then decide whether to complete the DGG install (which is really just an add-on to make whitelisting of IPs easier!).

And from this moment forward: Never put a PBX / Dialer online without whitelisting it.

If you require assistance with the installation: http://catalog.poundteam.com/product_in ... cts_id=687

Re: Thousands of minutes of unknown calls

Posted: Fri Aug 03, 2018 6:31 pm
by irodel_ini
Thank you so much for your help. Is this applicable and OK even if our server is in the cloud? Meaning I don't have the physical server at my place.

Re: Thousands of minutes of unknown calls

Posted: Fri Aug 03, 2018 6:42 pm
by williamconley
The server can be virtual, physical, at your location or at some other location. There is no Cloud.

But to answer your question: None of those is relevant. It's a device with internet access and it's been accessed as such. Because the firewall wasn't whitelisted.

Re: Thousands of minutes of unknown calls

Posted: Tue Aug 14, 2018 10:33 pm
by teleinx
It's rare to see this type of fraud to a destination in the US. It's more frequent with international destinations. Just a sobering reminder that you need to lock down and secure your equipment!
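
Added example (not part of any post in this thread, and not VICIdial code): a small Python check for the pattern described in the first two posts, where billed time piles up on destinations that share a prefix and are absent from the lead list. It assumes a CSV export of the cdr table with the stock Asterisk column names `calldate`, `src`, `dst` and `billsec`; the sample rows, the lead list and the thresholds are constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample rows (not real data). Column names follow the stock
# Asterisk cdr table: calldate, src, dst, billsec.
SAMPLE_CDR = """calldate,src,dst,billsec
2018-07-30 01:12:04,102,17127755736,4210
2018-07-30 01:13:40,102,17127755101,3890
2018-07-30 02:05:11,102,17127755102,3650
2018-07-30 09:15:00,8600051,12025550143,95
2018-07-30 09:20:31,8600052,12025550177,240
2018-07-30 03:44:09,102,17127755736,3100
"""

# Constructed lead list: numbers the dialer is expected to call.
KNOWN_LEADS = {"12025550143", "12025550177"}


def unknown_destination_report(cdr_csv, known_numbers, prefix_len=7, min_billsec=3600):
    """Group calls to numbers absent from known_numbers by destination prefix.

    Returns a list of dicts sorted by total billed seconds (highest first),
    keeping only prefixes whose total reaches min_billsec.
    """
    totals = defaultdict(lambda: {"billsec": 0, "calls": 0, "dsts": set(), "srcs": set()})
    for row in csv.DictReader(io.StringIO(cdr_csv)):
        dst = "".join(ch for ch in row["dst"] if ch.isdigit())
        if not dst or dst in known_numbers:
            continue  # destination is a known lead, not of interest here
        bucket = totals[dst[:prefix_len]]
        bucket["billsec"] += int(row["billsec"])
        bucket["calls"] += 1
        bucket["dsts"].add(dst)
        bucket["srcs"].add(row["src"])
    report = [
        {"prefix": p, "billsec": b["billsec"], "calls": b["calls"],
         "destinations": sorted(b["dsts"]), "sources": sorted(b["srcs"])}
        for p, b in totals.items() if b["billsec"] >= min_billsec
    ]
    return sorted(report, key=lambda r: r["billsec"], reverse=True)


if __name__ == "__main__":
    for entry in unknown_destination_report(SAMPLE_CDR, KNOWN_LEADS):
        minutes = entry["billsec"] / 60
        print(f'{entry["prefix"]}*: {entry["calls"]} calls, {minutes:.0f} min, '
              f'from {entry["sources"]}, to {len(entry["destinations"])} numbers')
```

Run on a schedule against a fresh export, a report like this surfaces an abused extension within hours instead of at the monthly bill; the `sources` field shows which extension's credentials to rotate first.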