ALERT Yesterday I was hacked but can't figure out how

sirdotcom

Member
Joined
Mar 20, 2010
Messages
150
Reaction score
25
Yesterday, while I happened to be out for a few minutes, about 25 calls were made to African countries. Most of them were no answers or busy, but I still got charged. I've seen this scam before, a few years ago, but I thought it was fixed. My main boo-boo was that I had the firewall down at the time ... however, the CLIDs are all Google Voice numbers! 2 different ones. The logs don't say anything about them dialing trunk access codes, they just show my GV numbers as the source and the destination as the rather expensive number. I only lost about $8, but I don't think this was a firewall thing .. it seems they exploited GV somehow.

They used voip.ms and a "011" dialling prefix (which from internal you need more than that,) and also another provider that doesn't accept an int'l prefix, and those calls failed. Here is a snippet from the log:

Code:
[2016-08-27 07:11:15] VERBOSE[24680][C-0000001f] pbx.c: Executing [s@macro-dialout-trunk:13] Set("Local/005311034197@thanku-outcall-0000001f;2", "OUTNUM=005311034197") in new stack
[2016-08-27 07:11:15] VERBOSE[24680][C-0000001f] pbx.c: Executing [s@macro-dialout-trunk:14] Set("Local/005311034197@thanku-outcall-0000001f;2", "custom=SIP/voipms_44") in new stack
[2016-08-27 07:11:15] VERBOSE[24680][C-0000001f] pbx.c: Executing [s@macro-dialout-trunk:15] ExecIf("Local/005311034197@thanku-outcall-0000001f;2", "0?Set(DIAL_TRUNK_OPTIONS=M(setmusic^default))") in new stack
[2016-08-27 07:11:15] VERBOSE[24680][C-0000001f] pbx.c: Executing [s@macro-dialout-trunk:16] ExecIf("Local/005311034197@thanku-outcall-0000001f;2", "0?Set(DIAL_TRUNK_OPTIONS=M(confirm))") in new stack
[2016-08-27 07:11:15] VERBOSE[24680][C-0000001f] pbx.c: Executing [s@macro-dialout-trunk:17] Macro("Local/005311034197@thanku-outcall-0000001f;2", "dialout-trunk-predial-hook,") in new stack
[2016-08-27 07:11:15] VERBOSE[24680][C-0000001f] pbx.c: Executing [s@macro-dialout-trunk-predial-hook:1] MacroExit("Local/005311034197@thanku-outcall-0000001f;2", "") in new stack
[2016-08-27 07:11:15] VERBOSE[24680][C-0000001f] pbx.c: Executing [s@macro-dialout-trunk:18] GotoIf("Local/005311034197@thanku-outcall-0000001f;2", "0?bypass,1") in new stack
[2016-08-27 07:11:15] VERBOSE[24680][C-0000001f] pbx.c: Executing [s@macro-dialout-trunk:19] ExecIf("Local/005311034197@thanku-outcall-0000001f;2", "0?Set(CONNECTEDLINE(num,i)=005311034197)") in new stack
[2016-08-27 07:11:15] VERBOSE[24680][C-0000001f] pbx.c: Executing [s@macro-dialout-trunk:20] ExecIf("Local/005311034197@thanku-outcall-0000001f;2", "0?Set(CONNECTEDLINE(name,i)=CID:)") in new stack
[2016-08-27 07:11:15] VERBOSE[24680][C-0000001f] pbx.c: Executing [s@macro-dialout-trunk:21] GotoIf("Local/005311034197@thanku-outcall-0000001f;2", "0?customtrunk") in new stack
[2016-08-27 07:11:15] VERBOSE[24680][C-0000001f] pbx.c: Executing [s@macro-dialout-trunk:22] Dial("Local/005311034197@thanku-outcall-0000001f;2", "SIP/voipms_44/005311034197,300,") in new stack
[2016-08-27 07:11:15] VERBOSE[24680][C-0000001f] netsock2.c: Using SIP RTP TOS bits 184
[2016-08-27 07:11:15] VERBOSE[24680][C-0000001f] netsock2.c: Using SIP RTP CoS mark 5
[2016-08-27 07:11:15] VERBOSE[24680][C-0000001f] app_dial.c: Called SIP/voipms_44/005311034197
[2016-08-27 07:11:15] VERBOSE[24646][C-0000001e] app_dial.c: No one is available to answer at this time (1:0/0/0)
[2016-08-27 07:11:15] VERBOSE[24646][C-0000001e] pbx.c: Executing [s@macro-dialout-trunk:31] NoOp("Local/0023155566195@thanku-outcall-0000001e;2", "Dial failed for some reason with DIALSTATUS = NOANSWER and HANGUPCAUSE = 16") in new stack
[2016-08-27 07:11:15] VERBOSE[24646][C-0000001e] pbx.c: Executing [s@macro-dialout-trunk:32] GotoIf("Local/0023155566195@thanku-outcall-0000001e;2", "1?continue,1:s-NOANSWER,1") in new stack

There's a lot more FreePBX stuff but what gets me is the Dialing xxx@thanku-outcall ... how the hell did they do that? Just another reminder to lock things down I suppose.
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,202
Reaction score
5,225
Yesterday, while I happened to be out for a few minutes, about 25 calls were made to African countries. Most of them were no answers or busy, but I still got charged. I've seen this scam before, a few years ago, but I thought it was fixed. My main boo-boo was that I had the firewall down at the time ...

If the calls are going out on voip.ms, it's not a Google Voice problem. If you had your firewall working, the whitelist would have kept an outsider from being able to make SIP calls on your nickel. So, yes, it's a firewall problem. If thanku-outcall isn't a context that you created, then you need to delete your entire setup and start over... AND KEEP THE INCREDIBLE PBX FIREWALL IN PLACE.

You didn't mention which software you were actually running. That, too, would be helpful info.
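
A triage check for the point raised in the reply above, as an added example that is not part of the thread: it scans an Asterisk verbose log for trunk Dial() calls that carry an international prefix or originate from a Local channel whose context is missing from an allowlist. The sample lines are constructed in the format of the posted excerpt, and the allowlist entry (`from-internal`) and the function name are assumptions.

```python
import re

# Constructed sample in the format of the excerpt posted above (not the poster's full log).
SAMPLE_LOG = '''\
[2016-08-27 07:11:15] VERBOSE[24680][C-0000001f] pbx.c: Executing [s@macro-dialout-trunk:22] Dial("Local/005311034197@thanku-outcall-0000001f;2", "SIP/voipms_44/005311034197,300,") in new stack
[2016-08-27 07:11:16] VERBOSE[24646][C-0000001e] pbx.c: Executing [s@macro-dialout-trunk:22] Dial("Local/0023155566195@thanku-outcall-0000001e;2", "SIP/voipms_44/0023155566195,300,") in new stack
[2016-08-27 09:30:02] VERBOSE[25001][C-00000020] pbx.c: Executing [s@macro-dialout-trunk:22] Dial("SIP/701-00000021", "SIP/voipms_44/18435551234,300,") in new stack
'''

# A Dial() step in the verbose log: timestamp, call id, source channel, tech/trunk/destination.
DIAL_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] VERBOSE\[\d+\]\[(?P<call>C-[0-9a-f]+)\] pbx\.c: Executing '
    r'\[[^\]]+\] Dial\("(?P<chan>[^"]+)", "(?P<tech>[^/"]+)/(?P<trunk>[^/"]+)/(?P<dest>[^,"]+)'
)
# Local channel names look like Local/<exten>@<context>-<8 hex digits>;<1|2>.
LOCAL_RE = re.compile(r'^Local/(?P<exten>[^@]+)@(?P<context>.+)-[0-9a-f]{8};[12]$')
# Prefixes seen in the thread: "00" in the log lines, "011" in the poster's description.
INTL_PREFIXES = ("00", "011")


def find_suspect_dials(log_text, known_contexts):
    """Return one finding per trunk Dial() that is international or that comes
    from a Local channel whose context is not in known_contexts."""
    findings = []
    for line in log_text.splitlines():
        m = DIAL_RE.match(line)
        if not m:
            continue
        reasons = []
        local = LOCAL_RE.match(m["chan"])
        if local and local["context"] not in known_contexts:
            reasons.append("unknown context " + local["context"])
        if m["dest"].startswith(INTL_PREFIXES):
            reasons.append("international prefix")
        if reasons:
            findings.append({"time": m["ts"], "call": m["call"],
                             "trunk": m["trunk"], "dest": m["dest"],
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    # Assumed allowlist: contexts the administrator knows they created or expect.
    for f in find_suspect_dials(SAMPLE_LOG, {"from-internal"}):
        print(f["time"], f["call"], f["trunk"], f["dest"], "; ".join(f["reasons"]))
```
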
 

SMTC

Member
Joined
Jan 22, 2009
Messages
190
Reaction score
13
Wow! I won't even try to understand how this happens. I have trouble just getting things to work when they are supposed to. lol.

"Kep'tin, the shields are up at maximum"
 

sirdotcom

Member
Joined
Mar 20, 2010
Messages
150
Reaction score
25
Thanks guys for your helpful replies. I'm using the Scientific Linux 13.2 ISO and I'm about to wipe it and start over ... this time with the firewall on of course!!!
 
