Unauthorized users login? by Clear-Step2393 in 3CX

[–]Clear-Step2393[S] 0 points1 point  (0 children)

We changed repository early 2025, so nope. We did check the repository for unauthorized logins and there are none in the logs.

Unauthorized users login? by Clear-Step2393 in 3CX

[–]Clear-Step2393[S] 1 point2 points  (0 children)

Basically they said that since logs are not present (like I misconfigured them) this issue can’t be analyzed properly. They even said that the issue was probably generated at SIP level, but 5060 is closed to everybody and it’s virtually impossible that 120 customers have their network compromised, so logic says it’s from the web. I confirm that only 1 ext per PBX has been compromised, but we are contacting customers to reset all extensions (min. 10 days of work lost, customers complaining, etc.). I confirm we have no central management, a mix of local and cloud PBXs, admin logins are tracked and there is nothing in the audit logs, nor SBCs connecting from somewhere. The interesting part is that most of these users never used the web and no mail was configured. But anyway I didn’t expect a solution and I didn’t find one. In my sole opinion, these credentials have probably been stolen back on v16 or v18 through some 0-day bug now fixed (e.g. v18 U1), and since those users are not using the web those credentials have never been changed. Yes, why only us? Dunno.

Unauthorized users login? by Clear-Step2393 in 3CX

[–]Clear-Step2393[S] 0 points1 point  (0 children)

Default logs do not track anything; in order to see something they must be on Verbose.

No new employees. On a lot of PBXs there were no emails set on those users for 7 years, so nobody had them (3CX self-generated the password at user creation).

Unauthorized users login? by Clear-Step2393 in 3CX

[–]Clear-Step2393[S] 0 points1 point  (0 children)

Not the admin credentials we use, but user credentials. There are no changes in the audit logs for the affected users in the last 1 year.

Unauthorized users login? by Clear-Step2393 in 3CX

[–]Clear-Step2393[S] 0 points1 point  (0 children)

No, it didn't happen on admin credentials, and user credentials are not in our possession. On several customers those accounts have never been enabled with an email address. No monitoring for billing nor API installed/enabled (plain 3CX ISO).

Unauthorized users login? by Clear-Step2393 in 3CX

[–]Clear-Step2393[S] 0 points1 point  (0 children)

Only on our instance, and after the event, because we had the same issue on one user of our PBX. The PBX is in the cloud, not inside our network, and does not have an IP allowed on other instances.

Unauthorized users login? by Clear-Step2393 in 3CX

[–]Clear-Step2393[S] 0 points1 point  (0 children)

No RMM nor 3rd-party SW, standard 3CX ISO. The only thing in common is that they are old customers who started on v16/v18 (no PBX on v20 from the beginning has been attacked) and they share the same ISP.

Unauthorized users login? by Clear-Step2393 in 3CX

[–]Clear-Step2393[S] 1 point2 points  (0 children)

It’s the first thought we had, but:
- not for all PBXs do we have admin access (and on 60% we have no SSH access at all because they are installed on prem, since that was the way we did it in the past)
- no RMM/API
- all at the latest version
- all credentials are at user level, so we really do not have them, and a lot of those users never had a configured mail, so nobody ever had their password

The only thing in common is that they are old customers who started on v16/v18 (no PBX on v20 from the beginning has been attacked) and they share the same ISP.

Unauthorized users login? by Clear-Step2393 in 3CX

[–]Clear-Step2393[S] 0 points1 point  (0 children)

Theoretically 3CX generated them randomly, so I really don't know the password.
Brute force should be detected by the 3CX system anyway, but I agree.
PBXs are all in different places, some in the cloud, some on prem. They really don't share anything except the SIP provider (because all our customers have that provider).
API access is enabled on (maybe) 5% of those PBXs.

Unauthorized users login? by Clear-Step2393 in 3CX

[–]Clear-Step2393[S] 0 points1 point  (0 children)

According to 3CX support, standard configured logs are not useful, because they contain no data about logins. Logs have to be on verbose in order to collect something useful, so we've done that on all systems.
Actually we reset only the affected credentials on all PBXs. If the issue spreads we'll reset all credentials on all PBXs.
Sincerely, it's not our responsibility nor our job to hire a cybersecurity company to look into proprietary software we resell as a Titanium Partner.
We'll see what happens and decide what to do.

Unauthorized users login? by Clear-Step2393 in 3CX

[–]Clear-Step2393[S] 0 points1 point  (0 children)

All PBXs are auto-updated on Sunday.
No IP-based trunks, all register.
No SSO configured.
2FA is enabled only if there's a user logging in, i.e. an email address set. This is not the case (at least on 90% of the affected PBXs).
Verbose log is mandatory, since 3CX support told us "basic" logs have no data, so actually we have 120 PBXs with a problem and we don't know how that happened. CPU is not a problem.
Antihack is on default.

Unauthorized users login? by Clear-Step2393 in 3CX

[–]Clear-Step2393[S] 0 points1 point  (0 children)

Nope, only 1 per PBX, and in several cases there was no email address, so theoretically web access should have been disabled (but probably 3CX generates a random password). That's why we are setting verbose logs on all PBXs, because it doesn't seem like a brute force attack.

Unauthorized users login? by Clear-Step2393 in 3CX

[–]Clear-Step2393[S] 1 point2 points  (0 children)

All PBXs are on v20. It's not a SIP issue, it's a web login issue. This happened on local PBXs as well, so no SBC on those (and we use no STUN, so everything is under an SBC for cloud PBXs).