Precautions to prevent hacking attempts from spam callers

First and foremost, there is no reason to blame 3CX for this hack; still, there are some recommendations here for them to prevent potential hacking in the future.

The call-center password was leaked by spyware and the hackers got it. Console access was open to all, so the hackers got control. Spammers made many calls, and once they got a call from the ISP saying that many suspected spam calls were going out from our number, they realized our server had been hacked.

Now the story begins.

First, they tried to log in to the system. The password wasn't working. So they tried to reset the password through email. No email was received. They installed Wireshark on the server to check whether any email traffic was being initiated to port 2528 (that's the 3CX SMTP port). No. Then they realized that the hacker had changed the email setting inside the console as well.

(Recommendation 1: The system has to send the email through the 3CX server as well as the configured server; otherwise you will never be able to reset the password of a hacked server.)

Then they checked the backup. They found only one backup file in the folder. The reason was that in the backup settings the rotation value was 1. That means only one backup is kept, and if you are unlucky, that backup is the one with the password that only the hacker knows.

(Recommendation 2: Please make the default rotation value at least 7.)

Then they tried to restore the backup, but there was no option to change the password during the restore. So even after restoring the backup, the hacker was still controlling our system.

(Recommendation 3: There should be an option to change the password while restoring. For the security of the backup, they already have an encryption password.)

Now they are configuring all the phones and agents one by one.

(Recommendation 4: Console access should be limited to private IPs by default.)

(Recommendation 5: Allowed country codes must be unchecked for all by default.)
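Recommendations 4 and 5 both aim at stopping the pattern in this story: a compromised PBX dialling international numbers in bulk. As an added example (not the author's code, and not anything 3CX ships), the script below runs a toll-fraud check over call records: it flags outbound calls to country codes outside an allow-list, and bursts of international calls from a single extension. The CDR lines, the CSV layout, the dialling-code table and the allow-list (UAE and India) are all constructed assumptions for the example; a real deployment would feed it the PBX's own call log export.

```python
"""Toll-fraud check over PBX call records (added example, assumptions labelled).

Flags (a) outbound international calls to country codes not on an allow-list and
(b) more than `burst_limit` international calls from one extension inside a window.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records, NOT real 3CX output. Assumed CSV layout:
# timestamp,extension,dialed_number,duration_seconds
# Numbers are either E.164 ("+...") or dialled with the 00 international prefix.
SAMPLE_CDR = """\
2024-03-01T22:01:05,101,+971501234567,120
2024-03-01T22:02:10,105,00447700900123,45
2024-03-01T22:02:40,105,00447700900124,50
2024-03-01T22:03:05,105,00447700900125,48
2024-03-01T22:03:30,105,+14155550100,60
2024-03-01T22:04:00,105,00447700900126,52
2024-03-01T09:15:00,102,+911234567890,300
"""

# Assumption: a small dialling-code table used for longest-prefix matching.
KNOWN_CODES = {"1", "44", "91", "971"}
# Assumption: the business only ever calls the UAE and India.
ALLOWED_CODES = {"971", "91"}


def parse_cdr(text):
    """Parse the assumed CSV layout into a list of dicts."""
    records = []
    for line in text.strip().splitlines():
        ts, ext, number, duration = line.split(",")
        records.append({"time": datetime.fromisoformat(ts), "ext": ext,
                        "number": number, "duration": int(duration)})
    return records


def international_digits(number):
    """Digits after the international prefix, or None if the call is domestic."""
    if number.startswith("+"):
        return number[1:]
    if number.startswith("00"):
        return number[2:]
    return None


def country_code(number, known=KNOWN_CODES):
    """Longest-prefix match (3, 2, then 1 digit) against the dialling-code table."""
    digits = international_digits(number)
    if digits is None:
        return None
    for length in (3, 2, 1):
        if digits[:length] in known:
            return digits[:length]
    return "unknown"


def check_calls(records, allowed=ALLOWED_CODES, burst_limit=3,
                window=timedelta(minutes=5)):
    """Return a list of findings; an empty list means nothing suspicious."""
    findings = []
    # (a) destination not on the allow-list (an unknown code is also disallowed)
    for r in records:
        cc = country_code(r["number"])
        if cc is not None and cc not in allowed:
            findings.append({"ext": r["ext"], "number": r["number"],
                             "reason": f"disallowed country code {cc}"})
    # (b) burst: sliding window over each extension's international call times
    by_ext = defaultdict(list)
    for r in records:
        if international_digits(r["number"]) is not None:
            by_ext[r["ext"]].append(r["time"])
    for ext, times in by_ext.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            if j - i > burst_limit:
                findings.append({"ext": ext,
                                 "reason": f"{j - i} international calls within {window}"})
                break  # one burst finding per extension is enough
    return findings


if __name__ == "__main__":
    for finding in check_calls(parse_cdr(SAMPLE_CDR)):
        print(finding)
```

On the sample data, extension 105 is the only one reported: five calls to codes off the allow-list plus one burst finding, while the single calls from 101 and 102 pass. Tuning `burst_limit` and `window` to the site's normal call volume is what makes the burst rule useful rather than noisy.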

I know that in large companies and corporates there are people to take care of these things. But in small companies, engineers leave these settings at their defaults. So, 3CX team, please make sure the default settings are the strictest.

Ethisham M

Ethisham is a technical blogger and regular contributor for Claudion, ERPGulf and related publications.

