LeonardG (Vendor) (OP)
20 Nov 13 15:49
I have two instances where I found our IP Office 500 with over 800 SIP extensions. Has anyone had this problem?
THX
jjoyner55 (TechnicalUser)
20 Nov 13 16:02
Are these, by chance, hot desk extensions? If you log off and log back in incorrectly it will have a tendency to create a new base extension. Make sure auto create SIP extensions is turned off in the System form.
intrigrant (Programmer)
20 Nov 13 16:06
Let me guess.... R8.1.67? There are more threads on this and it seems to be a bug in IP Office of some kind, nothing confirmed yet but unless you created remote access without the proper security then yes, the IP Office can be hacked but in a well secured config.. no way.

These are the steps to perform on any new install before connecting the system to any LAN:
Change the security settings, remove all unnecessary accounts and create a new one for yourself and one for the customer using complex passwords.
Lock down all connections you don't use like IPDECT etc.
Change the default system password, VM password and Monitor password.
Change the unique security account and give it a complex password.
Never ever link an IP Office directly to the Internet, always behind a solid firewall.
Use SIP trunks from providers who have a solid Session Border Controller or install one locally.
Allow only remote access to the IP Office through a secure VPN connection.

If you have done the above then it is nearly impossible to hack your system, but unfortunately there are a lot of installers now wondering what a "Session Border Controller" is and "Security settings? Where can I find that in my config?". These are not the kind of partners to work with these days.
LeonardG (Vendor) (OP)
20 Nov 13 16:28
This issue happened in the last two days.

To answer your questions, in both instances the IP Offices have been behind firewalls with only SIP ports opened since they were installed. Months ago all passwords were changed to difficult ones and all Manager and Security accounts have been deleted except a personalized account months ago.

We have not detected that a single call had been made by any of these extensions. However, I wanted to know how these new extensions could have been created.
amriddle01 (Programmer)
20 Nov 13 18:01
I think they may have found a way around it, but have you left auto create extn and/or user turned on for that system? :)

LeonardG (Vendor) (OP)
20 Nov 13 20:50
Yes the Auto create was on for SIP extensions on the WAN link. However, there is only one license for a SIP extension. I have since turned that option off. I will monitor it to see if that takes care of it. Thx.
Gunnaro (Vendor)
21 Nov 13 1:07
Ok, you have a firewall, good.

The auto extn was only on WAN? Then it sounds like it's coming from the outside. Any 0.0.0.0 routes?
Look in SSA, all the way down at IP Routes, it will show you even routes made by the system.

Kind regards

Gunnar
__________________________________________________________________
Hippos have bad eyesight, but considering their weight, it’s hardly their problem

LeonardG (Vendor) (OP)
21 Nov 13 15:46
Auto Extension was only enabled on the WAN. Since we discovered the problem we disabled it. No evidence of intrusion to the manager as the firewall only allows SIP ports to enter from the outside. It looks like the only attempt was to create extensions which could not dial out as the firewall did not allow the connection to establish. Since the auto extension feature was disabled there have been no new extensions created. It looks like this hole has been closed. THX
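
Added example, not part of the thread and not Avaya code: a detection sketch for the pattern discussed above, where one WAN-side source sends SIP REGISTER requests for many different extension numbers while auto-create is enabled. It assumes capture records of the form (source IP, raw SIP text); the LAN range, the threshold, the host name and all sample messages are constructed, and the idea that each REGISTER for an unknown user produced a new extension is an assumption the thread does not confirm.

```python
import ipaddress
import re
from collections import defaultdict

# Assumption: the site's LAN range; every other source counts as WAN-side.
LAN_NETS = [ipaddress.ip_network("192.168.42.0/24")]
# Assumption: more distinct users than this from one WAN source is suspicious.
MAX_USERS_PER_SOURCE = 3

# User part of the SIP/SIPS URI in the To header (long or compact "t" form).
TO_HEADER = re.compile(r"^(?:To|t)\s*:.*?<?sips?:([^@>;\s]+)@", re.I | re.M)

def is_lan(src):
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in LAN_NETS)

def register_user(message):
    """Return the To-URI user if message is a SIP REGISTER, else None."""
    request_line = message.lstrip().split("\n", 1)[0]
    if not request_line.upper().startswith("REGISTER "):
        return None
    match = TO_HEADER.search(message)
    return match.group(1).lower() if match else None

def suspicious_sources(records, limit=MAX_USERS_PER_SOURCE):
    """Map WAN source IP -> sorted users, for sources above the limit."""
    seen = defaultdict(set)
    for src, message in records:
        user = register_user(message)
        if user is not None and not is_lan(src):
            seen[src].add(user)
    return {s: sorted(u) for s, u in seen.items() if len(u) > limit}

def make_register(user, host="pbx.example.test"):
    # Constructed sample message, not a capture from the thread.
    return (f"REGISTER sip:{host} SIP/2.0\r\n"
            f"To: <sip:{user}@{host}>\r\n"
            f"From: <sip:{user}@{host}>;tag=1\r\n"
            f"Call-ID: {user}@sample\r\nCSeq: 1 REGISTER\r\n\r\n")

SAMPLE = (
    [("198.51.100.7", make_register(str(n))) for n in range(100, 110)]  # sweep
    + [("192.168.42.20", make_register("201"))]   # LAN phone, ignored
    + [("198.51.100.9", make_register("305"))]    # one remote user, under limit
    + [("198.51.100.7", "OPTIONS sip:pbx.example.test SIP/2.0\r\n\r\n")]
)

if __name__ == "__main__":
    for src, users in suspicious_sources(SAMPLE).items():
        print(f"{src}: {len(users)} distinct extensions requested: {users[:3]} ...")
```

A hit from a WAN source is a prompt to check whether auto-create is still enabled on that link and whether the extension list has grown.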
