
8.0 ip office hacked!! 2

Status
Not open for further replies.

Jonjr88

The past few nights my system has been getting hacked or something odd is going on. The first time, over 1000 SIP extensions and users were added; that happened a couple of times. Now, this time, over 2000 SIP extns and users were added, all of my user rights were deleted, and my Manager folder with backups was cleaned out!!! I was told they were able to get through VMPro. Any help would be great. I do use SIP trunks, and all passwords and usernames are changed, and I ordered an SBC, but I am not 100% convinced they are getting in through the WAN.

Thanks
 
They cannot get in through VM Pro; you need to configure VM Pro specifically to allow outside access, and then it's only to make calls, not anything like this. They will be coming in through your WAN. What do you get if you out the external address your system comes from into Manager/Monitor? In the meantime, turn off auto extn create on that interface :-)

 
That should be.... put the external address in Manager/Monitor not "out" :-)

 
If I put the external address in Manager, I can log in to it and make changes.
 
Then you did not change the standard credentials.
I bet you have auto create extension turned on, and I guess a lot of calls have been made to expensive numbers.
Change the login credentials right now and disable auto create extension for all type of extensions.


BAZINGA!

I'm not insane, my mother had me tested!

 
I changed the login credentials to a completely different username and password, disabled all other accounts, and auto create extn is off.
 
And no expensive numbers, plus international is locked; there is a separate code on the trunks to get out.
 
Why is the system on an external address? This isn't required for SIP or Remote extns :-)

 
And don't forget to remove routings you don't need, like 0.0.0.0/wan/static IP.
The narrower, the better.
Get a decent firewall if you need to keep it online.

Kind regards

Gunnar
__________________________________________________________________
Hippos have bad eyesight, but considering their weight, it’s hardly their problem
 
How else would I set it up without an SBC??
 
Yeah, I have the 0.0.0.0 route, but I thought I needed that for the trunks. Should I change the address to the address where the trunks are coming from??
 
We use SIP trunks and we have the system on an internal address without any port forwarding or anything. A good SIP provider will have an SBC themselves, and that will take care of your system's NAT. The only thing you may need to do is turn your router's SIP ALG off, depending on make/setup :-)

 
So... you have invited everyone on the Internet in the front door. Yes, change it, and if you ran STUN, check the settings there too.

Kind regards

Gunnar
__________________________________________________________________
Hippos have bad eyesight, but considering their weight, it’s hardly their problem
 
OK, I will try that, amriddle01. Thanks.
 
Gunnaro, I changed the IP route and I can still access from the outside. Any suggestions?
 
What did you change the IP route to?

-Austin
ACE: Implement IP Office
 
If you are using the same connection that the system uses, it will be coming from the same address range, so the system will respond. What if you try from a totally different connection? You really need it on an internal address :-)

 
address to (sip provider)
mask- 0.0.0.0
gateway to - gateway of my external IPs
 
I logged into a customer's PC and tried from their Manager.
 
The mask should be 255.255.255.255 to allow a single address only :-)
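
The mask point from the last replies, as an added example that is not part of the thread: a small Python check showing which network each route entry really matches and flagging entries that cover more than the SIP provider's address. The provider and gateway addresses are constructed placeholders from documentation ranges, and `route_network` and `audit_routes` are hypothetical helper names.

```python
import ipaddress

def route_network(destination, mask):
    """Return the network an (address, mask) route entry actually matches."""
    # strict=False clears the host bits, the way a router does when matching.
    return ipaddress.ip_network(f"{destination}/{mask}", strict=False)

def audit_routes(routes, trusted_hosts):
    """Flag routes that cover addresses other than the trusted hosts.

    routes: list of (destination, mask, gateway) strings.
    trusted_hosts: addresses that need a route, e.g. the SIP provider.
    """
    trusted = {ipaddress.ip_address(h) for h in trusted_hosts}
    findings = []
    for destination, mask, gateway in routes:
        net = route_network(destination, mask)
        covered_trusted = sum(1 for h in trusted if h in net)
        findings.append({
            "entry": f"{destination} / {mask} via {gateway}",
            "matches": str(net),
            "addresses": net.num_addresses,
            # Too broad if the route reaches anything besides trusted hosts.
            "too_broad": net.num_addresses - covered_trusted > 0,
        })
    return findings

# Constructed sample values (documentation address ranges), not from the thread.
SIP_PROVIDER = "203.0.113.10"
GATEWAY = "198.51.100.1"
ROUTES = [
    ("0.0.0.0", "0.0.0.0", GATEWAY),             # default route
    (SIP_PROVIDER, "0.0.0.0", GATEWAY),          # provider address, mask 0.0.0.0
    (SIP_PROVIDER, "255.255.255.255", GATEWAY),  # host route to the provider
]

if __name__ == "__main__":
    for row in audit_routes(ROUTES, [SIP_PROVIDER]):
        verdict = "TOO BROAD" if row["too_broad"] else "ok"
        print(f'{row["entry"]:46} -> {row["matches"]:16} '
              f'{row["addresses"]:>10}  {verdict}')
```

With mask 0.0.0.0 the provider address is masked away entirely, so the second entry is the same default route as the first.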

 