Hacked

[Thermus]

I have a customer with an IPECs 50B with 5.0Gs software and 3 ISDN BRA trunks.

Last weekend the customer got hacked and some lucky people got to make lots of calls to Cuba via their PABX.

This is embarrassing enough but I still cannot break out of the PABX auto attendant or voicemail using any codes at all.

The PABX was on night service, directed to an AA with CCR to leave a MSG or go to another CCR table to dial speed dials of certain people.

All CCR digits were programmed with destinations.

PGM 166 has all COS set to 07

PGM 227 auth codes had default pswd "*"

Unfortunately SMDR was not being recorded

Can anyone out there tell me how hack an ipecs because I need to stop this.

Have since changed PGM 227 auth code COS Night and Timed to 07.

 

[odyjohnf]

Thermus/ Doktor, thanks for your fast replies.

I have changed the codes to be stronger, and have also added the call barring on night service and on the actual isdn30 itself via the carrier. This seems to have prevented the unauthorised calls.

I still cant see how its possible to break out to a trunk from within a user voice mail though? Is this a bug/vulnerability in the 5.0 software or something? I cant recreate how this is done.

Thanks again,

john

 

[doktor]

The ISDN30 carrier we use gives a warning automatically if the load on the trunk increases rapidly - with internatioanl calls.
The carrier is TDC in Denmark. Maybe you can push you carrier to do this also.

///doktor

 

[3Sixty]

I normally find that the individuals who complete this type of hack do not want to make free phone calls, but they have set up a premium number in a far away place that is extremely difficult to trace. They then enable remote notification on voicemail boxes set the remote notification to the lowest setting and number of attempts to the highest setting. They then leave blank messages on all the mailboxes and the system does all the hardwork by contacting the number over and over again racking 1,000s on the calls to notify the users of messages.

Thanks,
Colin

http://www.3sixtynetworks.com

 

[SteveBUK]

When training I always advise the engineers to NOT use default or blanket program passwords in PGM 227....
THIS IS very important.... Cos if I know my passowrd, I now know everyones...


Regards
Steve

 

[PuffinBilly]

Hi Guys

Make sure the password is not at default "*" on all extension ports. I am talking about all extn s availible to Ipecs not just those using voicemail or those with phones connected. if Stn 149 does not physically exist but has a known password to me I can make my calls to whereever I wish.
For those of you that are no aware the hackers are likely to be highly organised Russian Mafia types.
Once control of system is obtained calls are redirected to international equivalant of a 1900 service.
Calls are made, Telstra pay the Russians/Cubans etc who pay the holder of the 1900 service. Telstra bill the owner of the phone service the calls call originted from.
Bills can be around $30'000 - $40'000 for a weekend of calls.
Telstras Stance is that they have provided a legitimate service that you must pay for.

Going back to step 1 change password on all extensions.
This is easiest via phone programming not using network access as full extn range can be changed in one hit.
I think you will also find that LG will insist that latest firmware should be installed. They have removed the default password in this forcing you to set your own.