
IPO 8.1.67 Automatically Creating Unknown SIP Extensions and Users

Status: Not open for further replies.

DBrewsky (Vendor)
I have an IPO 8.1.67 that overnight will automatically create extensions and users. These look odd because it will create x100, x150, x200, x250, etc. Pretty much every 50 up to x10000, even 9000, 9050, 9150, etc. and is screwing up our outbound dialing.

Has anyone seen this?


Thanks!

--DB

 
Note: I have ensured Auto Extension Creation is turned off. One thing we do have on this is that LAN2 (WAN) is connected directly to the internet for SIP trunk routing with no firewall. Is there something that I can enable in order to only use this interface for SIP traffic to specific destinations?

--DB

 
Hi!

How is your security? Any 0.0.0.0 routing to your Internet side to the IPO? (WAN Port)

Kind regards

Gunnar
__________________________________________________________________
Hippos have bad eyesight, but considering their weight, it’s hardly their problem

 
Yes, I do have a 0.0.0.0 route pointed to the WAN. Maybe I can find the SIP providers and their IP addresses and use static routes and then put the 0.0.0.0 address to the internal LAN1 interface and point it to the local LAN gateway.

--DB

 
That sounds like a good idea:)

Make your routings as specific as possible.
<IP PROVIDER>/255.255.255.255/GW/LAN2
0.0.0.0 to Internal-address-not-in-use/LAN1 (dead)

But are you saying that there is no firewall present? That's Russian roulette!

You might want to have a look at this thread: Same thing happened to this guy

Kind regards

Gunnar
 
Are you sure auto create extension is turned off because it still happens?

BAZINGA!

I'm not insane, my mother had me tested!

 
On both Lan1 and Lan2?



 
(it's probably ON at LAN2, or you have been properly hacked/poked)

Still, get that door closed, there are no good reasons for inviting everyone in.

Since you don't have any firewall, at least activate the internal one for now.
You should really consider buying a good firewall; it's for your own protection and wellbeing.

Kind regards

Gunnar
 
I have verified both interfaces do not allow for auto extension creation. But the funny thing is it is creating the extensions/users in increments of 50... Odd..

But I did change all the passwords (even Security).

There is a firewall option in the IP Office, but it's not being used. But it's only for telnet, gopher, etc. I don't see anything that could be set to not allow IPO Manager access via the WAN port.

As for the SIP providers, I am contacting them now to determine what their SBC IP address is and if they can force voice traffic through that interface only. One of the providers turned that on, but prior to that it would just redirect the packets to wherever they needed to go on the public network.

One last thing. We deal with a partner for tier 2 support. I called them and every question I asked was answered, "I don't know.." I would rather not bash this company (Catalyst) on a public forum, but their responses seemed odd. They were more concerned about answering the next caller in queue rather than figuring out the issue. Luckily our systems have IPOSS and I can go directly to Avaya.

Thanks for the replies. If you feel the internal firewall rules can be applied, then please let me know.



--DB

 
Looks like a security issue.
I can't tell you how many new sites I go to that are using the default password!

Open SSA, Resources -> Control Unit Audit
You will be able to see when, who, what, and the IP address of whoever made the change(s)

 
I looked at Audit and it was only me who has logged in to Administrator within the last couple of days.. That's what led me down the Automatic Extension Creation path.

I will be keeping an eye on it and leave Monitor running and collecting log files to see if I can find something there.

--DB

 
Is it perhaps the Avaya soft phone?
Can you delete those extensions?


 
The new phones show as "Unknown SIP Device"

--DB

 
It seems that even with auto create off, the system can be "hacked" into creating them anyway, and then the users and calls can be made; nothing shows in the audit trail. This isn't the first instance of this happening recently :-)

 
The Avaya softphone will auto create an extension, but always higher than the highest extension number.


 
It isn't that Peter, after the hack they attempt calls..... to Mali usually :-)

 
Brewsky, activate that firewall; it blocks Manager by default.
You can make changes to it, but I won't put that info out on an open forum...

You can't see all changes to the system on SSA, then it would be flooded:)

My best guess is that someone is banging in your door with a sip softphone, have a blast (and maybe even watching this forum).

Kind regards

Gunnar
 
Number one here is Somalia...and that ain't cheap calls!

Kind regards

Gunnar
 
UPDATE:

I found the Auto-Create Extn/User in the SIP Registrar which is enabled on both the LAN and WAN port. I will make the change and reboot the system.

--DB
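The two controls this thread converges on, as an added example that is not code from the thread, from Avaya or from IP Office: the registrar's auto-create behaviour (the Auto-Create Extn/User setting found in the update above) and Gunnar's advice to let only the SIP provider's addresses reach the WAN interface. The script is a toy policy model in Python, not a model of IP Office itself; the SIP domain pbx.example.invalid, the scanner address 198.51.100.7 and the SBC address 192.0.2.10 are constructed placeholders. It also flags the evenly spaced sweep (100, 150, 200, ...) that DB saw, by looking at the refused REGISTER attempts per source.

```python
# Added example, not from the thread, Avaya or IP Office: a toy model of a SIP
# registrar with/without auto-create of unknown extensions, behind an optional
# per-interface source allowlist. All addresses and the domain are constructed.
import ipaddress
import re
from dataclasses import dataclass, field

REQUEST_LINE = re.compile(r"^REGISTER\s+sip:\S+\s+SIP/2\.0$")
TO_HEADER = re.compile(r'^To:\s*(?:"[^"]*"\s*)?<?sip:([^@>;\s]+)@', re.IGNORECASE)

@dataclass
class Registrar:
    known_extensions: set        # extensions that exist in the configuration
    auto_create: bool            # the 'Auto-Create Extn/User' style registrar setting
    allowed_sources: list        # ip_network objects; an empty list means no filtering
    created: list = field(default_factory=list)   # (ext, src) pairs auto-created
    rejected: list = field(default_factory=list)  # (ext, src) pairs refused

def parse_register(msg: str):
    """Return the user part of the To: AoR of a SIP REGISTER, or None for any other request."""
    lines = msg.strip().splitlines()
    if not lines or not REQUEST_LINE.match(lines[0].strip()):
        return None
    for line in lines[1:]:
        m = TO_HEADER.match(line.strip())
        if m:
            return m.group(1)
    return None

def handle(reg: Registrar, src_ip: str, msg: str) -> str:
    """Source allowlist first, then registrar policy; returns a one-word outcome."""
    ip = ipaddress.ip_address(src_ip)
    if reg.allowed_sources and not any(ip in net for net in reg.allowed_sources):
        return "dropped"                # never reaches the SIP stack at all
    ext = parse_register(msg)
    if ext is None:
        return "passed"                 # allowed source, not a REGISTER (e.g. a trunk INVITE)
    if ext in reg.known_extensions:
        return "registered"
    if reg.auto_create:
        reg.known_extensions.add(ext)   # an unknown device has just become an extension
        reg.created.append((ext, src_ip))
        return "created"
    reg.rejected.append((ext, src_ip))
    return "rejected"                   # a real registrar answers 403/404 here

def build_request(method: str, ext: str, host: str = "pbx.example.invalid") -> str:
    """Constructed minimal SIP request; the domain is a placeholder."""
    return (f"{method} sip:{host} SIP/2.0\r\n"
            f"From: <sip:{ext}@{host}>;tag=t{ext}\r\n"
            f"To: <sip:{ext}@{host}>\r\n"
            f"CSeq: 1 {method}\r\n"
            f"Content-Length: 0\r\n\r\n")

def sweep_sources(attempts, min_count: int = 4) -> dict:
    """Map source -> stride for sources whose refused numeric extensions form an even sweep."""
    by_src = {}
    for ext, src in attempts:
        if ext.isdigit():
            by_src.setdefault(src, set()).add(int(ext))
    flagged = {}
    for src, exts in by_src.items():
        ordered = sorted(exts)
        gaps = {b - a for a, b in zip(ordered, ordered[1:])}
        if len(ordered) >= min_count and len(gaps) == 1:   # constant stride, e.g. 100, 150, 200
            flagged[src] = gaps.pop()
    return flagged

def demo() -> dict:
    scanner, sbc = "198.51.100.7", "192.0.2.10"   # constructed attacker and provider SBC addresses
    existing = {"201", "202", "203"}
    probes = [str(n) for n in range(100, 600, 50)]  # 100, 150, ..., 550: the stride seen in the thread
    # 1. As found: registrar reachable from the Internet with auto-create on.
    exposed = Registrar(set(existing), auto_create=True, allowed_sources=[])
    exposed_results = [handle(exposed, scanner, build_request("REGISTER", e)) for e in probes]
    # 2. Auto-create off but still unfiltered: nothing is created, the attempts are still visible.
    no_create = Registrar(set(existing), auto_create=False, allowed_sources=[])
    for e in probes:
        handle(no_create, scanner, build_request("REGISTER", e))
    # 3. Allowlist: only the provider SBC reaches the SIP stack on this interface.
    fenced = Registrar(set(existing), auto_create=False,
                       allowed_sources=[ipaddress.ip_network("192.0.2.10/32")])
    fenced_results = [handle(fenced, scanner, build_request("REGISTER", e)) for e in probes]
    provider_result = handle(fenced, sbc, build_request("INVITE", "15551234567"))
    return {
        "created_when_exposed": exposed_results.count("created"),
        "created_when_auto_create_off": len(no_create.created),
        "sweep": sweep_sources(no_create.rejected),
        "dropped_by_allowlist": fenced_results.count("dropped"),
        "provider_result": provider_result,
    }

if __name__ == "__main__":
    print(demo())
```

Run it with python3 and it prints the counts for the three configurations. The allowlist check runs before any SIP parsing, which is the point of Gunnar's host-specific routes and of a firewall in front of LAN2: a scanner's REGISTER should be dropped before the registrar decides anything about it. Turning auto-create off only changes what the registrar does with the traffic it still receives, so the sweep is still visible in the refused attempts, which is also the signal to alert on.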

 