Ipo Hacked 5

[Zandolee]

Hi guys, totally stumped with this one.
Customer has IPO 8.1 (85)
3 t7208 digi phones
2 analog ports with no phones connected, but has extensions configured.
1 remote h323 phone
internet facing public IP on the Wan ( I know this is nuts, but it's not my choice)

After using audit trail and seeing "unknowns" trying to connect to the system, the customer changed all the security users' passwords, and the administrator password.

Today while on site the phones randomly started going off hook on speaker phone and dialing a number in Israel. Using system status, active calls, you just see it as if a user picked up the phone and dialed the number.
Do any of you know what they were using to connect to the IPO and make those calls? Audit trail shows nothing and system status wasn't any help.
I have checked all short codes and none seems out of place. Any help will be gladly appreciated.

Thanks

 

[DavidCT]

They are using the operator and manager accounts.

They likely sucked your config off the system too, and using freeware, it's quite easy to see your passwords in clear text.

 

[amriddle01]

They're actually using Phone Manager and/or TAPI to do this

 

[hairlessupportmonkey]

> internet facing public IP on the Wan ( I know this is nuts, but it's not my choice)

Just walk away if they dont want to secure their IPO.

You could also remove the 0.0.0.0 route to your gateway and for the IP Phone tie it to the remote end IP address.

ACSS - SME
General Geek

 

[hairlessupportmonkey]

Also ask the so called decision makers to read this:

http://www.ipofficeinfo.com/TechBulletins/tb161.pdf

Also leave it alone over the weekend, and check the phone bill at the end of the month.... it will be huge.

ACSS - SME
General Geek

 

[sizbut]

Rather than hacking the admin accounts, sounds like they were using (or emulating) one of the apps (Phones Manager, one-X Portal, Softphone) to do phone control. They do that using likely usernames and passwords so thats another side of security that needs to be beefed up on the system - in addition to putting something between it and the whole world wide web.

Stuck in a never ending cycle of file copying.

 

[hairlessupportmonkey]

> whole world wide web

worse, the whole of the internet.

ACSS - SME
General Geek

 

[Zandolee]

Thanks guys, they tried to log into the systems using the manager,and operator but these passwords were changed and they did not get through. So if they are using phone manager or something like it, how would they connect without the password?
And if they have the config file, it does not contain the passwords does it? The only way to reset passwords without access to the system is through the DTE port at the back of the IPO.
I am at a lost, but will check out TAPI and phone manager

 

[hairlessupportmonkey]

the easiest way is with TAPI, as on recent releases now, the password for TAPI is password and not the switch password.

ACSS - SME
General Geek

 

[CarGoSki]

Zandolee. You are not listening. They simply connect to any user that has no user password. You know.. the password on the user form just below the user name. Do you have passwords for all of those users?

It works like this:
They use applications to find open ports then use scanners to query the phone system. Once they have a user list they use an app to connect to the user to make a call. Naturally they connect to a user that is not password protected. They make a couple calls back to themselves to make sure it works then at some date and time in the future they make many short duration calls to suspect destinations. It is these destinations that charge big bucks just to connect. That is why the bill shows many short duration calls.

That is one of many strategies to hack. Protect all passwords and turn off auto create extensions for h.323 and sip extensions

Follow the tech bulletin.

 

[sizbut]

worse, the whole of the internet" - precisely, that just doesn't alliterate nicely (bugger technical accuracy).

Stuck in a never ending cycle of file copying.

 

[Zandolee]

Boy this thing is stress oui! Thanks for helping me out, at least now I know how they did it and have a better understanding of TAPI.

 

[tlpeter]

For now remove it from the internet, this will stop it.
Get a firewall and only allow certain port and perhaps IP addresses.

BAZINGA!

I'm not insane, my mother had me tested!

 

[smokinjoe2938]

Give the next phone bill to the genus who gave the phone system a public ip address on the wan port, here's your sign!

acss sme acis sme acss cm 5.2.1 acss cm and cmm acss aura messaging.

 

[tekguy125]

Has anyone ever seen this type of behavior on the phones after they have disconnected the system from their network? The system is using a PRI. How would the hackers be connecting to the system if it is disconnected from the network

 

[amriddle01]

You can still Dial in over ISDN and that forms a network connection, I often dial in and use Phone Manager to initiate dialling while testing for customers. That's an expensive way to do it though and leaves a trail...2 things hackers don't like. Are the handsets going off hook and dialling themselves or are you just seeing some forwarding go active?

 

[tekguy125]

Phones are going off hook and numbers are showing up on the screen.

 

[amriddle01]

If it's not on the network at all then they must be using Dial In. SSA will show this if you run a continuous log, but that will require you to dial in for ages until it happens or put it back on the network and run SSA locally

 

[Gunnaro]

Tighten the Security on your dial in. That would be:
- New pwd on the Remote user
- Only allow specific numbers in your ICR for the dial in.

That said, it sounds a bit strange to do the attack this way, so make sure there is no links left (like double check the cabling going to the IPO, switches or computers running wifi and cabled to the back of an IP phone.

Kind regards

Gunnar
______________________________________
Mille viae ducunt homines per saecula Romam

 

[tekguy125]

Thanks for the tips guys, I'll check it out