IP Office hacked

I have two instances where I found our IP Office 500 with over 800 SIP extensions. Has anyone had this problem?

RE: IP Office hacked

Are these, by chance, hot desk extensions? If you log off and log back in incorrectly it will have a tendency to create a new base extension. Make sure auto create SIP extensions is turned off in the System form.

RE: IP Office hacked

Let me guess... R8.1.67? There are more threads on this and it seems to be a bug in IP Office of some kind, nothing confirmed yet, but unless you created remote access without the proper security then yes, the IP Office can be hacked, but in a well-secured config... no way.

These are the steps to perform on any new install before connecting the system to any LAN:
Change the security settings, remove all unnecessary accounts and create a new one for yourself and one for the customer using complex passwords.
Lock down all connections you don't use like IPDECT etc.
Change the default system password, VM password and Monitor password.
Change the unique security account and give it a complex password.
Never ever link an IP Office directly to the Internet, always behind a solid firewall.
Use SIP trunks from providers who have a solid Session Border Controller or install one locally.
Allow only remote access to the IP Office through a secure VPN connection.

If you have done the above then it is nearly impossible to hack your system, but unfortunately there are a lot of installers now wondering what a "Session Border Controller" is and "Security settings? Where can I find that in my config?". These are not the kind of partners to work with these days.

RE: IP Office hacked

This issue happened in the last two days.

To answer your questions, in both instances the IP Offices have been behind firewalls with only SIP ports opened since they were installed. Months ago all passwords were changed to difficult ones, and all Manager and Security accounts were deleted except a personalized account.

We have not detected that a single call had been made by any of these extensions. However, I wanted to know how these new extensions could have been created.

RE: IP Office hacked

I think they may have found a way around it, but have you left auto create extn and/or user turned on for that system?

RE: IP Office hacked

Yes, the Auto create was on for SIP extensions on the WAN link. However, there is only one license for a SIP extension. I have since turned that option off. I will monitor it to see if that takes care of it. Thx.

RE: IP Office hacked

Ok, you have a firewall, good.

The auto extn was only on WAN? Then it sounds like it's coming from the outside. Any routes?
Look in SSA, all the way down at IP Routes, it will show you even routes made by the system.

Kind regards

Hippos have bad eyesight, but considering their weight, it’s hardly their problem

RE: IP Office hacked

Auto Extension was only enabled on the WAN. Since we discovered the problem we disabled it. No evidence of intrusion to the manager, as the firewall only allows SIP ports to enter from the outside. It looks like the only attempt was to create extensions which could not dial out as the firewall did not allow the connection to establish. Since the auto extension feature was disabled there have been no new extensions created. It looks like this hole has been closed. THX
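
One way to look for the traffic behind the symptom in this thread, as an added example that is not part of the original posts: it counts how many distinct users each outside address tried to register in captured SIP REGISTER requests. It assumes the unexpected extensions correspond to REGISTER requests arriving on the WAN side; the capture format, addresses, hostname, helper names and threshold are all constructed for illustration.

```python
import re
from collections import defaultdict

# User part of the To header: the address-of-record a REGISTER is asking for.
TO_USER = re.compile(r"^(?:To|t)\s*:.*?<?sips?:([^@>;\s]+)@",
                     re.IGNORECASE | re.MULTILINE)

def registered_user(raw_message):
    """Return the To-header user of a SIP REGISTER request, else None."""
    request_line = raw_message.split("\r\n", 1)[0]
    if not request_line.upper().startswith("REGISTER "):
        return None
    match = TO_USER.search(raw_message)
    return match.group(1) if match else None

def suspicious_sources(capture, internal_prefixes, max_users_per_source=3):
    """Return {source_ip: sorted users} for external sources that tried to
    register more distinct users than max_users_per_source."""
    users_by_source = defaultdict(set)
    for source_ip, raw_message in capture:
        if source_ip.startswith(tuple(internal_prefixes)):
            continue  # LAN phones are expected to register
        user = registered_user(raw_message)
        if user is not None:
            users_by_source[source_ip].add(user)
    return {ip: sorted(users) for ip, users in users_by_source.items()
            if len(users) > max_users_per_source}

def _register(user):
    """Build a constructed REGISTER request for the sample capture."""
    host = "pbx.example.invalid"  # placeholder hostname
    return (f"REGISTER sip:{host} SIP/2.0\r\n"
            f"To: <sip:{user}@{host}>\r\n"
            f"From: <sip:{user}@{host}>;tag=constructed\r\n"
            "Call-ID: constructed\r\nCSeq: 1 REGISTER\r\n"
            "Content-Length: 0\r\n\r\n")

# Constructed capture of (source IP, raw SIP message); documentation addresses.
SAMPLE_CAPTURE = (
    [("203.0.113.7", _register(str(ext))) for ext in range(100, 108)]
    + [("198.51.100.20", _register("201")),   # single remote user
       ("192.168.42.15", _register("202")),   # LAN phone, ignored
       ("203.0.113.7", "OPTIONS sip:pbx.example.invalid SIP/2.0\r\n\r\n")]
)

if __name__ == "__main__":
    for ip, users in suspicious_sources(SAMPLE_CAPTURE, ["192.168."]).items():
        print(f"{ip} tried to register {len(users)} users: {', '.join(users)}")
```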
