
IP Office hacked


LeonardG (Vendor, joined Jan 22, 2013, 5 messages, US):
I have two instances where I found our IP Office 500 with over 800 SIP extensions. Has anyone had this problem?
THX
 
Are these by chance hot desk extensions? If you log off and log back in incorrectly it will have a tendency to create a new base extension. Make sure auto create SIP extensions is turned off in the System form.
 
Let me guess.... R8.1.67? There are more threads on this and it seems to be a bug in IP Office of some kind, nothing confirmed yet but unless you created remote access without the proper security then yes, the IP Office can be hacked but in a well secured config.. no way.

These are the steps to perform on any new install before connecting the system to any LAN:
Change the security settings, remove all unnecessary accounts and create a new one for yourself and one for the customer using complex passwords.
Lock down all connections you don't use like IPDECT etc.
Change the default system password, VM password and Monitor password.
Change the unique security account and give it a complex password.
Never ever link an IP Office directly to the Internet, always behind a solid firewall.
Use SIP trunks from providers who have a solid Session Border Controller or install one locally.
Allow only remote access to the IP Office through a secure VPN connection.

If done the above then it is nearly impossible to hack your system, but unfortunately there are a lot of installers now wondering what a "Session Border Controller" is and "Security settings? Where can I find that in my config?". These are not the kind of partners to work with these days.
 
This issue happened in the last two days.

To answer your questions, in both instances the IP Offices have been behind firewalls with only SIP ports opened since they were installed. Months ago all passwords were changed to difficult ones and all Manager and Security accounts have been deleted except for a personalized account months ago.

We have not detected that a single call had been made by any of these extensions. However, I wanted to know how these new extensions could have been created.
 
I think they may have found a way around it, but have you left auto create extn and/or user turned on for that system? :-)

 
Yes the Auto create was on for SIP extensions on the WAN link. However, there is only one license for a SIP extension. I have since turned that option off. I will monitor it to see if that takes care of it. Thx.
 
Ok, you have a firewall, good.

The auto extn was only on WAN? Then it sounds like it's coming from the outside. Any 0.0.0.0 routes?
Look in SSA, all the way down at IP Routes, it will show you even routes made by the system.

Kind regards

Gunnar
__________________________________________________________________
Hippos have bad eyesight, but considering their weight, it’s hardly their problem

 
Auto Extension was only enabled on the WAN. Since we discovered the problem we disabled it. No evidence of intrusion to the Manager as the firewall only allows SIP ports to enter from the outside. It looks like the only attempt was to create extensions which could not dial out as the firewall did not allow the connection to establish. Since the auto extension feature was disabled there have been no new extensions created. It looks like this hole has been closed. THX
 