Avaya IPO 8 hacked and passwords changed, unable to reset. 1

[AXCL824]

Anyone aware of how to reset a hacked IPO with the passwords reset when you can't run any AT commands?

We believe the IPO was hacked while attempting to get external phone IP dialing working...not using the VPN method...yea I know stupid idea. All firewall rules have been disabled. The system appears to be working as it should with no further unauthorized calls, but we still can't get into Manager.

The password have all been reset and when you try any AT commands at the DTE you just get "Error". In fact you get "error" just by pressing enter at the prompt. What is displayed during boot and after at the prompt is not what you'd expect to see, so the hackers have done something in an attempt to disable the ability to reset anything. It does allow "?" and any of the commands listed here seem to work. Only non intrusive ones that output version numbers have been tested. Any chance the DTE is locked in datatransfer mode? Tried +++ to break, but again just "Error", but I also know there is a way to disable the +++ to break, but I believe this should reset on a reboot, but no go.

I've read about a lot of Avaya hacks, including password resets, but all listed still allowed the at-securityresetall to be run. This one is much more malicious. This system only had ports opened for 24-48hrs, so nothing should be considered safe without strict lockdown (Yes...Mr. Obvious!)

 

[AXCL824]

Westi - Just tried Exit, same error, when I type HATRIC, it asks "Enter Hatric number (1-4):"

I can't find any info on that command, so I'm hesitant to enter anything unless someone knows a bit more.

Westi/intrigrant - Thanks for the info on the SD Card. Going to review these options now.

 

[AXCL824]

Westi - your 1) option doesn't work for us as it requires a login...thats not working.

 

[AXCL824]

Ok...Lots of updates.

I pulled the SD card and have found a few things.

1) IPGuru - There is no security.cfg file on the SD card, so I have nothing to delete and it's been rebooted, so I guess that wouldn't fix anything. Now I'm worried if I delete the config.cfg, it would be in a state that I couldn't reload a backup config.
2) intigrant - Checked the nouser source numbers, nothing
3) found some arabic writing for a couple of new Incoming Call Routes - translated to something like, "looking for lines I can access"

No other real changes I've found so far.
Anything else in the config I can search for that would force it to boot differently?

intigrant - your latest ordered list of suggestions, doesn't mention anything to do with deleting/renaming a security.cfg file, only the config.cfg file. Is the security.cfg data now stored in the config.cfg and the file doesn't exist in my version, or is there an issue that I'm missing it? Do you still expect your suggested fix to do the same thing?

 

[IPGuru]

if you are sertain that you are getting no responce from the Serial port (Should be 38400 baud) when the system is running so that AT-SECURITYRESETALL does not work then I thin you only option is a total reset

hold the Reset button for 30-40 seconds (the LED will turn RED) & then release

this will erase CFG, Alarm Log & Core software so you will have to recreate the SD card to get the unit back up, but you should then have a Virgin system that you can restore your backup cfg into.


you may prefer to replace the IP500V2 CCU & recover the existing unit at your leisure off site.


Do things on the cheap & it will cost you dear

 

[sizbut]

Not had a chance to break out my DTE cable yet but really scratching the memory, look for a user called DTEDefault in the configuration. Surprised if its even still supported but their source numbers tab would be a way to sneak an automatic AT-DEBUG command into the system, which is the mode your system appears to be stuck in.

Stuck in a never ending cycle of file copying.

 

[AXCL824]

sizbut - I checked both the Operators list and the Users list. No "DTEDefault

 

[intrigrant]

I wonder what will happen if you give the "Abort" command with PuTTy, I wouldn't be surprised if it will run as a "normal" unit.

 

[AXCL824]

Hi to Everyone that tried to help.

It turns out that Westi is local and got the call to come assist! Thanks!!!

We're not sure exactly what did it, but the DTE eventually started working. The only conclusion we could come up with is that removing the SD card long enough to replicate it, may have reset something that several reboots did not.

At this point, AT-SECURITYRESETALL was able to reset the passwords. This time all user/password info was changed from the default and many originally default ports were changed to resolve some security holes.

Again Thanks for all of your input!