Avaya IPO 8 hacked and passwords changed, unable to reset. 1

[AXCL824]

Anyone aware of how to reset a hacked IPO with the passwords reset when you can't run any AT commands?

We believe the IPO was hacked while attempting to get external phone IP dialing working...not using the VPN method...yea I know stupid idea. All firewall rules have been disabled. The system appears to be working as it should with no further unauthorized calls, but we still can't get into Manager.

The password have all been reset and when you try any AT commands at the DTE you just get "Error". In fact you get "error" just by pressing enter at the prompt. What is displayed during boot and after at the prompt is not what you'd expect to see, so the hackers have done something in an attempt to disable the ability to reset anything. It does allow "?" and any of the commands listed here seem to work. Only non intrusive ones that output version numbers have been tested. Any chance the DTE is locked in datatransfer mode? Tried +++ to break, but again just "Error", but I also know there is a way to disable the +++ to break, but I believe this should reset on a reboot, but no go.

I've read about a lot of Avaya hacks, including password resets, but all listed still allowed the at-securityresetall to be run. This one is much more malicious. This system only had ports opened for 24-48hrs, so nothing should be considered safe without strict lockdown (Yes...Mr. Obvious!)

 

[budbyrd]

If you have a back up you can reset with the button on the back, there are three different levels of reset, I don't recall how long you have to hold it, but I know 30 seconnds will do a complete wipe.

Dermis and feline can be divorced by manifold methods.*
*(Disclaimer for all advise given)--'Version Dependent'

 

[IPGuru]

assuming an ip500V2 you can try removing the security.cfg file form the SD card


Do things on the cheap & it will cost you dear

 

[Pepp77]

budbyed, the reset hole only resets the config, it doesnt touch the security settings (and its 10-30 seconds or flashing orange to reset).

| ACSS SME |

 

[AXCL824]

budbyrd - Yes, to confirm it is IP500V2.

IPGuru - Could try to modify the SD card, but I don't believe that would resolve whatever the other changes are to the DTE setup. I guess it would at least provide access and GUI control over a deeper review. Do you think it would be possible to replace the security.cfg with a known good copy if just deleting it didn't work? Never messed with the SD before, so wasn't sure if it was protected by a CRC check or something similar.

 

[AXCL824]

Pepp77 - So I guess that rules out that option being of any value to us. Any other reset options available. Preferably like a factory reset, but not a full software reload.

CCR and VM Pro are on another server, including a config backup, but it's looking like even getting a config restored wouldn't help us, but it does allow for a complete wipe and reinstall of IPO...but I believe you need the DTE for that too.

 

[amriddle01]

Just swap the chassis out, they're cheap enough, then put the (secured) config back on

 

[holdmusic34]

before going nuts i would check the baud rate settings. try one either side of the connection that's 'working'.

daddy? are you doing blah blah blah things again?

 

[IPGuru]

Delete the config.cfg file as well & the unit should boot into factory defaults.

you should be able to gain access & restore a good (& secured) config from there



Do things on the cheap & it will cost you dear

 

[AXCL824]

Holdmusic34 - Will be trying that shortly. As other commands were working, I don't think it will help, but willing to try anything. Will confirm the results.

IPGuru - Sounds easy enough and will likely try it. Best option so far. I do know the security data is saved in the unit and on the card, so I don't know if deleting it from the card will impact anything if the unit still has the settings.

From what I've been reading the issue is this may get me back into my system, but I don't think it will resolve the issues at the DTE as this is not impacted by the config as its more "firmware" level. I want to do everything possible to remove any potential trace of the hack. Great that this gets me back into my system. If there is still some side effects, I'll be paranoid (with reason) there are still some root level hack allowing remote access.

 

[azrael2000]

Make sure the settings on your terminal program (I use putty.exe) are 38400, 8, N, 1.

Regards

 

[AXCL824]

azael2000- I can enter a few other commands and they work fine, just nothing beginning with "AT", so I'm assuming the terminal app is working fine. Used Putty, Hyperterm and 2 different cables just to be sure.

 

[sizbut]

Give us some examples of the "other" commands you can run, it might be your system is in some debug or ther function mode we'll recognise.

Stuck in a never ending cycle of file copying.

 

[AXCL824]

Any command I've tried from the below seems to work. Note, all I did was connect to the DTE press enter and then ? enter to display the below. All other info is displayed on its own.

 

[Pepp77]

Are you rebooting the system whilst connected and pressing esc?

| ACSS SME |

 

[AXCL824]

Pepp77 - Not at this point, but did do that previously just to try other options. No go, but I'm assuming you'll say because you're not supposed to do that. ;-) The images are on a fully booted running system prior to connecting.

Holdmusic34 - Tried different baud rates, but no luck. Lower wouldn't do anything but squares and higher most letters would work, but enter wouldn't.

 

[intrigrant]

Is there a special entry in the nouser source numbers?
On the SD card there is a file config.cfg which is the running config, open it offline in Manager.
I suspect there is a special command to boot into a special debug mode.

 

[AXCL824]

intrigrant - ok, now we're getting into new ideas. You're comment gives me to thoughts, aside from reviewing for the nouser source numbers boot.

1) Is there a way to be able to read the SD card without needing to shutdown and pull it out. Can it be accessed by another method..I'm sure unlikely. Or temporarily pulled and put back in live...I'm sure not recommended. Just looking for experience answers, hopefully to debunk my theory.

2) If I have a backup of the config, is it the exact same format as the one on the SD? i.e. Could I copy it to the SD, rename and reboot? I'm thinking its tagged with the dongle ID when its saved to the system so this won't work.

3) Could I edit the config to remove any potential nouser source numbers and save back to the card and reinsert. Also assuming you can't due to a dongle ID.

Just throwing stuff out there to try and trigger more ideas. Thanks everyone for their input!!!

 

[Westi]

1.) with Manager: File - Advanced - embedded file management
2.) the file on the SD card is config.cfg and in order for the system to take it you would have to erase the config with the reset button then it may take it as backup if you load it after the reboot because if you load it before that it will erase it
3.) the config.cfg is not the configuration it will load when it starts up as long as there is still an active configuration in the system it is a backup in case you switch chassis due to a failure.

This looks like a maintenance mode if you ask me.
have you tried typing Exit?
or hatric (it lists that as dumping hatric register and on the top it lists hatric data)

Joe W.

FHandw, ACSS (SME)


"This is the end of the world, make sure to buy your T-shirt before it is too late"
Original expression of my daughter

 

[intrigrant]

1, you can safeky remove the SD card for two hours without ab=ny impact, just re-insert it within two hours
2, the config.cfg file is the current running config, copy it and rename it
3, bring the IP Office to factory settings by pressing the reset button over 30 seconds (SD Card insereted!)
4, bring IP Office to standard mode with Manager
5, offline send the config.cfg file
6, after several reboots it shoukd be up and running with default security settings
If the same problem is still there then replace the base unit