
Avaya IPO Hackers Nightmare 2

Status
Not open for further replies.

StreamlineNet

Vendor
Jun 5, 2006
32
US
I am tired of these hackers...

I have locked the doors, and am getting ready to throw away the keys..
Every customer will be getting a VPN tunnel for management; I guess I am paying money for this now. So in retaliation I have created a honeypot program. When the user attempts to connect to the IP Office (so they think):
1) I am logging all actions. (running now and capturing their user information (or the device it is coming from))
a) Going to make a database of these A**Wipes so at the very least we block the addresses
b) Should this go public?
2) I have a small package in the cfg file to corrupt their manager
a) currently working on test lab, is hit and miss about working; versioning is an issue right now
b) all passwords will be default.
3) I want to implant a small package to implement remote control of their system, it will be a Java package on a false web manager.
a) I plan to implement a geo tracker in this program as well; proxy device installed with a Java service.
b) maybe reporting its own computer to local authorities as cyber crimes. How hard will it be to screen record for them?

My big question.... Is this legal? I will put a disclaimer on the site stating that hacking it is illegal and they could face financial and legal consequences.

All in all... Partners, if you agree, copy and paste the passage below and send it to your Channel reps, distributors, trainers, and anyone else who will listen....
Avaya really needs to look at this issue. Maybe have a secure upgrade with 2 forms of authentication before any configuration changes are made. Even as simple as requiring a private self-signed certificate for any access (other than SIP trunking, with one button to open and close). The only access available should be by local (private) subnet unless they have the certificate. And in the essence of network security responsibility, this must be a free upgrade for any supporting box. Example: IPO500 and IPO 500 V2 free upgrades. Older units will require hardware upgrades. In your security, put in an IP packet drop after 5 failed attempts.


I have found 206.221.187.163 to be a gaming server in Chile; this is one a recent hacker used to connect. Tried to use PC Manager.
RaedNahal from Pakistan, MAC address (20-68-9d-6d-86-f5) (tried to use BusinessPartner and Manager) (internal IP 192.168.15.10, at a different time 192.168.1.102)
anaa from MAC address (78-E4-00-1A-D0-08, Hon Hai Precision Ind. Co., Ltd., CHINA), tried to use Administrator (internal IP 192.168.1.112)
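The logging and "drop after 5 failed attempts" ideas from the post, as an added example that is not the poster's code: a small analyser for a honeypot login log that lists sources reaching five failures inside a sliding window, counts total failures per source, and records which default IP Office account names each source tried. The log format, the threshold, the window and the sample lines are all constructed assumptions.

```python
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Default IP Office account names that the thread reports being tried.
DEFAULT_ACCOUNTS = {"Administrator", "Manager", "BusinessPartner"}
THRESHOLD = 5                    # failures before a source is listed for blocking
WINDOW = timedelta(minutes=10)   # sliding window in which the failures must occur

# Constructed sample honeypot log (format is an assumption, addresses are
# RFC 5737 documentation ranges): timestamp, source IP, account tried, result.
SAMPLE_LOG = """\
2014-03-02 02:30:01 src=203.0.113.7 user=Administrator result=FAIL
2014-03-02 02:30:05 src=203.0.113.7 user=Manager result=FAIL
2014-03-02 02:30:09 src=203.0.113.7 user=BusinessPartner result=FAIL
2014-03-02 02:30:13 src=203.0.113.7 user=Administrator result=FAIL
2014-03-02 02:30:17 src=203.0.113.7 user=Manager result=FAIL
2014-03-02 02:45:00 src=198.51.100.9 user=Administrator result=FAIL
2014-03-02 03:00:00 src=198.51.100.9 user=Manager result=FAIL
2014-03-02 03:15:00 src=198.51.100.9 user=Manager result=FAIL
2014-03-02 03:30:00 src=198.51.100.9 user=Manager result=FAIL
2014-03-02 03:45:00 src=198.51.100.9 user=Manager result=FAIL
"""

def parse_line(line):
    """Split one log line into (timestamp, src, user, result)."""
    ts = datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")
    f = dict(kv.split("=", 1) for kv in line[20:].split())
    return ts, f["src"], f["user"], f["result"]

def analyse(log_text):
    """Return {'blocked': src -> time THRESHOLD failures fell inside WINDOW,
    'failures': src -> total failures, 'defaults': src -> default accounts tried}."""
    recent = defaultdict(deque)      # src -> timestamps of failures inside WINDOW
    blocked, failures, defaults = {}, Counter(), defaultdict(set)
    for line in log_text.splitlines():   # log is assumed to be in time order
        ts, src, user, result = parse_line(line)
        if user in DEFAULT_ACCOUNTS:
            defaults[src].add(user)
        if result != "FAIL":
            continue
        failures[src] += 1
        q = recent[src]
        q.append(ts)
        while ts - q[0] > WINDOW:    # expire failures older than the window
            q.popleft()
        if len(q) >= THRESHOLD and src not in blocked:
            blocked[src] = ts
    return {"blocked": blocked, "failures": dict(failures),
            "defaults": {s: sorted(a) for s, a in defaults.items()}}
```

The second source in the sample reaches five failures in total but never five inside the window, which is why a sliding window rather than a plain counter matters when the probing is slow.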
 
It is not illegal and a good initiative, know your enemies is always a good start for defense.
 
I feel ya and I am not a lawyer, but I am pretty certain most of this is illegal in most countries. Especially:

3) I want to implant a small package to implement remote control of their system, it will be a Java package on a false web manager.
a) I plan to implement a geo tracker in this program as well; proxy device installed with a Java service.
b) maybe reporting its own computer to local authorities as cyber crimes. How hard will it be to screen record for them?


I am also pretty certain Avaya would take issue with "a small package in the cfg file to corrupt their manager".

Proceed with caution and don't advertise publicly what you are doing would be my advice. And lock down and hide the systems as they probably should have been from the start. This is not a unique issue with Avaya IPO.



teamonesolutions.com
 
What a relief, I'm not alone in hating that MF (you'll figure out the missing letters).

Raed Nahal was the name of a high-ranking Palestinian militant, and probably a hero to them. Ergo not his real name, but you'll find plenty of posts regarding hacking if you google that.

The person behind the handle does not appear to be too clever in the ways of breaking into an IPO; he does his routine the same way every time, testing for default pwds.

About 18 months ago I went on a little crusade, tracking this person back to a building in Israel.
It turned out to be a local IT/telco company renting most of the office space at that address, and one of their services is maintaining Avaya and Cisco PBXs...

Also, in the evenings his activity originates from multiple domestic IPs on the Gaza strip; I'm guessing he sits at home banging on IP addresses he scanned. Digging deeper, you'll find that he holds an Egyptian mobile phone, making test calls to his hacks.

I've turned over my findings to Israeli officials, hoping Mossad pay him a visit.


I like your proposal/idea, and it's probably not illegal (in the Palestinian territories).
But you risk chasing a lot of innocent people; the more clever hackers don't use their own PCs, they hijack someone else's.

Kind regards

Gunnar
______________________________________
Mille viae ducunt homines per saecula Romam

 
BTW, it looks like they're using the web management first, so you can edit the index.htm, pointing the links elsewhere, and put in a 100% white jpg with tracking.
It's not illegal to trace your own pictures, and any domain owner can legally collect the IP of whoever has entered their site, where they came from and where they went afterwards.

Where you point the links is up to you, but I would talk to the proper officials and see if they are interested in catching the bastards.
Anything bouncing off your public IP is registered as a potential hacker, and they'll do their thing...

Governments have way cooler tools than any of us, and telco is often regarded as part of the national infrastructure.
That's something the authorities like to protect.


Kind regards

Gunnar
______________________________________
Mille viae ducunt homines per saecula Romam

 
Honeypot sounds great; collecting/reporting information is always fantastic, especially when shared with the community.

Even though they deserve it, any malicious payload could get you in trouble. Scare tactics, such as a redirect showing any pertinent info you collected on them and a message about being reported, would be fun.
 
It may be illegal, but these hackers reside in countries which have quite different laws and moral attitudes to the matter than over here. The chance of getting sued is small; at worst you get a warning about bad behaviour....
On the other hand, infecting their systems is useless, as they may be replaced within a few hours, and if they run the software on virtual boxes it can even be restored in minutes, so I would not even try to touch their systems; logging and publishing their activities is the best way to get rid of them.
 
Indeed, a honeypot (bait car) is a great activity.

a) You take up the hackers' time, going berserk on a system without any lines connected
b) You collect info about the hackers, like phone numbers they try calling, their IP addresses, etc.


My findings so far:

- They are located in Palestine/Israel, the Balkans, Saudi, UAE, Jordan and Egypt
- They know enough about IP Office to divert calls
- Some of them work together
- They do this for money, not pranking
- Their activity drops significantly whenever the IDF launches an attack
- Their "handles" are: Jodo, baraa, awadallah, ppdd, besan, dola, Abu Yousef, RaedNahal


As Intrigrant pointed out, there's no point in infecting their computer.
You may even risk infecting a perfectly innocent hijacked computer, and that suddenly makes you the bad guy.

Avaya implemented quite a few security measures after some of us blew the whistle back in 2013, like forcing pwd changes and turning off features that expose the systems.
I don't think they'll do anything more than what they've already done, and altering their software will probably make them pretty grumpy.

There is an easy fix to all of this: firewall and/or SBC.
This will stop most of them from entering, and a secondary firewall facing the data network takes care of the more gifted hackers sneaking in through an infected company computer.

They don't go into your config, but if your port 5060 has to be open (!) and your dial codes permit international calls, all they need to do is find an extn number that works.
To fix this, tighten the permissions for 5060, allowing only the IP of your provider to pass, and put call barring on any country code you don't use.
(This even takes care of the cleaning personnel calling Somalia at 2:30 AM.)

Kind regards

Gunnar
______________________________________
Mille viae ducunt homines per saecula Romam
