
Hacked IPO version 7.6


bcmfiftyfan (Programmer, Mar 9, 2006, US)
Hello,

One of my customers has been hacked and subjected to toll fraud. The hacker has gained entry to IPO Manager and changed the password locking me and everyone else out. The hacker apparently has a grudge against this customer because he's made changes to the IPO preventing the customer from being able to use it.

What, if anything, can be done about this situation?
 
Unplug ipo from network.
Hire a competent installer.
Reset security settings and then change them.
Turn unused services off.

Punjab Power. Lighting up your life.
 
You need to reconsider supporting these systems if this has happened and you don't know how to resolve it :)

 
Thanks to everyone for helpful suggestions.

amriddle - another vendor installed this system. We suspect one of their technicians is the hacker.

The company I work for took over service of this system less than a month ago. One of our other technicians has been to this site. I've never been there. This problem was dropped in my lap yesterday morning.

The Avaya IP Office is relatively new to me after concentrating all my time on Nortel for the past 30 years. I'm trying to learn more about IPO but my time is divided still between a lot of Nortel and a little IPO so it takes time.

My employer is in the process of deciding whether to stay with IP Office because of the many bugs and foibles that we never encountered with Nortel.

Thanks for providing me with helpful advice in the past.[smile]


Lanny
 
You need to reset the security settings as said before so you can gain access to the system.

If you suspect it's the old company messing with the system you should see some info on who connected in the Audit log in System Status when you have access to the system again.

"Trying is the first step to failure..." - Homer
 
Does your other tech have a local config of the IPO on his laptop?
If he ever connected to the system before the hack, then he has a clean config.
You can go onsite and restore the system.
nikos
 
Also, as a rule of thumb, when taking over a new system do a security audit and see how many holes you have to stuff to make it your baby (especially an IPO, as they are prone to getting hacked if they are on the open Internet).

We always talk to our customers and tell them that we would like to change all the passwords to avoid any problems like this. If the customer denies our request then we tell them to sign a paper that absolves us from all their issues and we bill them for fixing it even if they sign a maintenance contract because that is just careless.

I feel for you if you are coming from Nortel, btw. Working for a long time on a great product line and then being told "sorry, learn something new" is never easy. Especially after a certain age (I am there too, but did not have the Nortel line).

Joe W.

FHandw, ACSS (SME)


"This is the end of the world, make sure to buy your T-shirt before it is too late"
Original expression of my daughter
 
Many thanks koulioumbis and Westi for the helpful, friendly advice.
 
Thanks for the pink love bcmfiftyfan, hope you have good luck with the IPO in the future.

Joe W.

FHandw, ACSS (SME)


"This is the end of the world, make sure to buy your T-shirt before it is too late"
Original expression of my daughter
 
I have seen on a few occasions that techs will leave a backdoor user to connect. As stated, you should do a security audit when taking over and make sure there are no users enabled that don't need to be. No passwords should be left default if the system can be accessed from the outside world (or ever, but some people will never learn). You should have a config backed up from the day you took over. These things should be done every time you take over an IPO system. If your customer won't do it, make them sign something (again, as already stated). IP Office is so very easy to access; if you don't do these things you are pretty much asking to get hacked.

Luckily resetting the security settings is very easy to do and very straight forward, you just need a serial cable. Just as important though is to make sure it doesn't happen again.
 
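The takeover checklist that Westi's post and the post above both describe (no undocumented enabled users, no default passwords, no unused services left on, and extra urgency if the box is reachable from the Internet) can be turned into a repeatable check. The script below is an added example written for this page; it is not code from the thread, from Avaya, or from IP Office Manager. The account names, service names, the "documented users" baseline and the severity levels are all constructed assumptions; you would feed it whatever you read out of the real security settings after resetting them.

```python
"""
Takeover audit for an inherited phone system: flag accounts that should not be
enabled, passwords still at their defaults, and services left on that nobody
needs. Illustrative only: account names, service names and severities below are
constructed, not taken from any real IP Office configuration.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed severity scale; CRITICAL sorts first.
SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2}


@dataclass
class ServiceUser:
    name: str
    enabled: bool
    password_is_default: bool


@dataclass
class SystemSnapshot:
    users: List[ServiceUser]
    enabled_services: Set[str]
    reachable_from_internet: bool  # e.g. management port visible from outside


def audit_takeover(snapshot: SystemSnapshot,
                   documented_users: Set[str],
                   required_services: Set[str]) -> List[Tuple[str, str]]:
    """Return (severity, message) findings, most severe first."""
    findings: List[Tuple[str, str]] = []

    for user in snapshot.users:
        # An enabled account nobody documented at handover is the classic
        # "previous tech left himself a way in" case: disable it or justify it.
        if user.enabled and user.name not in documented_users:
            findings.append(("HIGH",
                             f"undocumented enabled account '{user.name}' "
                             f"(possible backdoor); disable or justify"))
        # A default password is always a finding; it is critical when the
        # account is usable and the system can be reached from the Internet.
        if user.password_is_default:
            sev = "CRITICAL" if (user.enabled and snapshot.reachable_from_internet) else "HIGH"
            findings.append((sev,
                             f"account '{user.name}' still has a default password; change it"))

    # Anything switched on that the customer does not need is attack surface.
    for svc in sorted(snapshot.enabled_services - required_services):
        sev = "HIGH" if snapshot.reachable_from_internet else "MEDIUM"
        findings.append((sev, f"service '{svc}' enabled but not required; turn it off"))

    if snapshot.reachable_from_internet:
        findings.append(("HIGH",
                         "management interface is reachable from the Internet; "
                         "firewall it or put it behind a VPN"))

    findings.sort(key=lambda f: SEVERITY_RANK[f[0]])  # stable sort keeps order within a level
    return findings


def severity_counts(findings: List[Tuple[str, str]]) -> Dict[str, int]:
    """Tally findings per severity so a report can lead with the worst."""
    counts: Dict[str, int] = {}
    for sev, _ in findings:
        counts[sev] = counts.get(sev, 0) + 1
    return counts


# Constructed handover baseline: what the customer says should exist.
DOCUMENTED_USERS = {"Administrator", "Manager", "Operator"}
REQUIRED_SERVICES = {"configuration", "system_status"}


def example_snapshot() -> SystemSnapshot:
    """Constructed sample of what a takeover read-out might look like."""
    return SystemSnapshot(
        users=[
            ServiceUser("Administrator", enabled=True, password_is_default=False),
            ServiceUser("Manager", enabled=True, password_is_default=True),
            ServiceUser("svc_oldvendor", enabled=True, password_is_default=False),
            ServiceUser("Operator", enabled=False, password_is_default=True),
        ],
        enabled_services={"configuration", "system_status", "tftp", "http"},
        reachable_from_internet=True,
    )


if __name__ == "__main__":
    results = audit_takeover(example_snapshot(), DOCUMENTED_USERS, REQUIRED_SERVICES)
    for severity, message in results:
        print(f"[{severity}] {message}")
    print("summary:", severity_counts(results))
```

Run it as-is to see the constructed sample produce one CRITICAL (the enabled, Internet-reachable "Manager" account with its default password) and five HIGH findings; the point is that the same checks run every time you take over a system, not just after a toll-fraud call.
 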
hairlessupportmonkey - Not sure how that could be possible since the system has been turned off since Saturday morning.[smile]

Itxn - thank you for the helpful link. I'll read it thoroughly as time permits.
 
Because Shodan is a historical record of systems scanned over so many months previously, turn it back on, post here and wait 2 mins, then we'll prove it :)

 
amriddle - you don't have to prove anything to me. I believe you. This is not my system. It belongs to the customer. While I would never wish bad fortune on anyone, I'm on the tail end of my career and if this IPO crashes and burns, it's the customer's problem, not mine. My employer's talking about saying goodbye to IP Office anyway. [smile]


I'd like to thank everyone again who has posted helpful suggestions.[thumbsup2]
 
I was only kidding. But the serious message is that there are many IPOs visible on the interwebs. We should know, we helped push Avaya to write the above document.

ACSS - SME
General Geek
 