
hacked or compromised IP Office 500 V2 SIP 2

Status
Not open for further replies.

commnorth

Programmer
Oct 28, 2006
31
US
Well the absolute worst nightmare in the IP Office world has become a reality. My 9.0.4 system has been bootlegged. I was looking over my SIP accounts and found that one of my customers had placed 335 outbound calls over a 12 hour period. The only red flag was that the time period that this anomaly occurred was 7 P.M. to 7 A.M....WHAT!!!!! Sure enough, there were calls to countries I can't even begin to pronounce, let alone even heard of. alls to US only, but in less than an hour, they started to make US bound calls; that is only a very small "issue"; they added 83 SRS routes,so all in-bound calls to customer come back as 486 system busy, no lines available. HHHEEEEELLLLLLPPPPPPPP !!!!!!!!!!!!!!!!!!!!!
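The pattern described in this post (a burst of outbound calls between 7 P.M. and 7 A.M. to foreign countries) is exactly what an after-hours call check should catch. The following Python is an added example, not code from the thread or from Avaya: it assumes a constructed three-field call record (start time, direction, dialled number), a US site with 07:00 to 19:00 business hours, and 011 as the international access prefix; the sample records are constructed.

```python
from datetime import datetime, time

# Assumed business hours for the site; anything outside is "after hours".
BUSINESS_START, BUSINESS_END = time(7, 0), time(19, 0)

def parse(line):
    """Constructed record format: 'YYYY-MM-DD HH:MM:SS,<O|I>,<dialled number>'."""
    ts, direction, dialled = line.strip().split(",")
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), direction, dialled

def is_after_hours(ts):
    return not (BUSINESS_START <= ts.time() < BUSINESS_END)

def is_international(dialled):
    # Assumption: NANP site, so 011 is the international access prefix.
    return dialled.startswith("011")

def analyse(lines, after_hours_limit=20):
    """Count outbound calls placed after hours and flag the two warning signs
    from the post: a large overnight burst, and any overnight international calls."""
    after_hours_out = 0
    international_after_hours = 0
    for line in lines:
        ts, direction, dialled = parse(line)
        if direction != "O":          # only outbound calls cost money
            continue
        if is_after_hours(ts):
            after_hours_out += 1
            if is_international(dialled):
                international_after_hours += 1
    alerts = []
    if after_hours_out > after_hours_limit:
        alerts.append(f"{after_hours_out} outbound calls outside business hours")
    if international_after_hours:
        alerts.append(f"{international_after_hours} international calls outside business hours")
    return {"after_hours_outbound": after_hours_out,
            "international_after_hours": international_after_hours,
            "alerts": alerts}

# Constructed sample: three normal daytime records, then 30 overnight
# international calls one minute apart starting at 22:00.
SAMPLE = ["2014-03-10 09:15:00,O,12125551234",
          "2014-03-10 11:40:12,I,12125559876",
          "2014-03-10 16:03:45,O,13105550199"]
SAMPLE += [f"2014-03-10 {22 + i // 60:02d}:{i % 60:02d}:00,O,01144200000{i:03d}"
           for i in range(30)]

if __name__ == "__main__":
    for alert in analyse(SAMPLE)["alerts"]:
        print("ALERT:", alert)
```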
 
Change all passwords to start with.
Change the IP route to the outside and only allow the provider.
Put a firewall in front and only allow SIP ports or use a SBC.
Can you see if there is a change mentioned in the audit trail?

BAZINGA!

I'm not insane, my mother had me tested!

 
I bet you have a 0.0.0.0 IP route, remove that, and secure according to Peter's post.

Kind regards

Gunnar
_______
B.U.B.F

 
Also, tell your provider to block all IP addresses except the proxy. Some can, some won't.
 
Thanks all. One question for GUNN: what does the 0.0.0.0 do? I'm NOT a network guru. Jim.
 
The 0.0.0.0 route will allow connection from any IP address on this planet.
The narrower (as close to the remote end as possible) you make your IP routes, the better.
If you have a SIP provider initiating traffic, from only a single public IP for the SBC, then that IP is what you put in your route. (And don't forget the MASK)


Kind regards

Gunnar
_______
B.U.B.F

 
Thanks Gunnar for your clarification on quad 0's. Commnorth.
 
1) Call in a COMPETENT Maintainer!
2) Make sure your IPO is behind a firewall & is not visible to the Public internet
3) Change all system password & security password
4) Set strong passwords for all users
5) Call in a COMPETENT maintainer ( I Know this is the same as Point 1 but it is really important!)



A Maintenance contract is essential, not a Luxury.
Do things on the cheap & it will cost you dear
 
They have access to your system, which means that either you have a public ip address on your system or you forward all the ports from the firewall to the ip office.
Both are wrong.
Follow ipguru's advice.
 
"They have access to your system, which means that either you have a public ip address on your system or you forward all the ports from the firewall to the ip office."

Not to mention default passwords.

APSS/ACIS/ACSS-SME
not arrogant, just succinct.
 
If your SIP provider's address is 123.123.123.123, you would add a route that says: 123.123.123.123 mask 255.255.255.255, gateway whatever the next hop router is, and of course the appropriate LAN interface.

The 255.255.255.255 mask specifies a SINGLE host rather than all hosts (which is 0.0.0.0/0.0.0.0). This way the IPO can't get to the internet at large, it can only use that hop to get to the SIP provider. By doing this, it cannot respond to any incoming SIP requests from anything but that SIP provider's IP - the IPO doesn't know how to talk back as there's no route.

By doing this you can still have a public IP address assigned to one of the IPO's ports and still be relatively secure.

You should still change all the default passwords, don't forget about the "security" and "system" defaults too.

New England Communications
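As an added illustration of the route matching described in the two posts above (not code from the thread or from Avaya), the following Python compares the "quad 0" default route with a single host route for the SIP provider. The provider address 123.123.123.123 is the thread's example; the gateway 203.0.113.1, the provider /24 and the stray test address are constructed.

```python
import ipaddress

# Constructed route tables in IP Office style: (IP address, mask, gateway).
# Only the provider's single public IP is reachable with this table.
HOST_ROUTE_ONLY = [
    ("123.123.123.123", "255.255.255.255", "203.0.113.1"),
]
# Same host route plus the "quad 0" route Gunnar warns about: it matches every address.
WITH_DEFAULT_ROUTE = HOST_ROUTE_ONLY + [
    ("0.0.0.0", "0.0.0.0", "203.0.113.1"),
]

def _network(net, mask):
    # ipaddress accepts an (address, netmask) tuple; strict=False tolerates host bits.
    return ipaddress.IPv4Network((net, mask), strict=False)

def lookup(routes, dst):
    """Longest-prefix match: return the gateway of the most specific route covering dst,
    or None when no route covers it (the IPO then has no way to reply to that host)."""
    best = None
    addr = ipaddress.IPv4Address(dst)
    for net, mask, gw in routes:
        network = _network(net, mask)
        if addr in network and (best is None or network.prefixlen > best[0]):
            best = (network.prefixlen, gw)
    return None if best is None else best[1]

def overly_broad_routes(routes, max_hosts=1):
    """Config check: list every route whose mask covers more than max_hosts addresses.
    A 0.0.0.0 / 0.0.0.0 route covers all 2**32 addresses and is always flagged;
    a provider /24 is flagged with the default max_hosts but passes with max_hosts=256."""
    return [(net, mask) for net, mask, _ in routes
            if _network(net, mask).num_addresses > max_hosts]

if __name__ == "__main__":
    for table in (HOST_ROUTE_ONLY, WITH_DEFAULT_ROUTE):
        print(lookup(table, "123.123.123.123"), lookup(table, "198.51.100.7"),
              overly_broad_routes(table))
```

With only the host route, a packet to the constructed stray address 198.51.100.7 has no matching route and is never sent, which is the "IP route lock" effect the post describes.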
 
Hogwash!

Never connect the IPO directly to the internet.

Get a firewall, they are cheap and way more reliable than "IP route lock".


Kind regards

Gunnar
_______
B.U.B.F

 
"Reliable", until you find out the SIP NAT implementation is broken. Especially in the cheap ones.
You need to pick the right firewall.


New England Communications
 
Never connect the IPO directly to the internet.
Port forwarding is rarely necessary (& if it is, it should be restricted to the ITSP proxy address only!).
In most cases SIP ALG on the router should be disabled, so even broken implementations should not be an issue. STUN can usually be used as an alternative when NAT traversal is an issue (trunks registered by IP address, not credentials).

Commnorth Please Please Please contact a competent installer/maintainer to assist you with securing this system



A Maintenance contract is essential, not a Luxury.
Do things on the cheap & it will cost you dear
 
Commnorth, just to clarify things: you said that "I was looking over my SIP accounts". Are you a SIP provider, or do you use the IP Office as a hosted PBX?
 