BSFH
Technical User
- Apr 2, 2013
- 7
Hi Guys,
I've inherited an IPO 500. Having no prior experience with administrating telephony systems, and no training on this one, I have some pretty big gaps in knowledge. Before I hit my shiny red PANIC! button I wanted to confirm as to whether you've ever heard of an IP Office unit being compromised or otherwise attempting the below comms. My specific issue is that our IP Office is generating traffic with a fake IP, trying to talk to other IPs that, while routable, don't exist. It is attempting communications on a wide variety of ports and protocols. We recently upgraded the firmware, but it's still occasionally trying. To give you some idea of what it's attempting:
Attempted to reach (external IP, "A") on UDP 2427
Attempted to reach (internal, non-dhcp range IP) on UDP 137
Spoofed IP from above (external IP, "A"), attempting to reach external IP, "B" on UDP 14378
Spoofed IP from above (external IP, "A"), attempting to ping external IP, "B".
Spoofed IP from above (external IP, "A"), attempting to reach external IP, "C" on TCP 19954
Spoofed IP from above (external IP, "A"), attempting to reach external IP, "D" on TCP 26424
As far as I can tell, there is no external routable access to the IPO, with the exception of VPNs. I'm hoping to get superior firewalls soon which should let me get greater visibility of what is going on.
Within the IP Office Manager I see no references to any of those external IPs. It should only declare itself on an internal IP. The external IPs do not and have never belonged to our organisation.
So to return to the original question: could an IP Office be compromised and execute code? I've opened a case with our maintainer as well, but just wanted to hear directly from the community too.
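An added example (not from the poster, Avaya, or the maintainer) of how to triage a capture like the one described: because the source IP is the field being forged, the script attributes frames by the sender's MAC and flags anything that violates the expected behaviour (a LAN frame sourcing a non-internal address, or the IPO talking to an external host). The IPO's MAC and IP, the internal ranges, and the key=value log format are constructed assumptions for the example.

```python
import ipaddress
from typing import Dict, List, Set, Tuple

# Assumed values (constructed for this example, not from the original post).
IPO_MAC = "00:1b:4f:aa:bb:cc"                   # the IP Office's LAN MAC address
IPO_IP = ipaddress.ip_address("192.168.10.5")   # the only IP it is configured to use
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed capture summary, one frame per line, mirroring the poster's list:
# a probe to external "A", a NetBIOS probe inside, then frames spoofing "A".
SAMPLE_LOG = """\
ts=10:01:01 mac=00:1b:4f:aa:bb:cc src=192.168.10.5 dst=192.168.10.1 proto=udp dport=53
ts=10:01:02 mac=00:1b:4f:aa:bb:cc src=192.168.10.5 dst=203.0.113.10 proto=udp dport=2427
ts=10:01:03 mac=00:1b:4f:aa:bb:cc src=192.168.10.5 dst=192.168.77.9 proto=udp dport=137
ts=10:01:04 mac=00:1b:4f:aa:bb:cc src=203.0.113.10 dst=198.51.100.20 proto=udp dport=14378
ts=10:01:05 mac=00:1b:4f:aa:bb:cc src=203.0.113.10 dst=198.51.100.20 proto=icmp dport=-
ts=10:01:06 mac=00:1b:4f:aa:bb:cc src=203.0.113.10 dst=198.51.100.30 proto=tcp dport=19954
ts=10:01:07 mac=5c:26:0a:11:22:33 src=192.168.10.42 dst=192.168.10.5 proto=tcp dport=443
"""


def parse(line: str) -> Dict[str, str]:
    """Split a 'key=value key=value' record into a dict."""
    return dict(kv.split("=", 1) for kv in line.split())


def is_internal(ip) -> bool:
    return any(ip in net for net in INTERNAL_NETS)


def analyse(log: str) -> List[Tuple[str, str]]:
    """Return (timestamp, finding) pairs for frames that contradict expected behaviour."""
    findings = []
    for line in log.splitlines():
        f = parse(line)
        src, dst = ipaddress.ip_address(f["src"]), ipaddress.ip_address(f["dst"])
        flow = f"-> {dst} {f['proto']}/{f['dport']}"
        if not is_internal(src):
            # Egress anti-spoofing rule (BCP 38): no LAN device may source an external address.
            findings.append((f["ts"], f"spoofed source {src} from MAC {f['mac']} {flow}"))
        elif f["mac"] == IPO_MAC and src != IPO_IP:
            findings.append((f["ts"], f"IPO using unexpected source {src} {flow}"))
        elif f["mac"] == IPO_MAC and not is_internal(dst):
            # The IPO should only declare itself internally; external peers need explaining.
            findings.append((f["ts"], f"IPO egress to external host {flow}"))
    return findings


def spoofing_macs(log: str) -> Set[str]:
    """Layer-2 senders behind spoofed frames: the IP lies, the MAC (or switch port) does not."""
    return {parse(l)["mac"] for l in log.splitlines()
            if not is_internal(ipaddress.ip_address(parse(l)["src"]))}
```

Pointing `spoofing_macs` at a span-port capture tells you which physical device is emitting the forged packets, which is the fact the maintainer case will need.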