IP Office Hacked, FWDing Setup

Status
Not open for further replies.

94astro (Programmer, US), Jul 21, 2013
I'm sure this is because of my ignorance so be easy on me.

I just installed my first IP Office 8.1 63 (aside from our shop's system) Essential Edition. Customer got an email this morning from Telco that their system got hacked. I logged in and sure enough FWD Unconditional on about 10 users was set up to international area codes (Bosnia, Serbia, Iraq, Liberia etc...). I deleted all of the forwarding. No new users were created. What I did not do in the first place was change the Manager account and security settings default passwords. Of course they are now changed. For remote access, I set up NAT in the router so I can access the IP Office remotely.

My question is, how do you think they got in? I don't know of any way to set up forwarding on embedded mailboxes remotely. They must have logged in with Manager account?
 
Manager has more than one account, as well as U: Administrator P: Administrator, there is also U: Manager P: Manager and Operator accounts, disable any not being used. Make the "system" password in security settings (used for upgrades) different to your Administrator login and monitor login as this can be "sniffed". They can also get in with Phone Manager and setup forwarding that way or initiate calls. But to stop anyone apart from you making changes or even seeing the system, tie it down with very specific IP routes it will then be literally invisible to any other IP addresses but those entered.

Hacking the IP Office has taken off massively in the last couple of months and they have installer level knowledge of how best to do it and find ways in so they are trained, I have my suspicions of someone being involved from this forum, playing both sides of the field as it were. Evidence is being gathered as there have been IP Office versions of a "Bait Car" opened up that have been hacked with conversations recorded, source addresses, numbers and other details logged and I believe action is imminent (not by me I may add) :)

 
Thanks, by Manager I meant the Manager account (as in not Administrator or Operator etc). I set up Manager for the admin on-site but left the password default. Thanks for the info, I've disabled all accounts except Administrator and Manager. I'll look into securing the IP routes.
 
Is the IP Office reachable via the internet?
Did you set passwords on the users?

Otherwise someone could setup call forwarding using Phone manager...
 
I have also seen this. They also use a simple Phone Manager program to login as a user and set forwarding that way. I have come up with a few ways within the IPO to combat this, but best practice is if it is accessible via the internet then all users and admin accounts need non-default secure passwords.

ACSS SME
ACSS a bunch of CM
CCNA Voice
 
Yes it is accessible via the internet, yes every user has a password.
 
They brute force username and password combinations, so make them complex or it's simply a matter of time :)

 
Actually every user had a voice mail password, not a phone password, I just updated that.
 
Every user has 3 passwords/codes: user name and password for Phone Manager or one-X etc, voicemail code and also login code. As login codes can only be numeric (and so easily cracked), turn off the H323 gatekeeper/registrar for the interface that's web facing :)

 
Another thing to do is setup the NAT so that only you can get in - if your office has a fixed IP address, specify that the source allowed into that NAT must be your firewall's external address. Rather than leaving that NAT port forward open to the entire internet.

New England Communications
 
94Astro
Why is the IPO even accessible from the internet?
It should be installed behind a firewall or SBC.


A Maintenance contract is essential, not a Luxury.
Do things on the cheap & it will cost you dear
 
It is behind a firewall, but NATing is set up on the router to allow access.
 
> It is behind a firewall, but NATing is set up on the router to allow access.
Why?

General Advice
DO NOT DO THIS

If absolutely 100% unavoidable (why can't you use a VPN?) then restrict access to known IP addresses only.

For one-X Mobility, only forward the ports absolutely necessary.

A Maintenance contract is essential, not a Luxury.
Do things on the cheap & it will cost you dear
 
> restrict access to known IP address only

This is what I've done in the router on the advice of others here. Next time I'm just going to install a cheap laptop with LogMeIn.
 