IP Office phones being hacked into 3


tmcd123

Programmer
Apr 8, 2010
292
US
Our customer has IP Office v2 with 8.1.85. They are seeing their phones go off-hook and then an international number being dialed. They sent us a video of what is happening. Their phone is idle, and then the ICM button goes off-hook, an international number displays on the screen and it starts making a call.
They have 2 IP phones configured as remote extensions, and these are coming in directly to an ISP IP address connected to LAN 2.
Admin password has been changed. All SIP register and auto-create extensions are unchecked.

Has anyone ever seen a phone go off-hook and make calls without someone physically doing it?
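As an added example (not from this thread or from Avaya), a small Python check over constructed call records that flags the pattern described above: international calls placed from an extension outside office hours, and bursts of international calls from a single extension. The record layout, the office hours and the burst threshold are assumptions; the CSV is not IP Office's real SMDR format.

```python
import csv
import io
from collections import Counter
from datetime import datetime, time

# Constructed sample call records (NOT IP Office's real SMDR layout):
# timestamp,extension,direction(O=outbound),dialed_number,duration_seconds.
# Two normal daytime calls, then a night-time burst of international calls
# from one extension, the pattern the thread describes.
SAMPLE_CALLS = """\
2014-10-03 09:12:04,201,O,2125551234,95
2014-10-03 10:40:11,205,O,8005550100,40
2014-10-04 02:13:45,212,O,011441632960123,610
2014-10-04 02:25:02,212,O,011441632960124,580
2014-10-04 02:37:19,212,O,011441632960125,602
2014-10-04 03:01:55,212,O,011441632960126,590
"""

INTL_PREFIX = "011"                          # US international dialing prefix
BUSINESS_HOURS = (time(7, 0), time(19, 0))   # assumed local office hours
BURST_THRESHOLD = 3                          # intl calls per extension per day

def parse_calls(text):
    """Parse the constructed CSV into dicts with a real datetime."""
    records = []
    for ts, ext, direction, number, dur in csv.reader(io.StringIO(text)):
        records.append({"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                        "ext": ext, "dir": direction, "number": number, "dur": int(dur)})
    return records

def outside_business_hours(ts):
    start, end = BUSINESS_HOURS
    return not (start <= ts.time() < end)

def find_toll_fraud_indicators(records):
    """Return alert strings for off-hours international calls and for
    per-extension daily bursts of international calls (toll-fraud signs)."""
    alerts = []
    intl_per_day = Counter()
    for r in records:
        if r["dir"] != "O" or not r["number"].startswith(INTL_PREFIX):
            continue
        intl_per_day[(r["ext"], r["time"].date())] += 1
        if outside_business_hours(r["time"]):
            alerts.append(f"off-hours international call: ext {r['ext']} "
                          f"-> {r['number']} at {r['time']}")
    for (ext, day), n in intl_per_day.items():
        if n >= BURST_THRESHOLD:
            alerts.append(f"burst: ext {ext} placed {n} international calls on {day}")
    return alerts
```

Run this over exported call records daily; the off-hours and burst alerts are what the video in the question would have produced as log entries.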
 
They are more than likely using TAPI or Phone Manager to dial the phones from remote. Make sure all the ports are locked down on the firewall and IP routes only allow known IP addresses.


ACSS (SME)
APSS (SME)
 
Do they have One-X portal installed? Or Phone Manager? I would think both applications could do this without touching the phone.

Manager could be installed without an external server. Try changing the password for that user.
 
Passwords have been changed. No One X Portal and just Phone Manager lite. Is there a way to disable Lite?
 
Is the IP Office in a DMZ or visible to the internet?

ACSS (SME)
APSS (SME)
 
Yes, the IP Office is visible on the Internet.
 
Has it happened after the password was changed?

Not sure there is a way to disable Phone Manager access. Avaya has said they are making numerous security enhancements in 9.1 (Dec 2014) but not sure if this is addressed.

As referenced, changing ports is a good place to start. You can assign the ports that are used in IPO Manager. This will require you to change all the setup on the remote devices connected over the internet, but it will make it much harder for a 3rd party to access your system.

Depending on what remote devices/ applications you are using, I recommend one of two long term adjustments:
1. VPN concentrator for remote IP Phones and soft phones
2. Avaya's eSBC, Session Border Controller, for smart phone and tablet apps like One-X Mobile or Flare.

If you do not have a decent BP that is helping you, feel free to PM me. I am in meetings all afternoon but can call you after hours to talk at a high level if you like.
 
Another way hackers could be getting in is through the AA or VM. The best way to avoid LD toll fraud is to make sure all employees have a 6 to 8 digit password for their VM, and in Manager you can restrict overseas calling. If you require overseas calling, you can create account codes that need to be entered before an overseas call is completed.
 
The system needs protecting, they can use Phone Manager or TAPI to initiate calls. This will continue until you secure the system correctly :) :)

 
tmcd123 said:
Yes, the IP Office is visible on the Internet.
This is where you should put your concentration right now.
Get a firewall! (or SBC, but that would probably take longer and cost a lot more)

The hackers use SIP softphone, Phone Manager, Manager, Monitor, etc... You're offering all kinds of access to your system, so stopping PM will only make them move on to the next "tool".

Remote phones should always connect through a VPN, either site-site or as a client.

Read this document on securing IP Office




Kind regards

Gunnar
__________________________________________________________________
Hippos have bad eyesight, but considering their weight, it’s hardly their problem

 
Gunnaro is absolutely correct. We have had this happen to a few clients, all of which are public facing (not our choice). You NEED to get something in front of the IPO so it is not public facing. This will forever continue until you have a firewall in place.
 
Gunnaro is absolutely correct.
An IP Office should never be connected directly on a public IP address and should almost never have any port forwarding directed at the IPO.
If you must use H.323 NAT traversal for remote phones, then only the ports absolutely necessary for this service should be open.

Did you install this yourselves or have it installed "professionally" by a 3rd party?

If you installed it yourself, then you need to study the documentation on securing your system.

If it was installed for you, then I would recommend you locate a competent installer as soon as possible.

A Maintenance contract is essential, not a Luxury.
Do things on the cheap & it will cost you dear
 
sorry I have just seen it is YOUR CUSTOMER who has the issue.

So the question should have been did they configure this themselves or did you do it for them?

I hope it was the former.
If the latter, at least you are now learning the correct way to do things in the future. This forum is a good place to learn best practices, and I would recommend following the old advice: If in Doubt, Ask.



A Maintenance contract is essential, not a Luxury.
Do things on the cheap & it will cost you dear
 
I got a good laugh today, I'm still laughing actually [smile]

A SIP provider bought an IPO to test their new SIP platform.
*we don't need any help with this, we know this stuff*

A week later the billing department made an internal call to the Chief of R&D...

Kind regards

Gunnar
__________________________________________________________________
Hippos have bad eyesight, but considering their weight, it’s hardly their problem

 
I have a customer that is using wide open SIP trunks. I locked down all the passwords during the install. Each user also has a password. But I see in System Status that someone has been hammering on a user account using an app called PC Partner. Has anybody used or heard of this app?

BTW
They are in the process of upgrading to a TW SBC

Thanks

ACA
ACS
ACIS
 
A PC Partner can be a Phone Manager, TAPI or one-X Portal server.

The connections used:

Phone Manager:
UDP 50796 and UDP 50799 - Phone Manager (Phone Manager\PhoneManager.exe)
UDP 1719 and UDP 1720 - Phone Manager VoIP Server (Phone Manager\iClaritySvr.exe)

TAPI:
UDP 50797 - TAPI2 (TAPI\tspi2w.tsp)

one-X Portal server:
4560 - Used by the log4j socket appender.
5222 - Used for XMPP client/server communication.
5269 - Used for server-to-server federation. This port federates with external XMPP servers or XMPP-enabled servers such as GTalk, Yahoo, and MSN.
5269 - Used for XMPP server-to-server federation. If the customer is not intending to federate with external XMPP servers, then this port does not need to be opened on the firewall.
8005 - Used by the Tomcat shutdown listener.
8080 - Default HTTP browser access port. This port number can be changed during installation.
8082 - Used by the database component of one-X Portal for IP Office.
8086 - Used for HTTPS access to MyBuddy.
8443 - Used for HTTPS access to one-X Portal for IP Office (only for Windows installations of one-X Portal for IP Office).
8444 - Used for initial communication between the mobility client (Android/iPhone) and one-X Portal for IP Office. If the customer is NOT using the mobility client, or is only using it on the internal WiFi network, then this port does not need to be opened on the firewall.
8666 - Used by the JVMX component of one-X Portal for IP Office. This port number can be changed during installation.
9094 - Used for OpenFire XML RPC (Remote Procedure Call) and the administration console.
9095 - Used by the OpenFire admin console (HTTPS).
8080 to 8090 - "To allow the one-X Call Assistant to communicate through a specific TCP port".

Make sure you lock these all down with a decent firewall.

 