
IP Office Toll Fraud Stumper


Cat5Jive

Vendor
May 14, 2012
106
CA
Hi all,

Hoping to get an assist with toll fraud on an IP Office V 9.0.200.860

I have the following ports forwarded to the IP Office:

5060
3478
49152-53246
1718-1720

I am using SIP trunking, remote H323 sets and analog trunking.

Despite having changed all my default passwords, disabled all but the Administrator account, set complex passwords for both the password field and the Login Code field, and tested ARS tables that block 0 from being dialed, I still have fraudulent calls being made after hours. None of the calls have come from users that have Remote User enabled. The office is secure after hours so I know the cleaners are not calling home. I am using SMDR and my logs indicate the fraudulent calls are being made from local digital sets in the office.

I'm tearing my hair out trying to figure out how this could possibly be happening with these safeguards in place. I have read other threads that suggest TAPI hacking but I'm not clear on how that could be happening or how it could be bypassing the ARS tables.

Any thoughts would be greatly appreciated!!
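As an added example (not code from this thread or from Avaya), the script below parses SMDR output of the kind the post relies on and flags outbound calls placed after hours or to an international prefix, so a single compromised user or extension stands out. The SMDR field order is assumed from memory of the SMDR documentation, and the sample records are constructed, not real logs.

```python
import csv
from datetime import datetime

# IP Office SMDR field order as I recall it from the SMDR documentation
# (assumed; check the first lines of your own SMDR output before relying on it).
SMDR_FIELDS = ["call_start", "connected_time", "ring_time", "caller", "direction",
               "called_number", "dialled_number", "account", "is_internal",
               "call_id", "continuation", "party1_device", "party1_name",
               "party2_device", "party2_name"]

# Constructed sample records, not real logs: two daytime calls and two
# after-hours outbound international calls from digital extension 204.
SAMPLE_SMDR = """\
2014/06/03 09:12:41,00:03:10,2,201,O,01712345678,01712345678,,0,1000014201,0,E201,Extn201,T9001,Line 1.1
2014/06/03 14:05:02,00:00:45,5,01712345678,I,202,202,,0,1000014202,0,T9001,Line 1.1,E202,Extn202
2014/06/04 02:13:17,00:21:33,0,204,O,0038712345678,0038712345678,,0,1000014210,0,E204,Extn204,T9002,Line 1.2
2014/06/04 02:36:10,00:18:02,0,204,O,0097112345678,0097112345678,,0,1000014211,0,E204,Extn204,T9002,Line 1.2
"""

def parse_smdr(text):
    """Parse SMDR CSV text into dicts keyed by SMDR_FIELDS, adding a datetime 'start'."""
    records = []
    for row in csv.reader(text.splitlines()):
        if not row:
            continue
        rec = dict(zip(SMDR_FIELDS, row))
        rec["start"] = datetime.strptime(rec["call_start"], "%Y/%m/%d %H:%M:%S")
        records.append(rec)
    return records

def flag_suspicious(records, business_hours=(7, 19), intl_prefix="00"):
    """Return outbound external calls placed outside business_hours or dialled
    with the international prefix, each tagged with the reasons it matched."""
    flagged = []
    for rec in records:
        # Only outbound calls that left the system via a trunk are of interest.
        if rec["direction"] != "O" or rec["is_internal"] == "1":
            continue
        reasons = []
        if not business_hours[0] <= rec["start"].hour < business_hours[1]:
            reasons.append("after_hours")
        if rec["dialled_number"].startswith(intl_prefix):
            reasons.append("international")
        if reasons:
            flagged.append({"call_id": rec["call_id"], "source": rec["party1_device"],
                            "dialled": rec["dialled_number"], "reasons": reasons})
    return flagged
```

Run it over a real SMDR capture and group the hits by `source` to see whether one user or set accounts for all of the after-hours traffic.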




 
The calls are made from the User, not the actual digital set; there is a difference.
The only way to do so is with the password set up in one of the 2 options for user passwords. If they are set up with complex passwords then I would still change them and make them 8 digits or more.
Also check the forwarding option in the user to see if someone forwarded it.

Joe W.

FHandw, ACSS (SME), ACIS (SME)


"This is the end of the world, make sure to buy your T-shirt before it is too late"
Original expression of my daughter
 
Thanks for your reply @Westi.

No users have been call forwarded, the passwords are 8 digits and complex - I realize the calls come from the user and not the set, I mistyped. The calls are coming from digital sets in the office, as opposed to IP sets on the internet - The users actually have reported that the phones are going offhook and making calls as if possessed.

The administrator password is also 8 digits and complex, and all passwords have been changed since the first toll fraud instance, and it has reoccurred.


Any other thoughts?
 
Trace the system with SSA and Monitor. Monitor will show any PC connections and TAPI interfacing with the system; SSA will show what's being dialled and what it matches in real time. Close the port forwarding one night: if it happens, it's an internal PC that's doing it; if not, it's probably the port forwarding etc etc etc. You need to do lots more investigation beyond looking at SMDR data :)

 
Thank you @amriddle01 for your suggestions.

I do have monitor running since the last fraud instance, but it has yet to reoccur.

I'll take your suggestion regarding the SSA and have enabled trace all on all the trunks.

I have checked TAPI and the TAPI sub filters in the Monitor, are there others you might specifically suggest?


Thanks!!


 
Let me guess, the calls are going to the Balkans or the Middle East?

You make it pretty easy for them with that gaping hole in your firewall.
Some of your open ports are the ones Manager, SSA, Monitor and VMPro use for their connections.
Take a look in the Audit trails, you might see failed login attempts there.

Your passwords are not that safe; a clever boy can break them relatively quickly.
(and did you change the Monitor pwd as well?)

If VPN is out of the question(!): Make the routing more narrow, not 0.0.0.0.
That's an open invitation to all the hackers online.
Even if remote users have DHCP on from their ISP, the IP is not going to be totally random.
Then I'd bar international numbers you're never going to call; it's a half-hour collect-and-implement job.

Here's a pretty good document on securing the IPO

If the attack is coming from the inside, you need to protect the IPO from the computers.

Kind regards

Gunnar
Hippos have bad eyesight, but considering their weight, it’s hardly their problem

 
I had this happen, after I changed the password on the first page of the users, haven't had the problem since. I think they were using phone manager or something.
 
Are 49152-53246 UDP only, for RTP, or both TCP and UDP?

Joe W.

 
UDP is enough, because TCP ports in that range open SSA, Monitor, Manager and all the other applications.

Joe W.

 
Thank you Westi.

Any idea on how they might be getting past the ARS tables?
 
Not entirely correct, these applications use UDP ports:

50791 IPO Voicemail - To voicemail server address
50794 IPO Monitor
50795 IPO Voice Networking - Small Community Network signalling and BLF updates
50796 IPO PCPartner - Phone Manager or Softconsole

For one, ARS can be bypassed if there are any other short codes that provide trunk access.

Kind regards

Gunnar
 
Thanks for your reply Gunnar.

I have previously confirmed there are no other Dial short codes, the only one routes to the ARS.

At this point my best guess is that someone has been able to suck the config file off the IP office, despite strong admin passwords and disabled extraneous user accounts and are using that information to initiate these calls. Still don't know how they are bypassing the ARS. I've got monitor logging to a file every six hours waiting to see if there is another attempt.

Any other input would be appreciated, thank you all kindly for your assistance.

 
Can't say that I saw you specify that earlier, but ok.
Still, I would take a good look at every User's Short Codes and Button Programming.

If they gained access to the config, and were able to make changes to it, they could have "hidden" the trick there.

As for sucking out a config, I don't want to go into details on an open forum, but it is possible.

Kind regards

Gunnar
 
Hey, if the phone is being "possessed" it really has to be something TAPI/one-X controlling it; it shouldn't be Phone Manager now if it's 9.0.2. Whether that be on a PC on the LAN that's been hacked, or via open ports? If Monitor is open, then they could gain any info they like really. Clamp down the RTP UDP range to the minimum port range; make it a minimum 1024 range. Nothing in the audit trail showing failed login attempts or changes to the config, even from a trusted machine? Could be them putting a user/system short code in, as Gunnar states, but there are other options like FNE codes for users with twinning, or a DDI pointing to an FNE function, or a VMPro Dial $ action. Do you have Monitor logging full time currently? That'll show straight away what's happening tbh. Not sure they can kill the Monitor log. But do you have ACLs in place on the SIP router, and are the IP routes in the IPO masked to specific outside host addresses? Not that it should matter if the router has an ACL dropping traffic from other hosts; let the router do that bit. An SBC is a great upsell.
But isolate the IPO from the LAN perhaps for a period too. Shotgun approach :)
 
TAPI is the favourite, but there are other possibilities.

In general people need to wake up and face the reality.
Talented criminals are drilling into our systems around the globe.
Each day they are getting smarter, finding new ways to penetrate or circumvent security measures.

Spend a little money on your protection, or risk paying a hundred times more when you get hit.
It's not a question of IF, but WHEN you get a "visitor".

Kind regards

Gunnar
 
Best way:

- Change all users and passwords
- Deactivate accounts that are not used
- Deactivate Create Auto Extension (SIP and H323)
- Change the RTP ports (don't use over 50000)
- Put an account code on 011 calls

Be sure you cannot access Manager from your public IP address.
 
I have not read this entire thread, but how do you know the calls were made via the IPO? I have had a few instances recently that the Adtran supplied by the carrier was hacked and phone calls made from it. Of course the carrier blamed the IPO until I proved otherwise. What evidence do you have that the IPO originated the calls?
 
Cat5Jive said:
I am using SMDR and my logs indicate the fraudulent calls are being made from local digital sets in the office
I'd say that's a pretty good indicator of an IPO intrusion.

Kind regards

Gunnar
 
I have not read this entire thread, but how do you know the calls were made via the IPO? I have had a few instances recently that the Adtran supplied by the carrier was hacked and phone calls made from it. Of course the carrier blamed the IPO until I proved otherwise. What evidence do you have that the IPO originated the calls?

Example...

If some ports are open on your network and Create Auto SIP Extension is enabled, a person who scans your public IP address can create an extension remotely and make a call from their SIP phone...

Likewise with a soft Manager...

The port management is very important and can cause a lot of hacking on the IPO system...
 