ipo 8.1 toll fraud 1

[jr001]

Hi ,

I had one of our clients say that his telco suspended their LD service because they think the IP office got hacked.

Here are the facts:
IPO 8.1
No sip or ip endpoint licensing only digital sets and analog trunks.
Embeded VM.

The system is on a public IP so i can manage it remotely but i have changed the Administrator and security password.

I cant figure out were they would have been hacked through?

Any help would be appreciated.

 

[ncarter2]

With a public IP Someone could log in with the "Operator" user and set up call forwarding to a Toll Number, Check the "Audit Log" for any strange changes being made, and look for users that are set to Forward that shouldnt be. Need to be very careful with IP office on a Public IP

 

[jamie77]

If it is on a public IP have you restricted that to only your office public IP and only the ports you need on the firewall?? If not, you have opened the doors to the bad people and it WILL be abused. Get it firewalled properly NOW!!!

Just changing the Admin and security p/ws is not enough.

If not, they could go through IP Office Manager, Web Manager, use TAPI, use Phone Manager, maybe try register a remote H.323 phone. Only IPO Manager access really shows up in the Audit Trail.


Jamie Green

[bold]A[/bold]vaya [bold]R[/bold]egistered [bold]S[/bold]pecialist [bold]E[/bold]ngineer

 

[sizbut]

Whilst you set about making that public IP access more secure, change all the passwords for all the Service Users in the security configuration and set those that aren't used to be Disabled. There are a lot more accounts than just Administrator.

Stuck in a never ending cycle of file copying.

 

[amriddle01]

They brute force the username/passwords, it's only a matter of time once they start trying

 

[jr001]

I removed all the other accounts ( disabled them ) other that the administrator acct which has a complex password. i have checked all users to make sure they have no forward option or twining activated and no weird shortcodes.
I have also changed the password on the remote user profile and the system has no ip licensing so no one can create a remote h323 extension.

Do you think with theses steps done the system should be secure?

 

[amriddle01]

Not really, they could still use Phone Manager to forward some extns or generate calls to premium rate numbers they own or call themselves then transfer to Angola etc etc

 

[amriddle01]

Monitor can be used to shut the system down amongst other things and that password can be sniffed, best to limit IP's the system responds to with IP routes

 

[94astro]

An 8.1 off mine got hacked a few weeks ago, they set up international forwarding on users. I think they used phone manager to do this. After talking to guys here on the board, I did what you've done plus gave every user a password.

 

[EmuDan]

The best way to remotely administer is with something like Teamviewer, LogMeIn, GoToAssist, etc.. You need to have a secured connection, and the IPO should be behind a firewall.

Dan

What's that? Your paging doesn't work?! Just get yourself a good bullhorn..problem solved!

 

[itguy604]

Pardon my ignorance, but what do these people do with Toll Fraud?

Do they call their relatives and talk for hours? Isn't this all traceable ?

It all shows up on the phone bill, doesn't it?

 

[gwebster]

Yes it shows up. But that can be after they have run up a huge bill - at your expense.

 

[Laxboye]

I have a lot experience fighting toll fraud for as a consultant for many telco's. The people who hack these systems use the hacked capacity to sell on the black market or even the legit wholesale long distance market. They usually like to hit the PBX hard over a weekend because no one will notice. Then they rack up thousands of dollars to very high LD termination places like Africa, eastern Europe and Cuba etc.

Best way to protect yourself is a VPN to the switch and only have the switch answer on specific ports you need. If it must be on the public IP then specify what address the unit can answer to and what port. If you are not using SIP always block ports 5060,61.