
Possible Hacking?


Kibbs308

Technical User
Jun 28, 2011
60
US
I am currently seeing this in my IP Office Monitor. I have an IP Office 500v2 with 10.0 software and am using OneX Mobile for outside employees. This appears to be something from outside attempting to log into extension 919, which does not exist. I have SIP register turned off and H323 Auto's off as well as remote extension off. I have watched this part - From: <sip:xxx - go from extension to extension, changing every few minutes, for a while now and even had my team block the IP address from coming in through our firewall. None of my passwords are default and the users that are not being used are deactivated. After all this I am still getting this entry on the monitor every minute or so.

My question is am I correct in thinking this is an attempt at hacking my system? My SIP provider tells me the IP address 95.217.58.7 is registered to RIPE Network Coordination Centre out of Amsterdam.

14:19:29 69803650mS SIP Rx: UDP 95.217.58.7:57563 -> xxx.xxx.xxx.xxx:5060
REGISTER sip:xxx.xxx.xxx.xxx SIP/2.0
Via: SIP/2.0/UDP 95.217.58.7:57563;branch=z9hG4bK918055911
Max-Forwards: 70
From: <sip:919@xxx.xxx.xxx.xxx>;tag=184735054
To: <sip:919@xxx.xxx.xxx.xxx>
Call-ID: 1104179881-1591890171-290007897
CSeq: 1 REGISTER
Contact: <sip:919@95.217.58.7:57563>
Content-Length: 0
User-Agent: Avaya IP Phone 1120E
 
If you are doing port forwarding for the ONE-X client from port 5060 then they will try to access your system. The only way to beat this is to install a SBC for security.
Mike
 
I do not think we are using 5060 for anything, including One X, as far as I can see. I even changed the default ports in the VOIP settings on the IPO and then turned them off again. Besides that, in this Monitor entry I removed the IP address of our phone system and placed the xxx.xxx.xxx.xxx, not the One X portal address. The other thing I noticed is that the port number at the end of the 95..... address also changes: here it shows :57563 but I can see it currently shows on the live view :57579. Also, if I look at the SIP Phone Status nothing ever shows in there.
 
Check the port forwarding in the firewall. Check the logs in the firewall; you should see the same IP accessing the firewall and what port it is trying to use. The IPO will change the port as needed behind a firewall to use what is assigned or available for the RTP ports, which is what looks like the case.
Mike
 
Have you opened 5060 for everyone because of your SIP trunk?

It should only be allowed from the SIP providers servers, unless you need to connect SIP clients from outside the office in which case TLS should be used for those.

"Trying is the first step to failure..." - Homer
 
And also if you need to use SIP clients outside of the office do not use port 5060, it is customisable so should be changed!

| ACSS SME |
 
I am not using port 5060; that is one of the reasons I cannot figure out why or where this is coming from. I have had my firewall block this address and checked to see if it is even coming in, and it is not shown in the firewall traffic at all, but yet I am still seeing this every minute or so in the sysmon, and there is nothing indicating anything is happening in SSA. The other part that is confusing me is the User-Agent: Avaya IP Phone 1120E. It has been a while since I have programmed one of these but I don't remember them being a SIP phone at all; they were just H323 and didn't have remote capabilities. So why would this be identifying with this? Is it possible this is something internal like a monitor or probe checking? I do have a network probe running for our IT Management solution.
 
You don't have to be using the port for anything. The fact that you have an IP Office and that its address is accessible is enough for hackers to then attempt to find whether it has any other ports open - in most cases the useful (to them) ports such as 5060.

So if you're not using it you need to have it blocked (or not open and forwarded) at your external firewall/router/whatever. And that includes making sure there's no default "for traffic without a specific forward forward it here" rule with the IP Office as its destination.

Stuck in a never ending cycle of file copying.
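Detection logic a defender could run over a Monitor trace like the one posted above, covering the two points raised in the thread: REGISTER requests for extensions that do not exist on the IPO, and 5060 traffic arriving from anything other than the SIP provider's servers. This is an added example, not code from the original thread or from Avaya; the trace is constructed after the posted entry, and the IPO address 10.0.0.5, the provider range 203.0.113.0/24 and the extension list are assumptions.

```python
import ipaddress
import re

# Constructed IP Office Monitor (SysMonitor) SIP Rx trace, modelled on the entry in the
# original post; 10.0.0.5 (the IPO) and 203.0.113.10 (a SIP provider server) are invented.
SAMPLE_TRACE = """\
14:19:29 69803650mS SIP Rx: UDP 95.217.58.7:57563 -> 10.0.0.5:5060
REGISTER sip:10.0.0.5 SIP/2.0
From: <sip:919@10.0.0.5>;tag=184735054
Contact: <sip:919@95.217.58.7:57563>
User-Agent: Avaya IP Phone 1120E

14:20:31 69865210mS SIP Rx: UDP 203.0.113.10:5060 -> 10.0.0.5:5060
REGISTER sip:10.0.0.5 SIP/2.0
From: <sip:201@10.0.0.5>;tag=7f3a
User-Agent: constructed-trunk/1.0
"""

RX_LINE = re.compile(r"^\S+ \d+mS SIP Rx: (UDP|TCP|TLS) (?P<src>[\d.]+):(?P<sport>\d+) -> ")
FROM_USER = re.compile(r"^From:\s*<?sip:(?P<user>[^@>;]+)@")

def parse_trace(text):
    """Split Monitor output into per-message dicts (src, sport, method, user, agent)."""
    msgs, cur = [], None
    for line in text.splitlines():
        m = RX_LINE.match(line)
        if m:
            cur = dict(m.groupdict(), method=None, user=None, agent=None)
            msgs.append(cur)
        elif cur is None:
            continue
        elif cur["method"] is None and re.match(r"^[A-Z]+ sip:", line):
            cur["method"] = line.split()[0]              # SIP request line
        elif FROM_USER.match(line):
            cur["user"] = FROM_USER.match(line)["user"]  # extension being registered
        elif line.lower().startswith("user-agent:"):
            cur["agent"] = line.split(":", 1)[1].strip()
    return msgs

def flag_register_scans(text, known_extensions, provider_nets):
    """Map source IP -> extensions it tried to REGISTER, for REGISTERs from outside the provider ranges or for extensions the IPO does not have."""
    nets = [ipaddress.ip_network(n) for n in provider_nets]
    hits = {}
    for m in parse_trace(text):
        if m["method"] != "REGISTER":
            continue
        trusted = any(ipaddress.ip_address(m["src"]) in n for n in nets)
        if not trusted or m["user"] not in known_extensions:
            hits.setdefault(m["src"], []).append(m["user"])
    return hits
```

Run `flag_register_scans(SAMPLE_TRACE, {"201", "202"}, ["203.0.113.0/24"])` to get the offending source and the extensions it probed; the sport field also shows the changing source port the poster noticed.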
 
Many things seem strange with this, one being that it's saying it's a 1120E phone.

The IP that you have crossed out is that your external IP?
Does Hetzner Online mean anything to you? (who owns the IP range)

"Trying is the first step to failure..." - Homer
 
I said the same thing; that is one of the reasons I came here.

No the IP address that's X'ed out is my internal IP address.

The IP is owned by RIPE Network Coordination Centre out of Amsterdam, and I have never heard of Hetzner Online before.

I am beginning to wonder if it is something internal that just gives off an ID that makes the system think it's an 1140, either that or I am just going crazy lol. Next week I am going to schedule some time to disconnect the provider from the firewall and see if I continue to get the same message.
 