R9.0 Toll Fraud thru digital 5420 phone 1

[jeffthephoneguy]

Guys I have a weird one here. My customer has an IPO R9.0.7.Someone has hack us 3 times over digital phones. The phone goes off hook and the calls go out over the speaker like a ghost is making the calls. They have digital phones, SCN, and one-X but the phones that are being used are basic user profiles with no access to One-X. I even turned off intentional calling for the extension, but somehow this is being bypassed? Any one heard of this before?

Jeff
"the phone guy"
ACSS-SME
APSS-SME

http://www.bluestartelephone.com

 

[AACon]

I'm going to guess someone is logging in with tapi. Go disable tapi in security settings.

Is this thing exposed to the internet?

-Austin
I used to be an ACE. Now I'm just an Arse.

 

[jeffthephoneguy]

I think it is somehow. they have one-X so it has to be accessed.

Jeff
"the phone guy"
ACSS-SME
APSS-SME

http://www.bluestartelephone.com

 

[jeffthephoneguy]

Disabled TAPI now. we are changing all our customers over to VPN access for One-X. I have not gotten to them yet. I have not ever seen this type of hack before. Is this common?

Jeff
"the phone guy"
ACSS-SME
APSS-SME

http://www.bluestartelephone.com

 

[jeffthephoneguy]

how would TAPI overide my ARS restrictions for 011N Barred?

Jeff
"the phone guy"
ACSS-SME
APSS-SME

http://www.bluestartelephone.com

 

[IPGuru]

we are changing all our customers over to VPN access for One-X.

if this means what I think it does & you have the IP Office has a public IP address then it is no surprise that you are being hacked.
The hacker has also probably got access to system programming so he can disable call baring easily.
or possibly you have failed to bar any possible network prefixes which would enable users to bypass barring, for example in the uk 141 can be used as a prefix to disable CLI & if it is not barred correctly then call barring can be bypassed easily.

the only thing that surprises me is the fact that he is taking control of a phone to achieve his ends instead of simply re-routing calls temporarily, perhaps he expected no-one to be there & did not want to leave obvious clues in the Audit trail.

Besides TAPI, Phone manager is also a possibility. Although no supported on V9.0 I believe that the code had not been removed & it would still function.

Bottom line, secure the network so that the IPO Office is no longer accessible via the internet.




Do things on the cheap & it will cost you dear

 

[janni78]

I'm assuming you're using SIP trunks.
What ports are forwarded to the IPO?

"Trying is the first step to failure..." - Homer

 

[jeffthephoneguy]

no sip trunks, PRI. And the company that installed this before us had LAN2 on the internet wide open. I was able to lock manager down before they were hacked, but the hacker used TAPI to dial out even though I had international calling for that extension barred. Now I have the system off the open internet and TAPI disabled in security. I think we are good for now until these buggers come up with another way to get in.

Jeff
"the phone guy"
ACSS-SME
APSS-SME

http://www.bluestartelephone.com

 

[critchey]

It is still amazing to me just how many people put their systems on the public internet and think they won't get hacked. If they are on public internet and you take over advise them to remove it and make it crystal clear you will not be responsible WHEN they get hacked not IF. Getting something signed even better.