Hi,
Got hacked the last 2 nights & lost £91 (thankfully no more, my account tops up & stopped after 3 quick £20s, not sure why but pleased)
Sipgate Trunk but don't think their fault but not 100% sure
First night got email from Sipgate - call blocked to high value overseas. No lost money.
I was actually locked out of the pbx (unless in my panic somehow got the pw wrong but 99% sure did not)
I use PC Pro but web is enabled, I will look into whether I can turn this off.
Factory reset, uploaded saved config.
I realised I have been testing a new router and left the IP port fully open just that 1 night. Actually, stupidly did not worry as this router does not have SIP ALG and I CANNOT call out anyway so figured OK. Was going to lock once got working or knew not helping.
Closed port, changed SL1100 login PW but NOT the profile Sipgate PW credentials!!
2nd night
£91 taken. This time hundreds of low value calls to Egypt & other places, even locally to the UK 0116-4400011, so guess not picked up by Sipgate.
In a matter of seconds I think a few thousand calls, how does that work!
What I am trying to work out is what happened & how can I stop it.
Did they just steal the credentials and use elsewhere or perhaps that night try & fail but keep the login info.
2nd night use on a different system or access the pbx again. I was NOT locked out this time.
If used the pbx again my concern is how do they get past firewall & NAT. Port was definitely shut this time. I do not have any port forwarding as seems to work without & thought if not set up is more secure without PF.
I guess hackers are pretty good at what they do but I could not see the admin password on 90-02, only the dots; have to re-type over.
I think can assume they can get past those hidden PWs in the config, but surprised at the ease can access the pbx at all with a different login; to be honest only had a 4 digit code (though random - was still "tech" user!!), guess a brute force attack would take seconds if the system allows rapid incorrect attempts.
Still surprised that in just 1 night they found the open port on the pbx & got past the password, time to open 10-36 the authentication pw (also hidden).
I hope with 10-36 changed & no ports open should be secure & guess as not many mentioned on here the NEC generally OK.
What is annoying most of the calls were made on a 2nd Sipgate trunk (On the same account) which I do not use & does NOT have a number assigned. I would have thought this would have failed anyway if no number assigned.
Also disappointed Sipgate did not detect this very off behaviour, hundreds of calls to the same number, I think about 80 or more a second?
I cannot think of any of this being considered normal behaviour.
Still waiting to migrate my main ISDN account & huge relief I did not as can disconnect from LAN completely when worried.
I read a lot where people say set it up to prevent certain calls etc. but if they can actually access the pbx they can turn off any barring anyway.
Also if they can get past the main login means only NAT protecting and whilst I think pretty secure I do not think this is its purpose & to be 100% relied upon, unless my "tech" & only 4 digit pw simply made it too easy.
Any advice on what you think happened & how to protect, or should I be OK now?
Any PWs & codes now are full length & have other characters where allowed.
(never used or set up voicemail, no inmail software or licence, do I need to do any more, could someone turn on something, have 2 mlt, one on voip)
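
Added example, not part of the original post: a small call-velocity check of the kind the post expects for "hundreds of calls to the same number" and for calls on a trunk that is never used. The CDR line format, trunk names, thresholds and sample records are all assumptions constructed for illustration, not Sipgate or NEC data.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=10)   # assumed look-back window
MAX_CALLS = 5                    # assumed ceiling for a small office per window
ACTIVE_TRUNKS = {"trunk1"}       # assumed: trunks expected to carry outbound calls

# Constructed CDR lines: ISO timestamp, trunk, dialled number (reserved test range).
SAMPLE = [
    "2024-01-01T09:00:00,trunk1,+441632960001",
    "2024-01-01T09:12:30,trunk1,+441632960002",
    "2024-01-01T13:45:10,trunk1,+441632960001",
] + [
    # Eight calls inside one second on the trunk that is never used.
    f"2024-01-02T02:14:00.{ms:03d}000,trunk2,+441632960099"
    for ms in range(0, 800, 100)
]


def parse(line):
    """Split one constructed CDR line into (timestamp, trunk, destination)."""
    ts, trunk, dest = line.split(",")
    return datetime.fromisoformat(ts), trunk.strip(), dest.strip()


def detect(lines):
    """Return sorted (trunk, reason) alerts, at most one per trunk and reason."""
    recent = defaultdict(deque)  # trunk -> (timestamp, destination) inside WINDOW
    alerts = set()
    for ts, trunk, dest in sorted(parse(l) for l in lines):
        if trunk not in ACTIVE_TRUNKS:
            alerts.add((trunk, "outbound call on unused trunk"))
        q = recent[trunk]
        q.append((ts, dest))
        # Drop records that have aged out of the sliding window.
        while q and ts - q[0][0] > WINDOW:
            q.popleft()
        if len(q) > MAX_CALLS:
            alerts.add((trunk, "call burst"))
            if len({d for _, d in q}) == 1:
                alerts.add((trunk, "burst to single destination"))
    return sorted(alerts)


if __name__ == "__main__":
    for trunk, reason in detect(SAMPLE):
        print(f"ALERT {trunk}: {reason}")
```

Run against an exported call log on a schedule, a check like this catches the burst pattern even when each individual call is low value.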