atcomsystems.ca/forum Forums TDM Business Telephone Systems Samsung Telephones & Systems SIP Accounts hacked

They are very persistent. You should lock down the ports for IT Tool/DM immediately for 2 reasons, 1- there's a backdoor password that you have no control over. 2- if they hammer port 5090 it locks your system up (i just had this happen last week).
Even worse if you have 23 open to the system for File control that password is always default and you cannot change it.

Change you SIP extension port in sip stack/ext/trunk options to something other then default and change the port forward in your router accordingly as well.

I had todo this as a couple of months ago they were hammering port 5060 with a asterix hack tool to try to get in and it locked up the sip stack requiring a reboot of the system and router.

Steve - is there a set range to the ports that can be used for SIP extensions? I havent tried going down the range (only just thought of that whilst writing this...) but when going up I can not get it to log in with anything past 5063? I have made sure ports in the modem are forwarded each time and set the same new port in SIP extension TCP port and SIP extension signal port, but anything above that just refuses to connect.

Haven't tried running any traces though, since the remote SIP client is my mobile and was doing this from home! Also means I cant lock the modem down to a set IP as the SIP client is my mobile phone which can connect from any IP the carrier gives me, or any WiFi network I connect to.

You guys have my Full attention. Where's the popcorn.
I'm shutting down ports now. Didn't realize some of these security issues. Is there a clearly defined list of ports used for each purpose on Samsung? Offline of course. TIA

This still works OK for incoming calls?

Also, I changed ports on the SIP extensions as per above and could no longer get SIP trunks to register!! Had to change it back to what it was. Will try fiddling again today if I get time.

Same happened in our office a few days ago! Somebody loged in via Non Samsung SIP client/phone and made lots of calls to Haiti! We'll really have to pay max attention.

Dave - I'll send you screen shots of my sip carrer and trunk/ext screens from my system (OS7200 MP20 4.60b).
*edit* and my router port forwards *edit*

The 4.60b OS7030 files have been avail since release, they just haven't been shipping with them, though i got an email today saying all ones sent from today will come pre-loaded with 4.60b.

It's cause they don't want to unpack them, upgrade them and pack them up again that we don't get them with the new version at release.

They just change the files on the SD card for all the other systems.

I just block out entire regions (pretty much anything outside of the US such as all APNIC).
Use this site to get the ranges you can block and where they are
https://www.ipdeny.com/ipblocks/

Depending on your router version you can find premade config files just for this usually for cisco equip.
If your really lucky and have a Linux firewall you can install software to block out specific countries and it updates the IP's for you
Either way i would focus on Eastern Europe and most of Asia.

Na, cant get the system to fire up on SIP if I change the extension ports or activate Alive Notify - very weird. Will try again once we get our SIP account changed back from individual user accounts shortly.

I like the idea of the IP blocks - will look into that one as I have a couple of sites left I cant get access to the remote phones to reprogram anything.