Business Phone Systems Tech Talk Forum - VOIP & Cloud Phone Help

#535262 09/13/12 12:35 AM
Joined: Jul 2009
Posts: 157
Member
We have many, many OfficeServ systems out there using SIP accounts for outgoing calls.

Recently we have had two customers receive bills in the thousands of dollars for international calls they obviously did not make. I am aware of hacking through the voice mail and this is programmed out of the systems, and the voice mail logs show no call attempts through the voice mail.

When looking at the billing from the carrier, there are obviously more calls being made simultaneously than the phone system will support.

The carrier is stating it's the customer's equipment at fault; we believe they are logging directly into the carrier's network, so they must have gained the username and password for the account. But where from is the question? If it were our office that was compromised I would imagine it would be a lot more than just 2 (of hundreds) customers, and the phone systems, whilst they are accessible via remote programming, are secured with secure passwords.

Anyone had this issue before and able to prove it was not the customer's equipment? Carrier is simply saying they have to pay and are not interested in trying to resolve how they got in.


Cheers, Dave.
Eco Communications
Selling and installing Ericsson BP150/50/250 from 1996 to 2005
Samsung selling and installing since 2000
Toshiba selling and installing since 2004
Microsoft NT and SQL certified (10 years ago...)

Joined: Jun 2006
Posts: 3,004
Likes: 4
Moderator-Samsung
Hey Dave,

We had this happen to a heap of customers earlier this year.
Can you ask the carrier for a list of the IPs that the calls originated from?

What I'd say has happened is that someone has got the username/password and registered it on an Asterisk box or similar for a dodgy calling card type provider.

We set up a "customer level" username/password which doesn't have access to the SIP settings or the system settings, so that way no-one can get any info like this.

Is it the main SIP provider we use or another one?

Cheers
Steve

Joined: Jul 2009
Posts: 157
Member
Yeah last two were the same provider, but we did have another one back in March on MNF. Getting the office to request the IP addresses that originated the calls, but then they are still saying that even if the calls were not made through the customer's phone system then the passwords must have been obtained from compromised customer equipment.

I know the calls didn't go through the systems, as they all happened overnight and looking at the modem history graph there has been no overnight traffic over the last week, so not voice mail hacking/dialling (also voice mail logs show no calls passing through).

We don't tell the customers how to program anything, not even customer level programming for speed dials and such; we do it all for them remotely, so none of our customers even know how to get into user programming, let alone the password.

I just realised something - will tell the carrier it's the same phone system they use in their own office - in fact installed by the same tech!!

But it still leads to the question of where they are getting the SIP user name and passwords from.

Last edited by SeaComms; 09/13/12 07:37 AM.

Cheers, Dave.
Eco Communications
Selling and installing Ericsson BP150/50/250 from 1996 to 2005
Samsung selling and installing since 2000
Toshiba selling and installing since 2004
Microsoft NT and SQL certified (10 years ago...)
Joined: Nov 2009
Posts: 602
Samsung Moderator
Did you get the bulletin about the SIP Peering vulnerability of the Samsung prior to ver 4.53? They may have buried it in a manual but I've had to call Samsung about it as it was happening to our office. If you haven't already, there is a setting for Carrier Exclusive (837) that will stop this if your system is up to the right version; otherwise you will need to upgrade the system to the proper version or it will keep happening.

Joined: Jun 2006
Posts: 3,004
Likes: 4
Moderator-Samsung
So what about the systems that can't go to 4.53c (OS7100 MP10, OS7200 MCP, OS7400 MP40 with SM cards)?

We have never had that bulletin here. They have told us about carrier exclusive, but not as a toll fraud prevention, more as a way to prevent nuisance callers (or people trying to use well known hacking tools for Asterisk boxes).

Joined: Nov 2009
Posts: 602
Samsung Moderator
I don't know the specifics of what they do but they nailed us overnight; fortunately we were using a test SIP account.
At the time 4.53 wasn't out so we just restricted IPs on 5060 to our carrier within the firewall and it never happened again.

Last edited by Genesiscomm; 09/13/12 09:06 AM.
Joined: Jun 2006
Posts: 3,004
Likes: 4
Moderator-Samsung
I don't forward 5060 anymore, just use the "alive notify - options" setting in SIP carrier options, and set it to a low value and it works with the need for 5060 for trunks.

The extensions I change the port from default.

Joined: Nov 2009
Posts: 602
Samsung Moderator
I would still be looking at the system. I wouldn't think that many of your customers' SIP accounts got hacked, especially when Samsung acknowledged a problem with peering being vulnerable. Who knows to what extent people can exploit it, and you know how persistent these people can be.
nameless, I was told even if you're using the alive notify to still do a DENY ALL on 5060 and then allow your carrier's IPs. It is a pain in ***, especially if they tend to change IPs once in a while, but it did stop all of our problems.

Joined: Jul 2009
Posts: 157
Member
Interesting, never heard of that one before. This system is 4.53c and just looked through and SIP peering is disabled.

ISP has come back and says the calls were made from the customer's IP address - so either it was through the system somehow or the IP was spoofed. Looked back over the data traffic for the last week and nothing out of the ordinary, nor any traffic at all overnight or weekend.

Awaiting call records from the SIP provider so I can see if multiple calls were made at once - only 2 SIP licences and 2 MGI channels.


Cheers, Dave.
Eco Communications
Selling and installing Ericsson BP150/50/250 from 1996 to 2005
Samsung selling and installing since 2000
Toshiba selling and installing since 2004
Microsoft NT and SQL certified (10 years ago...)
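
The check Dave describes in this thread (more simultaneous calls on the bill than the PBX has channels) combined with the originating IPs Steve asks the carrier for, as an added example that is not part of any post here. The CDR field layout, the site IP and all sample rows are constructed assumptions; a real carrier export will need its own parsing.

```python
from datetime import datetime, timedelta

# Constructed sample CDR rows: (start, duration in seconds, source IP, dialled number).
# IPs are RFC 5737 documentation addresses; numbers are invented.
SAMPLE_CDRS = [
    ("2012-09-12 01:00:00", 900, "203.0.113.10", "0011-000-0001"),
    ("2012-09-12 01:05:00", 900, "203.0.113.10", "0011-000-0002"),
    ("2012-09-12 01:10:00", 600, "203.0.113.44", "0011-000-0003"),
    ("2012-09-12 01:12:00", 300, "203.0.113.44", "0011-000-0004"),
    ("2012-09-12 09:30:00", 120, "198.51.100.7", "02-0000-0000"),
]

def parse(rows):
    """Turn raw rows into (start, end, source_ip, number) tuples."""
    calls = []
    for start, seconds, ip, number in rows:
        begin = datetime.strptime(start, "%Y-%m-%d %H:%M:%S")
        calls.append((begin, begin + timedelta(seconds=seconds), ip, number))
    return calls

def peak_concurrency(calls):
    """Sweep over start/end events and return the most calls active at once."""
    events = []
    for begin, end, _ip, _number in calls:
        events.append((begin, 1))
        events.append((end, -1))
    # At equal timestamps process hang-ups (-1) first, so back-to-back
    # calls on one channel are not counted as overlapping.
    events.sort(key=lambda e: (e[0], e[1]))
    active = peak = 0
    for _when, delta in events:
        active += delta
        peak = max(peak, active)
    return peak

def audit(rows, licensed_channels, site_ip):
    """Compare billed calls with what the PBX could physically have placed."""
    calls = parse(rows)
    peak = peak_concurrency(calls)
    return {
        "peak": peak,
        "exceeds_pbx_capacity": peak > licensed_channels,
        "foreign_sources": sorted({c[2] for c in calls if c[2] != site_ip}),
    }

if __name__ == "__main__":
    print(audit(SAMPLE_CDRS, licensed_channels=2, site_ip="198.51.100.7"))
```

A peak above the licensed channel count, or any source address other than the site's own, is evidence that the account was registered somewhere other than the customer's PBX.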
Joined: Jul 2009
Posts: 157
Member
Well a third one got done last night, our own office!!

Finally worked out the link between them all - all 3 have non-Samsung SIP extensions....

That's not bad going, 3 out of the 5 sites we have with SIP extensions get hacked into within the week, guessing both username and passwords.

Passwords changed, will look at changing ports tomorrow and also waiting for the 4.6 software to upgrade the 7030's to increase password strength to 8 character alphanumeric.

We also had several failed attempts to log into our own office system via management tool from a Ukrainian IP address... Man these guys are persistent.


Cheers, Dave.
Eco Communications
Selling and installing Ericsson BP150/50/250 from 1996 to 2005
Samsung selling and installing since 2000
Toshiba selling and installing since 2004
Microsoft NT and SQL certified (10 years ago...)
Sundance Communications is not affiliated with any of the above manufacturers. Sundance Phone System Forums - VOIP & Cloud Phone Help
©Copyright Sundance Communications 1998-2024