Member | Joined: Jul 2005 | Posts: 1,336
Our carrier rang up this morning. Our office 8100 system was hacked at the weekend. Somehow they got in via one of our ADSL circuits and used a 3rd party SIP client to find a spare port with a station number assigned, registered it, and then used it to call out to South America. After the hack they deregistered all but one of the three ports they used, and it was a dead giveaway as it came from 192.168.1.4, which is not in any of our address ranges, and the SMDR shows lots of calls over the weekend from these 3 stations. We have Intl Toll barred all ports except our desk sets in day mode, and all ports in night mode. We have no form of remote access to our in-house system and there were no MAC records in Webpro. Here's hoping that our telco lets us off the call charges. :-)
Regards,
Paul W Now back to a 0 day week. Love these 7 day weekends.
Member | Joined: Jul 2005 | Posts: 1,336
We now know how they got in. Last week we set up uMobility on one of our ADSL circuits with port 5070 pointing to our house systems. They must have done a random scan for an open port 5070 until they found one, and the rest is history.
Regards,
Paul W Now back to a 0 day week. Love these 7 day weekends.
Member | Joined: Aug 2005 | Posts: 2,125
Just curious: did the int'l number start 9 011 632 xxxx xxxx?
Used to be a lot of weak voicemails that got forwarded to Manila...
Member | Joined: Jul 2005 | Posts: 1,336
No. Mostly to country code 232 = Sierra Leone, and a couple to CC 972 = Israel and CC 562 = Santiago (Metropolitan Region).
We could still see them yesterday trying to access the system. One of the guys is going to do some Wireshark traces today and see if he can see where they are coming from, though I suspect they will be using some relay system.
Regards,
Paul W Now back to a 0 day week. Love these 7 day weekends.
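A defender-side check for the two giveaways described in this thread (registrations from an address outside the site's own ranges, and SMDR records of international calls to unexpected countries or placed off hours), written as an added example that is not the poster's or NEC's code. The address ranges, trunk prefix, allowed countries, business hours, the trimmed country-code table and the log lines are all assumptions or constructed data, not taken from the poster's system.

```python
import ipaddress
from datetime import datetime

# Assumed site ranges; the 192.168.1.4 registration in the thread was outside them.
SITE_NETS = [ipaddress.ip_network(n) for n in ("10.10.0.0/16", "192.168.50.0/24")]
TRUNK_PREFIX = "9011"                       # assumed: 9 for trunk access, 011 international
KNOWN_CC = {"1", "44", "56", "232", "972"}  # ITU codes, trimmed to what this example needs
ALLOWED_CC = {"1", "44"}                    # assumed: countries the business really calls

# Constructed registration log: (station, source IP, timestamp)
REGISTRATIONS = [("201", "10.10.4.21", "2013-04-06 08:02"),
                 ("215", "192.168.1.4", "2013-04-06 22:41"),
                 ("218", "192.168.1.4", "2013-04-07 01:13")]
# Constructed SMDR-style call records: (station, dialled digits, start, minutes)
SMDR = [("201", "90114420712345678", "2013-04-05 10:15", 3),
        ("215", "9011232776123456", "2013-04-06 23:02", 41),
        ("218", "9011972541234567", "2013-04-07 02:30", 18),
        ("218", "9011562123456", "2013-04-07 02:55", 12)]

def outside_site(src_ip):
    """True when a registration came from none of our own address ranges."""
    ip = ipaddress.ip_address(src_ip)
    return not any(ip in net for net in SITE_NETS)

def country_code(dialled):
    """Country code of an international call, None if domestic, '?' if unknown."""
    if not dialled.startswith(TRUNK_PREFIX):
        return None
    rest = dialled[len(TRUNK_PREFIX):]
    return next((rest[:n] for n in (3, 2, 1) if rest[:n] in KNOWN_CC), "?")

def flag_calls(records):
    """International calls to unexpected countries, or placed outside 08-18 on weekdays."""
    hits = []
    for station, dialled, start, _minutes in records:
        cc = country_code(dialled)
        if cc is None:
            continue                                   # domestic call, not of interest here
        t = datetime.strptime(start, "%Y-%m-%d %H:%M")
        if cc not in ALLOWED_CC:
            hits.append((station, cc, "unexpected country"))
        elif t.weekday() >= 5 or not 8 <= t.hour < 18:
            hits.append((station, cc, "off hours"))
    return hits

def suspicious_stations(regs=REGISTRATIONS, calls=SMDR):
    """Stations that registered from outside or made flagged calls: the ones to deregister."""
    stations = {s for s, ip, _ in regs if outside_site(ip)}
    stations.update(s for s, _, _ in flag_calls(calls))
    return stations
```

Run against the constructed data it returns stations 215 and 218, the two that both registered from 192.168.1.4 and dialled the Sierra Leone, Israel and Chile numbers.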
Member | Joined: Jul 2005 | Posts: 1,336
The hackers are still at it. They seem to have a fixation with station numbers in the 2XX range. It is coming from IP address 37.8.45.72; the ISP is Hadara, located in Ramallah, Palestinian Territory. Time to send in a drone. Whether that is the origination location is anyone's guess.
Regards,
Paul W Now back to a 0 day week. Love these 7 day weekends.
Member | Joined: Apr 2007 | Posts: 1,439
NEC's official response to the issue is pretty weak, but here it is nonetheless:
» Knowledgebase: Hacking of the SV8100 (ID# 10628) | Published 04/05/2013 08:36 AM | Updated 04/05/2013 09:17 AM
Products: SV8100 | Categories: Documentation, Engineering, KB Article, Features, Business
What can be done to protect the SV8100 from hacking?
Like other customer-sensitive network equipment, the SV8100 should be placed behind a network firewall and all relative ports should be blocked from outside access. To ensure security, port XXX (HTTP) for the Web Pro port, port XXX for the PCPro port and port XXXX for the DIMM port should all be secured from outside Internet access.
Along with the above network firewall protection, all user names and passwords should be set to the maximum allowed entries in PRG 90-02.
User Names can be set for up to 10 upper case, lower case and special alphanumeric characters.
Passwords can be set for up to 8 digits using only digits 0-9, * and #. Note: Unlike the User Name, all special characters cannot be used in the password. Only * and # are allowed.
Avoid sequential numbers and mix in as many combinations of the allowed digits as possible. An example of usernames and passwords would be:
Username: TeSt96@K#*
Password: *538#*49
When changing the username and passwords, the changes should be documented and stored by the Associate. These changes should also be provided to the customer for safe storage.
If ports are going to be forwarded in the router for Remote Maintenance, then NEC recommends changing the default well known port numbers of Web Pro and PCPro in programs 90-54-01 and 90-54-02.
(I X'ed out the default port numbers so hackers don't know where to start. Probably doesn't matter though. ~TTECH)
Last edited by ttech; 04/10/13 05:24 PM.