sundance-communications.com/forum Forums TDM Business Telephone Systems NEC Telephones & Systems Hackers

We had our 1st SV8100 hacked, they got past the fire wall, used web pro to set call forward all calls to international numbers, I don't know what extension they used, they were smart enough to go back and undo the settings. The way I know they did it is the modification history, it shows the program number along with date and time, it does not and will not show what extension was used.

To all NEC techs change all passwords in web pro and make notes of what they are.

Dan S

If they hacked the VPN password assuming thats how they got in maybe an inside job??

Paul

No inside job.

Dial up or via VPN??

If you look in modification history, what user name did they use? Was the password default for that login? What day of the week was it done. Just curious, we had 4 SV8100s that were on public IPs due to CCIS, hacked on the last few saturdays. We made a mistake of not changing USER1 password due to keeping it default for software like desktop and shared services. All 4 system had someone log in as user 1 and fwd an extension to an international number (3 systems were the same number).
We have sinced changed/ disabled USER1 and also changed 90-28 logins for all extensions.
So if port 80 is open, you should change all of those.

They came in through port 80 using tech as the user name, I have since changed all passwords, not only on this system but all the ones we service.

First thing I do is change the passwords on the system.

Via the Internet?? I don't know of any one here who will allow direct access via port 80 via the Internet. They insist on convoluted VPN access only or dialup (if you don't have SIP trunks)..

Our customers IT company was supposed to setup the customers router to only allow access to port 80 from my offices WAN IP address, they failed to put that security procedure in place.

Changing port 80 is one of the first things I usually do. 1 reason being most of the time the customer is already using port 80. 2nd reason being a small SV8100 with like 3 phones was in service for 1 day and started to crash. it would come back up and then crash. With port 80 open it was getting flooded and would crash the system. I was on the road and had the customer reboot it and it would come up and then would go right back down. I had them unplug the patch cable to it thinking it was a bad port on the switch and it was fine. I called their IT guy and he checked and told me about the flood and ever since then I have changed it.