Posted By: SeaComms SIP Accounts hacked - 09/13/12 04:35 AM
We have many, many OfficeServ systems out there using SIP accounts for outgoing calls.

Recently we have had two customers receive bills in the thousands of dollars for international calls they obviously did not make. I am aware of hacking through the voice mail and this is programmed out of the systems, and the voice mail logs show no call attempts through the voice mail.

When looking at the billing from the carrier, there are obviously more calls being made simultaneously than the phone system will support.

The carrier is stating it's the customer's equipment at fault; we believe they are logging directly into the carrier's network, so they must have gained the username and password for the account. But where from is the question? If it were our office that was compromised I would imagine it would be a lot more than just 2 (of hundreds) customers, and the phone systems, whilst they are accessible via remote programming, are secured with secure passwords.

Anyone had this issue before and been able to prove it was not the customer's equipment? The carrier is simply saying they have to pay and is not interested in trying to resolve how they got in.
Posted By: nameless Re: SIP Accounts hacked - 09/13/12 11:00 AM
Hey Dave,

We had this happen to a heap of customers earlier this year.
Can you ask the carrier for a list of the IPs that the calls originated from?

What I'd say has happened is that someone has got the username/password and registered it on an Asterisk box or similar for a dodgy calling card type provider.

We set up a "customer level" username/password which doesn't have access to the SIP settings or the system settings, so that way no-one can get any info like this.

Is it the main SIP provider we use or another one?

Cheers
Steve
Posted By: SeaComms Re: SIP Accounts hacked - 09/13/12 11:25 AM
Yeah, the last two were the same provider, but we did have another one back in March on MNF. Getting the office to request the IP addresses that originated the calls, but then they are still saying that even if the calls were not made through the customer's phone system then the passwords must have been obtained from compromised customer equipment.

I know the calls didn't go through the systems, as they all happened over night and looking at the modem history graph there has been no overnight traffic over the last week, so not voice mail hacking/dialling (also voice mail logs show no calls passing through).

We don't tell the customers how to program anything, not even customer level programming for speed dials and such; we do it all for them remotely, so none of our customers even know how to get into user programming, let alone the password.

I just realised something - will tell the carrier it's the same phone system they use in their own office - in fact installed by the same tech!!

But it still leads to the question of where they are getting the SIP user names and passwords from.
Posted By: Genesiscomm Re: SIP Accounts hacked - 09/13/12 12:39 PM
Did you get the bulletin about the SIP Peering vulnerability of the Samsung prior to ver 4.53? They may have buried it in a manual, but I've had to call Samsung about it as it was happening to our office. If you haven't already, there is a setting for Carrier Exclusive (837) that will stop this if your system is up to the right version; otherwise you will need to upgrade the system to the proper version or it will keep happening.
Posted By: nameless Re: SIP Accounts hacked - 09/13/12 12:43 PM
So what about the systems that can't go to 4.53c (OS7100 MP10, OS7200 MCP, OS7400 MP40 with SM cards)?

We have never had that bulletin here; they have told us about Carrier Exclusive, but not as a toll fraud prevention, more as a way to prevent nuisance callers (or people trying to use well known hacking tools for Asterisk boxes).
Posted By: Genesiscomm Re: SIP Accounts hacked - 09/13/12 01:05 PM
I don't know the specifics of what they do, but they nailed us overnight; fortunately we were using a test SIP account.
At the time 4.53 wasn't out, so we just restricted IPs on 5060 to our carrier within the firewall and it never happened again.
Posted By: nameless Re: SIP Accounts hacked - 09/13/12 01:07 PM
I don't forward 5060 anymore, just use the "alive notify - options" setting in SIP carrier options, and set it to a low value and it works with the need for 5060 for trunks.

For the extensions I change the port from the default.
Posted By: Genesiscomm Re: SIP Accounts hacked - 09/13/12 01:21 PM
I would still be looking at the system; I wouldn't think that many of your customers' SIP accounts got hacked, especially when Samsung acknowledged a problem with peering being vulnerable. Who knows to what extent people can exploit it, and you know how persistent these people can be.
nameless, I was told even if you're using the alive notify to still do a DENY ALL on 5060 and then allow your carrier's IPs. It is a pain in *** especially if they tend to change IPs once in a while, but it did stop all of our problems.
Posted By: SeaComms Re: SIP Accounts hacked - 09/14/12 02:00 AM
Interesting, never heard of that one before. This system is 4.53c and just looked through and SIP peering is disabled.

ISP has come back and says the calls were made from the customer's IP address - so either it was through the system somehow or the IP was spoofed. Looked back over the data traffic for the last week and nothing out of the ordinary, nor any traffic at all overnight or over the weekend.

Awaiting call records from the SIP provider so I can see if multiple calls were made at once - only 2 SIP licences and 2 MGI channels.
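One way to do that check once the carrier's call records arrive, as an added example that is not part of this thread: parse the records, find the peak number of simultaneous calls against the 2-licence capacity, and also flag calls placed overnight or from an address other than the site's own. The CSV layout, the WAN address and the sample records are constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed sample of carrier call records (CSV: start,duration_s,called,origin_ip).
# Times are local to the site. The first line is a normal daytime call; the rest are
# the kind of overnight burst described in the thread.
SAMPLE_CDR = """\
2012-09-13 09:15:00,120,0295551234,203.0.113.10
2012-09-13 02:10:00,600,+50912345678,198.51.100.7
2012-09-13 02:11:00,540,+50912345679,198.51.100.7
2012-09-13 02:12:00,480,+50912345680,198.51.100.7
2012-09-13 02:13:00,420,+50912345681,198.51.100.7
"""

CUSTOMER_IP = "203.0.113.10"    # assumed: the site's WAN address (constructed value)
CAPACITY = 2                    # 2 SIP licences: at most 2 concurrent trunk calls
NIGHT_START, NIGHT_END = 22, 6  # site is unattended between these hours


def parse_cdr(text):
    """Turn CSV call records into dicts with start/end datetimes."""
    calls = []
    for line in text.strip().splitlines():
        start, dur, called, ip = line.split(",")
        t0 = datetime.strptime(start, "%Y-%m-%d %H:%M:%S")
        calls.append({"start": t0, "end": t0 + timedelta(seconds=int(dur)),
                      "called": called, "ip": ip})
    return calls


def peak_concurrency(calls):
    """Sweep-line over start (+1) and end (-1) events. At an equal timestamp the
    -1 sorts first, so a call ending as another starts does not inflate the count."""
    events = sorted([(c["start"], 1) for c in calls] + [(c["end"], -1) for c in calls])
    active = peak = 0
    for _, delta in events:
        active += delta
        peak = max(peak, active)
    return peak


def analyse(text, customer_ip=CUSTOMER_IP, capacity=CAPACITY):
    """Summarise the indicators a carrier dispute would rest on."""
    calls = parse_cdr(text)
    peak = peak_concurrency(calls)
    off_hours = [c for c in calls
                 if c["start"].hour >= NIGHT_START or c["start"].hour < NIGHT_END]
    foreign_origin = [c for c in calls if c["ip"] != customer_ip]
    return {"peak_concurrency": peak,
            "exceeds_capacity": peak > capacity,   # more calls than the PBX can place
            "off_hours_calls": len(off_hours),
            "foreign_origin_calls": len(foreign_origin)}
```

A peak above the licence count is the strongest evidence that the calls never passed through the PBX, since the system physically cannot place that many calls at once.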
Posted By: SeaComms Re: SIP Accounts hacked - 09/18/12 12:31 PM
Well, a third one got done last night: our own office!!

Finally worked out the link between them all - all 3 have non-Samsung SIP extensions....

That's not bad going, 3 out of the 5 sites we have with SIP extensions get hacked into within the week, guessing both usernames and passwords.

Passwords changed, will look at changing ports tomorrow and also awaiting the 4.6 software to upgrade the 7030's to increase password strength to 8 character alphanumeric.

We also had several failed attempts to log into our own office system via management tool from a Ukrainian IP address... Man, these guys are persistent.
Posted By: Genesiscomm Re: SIP Accounts hacked - 09/18/12 02:15 PM
They are very persistent. You should lock down the ports for IT Tool/DM immediately for 2 reasons: 1- there's a backdoor password that you have no control over. 2- if they hammer port 5090 it locks your system up (I just had this happen last week).
Even worse, if you have 23 open to the system for File control, that password is always default and you cannot change it.
Posted By: nameless Re: SIP Accounts hacked - 09/18/12 07:31 PM
Change your SIP extension port in sip stack/ext/trunk options to something other than default and change the port forward in your router accordingly as well.

I had to do this as a couple of months ago they were hammering port 5060 with an Asterisk hack tool to try to get in and it locked up the SIP stack, requiring a reboot of the system and router.
Posted By: SeaComms Re: SIP Accounts hacked - 09/18/12 08:58 PM
Steve - is there a set range to the ports that can be used for SIP extensions? I haven't tried going down the range (only just thought of that whilst writing this...) but when going up I cannot get it to log in with anything past 5063. I have made sure ports in the modem are forwarded each time and set the same new port in SIP extension TCP port and SIP extension signal port, but anything above that just refuses to connect.

Haven't tried running any traces though, since the remote SIP client is my mobile and I was doing this from home! Also means I can't lock the modem down to a set IP, as the SIP client is my mobile phone, which can connect from any IP the carrier gives me, or any WiFi network I connect to.
Posted By: Avidcomm Re: SIP Accounts hacked - 09/18/12 09:12 PM
You guys have my full attention. Where's the popcorn?
I'm shutting down ports now. Didn't realize some of these security issues. Is there a clearly defined list of ports used for each purpose on Samsung? Offline of course. TIA
Posted By: SeaComms Re: SIP Accounts hacked - 09/19/12 12:23 AM
This still works OK for incoming calls?

Also, I changed ports on the SIP extensions as per above and could no longer get SIP trunks to register!! Had to change it back to what it was. Will try fiddling again today if I get time.

Originally Posted by nameless
I don't forward 5060 anymore, just use the "alive notify - options" setting in SIP carrier options, and set it to a low value and it works with the need for 5060 for trunks.

For the extensions I change the port from the default.
Posted By: Hofman telekom Re: SIP Accounts hacked - 09/19/12 06:17 AM
Same happened in our office a few days ago! Somebody logged in via a non-Samsung SIP client/phone and made lots of calls to Haiti! We'll really have to pay max attention.
Posted By: nameless Re: SIP Accounts hacked - 09/19/12 10:36 AM
Dave - I'll send you screen shots of my SIP carrier and trunk/ext screens from my system (OS7200 MP20 4.60b).
*edit* and my router port forwards *edit*

The 4.60b OS7030 files have been available since release, they just haven't been shipping with them, though I got an email today saying all ones sent from today will come pre-loaded with 4.60b.

It's because they don't want to unpack them, upgrade them and pack them up again that we don't get them with the new version at release.

They just change the files on the SD card for all the other systems.
Posted By: Genesiscomm Re: SIP Accounts hacked - 09/19/12 06:34 PM
I just block out entire regions (pretty much anything outside of the US such as all APNIC).
Use this site to get the ranges you can block and where they are:
https://www.ipdeny.com/ipblocks/

Depending on your router version you can find premade config files just for this, usually for Cisco equipment.
If you're really lucky and have a Linux firewall you can install software to block out specific countries and it updates the IPs for you.
Either way I would focus on Eastern Europe and most of Asia.
Posted By: SeaComms Re: SIP Accounts hacked - 09/25/12 12:47 PM
Nah, can't get the system to fire up on SIP if I change the extension ports or activate Alive Notify - very weird. Will try again once we get our SIP account changed back from individual user accounts shortly.

I like the idea of the IP blocks - will look into that one as I have a couple of sites left where I can't get access to the remote phones to reprogram anything.