Obi508 Hacked
LTN1:
Quote from: sp508 on March 07, 2016, 06:52:05 pm
It really seems that the only thing that stayed the same in the whole process is the phone number that is being hacked called and SP1-4 being changed.
Perhaps a cheaper solution is to change the number but if it is a main number as on business cards, letterheads, etc., quite a sacrifice to take.
sp508:
Probably will go with Vonage for that one line and see what happens.
SteveInWA:
Quote from: Ostracus on March 07, 2016, 06:12:09 pm
Quote from: Taoman on March 06, 2016, 11:04:26 pm
Quote from: sp508 on March 06, 2016, 08:22:14 pm
Do you have any idea of how they get into the OBi in the first place?
I would assume SIP scanners found your OBi device on port 5060. They then dialed your device via anonymous IP in order to send a star code to enable unconditional call forwarding along with the desired number. At least that's my best guess. The two configuration changes you made should nip that in the bud.
My reading of the manual indicates star codes can only be entered via the PHONE port.
After mulling this over while running errands today, I was going to post this same comment. I don't see how anyone could attack the device over a phone call, regardless if they're calling the PSTN number or via a direct SIP URI.
It's why I spent time emphasizing generic account password hardening, on all points of entry: the OBiTALK account portal user ID/PW, the administrative password for the OBi 508's own web server interface, and the SIP credentials.
Aside from that, I believe this is an "inside job", meaning, somebody is gaining access to your LAN. Are you running a web server, for example, with open ports, that could be compromised? Anyone with access to port 80 on your LAN and knowledge of the OBi's password could do this sort of damage.
ianobi:
With reference to replies #22 to #26, concerning UserAgentPorts, I think there has been a misunderstanding.
I do agree with Taoman that you should change these away from the defaults. However, 5060 and 12060 are the PhonePower servers’ “SIP listening ports”. These values can be set here:
Service Providers -> ITSP Profile X -> SIP -> ProxyServerPort : 12060
This will have no effect on scanners looking for a way in to your OBi.
The UserAgentPort is the “SIP listening port” for each individual OBi spX. They should all be different. Set them at random numbers above 32000. Each OBi spX will send a REGISTER message to the PhonePower servers telling them where to send calls to ipaddress/port – the port will be whatever you have set in the UserAgentPort. This is a sensible change for all OBi owners as one more measure to defeat SIP scanners.
I don’t use PhonePower, but I note that on their website there is advice on changing the SIP port of their softphone:
Quote
Click on the check box Open random port above 32000 to allow the entry field to be modified and type in the requested SIP port.
Up to now you have only used default UserAgentPort settings and the advertised 12060, so scanners will be having an easy job getting in to your OBi. Using random ports above 32000 will make it much harder. Of course, if the problem is an “inside job” as Steve describes, then it will not help, but it is a good safety measure in any case.
Good luck with solving your problem.
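An added example, not part of any post in this thread: a small audit that applies the advice above to a snapshot of the settings the thread names (UserAgentPort above 32000 and different on every spX, CallForwardUnconditionalEnable not left switched on) and proposes replacement ports. The flat "SPx.Parameter" layout and the sample values are constructed for illustration and are not the OBi's own backup format.

```python
import secrets

# Constructed sample: a flat snapshot of settings named in the thread, keyed
# "<service>.<parameter>". Assumed layout, NOT the OBi backup file format.
SAMPLE = {
    "SP1.UserAgentPort": "5060",
    "SP2.UserAgentPort": "5061",
    "SP3.UserAgentPort": "40112",
    "SP4.UserAgentPort": "40112",
    "SP1.CallForwardUnconditionalEnable": "true",
    "SP2.CallForwardUnconditionalEnable": "false",
}

MIN_PORT = 32001   # "random numbers above 32000"
MAX_PORT = 65535   # highest valid UDP/TCP port

def audit(settings):
    """Return (service, finding) pairs for settings that go against the advice."""
    findings, seen = [], {}
    for key in sorted(settings):
        service, _, param = key.partition(".")
        value = settings[key]
        if param == "UserAgentPort":
            port = int(value)
            if port < MIN_PORT:
                findings.append((service, f"UserAgentPort {port} is not above 32000"))
            if port in seen:
                findings.append((service, f"UserAgentPort {port} duplicates {seen[port]}"))
            else:
                seen[port] = service
        elif param == "CallForwardUnconditionalEnable" and value.lower() == "true":
            findings.append((service, "unconditional call forwarding is enabled"))
    return findings

def pick_ports(count):
    """Pick `count` distinct random ports above 32000, one per spX."""
    ports = set()
    while len(ports) < count:
        ports.add(MIN_PORT + secrets.randbelow(MAX_PORT - MIN_PORT + 1))
    return sorted(ports)

if __name__ == "__main__":
    for service, finding in audit(SAMPLE):
        print(f"{service}: {finding}")
    print("suggested UserAgentPorts:", pick_ports(4))
```
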
sp508:
Thank you everyone for your help!!!
Last night at around 11 PM a call came in on Line 2. Caller ID showed private. I didn't take the call but the call went to VM on my desk. My voicemail allows me to screen messages and pick up as the messages are being left. I was able to hear that tones were being dialed.
Then the indicator light on Line 1 went on. This happened without any incoming call. I barged into Line 1 and heard tones again.
There was a flurry of incoming calls.
My phone system is an old analog system. It has several ports that are for VM. Those ports had access to all CO lines (including 1 & 2).
I am wondering if the hacker is simply getting into my voicemail. Dialing 9 to get an outside line. Then he dials *72 (All Call Forward) to his Cuban number and this is the way he hacks!
I have since disabled CO access to the VM ports and put a password on the Voicemail Extension that he was using.
Scary to think that he would know which phone system I have, know my phone numbers and call in when the phones aren't being used for a while.
Now, if this is the way he hacked, is it correct to say that he would not need to do any additional programming on the OBi? Remember SP1-4 and OBiTalk Service are all enabled for this field CallForwardUnconditionalEnable with a specific Cuban phone number.
What does everyone think???
Just to get it out there: The number he is calling from is 239 234 4377/8. Is there a way to see where he is calling from?? It says Naples, Florida on the Caller ID. AND does anyone have experience with that number being a hacker?