Obi 110 hacked?
Gonzalo:
Hello,
Yesterday our phone company warned us that we had spent 300€ on international calls the past day.
We quickly analyzed our Asterisk system but there was no trace of the calls. Then we accessed one of our Obi 110 devices (which has the compromised PSTN line connected) and we could view the attacker's calls in the call history, so I think the attacker was able to dial directly from the Obi110, bypassing the Asterisk system and its security controls.
How was it possible? With direct IP dialing?
We need your help to investigate the case in two ways:
1º) We need to know the local IP of the caller device (we suppose that one of our PCs is infected and is responsible for the calls). Is the Obi110 logging the caller IP? Maybe accessible through the console?
2º) Secure our Obi110 (we have 5 units) to avoid this kind of attack.
Any help would be appreciated.
Gonzalo.
LTN1:
So many variables involved here that it reminds me of a recent thread: http://www.obitalk.com/forum/index.php?topic=11018.0
The guy thought his OBi was the problem but it came down to the security of his PBX system. Take a read and follow Steve's suggestions on securing your OBi with a stronger password. Otherwise, one cannot be certain where the weakness lies based on your information thus far. You likely need a tech security consultant--unless someone on this forum wants to essentially be your security consultant since the problem may be (and is likely) beyond the OBi.
ianobi:
Whatever the problem turns out to be, it is always a good idea to take sensible security measures regarding any OBi device. There are some good ideas in this thread:
http://www.obitalk.com/forum/index.php?topic=5467.msg35387#msg35387
Gonzalo:
Good afternoon!
Thank you very much for the answers! The second post is very interesting :)
I've been analyzing traffic on the local network and have not found anything suspicious, neither PCs nor the OBI 110.
Then I did a port scan of the OBI 110 and saw that it has UDP port 10000 open, which is identified as SIP:
PORT STATE SERVICE VERSION
10000 / udp open SIP (SIP end point; Status: 100 Trying)
The potential problem is that it seems to open the port on the router itself using UPnP. The strangest thing in my case is that in the router this port is not listed as redirected to the OBI, but if I do a port scan from outside, it is listed as open.
After this, I would say that the attack came from outside and directly to the OBI 110. I would like to know how you can place the call directly connecting to the OBI at port 10000 and redirect the call to the LINE port. Could anyone show me the way? I would like to test this behavior to see if my theory is correct.
If the attack was using port 10000 / UDP, how can I block the possibility of making the call? I need to know because maybe the next attack comes from the LAN...
Does anyone have any SIP client or something to run tests calls on these devices and ports?
Greetings and thanks again!!
drgeoff:
Port 10000 is used by the OBiTALK service. Suggest you disable the Auto-Attendant if not using it. However I would have expected that any call made by coming in to that would show up in the OBi's Call History. As would any call, however initiated, that goes out on the 110's LINE port.
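Added example, not part of the thread: one way to isolate the calls that appear in the OBi's Call History but not in the Asterisk records, which gives the time window to check against router and firewall logs. The record layout, the sample rows and all function names are assumptions made for illustration, not a native OBi or Asterisk export format.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample records (start time, dialed number, seconds). The layout
# is an assumption: rows copied by hand from each system, not a native format.
OBI_HISTORY = [
    ("2024-01-10 09:14:05", "0034900000001", 62),
    ("2024-01-10 23:41:10", "0099900000001", 540),
    ("2024-01-10 23:52:33", "0099900000002", 610),
]
ASTERISK_CDR = [
    ("2024-01-10 09:14:03", "+34 900 000 001", 64),
]

def normalize(number):
    """Digits only, leading zeros dropped, so +34... and 0034... compare equal."""
    return "".join(c for c in number if c.isdigit()).lstrip("0")

def parse(rows):
    return [(datetime.strptime(t, FMT), normalize(n), s) for t, n, s in rows]

def unmatched_calls(device_rows, pbx_rows, skew=timedelta(seconds=30)):
    """Device calls with no PBX record for the same number within `skew`."""
    pbx, used, orphans = parse(pbx_rows), set(), []
    for when, number, secs in parse(device_rows):
        hit = next((i for i, (t, n, _) in enumerate(pbx)
                    if i not in used and n == number and abs(t - when) <= skew), None)
        if hit is None:
            orphans.append((when, number, secs))
        else:
            used.add(hit)  # one PBX record can explain only one device call
    return orphans

def summarize(orphans):
    """Time window and total duration to check against router/firewall logs."""
    if not orphans:
        return None
    return {"first": min(o[0] for o in orphans),
            "last": max(o[0] + timedelta(seconds=o[2]) for o in orphans),
            "calls": len(orphans),
            "seconds": sum(o[2] for o in orphans)}

if __name__ == "__main__":
    for when, number, secs in unmatched_calls(OBI_HISTORY, ASTERISK_CDR):
        print(f"not in PBX records: {when} -> {number} ({secs}s)")
    print(summarize(unmatched_calls(OBI_HISTORY, ASTERISK_CDR)))
```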