Obi 110 hacked?


Gonzalo:
Hello!

Ok, I will try to deactivate this, but I keep asking myself how they did the calls. As you correctly say, the calls were registered in the Call History, here is an example:

<CallHistory date="3/29/2016" time="16:08:59">
  <Terminal id="SP1" dir="Inbound">
    <Peer name="" number="1000"/>
    <Event time="16:08:59">Ringing</Event>
    <Event time="16:09:32">End Call</Event>
  </Terminal>
  <Terminal id="LINE1" dir="Outbound">
    <Peer name="" number="00355666660301"/>
    <Event time="16:09:06">Call Connected</Event>
  </Terminal>
</CallHistory>
<CallHistory date="3/29/2016" time="14:02:41">
  <Terminal id="SP1" dir="Inbound">
    <Peer name="" number="1000"/>
    <Event time="14:02:41">Ringing</Event>
    <Event time="14:03:12">End Call</Event>
  </Terminal>
  <Terminal id="LINE1" dir="Outbound">
    <Peer name="" number="0041414641104"/>
    <Event time="14:02:49">Call Connected</Event>
  </Terminal>
</CallHistory>

The extension 1000 does not exist in our system :\

Is it possible to do these calls through this UDP port?


Thanks!
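An added example (not from the thread or from Obihai) of how a defender can check a Call History export for exactly the pattern quoted above: an inbound SPx call from an unknown extension that is bridged to an outbound LINEx call. The known-extension list and the second, benign record are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the first record is the one quoted in this thread, the
# second is a made-up benign call from a known extension.
SAMPLE = """<CallHistory date="3/29/2016" time="16:08:59">
  <Terminal id="SP1" dir="Inbound">
    <Peer name="" number="1000"/>
    <Event time="16:08:59">Ringing</Event>
    <Event time="16:09:32">End Call</Event>
  </Terminal>
  <Terminal id="LINE1" dir="Outbound">
    <Peer name="" number="00355666660301"/>
    <Event time="16:09:06">Call Connected</Event>
  </Terminal>
</CallHistory>
<CallHistory date="3/29/2016" time="09:15:02">
  <Terminal id="SP1" dir="Inbound">
    <Peer name="Alice" number="2001"/>
    <Event time="09:15:02">Ringing</Event>
    <Event time="09:15:40">End Call</Event>
  </Terminal>
</CallHistory>"""

# Assumption: the extensions that legitimately exist on your own system.
KNOWN_EXTENSIONS = {"2001", "2002"}

def find_bridged_calls(xml_text, known_extensions=KNOWN_EXTENSIONS):
    """Return one dict per record in which an inbound SPx call was bridged
    to an outbound LINEx (PSTN) call, with the reasons it looks suspicious.
    The export has no single root element, so one is wrapped around it."""
    findings = []
    for rec in ET.fromstring("<root>" + xml_text + "</root>").iter("CallHistory"):
        terms = rec.findall("Terminal")
        sp_in = [t for t in terms if t.get("dir") == "Inbound" and t.get("id", "").startswith("SP")]
        line_out = [t for t in terms if t.get("dir") == "Outbound" and t.get("id", "").startswith("LINE")]
        if not sp_in or not line_out:
            continue  # ordinary call, not bridged through the box
        caller = sp_in[0].find("Peer").get("number", "")
        callee = line_out[0].find("Peer").get("number", "")
        reasons = []
        if caller not in known_extensions:
            reasons.append("caller %r is not a known extension" % caller)
        if callee.startswith("00"):
            reasons.append("outbound number %r is international" % callee)
        findings.append({"date": rec.get("date"), "time": rec.get("time"),
                         "caller": caller, "callee": callee, "reasons": reasons})
    return findings
```

Running it over the full export from the device and reviewing every hit is a quick way to confirm whether the LINE port was used by callers who never should have reached it.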

ianobi:
This looks like a classic case of hackers using scanners to find open SIP ports. If left at default, then your sp1 SIP "listening port" (known as UserAgentPort in your OBi devices) will be 5060. This is the common SIP "listening port" for SIP and the first one the scanners look for. It has nothing to do with UDP port 10000. Scanners simply scan through thousands of IP addresses looking for an open port 5060.

I'm assuming that your sp1 InboundCallRoute allows access to PSTN Line either by the Auto Attendant or direct through dialling.

Change all of your devices spX UserAgentPorts each to a unique number well away from 5xxx maybe up above 30000. Also look at the other methods detailed in the link in reply #2. Method 4 in that post is particularly effective - the "Oleg Method".

LTN1:
Quote from: Gonzalo on March 31, 2016, 11:06:53 am

Good afternoon!


Thank you very much for the answers! The second post is very interesting :)

I've been analyzing traffic on the local network and have not found anything suspicious, neither PCs nor the OBI 110.

Then I have done a port scan of the OBI 110 and I have seen that it has UDP port 10000 open, identified as SIP:

PORT STATE SERVICE VERSION
10000 / udp open SIP (SIP end point; Status: 100 Trying)

The potential problem is that it seems to open the port on the router itself using UPnP. The strangest thing in my case is that in the router this port is not listed as redirected to the OBI, but if I do a port scan from outside, it is listed as open.

After this, I would say that the attack came from outside and directly to the OBI 110. I would like to know how you can place the call directly connecting to the OBI at port 10000 and redirect the call to the LINE port. Could anyone show me the way? I would like to test this behavior to see if my theory is correct.

If the attack was using port 10000 / UDP, how can I block the possibility of making the call? I need to know because maybe the next attack comes from the LAN...

Does anyone have any SIP client or something to run test calls on these devices and ports?


Greetings and thanks again!!


I don't have an OBi110 but from the manual picture (attached below; don't know if it pertains to the latest firmware upgrade), you can select not to have Auto Attendant and/or to place a 4-digit PIN for any dial out from the AA. You can enter OBi expert and configure your primary outgoing SP by configuring it under Voice Service/Auto Attendant/Auto Attendant 1. You can also limit the time in a bridged outbound call under Voice Service/SP(#)/X_BridgedOutboundCallMaxDuration after entering OBi expert. You are welcome to take a snapshot of your configuration pages (blocking out your personal information) and let us see your current configuration if you need further advice.
