Obi 110 hacked?

Started by Gonzalo, March 30, 2016, 11:34:48 AM


Gonzalo

Hello,


Yesterday our phone company warned us that we had spent 300€ on international calls the past day.

We quickly analyzed our Asterisk system, but there was no trace of the calls. Then we accessed one of our Obi 110 devices (to which the compromised PSTN line is connected) and we could view the attacker's calls in the call history, so I think the attacker was able to dial directly from the Obi110, bypassing the Asterisk system and its security controls.

How was it possible? With direct IP dialing?

We need your help to investigate the case in two ways:

1) We need to know the local IP of the caller device (we suppose that one of our PCs is infected and is responsible for the calls). Does the Obi110 log the caller IP? Maybe accessible through the console?

2) Secure our Obi110 devices (we have 5 units) to avoid this kind of attack.

Any help would be appreciated.
Gonzalo.

LTN1

So many variables involved here that it reminds me of a recent thread: http://www.obitalk.com/forum/index.php?topic=11018.0

The guy thought his OBi was the problem but it came down to the security of his PBX system. Take a read and follow Steve's suggestions on securing your OBi with a stronger password. Otherwise, one cannot be certain where the weakness lies based on your information thus far. You likely need a tech security consultant--unless someone on this forum wants to essentially be your security consultant since the problem may be (and is likely) beyond the OBi.

ianobi

Whatever the problem turns out to be, it is always a good idea to take sensible security measures regarding any OBi device. There are some good ideas in this thread:

http://www.obitalk.com/forum/index.php?topic=5467.msg35387#msg35387

Gonzalo

Good afternoon!


Thank you very much for the answers! The second post is very interesting :)

I've been analyzing traffic on the local network and have not found anything suspicious, neither PCs nor the OBI 110.

Then I did a port scan of the OBI 110 and saw that it has UDP port 10000 open, identified as SIP:

PORT STATE SERVICE VERSION
10000 / udp open SIP (SIP end point; Status: 100 Trying)

The potential problem is that it seems to open the port on the router itself using UPnP. The strangest thing in my case is that in the router this port is not listed as redirected to the OBI, but if I do a port scan from outside, it is listed as open.

After this, I would say that the attack came from outside and directly to the OBI 110. I would like to know how you can place the call directly by connecting to the OBI at port 10000 and redirect the call to the LINE port. Could anyone show me the way? I would like to test this behavior to see if my theory is correct.

If the attack was using port 10000/UDP, how can I block the possibility of making the call? I need to know because maybe the next attack comes from the LAN...

Does anyone have any SIP client or something to run test calls on these devices and ports?


Greetings and thanks again!!

drgeoff

#4
Port 10000 is used by the OBiTALK service.  Suggest you disable the Auto-Attendant if not using it.  However I would have expected that any call made by coming in to that would show up in the OBi's Call History.  As would any call, however initiated, that goes out on the 110's LINE port.

Gonzalo

Hello!

Ok, I will try to deactivate this, but I keep asking myself how they made the calls. As you correctly say, the calls were registered in the Call History; here is an example:

<CallHistory date="3/29/2016" time="16:08:59">
  <Terminal id="SP1" dir="Inbound">
    <Peer name="" number="1000"/>
    <Event time="16:08:59">Ringing</Event>
    <Event time="16:09:32">End Call</Event>
  </Terminal>
  <Terminal id="LINE1" dir="Outbound">
    <Peer name="" number="00355666660301"/>
    <Event time="16:09:06">Call Connected</Event>
  </Terminal>
</CallHistory>
<CallHistory date="3/29/2016" time="14:02:41">
  <Terminal id="SP1" dir="Inbound">
    <Peer name="" number="1000"/>
    <Event time="14:02:41">Ringing</Event>
    <Event time="14:03:12">End Call</Event>
  </Terminal>
  <Terminal id="LINE1" dir="Outbound">
    <Peer name="" number="0041414641104"/>
    <Event time="14:02:49">Call Connected</Event>
  </Terminal>
</CallHistory>

The extension 1000 does not exist in our system :\

Is it possible to make these calls through this UDP port?


Thanks!
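As an added example (not Gonzalo's code and not anything from OBi), here is a small Python script that parses call-history records in the format posted above and flags inbound SPx calls that were bridged straight out on the LINE port to an international number, marking callers whose extension is not on a list of known extensions. The sample records, the known-extension list and the "00/+" international prefix rule are constructed assumptions.

```python
# Added example, not from the thread: parse OBi <CallHistory> records like the ones
# posted above and flag inbound SIP (SPx) calls that were bridged straight out on the
# LINE port to an international number, the pattern of the fraudulent calls.
import re
import xml.etree.ElementTree as ET

KNOWN_EXTENSIONS = {"1001", "1002"}   # constructed: extensions that really exist on the PBX
INTL_PREFIX = re.compile(r"^(00|\+)")  # assumption: international dialling prefix is 00 or +

# Constructed sample: one record from the post plus a legitimate local call from the phone port.
SAMPLE_HISTORY = """
<CallHistory date="3/29/2016" time="16:08:59">
  <Terminal id="SP1" dir="Inbound"><Peer name="" number="1000"/>
    <Event time="16:08:59">Ringing</Event></Terminal>
  <Terminal id="LINE1" dir="Outbound"><Peer name="" number="00355666660301"/>
    <Event time="16:09:06">Call Connected</Event></Terminal>
</CallHistory>
<CallHistory date="3/29/2016" time="10:15:02">
  <Terminal id="PHONE1" dir="Outbound"><Peer name="" number="912345678"/>
    <Event time="10:15:10">Call Connected</Event></Terminal>
</CallHistory>
"""

def parse_history(xml_text):
    """The export has several top-level <CallHistory> elements, so wrap them in one root."""
    root = ET.fromstring("<root>" + xml_text + "</root>")
    return root.findall("CallHistory")

def find_bridged_intl_calls(xml_text, known_extensions=KNOWN_EXTENSIONS):
    """Return one dict per record where an inbound SPx call was bridged to an outbound
    LINE call to an international number; unknown_caller marks extensions not on the PBX."""
    hits = []
    for rec in parse_history(xml_text):
        terminals = rec.findall("Terminal")
        inbound = [t for t in terminals
                   if t.get("dir") == "Inbound" and t.get("id", "").startswith("SP")]
        outbound = [t for t in terminals
                    if t.get("dir") == "Outbound" and t.get("id", "").startswith("LINE")]
        for i in inbound:
            caller = i.find("Peer").get("number", "")
            for o in outbound:
                number = o.find("Peer").get("number", "")
                if INTL_PREFIX.match(number):
                    hits.append({"date": rec.get("date"), "time": rec.get("time"),
                                 "caller": caller, "unknown_caller": caller not in known_extensions,
                                 "line": o.get("id"), "dialled": number})
    return hits

if __name__ == "__main__":
    for h in find_bridged_intl_calls(SAMPLE_HISTORY):
        print(h)
```

Run it over a full exported history to get a list of suspect bridged calls with their timestamps, which is also the list to compare against your PBX's own CDRs.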

ianobi

This looks like a classic case of hackers using scanners to find open SIP ports. If left at default, then your sp1 SIP "listening port" (known as UserAgentPort in your OBi devices) will be 5060. This is the common SIP "listening port" for SIP and the first one the scanners look for. It has nothing to do with UDP port 10000. Scanners simply scan through thousands of IP addresses looking for an open port 5060.

I'm assuming that your sp1 InboundCallRoute allows access to PSTN Line either by the Auto Attendant or direct through dialling.

Change all of your devices' spX UserAgentPorts, each to a unique number well away from 5xxx, maybe up above 30000. Also look at the other methods detailed in the link in reply #2. Method 4 in that post is particularly effective - the "Oleg Method".

LTN1

#7
Quote from: Gonzalo on March 31, 2016, 11:06:53 AM

I don't have an OBi110 but from the manual picture (attached below; don't know if it pertains to the latest firmware upgrade), you can select not to have Auto Attendant and/or to place a 4-digit pin for any dial out from the AA. You can enter OBi expert and configure your primary outgoing SP by configuring it under Voice Service/Auto Attendant/Auto Attendant 1. You can also limit the time in a bridged outbound call under Voice Service/SP(#)/X_BridgedOutboundCallMaxDuration after entering OBi expert. You are welcome to take a snapshot of your configuration pages (blocking out your personal information) and let us see your current configuration if you need further advice.