I've been hacked - Telkom PSTN line

Milano

Honorary Master
Yes indeed. Not clip on style but looks like the work of a low-life hacker. Used a SIP extension on my IP-Pbx to make calls to Slovenia using one of my outbound Telkom pstn routes. WTF phones Slovenia? So, some of the calls register at just under R300 per call. Hee, hee. Bastards. Guess there is an argument for changing default passwords. Should have read a book on network administration. Shields Up told me my network was impenetrable. Netgear built-in firewalls are fallible? :eek: Whodunit and how? There is always a trail?
 

HavocXphere

Honorary Master
Milano said:
Not clip on style but looks like the work of a low-life hacker. Used a SIP extension on my IP-Pbx to make calls to Slovenia using one of my outbound Telkom pstn routes.
:wtf: Damn. Haven't been that lost on a MyBB tech post in years. :eek:

So he hacked the Netgear router & made the calls from there? Or is the IP PBX a device behind the Netgear router?

Milano said:
WTF phones Slovenia?
A Slovenian who earns a portion of the phone costs?
 

Milano

Honorary Master
HavocXphere said:
:wtf: Damn. Haven't been that lost on a MyBB tech post in years. :eek:
So he hacked the Netgear router & made the calls from there? Or is the IP PBX a device behind the Netgear router?
A Slovenian who earns a portion of the phone costs?

The IP-PBX connects via the Netgear router using the router as its gateway. Router login is not default however the SIP extensions on the IP-PBX use default passwords as I assumed they were only accessible via the LAN. No remote access was enabled as I don't require it. No special ports open besides default settings. Network security knowledge is limited. I have a media centre device on the network which also establishes a PPPoE connection. I am guessing that may be the security vulnerability? Or is the router? Does the hack always leave a trail? At ISP level or how is it traced? I will open a dispute with Telkom when the bill arrives but need to close any vulnerability in the interim.

Edit: So now I'm wondering how anyone would get access to my IP-PBX if neither the PBX device nor the router are configured for remote access?

rorz0r

Executive Member
Maybe he cracked the Wi-Fi key and connected, then he is on your LAN?
 

Vince0

Well-Known Member
Lol, default passwords, definitely it! I had some Russian-sounding guy get into my router and steal the DSL password; I hadn't finished configuring it. I've also seen an increase in SIP scanning and brute-force tactics at work from Poland, Russia etc. They didn't manage to get anything though. I guess anyone in the world is vulnerable to such abuse - the darker side of the Internet!
 

Milano

Honorary Master
My router password seemed of a decent strength. It consisted of lower case, upper case and digits so it should have withstood an attack, but yeah. I have changed the default SIP passwords now that there seems to be a network vulnerability. I already filled in an affidavit at the local SAPS and opened a case, with a case number issued. Spoke to the folks at Telkom 0860 124 000 on Friday and she said I can only open the dispute once I provide them with a copy of the itemised billing with the disputed numbers indicated. Have to get that at a Telkom shop on Monday as they won't fax it to me. I have the numbers showing on my IP-PBX call log but will need the actual Telkom bill to open the dispute. Guess it could even be a Wi-Fi attack as mentioned as a possibility, but maybe the destination being Slovenian numbers would point to a higher probability of a remote attack?

Damn bastards. Oh, Havoc never even occurred to me that it is a revenue source rather than an actual call to a mate but of course yes that must be the way they operate.
 

evilsee

Senior Member
What exactly are you disputing with Telkom? I don't see how it was their fault. It was your insecure setup that caused this, wasn't it?

Does your Netgear router log incoming connections? I know mine does and it also shows which ports are being used. Even if you got their IP address, what could you do if they are outside of SA? You would have to start litigation against them in their own country, and that is provided, of course, you manage to get information from the relevant foreign ISP about who the IP belonged to at the time of the incident.

It may not even be worth the effort, to be honest; it could certainly cost more than the value of the calls they made.
 

Milano

Honorary Master
@Werner, had no idea it was possible using spoofed internal LAN addresses. If my dispute fails well then I paid for a crash course in network security :D

@evilsee, the dispute will simply be that I never initiated the calls and a crime has been committed by a remote fraudster accessing my network. Not that Telkom is necessarily to blame. Whether the fault lies with Telkom, me or the router, it is a crime for someone to use my fixed line without consent. Therefore the line was used illegally so I'll dispute the calls. They can investigate and decide on their course of action. I am confident the calls will be struck however will update the thread with the results.

In terms of the crime, surely this is not a civil matter, it is a criminal matter, so it would not cost me anything to pursue it if I so wished? That said, I have no intention of pursuing it. I may be mistaken, but I doubt the SAPS have detectives well versed in network security who would be willing to spend resources on such a case unless maybe it involved a large bank and millions. The purpose of the case number is for procedural reference in order to meet Telkom dispute requirements. My router has all logging options enabled, however it seems thin on details.
 

UnUnOctium

Expert Member
Through the media centre device? What open ports/services is it running? Check the system logs (if XP, it should be in Computer Management).
 

Milano

Honorary Master
UnUnOctium said:
Through the media centre device? What open ports/services is it running? Check the system logs (if XP, it should be in Computer Management).

It's an AC Ryan PlayOnHD media player on the LAN which makes a PPPoE connection, possible source through which attack occurred?
 

daffy

Expert Member
You obviously forwarded port 5060 from your router in to your PBX.
From there, they brute forced the password for some of your extensions, or your PBX configuration allowed any SIP connections to dial out.

I've seen this many, many times before. In fact last week I saw a company get taken for $36000 on calls to Lithuania.

My home PBX is under constant brute force attacks
 

Datura

Captain Faptastic
If exchanges are such a big target, what would be the first thing a person should do when setting one up in order to prevent the exchange being compromised? Would changing the default passwords to passwords that include digits and mixed case suffice? I know there is never a 100% guaranteed method of protection against hackers, but the simplest method for at least a certain degree of peace of mind...
 

daffy

Expert Member
Do you really need to allow external registrations to your extensions? If you do, can you restrict it to certain ranges of IP addresses?
Do you allow anonymous SIP calls? Are they put into a context that doesn't allow outbound dialing?

If you really really have to leave it wide open, make sure you've got strong passwords.
Install something like fail2ban that will block connections from IPs that have failed registration too many times. This will slow down bruteforce attempts.
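daffy's two points above, that a port 5060 forwarded to the PBX gets brute forced and that a fail2ban-style blocker slows that down, as an added example that is not part of the thread or of any poster's setup: a small Python script that does what a fail2ban jail does for Asterisk. It reads failed-registration NOTICE lines from the log, counts failures per source address inside a sliding window, and reports which addresses would be banned. The log lines are constructed for the example in the shape of Asterisk's chan_sip "Registration from ... failed for ..." messages and use RFC 5737 documentation addresses; the thresholds (maxretry 5, findtime 600 s) and the LAN ignore list are assumptions that mirror fail2ban's usual settings, not values from the page.

```python
"""fail2ban-style detection of SIP registration brute force in Asterisk logs.

Added example, not code from the thread.  Thresholds and ignore list are
assumptions; the log sample is constructed in the shape of chan_sip NOTICEs.
"""
import ipaddress
import re
import sys
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: one scanner walking extension names from a public
# address, one host with two isolated typos, and a LAN phone with a wrong
# password (RFC 5737 / RFC 1918 addresses, not real hosts).
SAMPLE_LOG = """\
[2011-03-05 10:12:30] NOTICE[2231] chan_sip.c: Registration from '"100" <sip:100@192.0.2.10>' failed for '203.0.113.5:5060' - Wrong password
[2011-03-05 10:12:31] NOTICE[2231] chan_sip.c: Registration from '"101" <sip:101@192.0.2.10>' failed for '203.0.113.5:5060' - Wrong password
[2011-03-05 10:12:33] NOTICE[2231] chan_sip.c: Registration from '"1000" <sip:1000@192.0.2.10>' failed for '203.0.113.5:5060' - No matching peer found
[2011-03-05 10:12:34] NOTICE[2231] chan_sip.c: Registration from '"admin" <sip:admin@192.0.2.10>' failed for '203.0.113.5:5060' - No matching peer found
[2011-03-05 10:12:35] NOTICE[2231] chan_sip.c: Registration from '"102" <sip:102@192.0.2.10>' failed for '203.0.113.5:5060' - Wrong password
[2011-03-05 10:12:36] NOTICE[2231] chan_sip.c: Registration from '"103" <sip:103@192.0.2.10>' failed for '203.0.113.5:5060' - Wrong password
[2011-03-05 10:40:02] NOTICE[2231] chan_sip.c: Registration from '"200" <sip:200@192.0.2.10>' failed for '198.51.100.7:5060' - Wrong password
[2011-03-05 11:15:09] NOTICE[2231] chan_sip.c: Registration from '"200" <sip:200@192.0.2.10>' failed for '198.51.100.7:5060' - Wrong password
[2011-03-05 12:00:00] NOTICE[2231] chan_sip.c: Registration from '"104" <sip:104@192.168.1.2>' failed for '192.168.1.20:5060' - Wrong password
[2011-03-05 12:00:01] NOTICE[2231] chan_sip.c: Registration from '"104" <sip:104@192.168.1.2>' failed for '192.168.1.20:5060' - Wrong password
[2011-03-05 12:00:02] NOTICE[2231] chan_sip.c: Registration from '"104" <sip:104@192.168.1.2>' failed for '192.168.1.20:5060' - Wrong password
[2011-03-05 12:00:03] NOTICE[2231] chan_sip.c: Registration from '"104" <sip:104@192.168.1.2>' failed for '192.168.1.20:5060' - Wrong password
[2011-03-05 12:00:04] NOTICE[2231] chan_sip.c: Registration from '"104" <sip:104@192.168.1.2>' failed for '192.168.1.20:5060' - Wrong password
"""

# Matches the failed-registration NOTICE regardless of the reason text, so a
# scanner probing non-existent accounts ("No matching peer found") counts the
# same as one guessing passwords for real extensions ("Wrong password").
FAILED_REG = re.compile(
    r"^\[(?P<ts>[^\]]+)\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '(?P<account>[^']*)' failed for "
    r"'(?P<host>[0-9.]+)(?::\d+)?' - (?P<reason>.+)$"
)

# Assumed ignore list: never ban the LAN, so a phone with a mistyped password
# cannot lock itself (or the whole office) out.
DEFAULT_IGNOREIP = ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")


def parse_failures(log_text):
    """Yield (timestamp, source_ip, reason) for each failed-registration line."""
    for line in log_text.splitlines():
        m = FAILED_REG.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            yield ts, m["host"], m["reason"]


def find_brute_forcers(log_text, maxretry=5, findtime=600, ignoreip=DEFAULT_IGNOREIP):
    """Return {source_ip: timestamp of the failure that would trigger a ban}.

    A host is banned once it has maxretry failures inside any findtime-second
    window (fail2ban's semantics); hosts inside ignoreip are never counted.
    """
    ignore_nets = [ipaddress.ip_network(n) for n in ignoreip]
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)  # per-host timestamps still inside the window
    banned = {}
    for ts, host, _reason in parse_failures(log_text):
        if host in banned:
            continue
        if any(ipaddress.ip_address(host) in net for net in ignore_nets):
            continue
        q = recent[host]
        q.append(ts)
        while q and ts - q[0] > window:  # drop failures older than findtime
            q.popleft()
        if len(q) >= maxretry:
            banned[host] = ts
    return banned


if __name__ == "__main__":
    # Pipe a real log in (python3 sipban.py < /var/log/asterisk/messages)
    # or run with no input to use the constructed sample.
    text = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin.read()
    for host, when in find_brute_forcers(text).items():
        print(f"ban {host} at {when}")
```

With the sample, only the public scanner is reported: its fifth failure within the window triggers the ban at 10:12:35, the two isolated failures from 198.51.100.7 are 35 minutes apart and never reach the threshold, and the LAN phone is skipped by the ignore list even though it fails five times in five seconds. fail2ban proper does the same counting and then adds the iptables rule; the point of the window and the ignore list is that they are what separates an attacker arriving through a forwarded 5060 from a misconfigured handset on the LAN.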
 

Milano

Honorary Master
daffy said:
You obviously forwarded port 5060 from your router in to your PBX.
From there, they brute forced the password for some of your extensions, or your PBX configuration allowed any SIP connections to dial out.

Yes, that would make sense as I'd imagine 5060 would need to be open for the IP-PBX to make the connection with the SIP provider, however I don't recall ever manually opening that port on my router unless it is automatically open.

daffy said:
I've seen this many, many times before. In fact last week I saw a company get taken for $36000 on calls to Lithuania.

My home PBX is under constant brute force attacks

Ouch! :eek: