DrayTek UK Users' Community Forum
Help, Advice and Solutions from DrayTek Users
Malicious calls and resets initiated from the WAN
26 Mar 2014 17:58 #79466
by njkmoore
Malicious calls and resets initiated from the WAN was created by njkmoore
Hi
I noticed malicious outbound calls being attempted on my 2820 IP PBX in the call logs. They were failing because it was from an unregistered extension number, and possibly because of a price cap on my outbound SIP trunk. Alarmingly the number being dialled appeared to be a premium rate Israeli phone number!
I called customer support who gave me a firmware patch which seems to have stopped this (something about responding to an invitation to call that number?).
There was one other detail about the attack, though. The attacker seemed to be clearing my call logs to cover their tracks. I'm not sure how they were doing this, but I'm guessing they had a trick to restart the router remotely, which has the effect of clearing the call log.
This restarting continued to happen after I patched, until I set "Disable remote registration", which seems to have resolved the issue. This is annoying, though, because I was connecting to the VPN and then to the IP PBX from remote locations prior to that.
As far as I can see, my VPN has not been compromised, nor the router itself, otherwise there would have been more damage done. It's a little alarming, though, and I wondered if Draytek have anything to say about the remote resets that I was experiencing.
Thanks
Nick
Model Name : VigorIPPBX 2820
Firmware Version : 3.5.9_PB3a (upgraded a couple of days ago from the supplied variation of 3.5.9)
07 Jul 2014 17:31 #80596
by kingussie
I got the below email after my account drained all credit between 2-3 in the morning. Seems the 2820 can be easily hacked.
Dear Customer,
Please ignore our last email
We have noticed call attempts from account 8435053 to numbers that have historically been the targets for fraudulent dialling.
Example numbers dialled are:-
01:05:23 8435053 255411400202
00:00:29 8435053 37855771540
If you have not made these calls we believe your VigorIPPBX 2820 security has been compromised, as we can see that these calls originated from your IP address 217.46.245.6. Please change your draytel ID 8435053 password and secure your PBX by following the draytel security guide attached below. Please use the IP address range given below, which is recently updated and missing from the attached guide.
http://www.draytel.org/resources/pdf/Password%20Security%20Policy.pdf
Please let us know if you need any further assistance.
Thanks
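One defender-side way to catch both patterns the thread describes (outbound attempts from an unregistered extension in the first post, and overnight calls to destinations outside the normal dial plan in the provider's email) is to triage the PBX call log offline. This is an added example, not DrayTek or DrayTel code; the log line format (modelled on the provider's example lines), the set of registered extensions and the allow-list of UK destination prefixes are all assumptions.

```python
# Toll-fraud triage over PBX call-log lines. Added example, not DrayTek or
# DrayTel code. The line format is an assumption modelled on the provider's
# example lines: 'HH:MM:SS <source extension/account> <dialled number>'.
from datetime import time

# Constructed policy (adjust to the real PBX): extensions actually provisioned,
# destination prefixes normal callers dial, and an overnight window in which
# no outbound calls are expected.
REGISTERED_SOURCES = {"201", "202", "203"}
ALLOWED_DEST_PREFIXES = ("01", "02", "03", "07")
QUIET_START, QUIET_END = time(0, 0), time(6, 0)


def parse_line(line):
    """Parse 'HH:MM:SS source dest'; return None for blank or malformed lines."""
    parts = line.split()
    if len(parts) != 3:
        return None
    try:
        when = time(*(int(x) for x in parts[0].split(":")))
    except (TypeError, ValueError):
        return None
    return when, parts[1], parts[2]


def triage(lines, registered=REGISTERED_SOURCES, allowed=ALLOWED_DEST_PREFIXES):
    """Return (when, source, dest, reasons) for each attempt that trips a rule."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        when, source, dest = rec
        reasons = []
        if source not in registered:         # first post: unregistered extension
            reasons.append("unregistered source")
        if not dest.startswith(allowed):     # second post: known-fraud destination
            reasons.append("destination outside allow-list")
        if QUIET_START <= when < QUIET_END:  # second post: credit drained overnight
            reasons.append("quiet hours")
        if reasons:
            findings.append((when, source, dest, reasons))
    return findings


# Constructed sample: one normal daytime call, the two lines quoted in the
# provider's email, and a malformed line that must be skipped.
SAMPLE_LOG = """09:14:02 201 02071234567
00:00:29 8435053 37855771540
01:05:23 8435053 255411400202
not a call record""".splitlines()
```

Run `triage(SAMPLE_LOG)` to see the two provider-quoted lines flagged on all three rules while the daytime call from a registered extension passes.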
Copyright © 2024 DrayTek