5th March 2006 at 02:11 #30759 Wilson Boyrie
To all fellow operators and owners of Quintum gateways:
Seems very likely that crooks are in possession of some sort of master password for at least the Dx series of gateways.
The facts: Our gateway was broken into a few months ago, and someone with good skills modified the configuration to allow calls to come in from VOIP to the PSTN ports.
What followed were many thousand calls to Jamaica, from one I.P. that was traced back to the NAP of the Americas, in Miami.
The crooks were smart enough not to take every trunk available, they only used 20 channels out of every T1.
By intercepting some of the calls, we learned that those calls originated in places like the U.K., Australia, Europe and even in the U.S. That indicates that the equipment sending the calls was receiving the calls from several other switches.
We firewalled these guys out, and we did not have any more trouble for a few months, until February first, about a month ago.
We found out that the configuration of the Quintum was changed one more time, and fearing a compromised password, changed the Quintum password one more time.
The configuration got changed one more time the next day, with someone from Brazil doing the changes, and making several test calls.
A few minutes later, calls to Jamaica started from an I.P. in the U.S.
What we know:
a) They are able to log in, without erasing the password, apparently via TELNET.
b) These are crafty VOIP operators, with good Quintum know-how.
c) When we disabled the Telnet and GUI on the gateway, they were unable to get back in.
d) I.P. addresses: The test calls originated in I.P.'s 126.96.36.199 and 188.8.131.52. The calls to Jamaica were from I.P. 184.108.40.206.
If anyone recognizes these I.P. addresses and has any information about this scum, I will be glad if you write to me with the info.
And to the rest, be sure to firewall your Quintum from these I.P.'s at least.
And remember, using the "allow" and "restrict" tables on the Quintum itself is not of any use against these crooks, since they will be able to log in to your gateway and change the configuration anyway.
Mike and the gang, do you have any information about this situation??????
Wilson A. Boyrie.
Many regards, and watch out!!!!!!

5th March 2006 at 03:54 #30760 MikeM to Wilson
I recall a problem similar to this almost 2 years ago with old software, but Quintum quickly came out with a patch and it was never seen again.
I would suggest you send this in to Quintum along with all information. The problem may be that if they cannot see what is going on, they may not be able to see how to fix it. I seem to recall a telnet log in the system that, if someone were to capture this log, Quintum may be able to see more info. They also had software that would log each keystroke and can see how they are doing it.
I will also send your message to an associate at Quintum to help get the ball rolling, but it may carry more weight from a customer.
Mike

5th March 2006 at 05:12 #30761 Wilson Boyrie to Mike
I am about to leave on vacation, but will try to gather all the information and send it to Quintum before I run out of the country.
The first time around I thought that I did not set the filters after a factory reset, but this last time I saw the changes from one day to the other, and that with the gateway having a password that not even my partner knew.
I do not care that Quintum has a master password, but it should reset the box to factory default when used.
That way you will realize that something is up.
Of course that applies to us, who could rebuild the box in a couple of hours and a gallon of coffee, but I bet there are a lot of people terrified of losing a configuration.
From the Quintum point of view, you could not please everyone.
Wilson Boyrie.

5th March 2006 at 05:33 #30762 MikeM to Wilson
To my knowledge (at least when I was there) there is no master password or backdoor password to get into the Tenors. The only way for Quintum to get in is to get the hex number that comes up at the login prompt, enter this into a program and it spits out a time-sensitive password to get in. This program is secure on an internal server at Quintum and is not accessible from outside their network. So even if someone leaves Quintum, they cannot access this program and hack in. However, there may be a hole in the software that someone found.
Have a good vacation.
Mike

5th March 2006 at 12:44 #30763 Tom
One thing that has always concerned me about Quintum machines is the telnet server. Logging on results in the password being sent in clear text. AFAIK, Config Manager encrypts the password, but an SSH server would make more sense for the CLI interface. Could it be possible that someone with a strategically placed sniffer has got your password?
I am always careful to make sure there are no unauthorised calls being sent directly to my gateways, but that means logging on to the Quintum and looking at the calls – using telnet!
Another concern is P103. Any fixes now will presumably be added to the P103 firmware. But, my own testing has shown many issues with P103, so I have held back on upgrading my production gateways.

5th March 2006 at 15:25 #30764 Wilson Boyrie
What you mention is not completely impossible, but unlikely.
We are not in a colocation, but in an office building. We are the only telecom people in the entire building.
The data circuits (WAN) enter the building via a T1 circuit to an ISP provider, in HDSL format.
The "demarcation" point and the routers are inside our space.
Not an easy target, considering that the office is manned most of the day and we constantly drop by at any time.
I found out that there are many small terminal servers that are priced below one hundred dollars.
They have an ethernet port and a serial port that could be connected to the console port.
The I.P. address of this device will be different than the gateway, and also the port could be changed to something different than the normal "23".
That is what I will be using from now on.
Wilson Boyrie

6th March 2006 at 07:30 #30765 Teodor Georgiev
Mike is right that Quintum TAC can generate a short-time-active temporary password for your Quintum based on what hex symbols appear at your telnet prompt.
No matter how secure the Quintum temporary password generation server is, if you are good at disassembling, you can easily debug the firmware code of the Quintum and find the subroutine responsible for calculating the temporary password 🙂
Another big mistake is to leave your SNMP community as public.
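The fraud pattern in Wilson's opening post (one VoIP source pumping calls to Jamaica while deliberately leaving channels free on each T1) can be caught from the gateway's own call records, independently of whether the login was noticed. This is an added example, not code from any poster or from Quintum; the CDR field layout, IP addresses and numbers are constructed for illustration:

```python
from collections import Counter, defaultdict, namedtuple
from datetime import datetime, timedelta

# Fields of one call record (constructed layout, not a Quintum CDR format):
# start (datetime), duration in seconds, VoIP source IP the call arrived
# from, PSTN trunk it went out on, dialed digits.
CDR = namedtuple("CDR", "start duration src_ip trunk dialed")

def constructed_cdrs():
    """Constructed sample (not real records): one VoIP source drives 20
    simultaneous calls to Jamaica (1-876) numbers on trunk T1-1, leaving
    4 of 24 channels free; a second source places 3 short domestic calls."""
    base = datetime(2006, 2, 2, 3, 0)
    rows = [CDR(base + timedelta(seconds=ch), 900, "198.51.100.9", "T1-1",
                "1876555%04d" % ch) for ch in range(1, 21)]
    rows += [CDR(base + timedelta(minutes=10 * i), 120, "192.0.2.50", "T1-2",
                 "1305555%04d" % i) for i in range(3)]
    return rows

def peak_concurrency(rows):
    """Maximum simultaneous calls per trunk, from a sweep over start/end
    events; an end and a start at the same instant do not overlap."""
    events = defaultdict(list)
    for r in rows:
        events[r.trunk].append((r.start, 1))
        events[r.trunk].append((r.start + timedelta(seconds=r.duration), -1))
    peaks = {}
    for trunk, evs in events.items():
        cur = peak = 0
        for _, delta in sorted(evs):  # -1 sorts before +1 at equal times
            cur += delta
            peak = max(peak, cur)
        peaks[trunk] = peak
    return peaks

def flag_destination_concentration(rows, min_calls=10):
    """(src_ip, destination prefix) pairs with at least min_calls calls;
    the prefix is 1 + area code for NANP numbers, else the first 3 digits."""
    counts = Counter()
    for r in rows:
        pfx = r.dialed[:4] if r.dialed.startswith("1") else r.dialed[:3]
        counts[(r.src_ip, pfx)] += 1
    return {k: v for k, v in counts.items() if v >= min_calls}

def flag_partial_trunk_abuse(rows, ceiling=16):
    """Trunks whose peak concurrency exceeds the ceiling. A plain 'trunk
    full' alarm never fires when only 20 of 24 channels are in use."""
    return {t: p for t, p in peak_concurrency(rows).items() if p > ceiling}
```

The concurrency ceiling should sit below the trunk's channel count but above normal peak traffic, so a per-destination threshold and a per-trunk threshold together cover both the volume and the partial-trunk trick described in the thread.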