- This topic has 3 replies, 1 voice, and was last updated 10 years, 8 months ago by Linz.
21st April 2010 at 15:55 #31980 HAL Guest
Hi everyone, Hi Mike,
We are a VoIP provider in Europe, and our DX2030, which is allocated in another country in Europe and connected directly to a big telecom provider, has been hacked over the weekend from a provider named CHINANET-GD. The technical details of our Quintum are as below:
Manufacturer: Quintum Technologies
Product Name: Tenor DX
H/W Version: 0 [1 0 0 0]
S/W Version: P107-09-00
DS1 Info: 2 DS1
Network: xxx.xxx.xxx.xxx (Static)
Total Calls: 0
This hacker succeeded in sending THOUSANDS of calls using the following IP addresses:
220.127.116.11 – 18.104.22.168 – 22.214.171.124 and ASTERISK (SIP!!!)
After connecting through the Config Manager to the Quintum, nothing has been changed in the config, and I have immediately changed the pwd and disabled the DI completely.
Our Quintum is configured with all important steps to secure it:
-Strong Admin Password
but I can’t set the webserverport and the managmentAccess parameter to 0 because the Tenor, as I mentioned, is allocated in another country and I need remote access to it.
So my questions:
1. How did they succeed in sending calls with SIP when we are using H323 and EPAD?
2. If they hacked the system, why didn’t they change the pwd and the config?
3. WHY CAN THEY STILL SEND CALLS EVEN IF I CHANGED THE PWD?
In the alarm history I found logs like the one below, with different channel numbers:
xxx.xxx.xxx.xxx:858445:RPT:4:Miscellaneous Information (PriTermCall: Channel 31 on slot=2 device=0 line=1 rejected by the peer.):0:0:0:0:SUN APR 18 13:40:23 2010
Any comment would be appreciated.
Thanks and regards
HAL
30th April 2010 at 14:29 #31981 MikeM to Hal Guest
There is much confusion on this and I believe Quintum is adding some additional language in their reference guide.
1. All Gen 2 Quintums will support both H323 and SIP for term calls. You do not have to enable anything special for this.
2. EPAD is ONLY FOR H323 and ONLY if the quintum is its own gatekeeper (this is by default).
3. SIP calls will be allowed from anyone unless you set the Allow Only Proxy Calls under the SIP Signaling Group to enable (sipsg–>set aopc 1–>submit). By doing this, no SIP calls will be allowed unless you have a SIP server/proxy set up and the provider’s IP address is configured into that proxy/server.
Give that a try.
firstname.lastname@example.org
July 2010 at 16:46 #31982 frank ditlefsen Guest
Did you get any answer??
We’ve just noticed the same as you describe. But we managed to block the IP address out of our network.
1st August 2010 at 02:08 #31983 Linz Guest
Who is this dude on 126.96.36.199 and why hasn’t he/she been shut down?
A customer of mine has just had the thing happen to him.
Quite simply, 188.8.131.52 is a Red Hat Linux host with Asterisk running on it which is actively exploiting VoIP PBX servers that have hairpin call routing inadvertently enabled.
I’m actually surprised that this has been going on for so long.
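
Added example, not part of the thread and not Quintum code: a Python sketch that parses alarm-history lines shaped like the one quoted in the first post and counts peer-rejected termination calls per hour, so a weekend burst like the one described stands out. The field layout is inferred from that single line (an assumption, not vendor documentation), and the sample lines, the 192.0.2.10 address and the threshold are constructed.

```python
import re
from collections import Counter
from datetime import datetime

# Assumed layout: unit:sequence:type:severity:text:four counters:timestamp.
# The text field itself contains colons, so the tail is anchored instead of splitting on ':'.
ALARM_RE = re.compile(
    r"^(?P<unit>[^:]+):(?P<seq>\d+):(?P<kind>[A-Z]+):(?P<sev>\d+):"
    r"(?P<text>.*):\d+:\d+:\d+:\d+:"
    r"(?P<ts>[A-Z]{3} [A-Z]{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4})$"
)
REJECT_RE = re.compile(
    r"PriTermCall: Channel (?P<ch>\d+) on slot=(?P<slot>\d+) "
    r"device=(?P<dev>\d+) line=(?P<line>\d+) rejected by the peer"
)

def parse_alarm(line):
    """Return a dict for one alarm-history line, or None if it does not fit the layout."""
    m = ALARM_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # Drop the weekday name, then parse e.g. "APR 18 13:40:23 2010".
    rec["when"] = datetime.strptime(rec.pop("ts").split(" ", 1)[1], "%b %d %H:%M:%S %Y")
    rej = REJECT_RE.search(rec["text"])
    rec["rejected_channel"] = int(rej["ch"]) if rej else None
    return rec

def rejection_bursts(lines, threshold=3):
    """Count peer-rejected termination calls per clock hour; keep hours at or over threshold."""
    per_hour = Counter()
    for line in lines:
        rec = parse_alarm(line)
        if rec and rec["rejected_channel"] is not None:
            per_hour[rec["when"].replace(minute=0, second=0)] += 1
    return {hour: n for hour, n in sorted(per_hour.items()) if n >= threshold}

# Constructed sample modelled on the quoted line; 192.0.2.10 is a placeholder address.
TEMPLATE = ("192.0.2.10:{seq}:RPT:4:Miscellaneous Information (PriTermCall: Channel {ch} "
            "on slot=2 device=0 line=1 rejected by the peer.):0:0:0:0:SUN APR 18 {t} 2010")
SAMPLE = [TEMPLATE.format(seq=858445 + i, ch=ch, t=t) for i, (ch, t) in enumerate(
    [(31, "13:40:23"), (30, "13:40:25"), (29, "13:41:02"), (31, "14:05:10")])]
SAMPLE.append("not an alarm line")  # malformed input is skipped, not fatal

if __name__ == "__main__":
    for hour, count in rejection_bursts(SAMPLE).items():
        print(f"{hour:%Y-%m-%d %H}:00  {count} rejected termination calls")
```

An hour that crosses the threshold is a prompt to pull the call records for that window and check which signaling source the calls arrived from.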