Author Topic: Mitel 5000 Hacked (Read 7218 times)

jmarcwsp1 · « **on:** March 17, 2014, 02:42:36 PM »

Our v5.1 5000 was hacked earlier this month. The scumbags racked up $1,800 worth of calls about a week ago- between 9pm and 3am.

Any thoughts how this happened?

We have PRI, 20 CAT D, 15 digital, 3 CAT F, vm...

Hovus · « **Reply #1 on:** March 17, 2014, 03:19:13 PM »

Likely through SIP. If you guys have a public IP forwarding port 5060 to the 5000's internal IP, people with no lives (a.k.a hackers), have the ability to scan the internet for IPs with that port open and will continually try to register a phone to your system thereby giving them the ability to use your lines to call out to international numbers and so forth. Lock that outside access to only certain IPs you approve of to eliminate this issue.

Tech Electronics · « **Reply #2 on:** March 17, 2014, 03:32:35 PM »

Jmarcwsp1,

First of all did you look in your Reports section of the System Administration and Diagnostic program to see what extension(s) were making those calls and at what time they were doing it?

Did you make sure your IP and SIP phones were not using the same password as the extension?

There are a lot of things we can do to help, but there is some information we will need to help out. The system does not just grant access to anyone who wants to make a call, but if the implementation did not have security in mind it may not be implemented as well as it should be. I also understand where Hovus is coming from, but I am not so sure you want to start changing your Firewall rules if there are other options out there, especially if some of the users are working from home and they do not have a static IP address associated with their internet access or if they are traveling users who do not connect up through "known" connects such as hotels or customer sites. Let's try to implement some easier security measures and see if that works first and then get into more complicated ones once we reach that point with no success.

Thanks,

TE

jmarcwsp1 · « **Reply #3 on:** March 17, 2014, 04:20:25 PM »

We are an interconnect...One sip trunk and 3 sip endpoints for testing...

jmarcwsp1 · « **Reply #4 on:** March 17, 2014, 04:22:23 PM »

Thanks Tech Electronics and Hovus!!!

Tech Electronics · « **Reply #5 on:** March 17, 2014, 08:49:02 PM »

Jmarcwsp1,

Your welcome, but has your issue been resolved and if so what did you have to do to fix it?

Thanks,

TE

chrismitel · « **Reply #6 on:** March 18, 2014, 04:26:17 AM »

Hi,

The only hacking on the 5000 we have had really has always been through SIP. We have a strict policy now where we simply will not support SIP users outside of the customers LAN. Secure passwords etc is just not good enough.

Mitel only SIP softphones they support/recommend outside of the LAN is UCA mobile SIP softphones with MBG.

NTEDave · « **Reply #7 on:** March 19, 2014, 11:38:46 AM »

Same here, we have seen a load of Hack attempts but no actual success as we lock down the CAT F endpoints

MJI · « **Reply #8 on:** March 24, 2014, 12:11:10 PM »

I am not quite sure if we are having a hacking problem. My general voicemail box keeps getting filled up with voicemail messages from random telephone numbers (all local). I am looking at my CPU utilization and (at the lowest point in the day) it reads 100%. Looking at the breakdown it shows that applications are taking the majority of the resources.

I am looking at the reporting section in Mitel System Administration & Diagnostics. I am trying to run a report showing what extension are dialing out. I did notice that a user who is not in the office was showing off-hook. I cannot find were to run this report though, I am just reading the generic/standard reports (All Extensions, Call Routing Tables, ..., Timers & Limits, and Trunks).

I did download the reporting data... where should I be going to get the report you are referencing.

By the way, I also looking into the DB Programming and see I have port 5060 listening for SIP UDP. Should I NOT have this port listening?

Thanks,
Erin

Quote from: Tech Electronics on March 17, 2014, 03:32:35 PM

Jmarcwsp1,

First of all did you look in your Reports section of the System Administration and Diagnostic program to see what extension(s) were making those calls and at what time they were doing it?

Did you make sure your IP and SIP phones were not using the same password as the extension?

There are a lot of things we can do to help, but there is some information we will need to help out. The system does not just grant access to anyone who wants to make a call, but if the implementation did not have security in mind it may not be implemented as well as it should be. I also understand where Hovus is coming from, but I am not so sure you want to start changing your Firewall rules if there are other options out there, especially if some of the users are working from home and they do not have a static IP address associated with their internet access or if they are traveling users who do not connect up through "known" connects such as hotels or customer sites. Let's try to implement some easier security measures and see if that works first and then get into more complicated ones once we reach that point with no success.

Thanks,

TE

Tech Electronics · « **Reply #9 on:** March 24, 2014, 05:33:21 PM »

Erin,

First of all Reporting for Trunks is under the System Administration and Diagnostics program under the System Monitor Drop Down after you connect it up to the System there will be a Play Button > that you can press and it will allow you to do reports on the PSTN Call Records. This is not pressing the phone symbol and getting into Database Programming where you are now, but your vendor could have blocked this from your account so you may need them to access this.

If you are having problems figuring this out then hit the (?v) button on your System Administration and Diagnostics and select Help and type in the search bar. Using System Monitoring Tools and then look for PSTN Call Records.

Also, if you want your SIP devices to continue working then you need to make sure the system is listening on port 5060.

Are there actual messages left in your voicemail box or are they just messages saying someone called and didn't leave a message, but here is there ANI. That can be turned off at the mailbox by going to:

Voice Processor > Devices > Mailboxes > nnnn > Deliver Hangup Messages (when ANI is available) set this to NO

If it is a long message with dead air and no audio it could be that they hung up from the call prior to or right after the mailbox answered and there isn't a positive disconnect on the line. This is common on Central Office lines known as POTS (Plain Old Telephone Service) which is what you get delivered to your house. You could have them changed to Trunks, which is more expensive, or just get a CPC (Calling Party Control) device to monitor for disconnects and put in between the Line and the 5000. There are some steps you can take inside the phone system if the technician hears the positive disconnect and the line stays up, but that would require a technician to verify and make sure there were no Loop Current issues as well.

Thanks,

TE

Thanks,

TE

Mitel Forums - The Unofficial Source

News:

Author Topic: Mitel 5000 Hacked (Read 7218 times)

jmarcwsp1

Mitel 5000 Hacked

Hovus

Re: Mitel 5000 Hacked

Tech Electronics

Re: Mitel 5000 Hacked

jmarcwsp1

Re: Mitel 5000 Hacked

jmarcwsp1

Re: Mitel 5000 Hacked

Tech Electronics

Re: Mitel 5000 Hacked

chrismitel

Re: Mitel 5000 Hacked

NTEDave

Re: Mitel 5000 Hacked

MJI

Re: Mitel 5000 Hacked

Tech Electronics

Re: Mitel 5000 Hacked