Author Topic: Mitel 5000 Hacked  (Read 7520 times)

Offline jmarcwsp1

  • Full Member
  • ***
  • Posts: 144
  • Country: us
  • Karma: +0/-1
    • View Profile
Mitel 5000 Hacked
« on: March 17, 2014, 02:42:36 PM »
Our v5.1 5000 was hacked earlier this month.  The scumbags racked up $1,800 worth of calls about a week ago- between 9pm and 3am. 

Any thoughts how this happened?

We have PRI, 20 CAT D, 15 digital, 3 CAT F, vm...
« Last Edit: March 17, 2014, 03:12:17 PM by jmarcwsp1 »


Offline Hovus

  • Jr. Member
  • **
  • Posts: 77
  • Country: us
  • Karma: +3/-0
    • View Profile
Re: Mitel 5000 Hacked
« Reply #1 on: March 17, 2014, 03:19:13 PM »
Likely through SIP. If you guys have a public IP forwarding port 5060 to the 5000's internal IP, people with no lives (a.k.a hackers), have the ability to scan the internet for IPs with that port open and will continually try to register a phone to your system thereby giving them the ability to use your lines to call out to international numbers and so forth. Lock that outside access to only certain IPs you approve of to eliminate this issue.

Offline Tech Electronics

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 2984
  • Country: us
  • Karma: +89/-1
    • View Profile
Re: Mitel 5000 Hacked
« Reply #2 on: March 17, 2014, 03:32:35 PM »
Jmarcwsp1,

First of all did you look in your Reports section of the System Administration and Diagnostic program to see what extension(s) were making those calls and at what time they were doing it?

Did you make sure your IP and SIP phones were not using the same password as the extension?

There are a lot of things we can do to help, but there is some information we will need to help out. The system does not just grant access to anyone who wants to make a call, but if the implementation did not have security in mind it may not be implemented as well as it should be. I also understand where Hovus is coming from, but I am not so sure you want to start changing your Firewall rules if there are other options out there, especially if some of the users are working from home and they do not have a static IP address associated with their internet access or if they are traveling users who do not connect up through "known" connects such as hotels or customer sites. Let's try to implement some easier security measures and see if that works first and then get into more complicated ones once we reach that point with no success.

Thanks,

TE

Offline jmarcwsp1

  • Full Member
  • ***
  • Posts: 144
  • Country: us
  • Karma: +0/-1
    • View Profile
Re: Mitel 5000 Hacked
« Reply #3 on: March 17, 2014, 04:20:25 PM »
We are an interconnect...One sip trunk and 3 sip endpoints for testing...

Offline jmarcwsp1

  • Full Member
  • ***
  • Posts: 144
  • Country: us
  • Karma: +0/-1
    • View Profile
Re: Mitel 5000 Hacked
« Reply #4 on: March 17, 2014, 04:22:23 PM »
Thanks Tech Electronics and Hovus!!!

Offline Tech Electronics

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 2984
  • Country: us
  • Karma: +89/-1
    • View Profile
Re: Mitel 5000 Hacked
« Reply #5 on: March 17, 2014, 08:49:02 PM »
Jmarcwsp1,

Your welcome, but has your issue been resolved and if so what did you have to do to fix it?

Thanks,

TE

Offline chrismitel

  • Jr. Member
  • **
  • Posts: 42
  • Country: gb
  • Karma: +0/-0
    • View Profile
Re: Mitel 5000 Hacked
« Reply #6 on: March 18, 2014, 04:26:17 AM »
Hi,

The only hacking on the 5000 we have had really has always been through SIP.  We have a strict policy now where we simply will not support SIP users outside of the customers LAN.  Secure passwords etc is just not good enough.

Mitel only SIP softphones they support/recommend outside of the LAN is UCA mobile SIP softphones with MBG.

Offline NTEDave

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 502
  • Country: gb
  • Karma: +11/-0
    • View Profile
Re: Mitel 5000 Hacked
« Reply #7 on: March 19, 2014, 11:38:46 AM »
Same here, we have seen a load of Hack attempts but no actual success as we lock down the CAT F endpoints :)

Offline MJI

  • New Member
  • *
  • Posts: 1
  • Country: us
  • Karma: +0/-0
    • View Profile
Re: Mitel 5000 Hacked
« Reply #8 on: March 24, 2014, 12:11:10 PM »
I am not quite sure if we are having a hacking problem. My general voicemail box keeps getting filled up with voicemail messages from random telephone numbers (all local). I am looking at my CPU utilization and (at the lowest point in the day) it reads 100%. Looking at the breakdown it shows that applications are taking the majority of the resources.

I am looking at the reporting section in Mitel System Administration & Diagnostics. I am trying to run a report showing what extension are dialing out. I did notice that a user who is not in the office was showing off-hook. I cannot find were to run this report though, I am just reading the generic/standard reports (All Extensions, Call Routing Tables, ..., Timers & Limits, and Trunks).

I did download the reporting data... where should I be going to get the report you are referencing.

By the way, I also looking into the DB Programming and see I have port 5060 listening for SIP UDP. Should I NOT have this port listening?

Thanks,
Erin




Jmarcwsp1,

First of all did you look in your Reports section of the System Administration and Diagnostic program to see what extension(s) were making those calls and at what time they were doing it?

Did you make sure your IP and SIP phones were not using the same password as the extension?

There are a lot of things we can do to help, but there is some information we will need to help out. The system does not just grant access to anyone who wants to make a call, but if the implementation did not have security in mind it may not be implemented as well as it should be. I also understand where Hovus is coming from, but I am not so sure you want to start changing your Firewall rules if there are other options out there, especially if some of the users are working from home and they do not have a static IP address associated with their internet access or if they are traveling users who do not connect up through "known" connects such as hotels or customer sites. Let's try to implement some easier security measures and see if that works first and then get into more complicated ones once we reach that point with no success.

Thanks,

TE

Offline Tech Electronics

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 2984
  • Country: us
  • Karma: +89/-1
    • View Profile
Re: Mitel 5000 Hacked
« Reply #9 on: March 24, 2014, 05:33:21 PM »
Erin,

First of all Reporting for Trunks is under the System Administration and Diagnostics program under the System Monitor Drop Down after you connect it up to the System there will be a Play Button > that you can press and it will allow you to do reports on the PSTN Call Records. This is not pressing the phone symbol and getting into Database Programming where you are now, but your vendor could have blocked this from your account so you may need them to access this.

If you are having problems figuring this out then hit the (?v) button on your System Administration and Diagnostics and select Help and type in the search bar. Using System Monitoring Tools and then look for PSTN Call Records.

Also, if you want your SIP devices to continue working then you need to make sure the system is listening on port 5060.

Are there actual messages left in your voicemail box or are they just messages saying someone called and didn't leave a message, but here is there ANI. That can be turned off at the mailbox by going to:

Voice Processor > Devices > Mailboxes > nnnn > Deliver Hangup Messages (when ANI is available) set this to NO

If it is a long message with dead air and no audio it could be that they hung up from the call prior to or right after the mailbox answered and there isn't a positive disconnect on the line. This is common on Central Office lines known as POTS  (Plain Old Telephone Service) which is what you get delivered to your house. You could have them changed to Trunks, which is more expensive, or just get a CPC (Calling Party Control) device to monitor for disconnects and put in between the Line and the 5000. There are some steps you can take inside the phone system if the technician hears the positive disconnect and the line stays up, but that would require a technician to verify and make sure there were no Loop Current issues as well.

Thanks,

TE

Thanks,

TE


 

Sitemap 1 2 3 4 5 6 7 8 9 10