My Open VFX connection hacked!!!

Forums › VoIP › My Open VFX connection hacked!!!

scoopy

33 posts

Geek

Topic # 99838 28-Mar-2012 12:28
AHHH my Open VFX connection was hacked - used some by turkeys in Lithuania! Advice needed how to secure my VoIP device. Would the hack be initiated on my YeaLink T20 or on my Router? And most importantly . . . how do I close the hole? Got that sinking feeling! Scoopy

1 | 2

2432 posts

Uber Geek

Trusted

Subscriber

Reply # 601188 28-Mar-2012 12:30
Oh guts mate. happened to me before. How much did they rack up? How strong are your passwords? Have you port forwarded the SIP port on your rotuer to your phone by any chance?

maverick

3477 posts

Uber Geek

Trusted

WorldxChange

Reply # 601193 28-Mar-2012 12:41
Your actual box is fine , the problem appears are that someone has your Open VFX credentials and someone is using them to make the calls , the account is auto suspended but your credentials are in use by someone else using an eyebeam client, Timestamp : 12:22:21.417 2012-03-28 Direction : RX Remote IP/Port: 37.8.21.126/14045 Transport : UDP ---------------------------------------- INVITE sip:0037xxxxx612@ SIP/2.0 To: From:49xxxx76 ;tag=4f345044 Via: SIP/2.0/UDP 37.8.21.126:14045;branch=z9hG4bK-d87543-288256747-1--d87543-;rport Call-ID: 230a0a0b9c28a75c CSeq: 1 INVITE Contact: Max-Forwards: 70 Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, SUBSCRIBE, INFO Content-Type: application/sdp User-Agent: eyeBeam release 3006o stamp 17551 Content-Length: 269 v=0 o=- 87336883 87336903 IN IP4 37.8.21.126 s=eyeBeam c=IN IP4 37.8.21.126 t=0 0 m=audio 21598 RTP/AVP 100 6 0 8 3 18 5 101 a=alt:1 1 : 2B37DE3D 00000061 192.168.1.6 8328 a=fmtp:101 0-15 a=rtpmap:100 speex/16000 a=rtpmap:101 telephone-event/8000 a=sendrecv Yes I am a employee of WxC (My Profile) ... but I do have my own opinions as well

scoopy

33 posts

Geek

Reply # 601195 28-Mar-2012 12:41
Zeon: Oh guts mate. happened to me before. How much did they rack up? How strong are your passwords? Have you port forwarded the SIP port on your rotuer to your phone by any chance? $400+ Do you mean passwords on my VoIP account on, the VoIP phone or on my Wireless Device? I don't have SIP port on my router forwarding to my phone. Just heard from my supplier that somehow the hacker got my credentials.

scoopy

33 posts

Geek

Reply # 601196 28-Mar-2012 12:44
maverick: Your actual box is fine , the problem appears are that someone has your Open VFX credentials and someone is using them to make the calls , the account is auto suspended but your credentials are in use by someone else using an eyebeam client, Timestamp : 12:22:21.417 2012-03-28 Direction : RX Remote IP/Port: 37.8.21.126/14045 Transport : UDP ---------------------------------------- INVITE sip:0037xxxxx612@ SIP/2.0 To: From: ;tag=4f345044 Via: SIP/2.0/UDP 37.8.21.126:14045;branch=z9hG4bK-d87543-288256747-1--d87543-;rport Call-ID: 230a0a0b9c28a75c CSeq: 1 INVITE Contact: Max-Forwards: 70 Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, SUBSCRIBE, INFO Content-Type: application/sdp User-Agent: eyeBeam release 3006o stamp 17551 Content-Length: 269 v=0 o=- 87336883 87336903 IN IP4 37.8.21.126 s=eyeBeam c=IN IP4 37.8.21.126 t=0 0 m=audio 21598 RTP/AVP 100 6 0 8 3 18 5 101 a=alt:1 1 : 2B37DE3D 00000061 192.168.1.6 8328 a=fmtp:101 0-15 a=rtpmap:100 speex/16000 a=rtpmap:101 telephone-event/8000 a=sendrecv What does that mean?

Ragnor

6939 posts

Uber Geek

Trusted

Subscriber

Reply # 601199 28-Mar-2012 12:50
WxC/Xnet will probably be able to tell you whether it was brute forced (ie: hacker tried common passwords) from their logs or knew the exact details to use. If the attacker knew the exact details I would be scanning all your computers with anti virus and malwarebytes to check for any trojan's/keyloggers. Also for additional security: You could get a static ip address for your internet connection and ask WxC to lock down the account to only accept connections to your account from that address, assuming they offer this feature.

scoopy

33 posts

Geek

Reply # 601201 28-Mar-2012 12:52
Ragnor: WxC/Xnet will probably be able to tell you whether it was brute forced (ie: hacker tried common passwords) from their logs or knew the exact details to use. If the attacker knew the exact details I would be scanning all your computers with anti virus and malwarebytes to check for any trojan's/keyloggers. Also for additional security: You could get a static ip address for your internet connection and ask WxC to lock down the account to only accept connections to your account from that address, assuming they offer this feature. Thank Ragnor I'll contact My ISP and ask about static IP.

Ragnor

6939 posts

Uber Geek

Trusted

Subscriber

Reply # 601210 28-Mar-2012 12:55
scoopy: What does that mean? The hacker either: A) Knew your exact login/password/number to access your account, in which case you likely have a compromised/infected computer on your network. Do you have your openVFX login details in a plain text doc or txt file on your computer or network? Is your email account compromised? Scan all computers with anti virus and malwarebytes, change all passwords for everything. OR B) They tried different combinations of username/password/number till they gained access. I would say A sounds more likely, account would be locked out after a few failed attempts so B shouldn't be possible as Open VFX uses three way auth (hacker has to get the right number, auth id and password).

maverick

3477 posts

Uber Geek

Trusted

WorldxChange

Reply # 601211 28-Mar-2012 12:56
It is Option A Yes I am a employee of WxC (My Profile) ... but I do have my own opinions as well

maverick

3477 posts

Uber Geek

Trusted

WorldxChange

Reply # 601213 28-Mar-2012 12:59
scoopy: maverick: Your actual box is fine , the problem appears are that someone has your Open VFX credentials and someone is using them to make the calls , the account is auto suspended but your credentials are in use by someone else using an eyebeam client, Timestamp : 12:22:21.417 2012-03-28 Direction : RX Remote IP/Port: 37.8.21.126/14045 Transport : UDP ---------------------------------------- INVITE sip:0037xxxxx612@ SIP/2.0 To: From: ;tag=4f345044 Via: SIP/2.0/UDP 37.8.21.126:14045;branch=z9hG4bK-d87543-288256747-1--d87543-;rport Call-ID: 230a0a0b9c28a75c What does that mean? What that means is the actual SIP invite coming from the person using your Credentials , he has them exactly including your Authid and Password which as you know is 2 rather long and random string, this account was not brute forced and would be next to impossible to brute force, your Open VFX details have been obtained by someone Yes I am a employee of WxC (My Profile) ... but I do have my own opinions as well

Kiwipixter

242 posts

Master Geek

Reply # 601214 28-Mar-2012 12:59
Time to get a POTs line me thinks.

Ragnor

6939 posts

Uber Geek

Trusted

Subscriber

Reply # 601215 28-Mar-2012 13:01
maverick: It is Option A I'd advise Scoopy unplug all computers from the internet and the local network until you have verified they are clean from keyloggers/trojans/virus.

maverick

3477 posts

Uber Geek

Trusted

WorldxChange

Reply # 601216 28-Mar-2012 13:01
Kiwipixter: Time to get a POTs line me thinks. Time to stop online banking / shopping as well ?, if they have these details from an infected machine quite possibly they will have other online details as well Yes I am a employee of WxC (My Profile) ... but I do have my own opinions as well

scoopy

33 posts

Geek

Reply # 601217 28-Mar-2012 13:02
Roger that will do.

scoopy

33 posts

Geek

Reply # 601219 28-Mar-2012 13:02
maverick: Kiwipixter: Time to get a POTs line me thinks. Time to stop online banking / shopping as well ?, if they have these details from an infected machine quite possibly they will have other online details as well Thanks for making my day you guys!!!!

scoopy

33 posts

Geek

Reply # 601225 28-Mar-2012 13:09
Is there anyway of nailing down where the breach was?

1 | 2