



33 posts

Geek


Topic # 99838 28-Mar-2012 12:28 Send private message

AHHH my Open VFX connection was hacked - used by some turkeys in Lithuania!

Advice needed how to secure my VoIP device.

Would the hack be initiated on my YeaLink T20 or on my Router?

And most importantly . . .  how do I close the hole? 

Got that sinking feeling! Frown

Scoopy 

3047 posts

Uber Geek
+1 received by user: 223

Trusted
Subscriber

  Reply # 601188 28-Mar-2012 12:30 Send private message

Oh guts mate. Happened to me before. How much did they rack up?

How strong are your passwords? Have you port forwarded the SIP port on your router to your phone by any chance?





3569 posts

Uber Geek
+1 received by user: 62

Trusted
WorldxChange

  Reply # 601193 28-Mar-2012 12:41 Send private message

Your actual box is fine, the problem appears to be that someone has your Open VFX credentials and someone is using them to make the calls, the account is auto suspended but your credentials are in use by someone else using an eyebeam client,

Timestamp : 12:22:21.417 2012-03-28
Direction : RX
Remote IP/Port: 37.8.21.126/14045
Transport : UDP
----------------------------------------
INVITE sip:0037xxxxx612@ SIP/2.0
To:
From:49xxxx76 ;tag=4f345044
Via: SIP/2.0/UDP 37.8.21.126:14045;branch=z9hG4bK-d87543-288256747-1--d87543-;rport
Call-ID: 230a0a0b9c28a75c
CSeq: 1 INVITE
Contact:
Max-Forwards: 70
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, SUBSCRIBE, INFO
Content-Type: application/sdp
User-Agent: eyeBeam release 3006o stamp 17551
Content-Length: 269

v=0
o=- 87336883 87336903 IN IP4 37.8.21.126
s=eyeBeam
c=IN IP4 37.8.21.126
t=0 0
m=audio 21598 RTP/AVP 100 6 0 8 3 18 5 101
a=alt:1 1 : 2B37DE3D 00000061 192.168.1.6 8328
a=fmtp:101 0-15
a=rtpmap:100 speex/16000
a=rtpmap:101 telephone-event/8000
a=sendrecv




Yes I am an employee of WxC (My Profile) ... but I do have my own opinions as well Wink

             

https://www.facebook.com/wxccommunications



33 posts

Geek


  Reply # 601195 28-Mar-2012 12:41 Send private message



Zeon: Oh guts mate. Happened to me before. How much did they rack up?

How strong are your passwords? Have you port forwarded the SIP port on your router to your phone by any chance?


$400+

Do you mean passwords on my VoIP account, on the VoIP phone or on my Wireless Device?

I don't have SIP port on my router forwarding to my phone.   

Just heard from my supplier that somehow the hacker got my credentials.   



33 posts

Geek


  Reply # 601196 28-Mar-2012 12:44 Send private message

maverick: Your actual box is fine, the problem appears to be that someone has your Open VFX credentials and someone is using them to make the calls, the account is auto suspended but your credentials are in use by someone else using an eyebeam client,

Timestamp : 12:22:21.417 2012-03-28
Direction : RX
Remote IP/Port: 37.8.21.126/14045
Transport : UDP
----------------------------------------
INVITE sip:0037xxxxx612@ SIP/2.0
To:
From: ;tag=4f345044
Via: SIP/2.0/UDP 37.8.21.126:14045;branch=z9hG4bK-d87543-288256747-1--d87543-;rport
Call-ID: 230a0a0b9c28a75c
CSeq: 1 INVITE
Contact:
Max-Forwards: 70
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, SUBSCRIBE, INFO
Content-Type: application/sdp
User-Agent: eyeBeam release 3006o stamp 17551
Content-Length: 269

v=0
o=- 87336883 87336903 IN IP4 37.8.21.126
s=eyeBeam
c=IN IP4 37.8.21.126
t=0 0
m=audio 21598 RTP/AVP 100 6 0 8 3 18 5 101
a=alt:1 1 : 2B37DE3D 00000061 192.168.1.6 8328
a=fmtp:101 0-15
a=rtpmap:100 speex/16000
a=rtpmap:101 telephone-event/8000
a=sendrecv


What does that mean?

7780 posts

Uber Geek
+1 received by user: 326

Trusted
Subscriber

  Reply # 601199 28-Mar-2012 12:50 Send private message

WxC/Xnet will probably be able to tell you whether it was brute forced (ie: hacker tried common passwords) from their logs or knew the exact details to use.

If the attacker knew the exact details I would be scanning all your computers with anti virus and malwarebytes to check for any trojans/keyloggers.

Also for additional security: You could get a static ip address for your internet connection and ask WxC to lock down the account to only accept connections to your account from that address, assuming they offer this feature.
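
The address lock-down suggested in the post above can also be run as a check over signalling logs laid out like the trace posted earlier in the thread. This is an added example, not code from any poster or from WxC; the allowlisted address, the Yealink User-Agent prefix and the first sample record are assumptions.

```python
import ipaddress
import re
# Assumptions (not from the thread): subscriber's static IP, handset User-Agent prefix.
ALLOWED_NETS = [ipaddress.ip_network("203.0.113.10/32")]
EXPECTED_UA_PREFIX = "Yealink"

# Constructed sample: record 1 is invented; record 2 reuses fields from the thread's trace.
SAMPLE_LOG = """\
Timestamp : 09:15:02.100 2012-03-28
Remote IP/Port: 203.0.113.10/5060
----------------------------------------
INVITE sip:04xxxxxxx@ SIP/2.0
User-Agent: Yealink SIP-T20P

Timestamp : 12:22:21.417 2012-03-28
Remote IP/Port: 37.8.21.126/14045
----------------------------------------
INVITE sip:0037xxxxx612@ SIP/2.0
User-Agent: eyeBeam release 3006o stamp 17551
"""

def parse_records(text):
    """Split the log at each 'Timestamp :' line and extract the checked fields."""
    patterns = {
        "timestamp": r"^Timestamp\s*:\s*(.+)$",
        "ip": r"^Remote IP/Port:\s*([\d.]+)/\d+",
        "method": r"^([A-Z]+) sip:",
        "user_agent": r"^User-Agent:\s*(.+)$",
    }
    records = []
    for chunk in re.split(r"(?m)^(?=Timestamp\s*:)", text):
        if chunk.strip():
            found = {k: re.search(p, chunk, re.M) for k, p in patterns.items()}
            records.append({k: m.group(1).strip() if m else None
                            for k, m in found.items()})
    return records

def flag_suspicious(records):
    """Return (record, reasons) for INVITEs from an unexpected source or client."""
    hits = []
    for r in (r for r in records if r["method"] == "INVITE"):
        reasons = []
        if not (r["ip"] and any(ipaddress.ip_address(r["ip"]) in n for n in ALLOWED_NETS)):
            reasons.append("source IP not on allowlist")
        if not (r["user_agent"] or "").startswith(EXPECTED_UA_PREFIX):
            reasons.append("unexpected User-Agent")
        if reasons:
            hits.append((r, reasons))
    return hits
```

A User-Agent string is set by the client and can be changed freely, so the source-address check is the stronger of the two signals.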



33 posts

Geek


  Reply # 601201 28-Mar-2012 12:52 Send private message

Ragnor: WxC/Xnet will probably be able to tell you whether it was brute forced (ie: hacker tried common passwords) from their logs or knew the exact details to use.

If the attacker knew the exact details I would be scanning all your computers with anti virus and malwarebytes to check for any trojans/keyloggers.

Also for additional security: You could get a static ip address for your internet connection and ask WxC to lock down the account to only accept connections to your account from that address, assuming they offer this feature.


Thanks Ragnor

I'll contact My ISP and ask about static IP. 

7780 posts

Uber Geek
+1 received by user: 326

Trusted
Subscriber

  Reply # 601210 28-Mar-2012 12:55 Send private message

scoopy:

What does that mean?


The hacker either:

A) Knew your exact login/password/number to access your account, in which case you likely have a compromised/infected computer on your network. Do you have your openVFX login details in a plain text doc or txt file on your computer or network? Is your email account compromised?  

Scan all computers with anti virus and malwarebytes, change all passwords for everything.

OR

B) They tried different combinations of username/password/number till they gained access. 

I would say A sounds more likely, account would be locked out after a few failed attempts so B shouldn't be possible as Open VFX uses three way auth (hacker has to get the right number, auth id and password).

3569 posts

Uber Geek
+1 received by user: 62

Trusted
WorldxChange

  Reply # 601211 28-Mar-2012 12:56 Send private message

It is Option A





3569 posts

Uber Geek
+1 received by user: 62

Trusted
WorldxChange

  Reply # 601213 28-Mar-2012 12:59 Send private message

scoopy:
maverick: Your actual box is fine, the problem appears to be that someone has your Open VFX credentials and someone is using them to make the calls, the account is auto suspended but your credentials are in use by someone else using an eyebeam client,

Timestamp : 12:22:21.417 2012-03-28
Direction : RX
Remote IP/Port: 37.8.21.126/14045
Transport : UDP
----------------------------------------
INVITE sip:0037xxxxx612@ SIP/2.0
To:
From: ;tag=4f345044
Via: SIP/2.0/UDP 37.8.21.126:14045;branch=z9hG4bK-d87543-288256747-1--d87543-;rport
Call-ID: 230a0a0b9c28a75c



What does that mean?


What that means is the actual SIP invite coming from the person using your Credentials, he has them exactly including your Authid and Password which as you know are 2 rather long and random strings, this account was not brute forced and would be next to impossible to brute force, your Open VFX details have been obtained by someone





246 posts

Master Geek
+1 received by user: 1


  Reply # 601214 28-Mar-2012 12:59 Send private message

Time to get a POTs line me thinks.

7780 posts

Uber Geek
+1 received by user: 326

Trusted
Subscriber

  Reply # 601215 28-Mar-2012 13:01 Send private message

maverick: It is Option A


I'd advise Scoopy unplug all computers from the internet and the local network until you have verified they are clean from keyloggers/trojans/virus.


 

3569 posts

Uber Geek
+1 received by user: 62

Trusted
WorldxChange

  Reply # 601216 28-Mar-2012 13:01 Send private message

Kiwipixter: Time to get a POTs line me thinks.


Time to stop online banking / shopping as well?, if they have these details from an infected machine quite possibly they will have other online details as well







33 posts

Geek


  Reply # 601217 28-Mar-2012 13:02 Send private message

Roger that will do.



33 posts

Geek


  Reply # 601219 28-Mar-2012 13:02 Send private message

maverick:
Kiwipixter: Time to get a POTs line me thinks.


Time to stop online banking / shopping as well?, if they have these details from an infected machine quite possibly they will have other online details as well


Thanks for making my day you guys!!!! 



33 posts

Geek


  Reply # 601225 28-Mar-2012 13:09 Send private message

Is there any way of nailing down where the breach was?
