



638 posts

Ultimate Geek
+1 received by user: 227


Topic # 173284 18-May-2015 10:27

One of my 2talk phone lines was compromised yesterday with a few calls being made to some unusual countries. I've changed all the passwords on the account and devices although it was also suggested that I disallow SIP or web access to your device from the Internet.

I'm using Yealink devices and can't figure out how to do this - any ideas most welcome?




Amanon

19282 posts

Uber Geek
+1 received by user: 2600
Inactive user


  Reply # 1306995 18-May-2015 10:33

Can you see the IP address that it came from?

27663 posts

Uber Geek
+1 received by user: 7143

Moderator
Trusted
Biddle Corp
Lifetime subscriber

  Reply # 1307001 18-May-2015 10:35
One person supports this post

Do you have any form of port forwarding enabled either on SIP ports or HTTP ports to your phone? You should under no circumstances have either that are public facing.




 
 
 
 




638 posts

Ultimate Geek
+1 received by user: 227


  Reply # 1307006 18-May-2015 10:38

johnr: Can you see the IP address that it came from?


No - actually I wouldn't know where to look for that.




Amanon



638 posts

Ultimate Geek
+1 received by user: 227


  Reply # 1307009 18-May-2015 10:40

sbiddle: Do you have any form of port forwarding enabled either on SIP ports or HTTP ports to your phone? You should under no circumstances have either that are public facing.




No port forwarding has been set up. The phones just have their default set up and are plugged into an ethernet cable and connect directly to 2talk.co.nz via port 5060




Amanon

27663 posts

Uber Geek
+1 received by user: 7143

Moderator
Trusted
Biddle Corp
Lifetime subscriber

  Reply # 1307020 18-May-2015 10:45

Dulouz:
sbiddle: Do you have any form of port forwarding enabled either on SIP ports or HTTP ports to your phone? You should under no circumstances have either that are public facing.




No port forwarding has been set up. The phones just have their default set up and are plugged into an ethernet cable and connect directly to 2talk.co.nz via port 5060


And you definitely didn't set up a port forward for port 5060 or any other port for SIP traffic?




638 posts

Ultimate Geek
+1 received by user: 227


  Reply # 1307027 18-May-2015 10:50

sbiddle:
Dulouz:
sbiddle: Do you have any form of port forwarding enabled either on SIP ports or HTTP ports to your phone? You should under no circumstances have either that are public facing.




No port forwarding has been set up. The phones just have their default set up and are plugged into an ethernet cable and connect directly to 2talk.co.nz via port 5060


And you definitely didn't set up a port forward for port 5060 or any other port for SIP traffic?



No - I've only ever set up port forwarding in my life once before and that was for a NAS device.




Amanon

BDFL - Memuneh
62969 posts

Uber Geek
+1 received by user: 13549

Administrator
Trusted
Geekzone
Lifetime subscriber



638 posts

Ultimate Geek
+1 received by user: 227


  Reply # 1307201 18-May-2015 14:10

freitasm: Possible this NAS device is compromised?


Possibly - one thing I have noticed is if I enter my network IP address into the browser address bar it takes me to the Yealink device login page. This seems strange as it has its own internal IP address. Why would it also be accessible via my network IP address?




Amanon

Awesome
4841 posts

Uber Geek
+1 received by user: 1097

Trusted
Subscriber

  Reply # 1307213 18-May-2015 14:15

Dulouz:
freitasm: Possible this NAS device is compromised?


Possibly - one thing I have noticed is if I enter my network IP address into the browser address bar it takes me to the Yealink device login page. This seems strange as it has its own internal IP address. Why would it also be accessible via my network IP address?


That will be it.

Any chance the internal IP address you port forwarded to your NAS has now been reassigned to the Yealink? Another possible cause is that the Yealink is setting up its own port forward using UPnP - but that seems less likely.




Twitter: ajobbins




638 posts

Ultimate Geek
+1 received by user: 227


  Reply # 1307233 18-May-2015 14:44

ajobbins:
Dulouz:
freitasm: Possible this NAS device is compromised?


Possibly - one thing I have noticed is if I enter my network IP address into the browser address bar it takes me to the Yealink device login page. This seems strange as it has its own internal IP address. Why would it also be accessible via my network IP address?


That will be it.

Any chance the internal IP address you port forwarded to your NAS has now been reassigned to the Yealink? Another possible cause is that the Yealink is setting up its own port forward using UPnP - but that seems less likely.


I had set up port forwarding for the MyCloud over a year ago as it was causing issues with my internet connection on my TG589vn v2. For some reason the UPnP has applied itself to the Yealink device. I notice that the device IP addresses seem to change so wonder if the game/service applies itself to the IP address rather than the device. I've now removed the game/service from the Yealink device and when I enter the network IP I get the following message which I assume is normal.

Forbidden You don't have permission to access /cgi-bin/ConfigManApp.com on this server.




Amanon

Awesome
4841 posts

Uber Geek
+1 received by user: 1097

Trusted
Subscriber

  Reply # 1307235 18-May-2015 14:49
One person supports this post

Port forwarding is usually set up to the IP not to a device MAC address, so if the IPs are changing (likely, unless you have set Static IPs for each device), I suspect your Yealink has assumed the IP you had port forwarded for your NAS.

Have your router set your NAS and VoIP devices static IPs based on their MAC address, then port forward to the static NAS IP (if you really have to). If your router doesn't let you set static IPs by device, you should be able to configure it at the device end (but make sure you set it to something outside your DHCP pool and on the same subnet).




Twitter: ajobbins
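
An added example (not part of any post in this thread): a small audit for the failure described in the post above, where a port forward keyed to an IP ends up pointing at a different device once DHCP hands that address to something else. The forwarding rules, lease table, reservations, MAC addresses and pool range are constructed sample data; on a real router they would come from its admin pages.

```python
import ipaddress

# Constructed sample data (hypothetical addresses and MACs, not taken from the thread).
NAS, PHONE = "02:00:00:00:00:01", "02:00:00:00:00:02"
FORWARDS = [  # rules as entered on the router: external port -> internal IP
    {"port": 80, "target_ip": "192.168.1.65", "intended_mac": NAS},
    {"port": 8443, "target_ip": "192.168.1.10", "intended_mac": NAS},
    {"port": 5000, "target_ip": "192.168.1.66", "intended_mac": NAS},
]
LEASES = {  # current DHCP leases: IP -> MAC of the device holding it now
    "192.168.1.65": PHONE,  # the phone picked up the address the NAS used to have
    "192.168.1.66": NAS,    # the NAS was given a new dynamic address
}
RESERVATIONS = {"192.168.1.10": NAS}  # static leases: IP pinned to a MAC
DHCP_POOL = ("192.168.1.64", "192.168.1.253")  # dynamic range handed out by DHCP


def in_pool(ip, pool):
    """True if ip lies inside the router's dynamic DHCP range."""
    lo, hi = (ipaddress.ip_address(p) for p in pool)
    return lo <= ipaddress.ip_address(ip) <= hi


def audit_forwards(forwards, leases, reservations, pool):
    """Return (port, code, detail) for every forward that is wrong or can drift."""
    findings = []
    for rule in forwards:
        ip, want = rule["target_ip"], rule["intended_mac"].lower()
        holder = leases.get(ip) or reservations.get(ip)
        if holder and holder.lower() != want:
            # The forward now exposes a device it was never meant for.
            findings.append((rule["port"], "WRONG_DEVICE",
                             f"{ip} is held by {holder}, not {want}"))
        elif reservations.get(ip, "").lower() != want:
            # Right device today, but nothing stops the lease from moving.
            reason = "inside the dynamic pool" if in_pool(ip, pool) else "not reserved"
            findings.append((rule["port"], "UNPINNED", f"{ip} is {reason}"))
    return findings


if __name__ == "__main__":
    for port, code, detail in audit_forwards(FORWARDS, LEASES, RESERVATIONS, DHCP_POOL):
        print(f"port {port}: {code}: {detail}")
```

A forward flagged WRONG_DEVICE should be removed straight away; one flagged UNPINNED needs a static lease for its target, or should be deleted if it is no longer required.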




638 posts

Ultimate Geek
+1 received by user: 227


Reply # 1307238 18-May-2015 14:53

ajobbins: Port forwarding is usually set up to the IP not to a device MAC address, so if the IPs are changing (likely, unless you have set Static IPs for each device), I suspect your Yealink has assumed the IP you had port forwarded for your NAS.

Have your router set your NAS and VoIP devices static IPs based on their MAC address, then port forward to the static NAS IP (if you really have to). If your router doesn't let you set static IPs by device, you should be able to configure it at the device end (but make sure you set it to something outside your DHCP pool and on the same subnet).

Thanks - I may no longer need the port forwarding as it seems it hasn't been working for a while anyway and I've had no internet issues. Thanks for your help.




Amanon

3899 posts

Uber Geek
+1 received by user: 1616

Subscriber

  Reply # 1307271 18-May-2015 15:36
2 people support this post

Set a toll bar PIN on your 2Talk account too. You can have it set so that no international calls can be made without entering the PIN, but local, national, mobile etc do not require the PIN.

224 posts

Master Geek
+1 received by user: 22


  Reply # 1307298 18-May-2015 16:33

Having a 2Talk VoIP account hacked is annoying and potentially costly.

It appears that you don't have port forwarding or devices with a public IP. This suggests that your PC may have a keylogger or another device on your internal network may have been compromised.

First thing, I would run an online antivirus scan on your PC/Mac. I normally use the Eset Nod 32 online scanner; even if you have an antivirus program, I would run this just to check. I would run this on all PCs on your network and remove any viruses found.

Once you have done that I would do the following

Change your 2Talk phone number password again (esp if it found some viruses)
Change or add a password onto your Yealink device (esp if it found some viruses)
Turn on 2Talk Authorisation Pin Code for Expensive Overseas Destinations
Also, you may want to turn off automatic credit card charging while you have this issue, as I have heard horror stories from people that come to work on Monday morning and have a $2,000 phone bill from a hacked VoIP line over the weekend.

If you do all that you should be pretty sorted.










638 posts

Ultimate Geek
+1 received by user: 227


  Reply # 1307311 18-May-2015 16:51

cyberhub: Having a 2Talk VoIP account hacked is annoying and potentially costly.

It appears that you don't have port forwarding or devices with a public IP. This suggests that your PC may have a keylogger or another device on your internal network may have been compromised.

First thing, I would run an online antivirus scan on your PC/Mac. I normally use the Eset Nod 32 online scanner; even if you have an antivirus program, I would run this just to check. I would run this on all PCs on your network and remove any viruses found.

Once you have done that I would do the following

Change your 2Talk phone number password again (esp if it found some viruses)
Change or add a password onto your Yealink device (esp if it found some viruses)
Turn on 2Talk Authorisation Pin Code for Expensive Overseas Destinations
Also, you may want to turn off automatic credit card charging while you have this issue, as I have heard horror stories from people that come to work on Monday morning and have a $2,000 phone bill from a hacked VoIP line over the weekend.

If you do all that you should be pretty sorted.





Thanks for that - I've updated all passwords. My suspicion though is that it is a brute force attack and the port forwarding left the device open to be accessed.




Amanon
