

scoopy

33 posts

Geek


#99838 28-Mar-2012 12:28

AHHH my Open VFX connection was hacked - used by some turkeys in Lithuania!

Advice needed how to secure my VoIP device.

Would the hack be initiated on my YeaLink T20 or on my Router?

And most importantly . . .  how do I close the hole? 

Got that sinking feeling!

Scoopy 

Zeon
3916 posts

Uber Geek

Trusted

  #601188 28-Mar-2012 12:30

Oh guts mate. Happened to me before. How much did they rack up?

How strong are your passwords? Have you port forwarded the SIP port on your router to your phone by any chance?








maverick
3594 posts

Uber Geek

Trusted
WorldxChange

  #601193 28-Mar-2012 12:41

Your actual box is fine, the problem appears to be that someone has your Open VFX credentials and someone is using them to make the calls. The account is auto suspended but your credentials are in use by someone else using an eyebeam client:

Timestamp : 12:22:21.417 2012-03-28
Direction : RX
Remote IP/Port: 37.8.21.126/14045
Transport : UDP
----------------------------------------
INVITE sip:0037xxxxx612@ SIP/2.0
To:
From:49xxxx76 ;tag=4f345044
Via: SIP/2.0/UDP 37.8.21.126:14045;branch=z9hG4bK-d87543-288256747-1--d87543-;rport
Call-ID: 230a0a0b9c28a75c
CSeq: 1 INVITE
Contact:
Max-Forwards: 70
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, SUBSCRIBE, INFO
Content-Type: application/sdp
User-Agent: eyeBeam release 3006o stamp 17551
Content-Length: 269

v=0
o=- 87336883 87336903 IN IP4 37.8.21.126
s=eyeBeam
c=IN IP4 37.8.21.126
t=0 0
m=audio 21598 RTP/AVP 100 6 0 8 3 18 5 101
a=alt:1 1 : 2B37DE3D 00000061 192.168.1.6 8328
a=fmtp:101 0-15
a=rtpmap:100 speex/16000
a=rtpmap:101 telephone-event/8000
a=sendrecv




Yes I am an employee of WxC (My Profile) ... but I do have my own opinions as well

             

https://www.facebook.com/wxccommunications

scoopy

33 posts

Geek


  #601195 28-Mar-2012 12:41



Zeon: Oh guts mate. Happened to me before. How much did they rack up?

How strong are your passwords? Have you port forwarded the SIP port on your router to your phone by any chance?


$400+

Do you mean passwords on my VoIP account, on the VoIP phone or on my Wireless Device?

I don't have SIP port on my router forwarding to my phone.   

Just heard from my supplier that somehow the hacker got my credentials.   



scoopy

33 posts

Geek


  #601196 28-Mar-2012 12:44

maverick: Your actual box is fine, the problem appears to be that someone has your Open VFX credentials and someone is using them to make the calls. The account is auto suspended but your credentials are in use by someone else using an eyebeam client:

Timestamp : 12:22:21.417 2012-03-28
Direction : RX
Remote IP/Port: 37.8.21.126/14045
Transport : UDP
----------------------------------------
INVITE sip:0037xxxxx612@ SIP/2.0
To:
From: ;tag=4f345044
Via: SIP/2.0/UDP 37.8.21.126:14045;branch=z9hG4bK-d87543-288256747-1--d87543-;rport
Call-ID: 230a0a0b9c28a75c
CSeq: 1 INVITE
Contact:
Max-Forwards: 70
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, SUBSCRIBE, INFO
Content-Type: application/sdp
User-Agent: eyeBeam release 3006o stamp 17551
Content-Length: 269

v=0
o=- 87336883 87336903 IN IP4 37.8.21.126
s=eyeBeam
c=IN IP4 37.8.21.126
t=0 0
m=audio 21598 RTP/AVP 100 6 0 8 3 18 5 101
a=alt:1 1 : 2B37DE3D 00000061 192.168.1.6 8328
a=fmtp:101 0-15
a=rtpmap:100 speex/16000
a=rtpmap:101 telephone-event/8000
a=sendrecv


What does that mean?

Ragnor
8222 posts

Uber Geek

Trusted

  #601199 28-Mar-2012 12:50

WxC/Xnet will probably be able to tell you from their logs whether it was brute forced (i.e. hacker tried common passwords) or whether they knew the exact details to use.

If the attacker knew the exact details I would be scanning all your computers with anti virus and malwarebytes to check for any trojans/keyloggers.

Also for additional security: You could get a static IP address for your internet connection and ask WxC to lock down the account to only accept connections to your account from that address, assuming they offer this feature.
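
The three things the posted trace shows (where the INVITE came from, what client sent it, and where it was calling) can be checked mechanically, including the source-address lock-down suggested above. This is an added example, not part of any post in this thread and not WxC's tooling; the allowed address, the expected `Yealink` User-Agent prefix, the `00` international prefix rule and the function names are assumptions made for illustration.

```python
import ipaddress
import re

# Abbreviated from the trace posted in this thread.
TRACE = """\
Timestamp : 12:22:21.417 2012-03-28
Remote IP/Port: 37.8.21.126/14045
----------------------------------------
INVITE sip:0037xxxxx612@ SIP/2.0
User-Agent: eyeBeam release 3006o stamp 17551
"""

# Assumptions: the customer's static IP (documentation range) and the
# User-Agent prefix their own Yealink handset would send.
ALLOWED_NETS = [ipaddress.ip_network("203.0.113.10/32")]
EXPECTED_UA_PREFIXES = ("Yealink",)

def parse_trace(text):
    """Split a trace into capture metadata, request line and SIP headers."""
    meta_part, sip_part = re.split(r"^-{5,}[ \t]*$", text, maxsplit=1, flags=re.M)
    meta = {k.strip(): v.strip() for k, v in
            (l.split(":", 1) for l in meta_part.splitlines() if ":" in l)}
    lines = sip_part.strip().splitlines()
    method, uri, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the headers; the SDP body follows
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return meta, method, uri, headers

def assess(text):
    """Return reasons this INVITE does not look like the customer's phone."""
    meta, method, uri, headers = parse_trace(text)
    findings = []
    src = ipaddress.ip_address(meta["Remote IP/Port"].split("/")[0])
    if not any(src in net for net in ALLOWED_NETS):
        findings.append(f"source {src} not in allowed addresses")
    ua = headers.get("user-agent", "")
    if not ua.startswith(EXPECTED_UA_PREFIXES):
        findings.append(f"unexpected User-Agent: {ua}")
    dialled = uri.split(":", 1)[1].split("@", 1)[0]
    if method == "INVITE" and dialled.startswith("00"):  # 00 = intl prefix (assumed)
        findings.append(f"international destination: {dialled}")
    return findings

if __name__ == "__main__":
    print("\n".join(assess(TRACE)))
```

None of these checks distinguishes stolen credentials from a brute-forced login; that still needs the provider's authentication logs, as discussed in the thread.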

scoopy

33 posts

Geek


  #601201 28-Mar-2012 12:52

Ragnor: WxC/Xnet will probably be able to tell you from their logs whether it was brute forced (i.e. hacker tried common passwords) or whether they knew the exact details to use.

If the attacker knew the exact details I would be scanning all your computers with anti virus and malwarebytes to check for any trojans/keyloggers.

Also for additional security: You could get a static IP address for your internet connection and ask WxC to lock down the account to only accept connections to your account from that address, assuming they offer this feature.


Thanks Ragnor

I'll contact my ISP and ask about static IP.

Ragnor
8222 posts

Uber Geek

Trusted

  #601210 28-Mar-2012 12:55

scoopy:

What does that mean?


The hacker either:

A) Knew your exact login/password/number to access your account, in which case you likely have a compromised/infected computer on your network. Do you have your openVFX login details in a plain text doc or txt file on your computer or network? Is your email account compromised?  

Scan all computers with anti virus and malwarebytes, change all passwords for everything.

OR

B) They tried different combinations of username/password/number till they gained access. 

I would say A sounds more likely, account would be locked out after a few failed attempts so B shouldn't be possible as Open VFX uses three way auth (hacker has to get the right number, auth id and password).

 
 
 

maverick
3594 posts

Uber Geek

Trusted
WorldxChange

  #601211 28-Mar-2012 12:56

It is Option A





maverick
3594 posts

Uber Geek

Trusted
WorldxChange

  #601213 28-Mar-2012 12:59

scoopy:
maverick: Your actual box is fine, the problem appears to be that someone has your Open VFX credentials and someone is using them to make the calls. The account is auto suspended but your credentials are in use by someone else using an eyebeam client:

Timestamp : 12:22:21.417 2012-03-28
Direction : RX
Remote IP/Port: 37.8.21.126/14045
Transport : UDP
----------------------------------------
INVITE sip:0037xxxxx612@ SIP/2.0
To:
From: ;tag=4f345044
Via: SIP/2.0/UDP 37.8.21.126:14045;branch=z9hG4bK-d87543-288256747-1--d87543-;rport
Call-ID: 230a0a0b9c28a75c



What does that mean?


What that means is the actual SIP invite coming from the person using your credentials. He has them exactly, including your Authid and Password, which as you know are 2 rather long and random strings. This account was not brute forced and would be next to impossible to brute force; your Open VFX details have been obtained by someone.





Kiwipixter
246 posts

Master Geek


  #601214 28-Mar-2012 12:59

Time to get a POTS line methinks.

Ragnor
8222 posts

Uber Geek

Trusted

  #601215 28-Mar-2012 13:01

maverick: It is Option A


I'd advise Scoopy unplug all computers from the internet and the local network until you have verified they are clean from keyloggers/trojans/viruses.


 

maverick
3594 posts

Uber Geek

Trusted
WorldxChange

  #601216 28-Mar-2012 13:01

Kiwipixter: Time to get a POTS line methinks.


Time to stop online banking / shopping as well? If they have these details from an infected machine, quite possibly they will have other online details as well.





scoopy

33 posts

Geek


  #601217 28-Mar-2012 13:02

Roger that will do.

scoopy

33 posts

Geek


  #601219 28-Mar-2012 13:02

maverick:
Kiwipixter: Time to get a POTS line methinks.


Time to stop online banking / shopping as well? If they have these details from an infected machine, quite possibly they will have other online details as well.


Thanks for making my day you guys!!!! 

scoopy

33 posts

Geek


  #601225 28-Mar-2012 13:09

Is there any way of nailing down where the breach was?
