Geekzone: technology news, blogs, forums


scoopy

33 posts

Geek


#99838 28-Mar-2012 12:28

AHHH my Open VFX connection was hacked - used by some turkeys in Lithuania!

Advice needed on how to secure my VoIP device.

Would the hack be initiated on my YeaLink T20 or on my router?

And most importantly... how do I close the hole?

Got that sinking feeling!

Scoopy 




Wellington Web Design - Vision Web Design

Zeon
3926 posts

Uber Geek
+1 received by user: 759

Trusted

  #601188 28-Mar-2012 12:30

Oh guts mate. Happened to me before. How much did they rack up?

How strong are your passwords? Have you port forwarded the SIP port on your router to your phone by any chance?








maverick
3594 posts

Uber Geek
+1 received by user: 80

Trusted
WorldxChange

  #601193 28-Mar-2012 12:41

Your actual box is fine; the problem appears to be that someone has your Open VFX credentials and is using them to make the calls. The account is auto-suspended, but your credentials are in use by someone else using an eyeBeam client:

Timestamp : 12:22:21.417 2012-03-28
Direction : RX
Remote IP/Port: 37.8.21.126/14045
Transport : UDP
----------------------------------------
INVITE sip:0037xxxxx612@ SIP/2.0
To:
From:49xxxx76 ;tag=4f345044
Via: SIP/2.0/UDP 37.8.21.126:14045;branch=z9hG4bK-d87543-288256747-1--d87543-;rport
Call-ID: 230a0a0b9c28a75c
CSeq: 1 INVITE
Contact:
Max-Forwards: 70
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, SUBSCRIBE, INFO
Content-Type: application/sdp
User-Agent: eyeBeam release 3006o stamp 17551
Content-Length: 269

v=0
o=- 87336883 87336903 IN IP4 37.8.21.126
s=eyeBeam
c=IN IP4 37.8.21.126
t=0 0
m=audio 21598 RTP/AVP 100 6 0 8 3 18 5 101
a=alt:1 1 : 2B37DE3D 00000061 192.168.1.6 8328
a=fmtp:101 0-15
a=rtpmap:100 speex/16000
a=rtpmap:101 telephone-event/8000
a=sendrecv




Yes I am an employee of WxC (My Profile)... but I do have my own opinions as well.

https://www.facebook.com/wxccommunications
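The capture maverick posted above is the kind of thing a provider's fraud desk reads by eye; the script below does the same check mechanically. It is an added example, not code from the thread or from WxC: it parses the posted INVITE (copied verbatim, number masked as on the page) and reports each sign that it was not the subscriber's own handset placing the call. The expected handset user agent (`Yealink SIP-T20`) and the subscriber's home network (`203.0.113.0/24`, an RFC 5737 documentation range standing in for a static IP the provider could pin the account to) are assumed values.

```python
"""Read a captured SIP INVITE and flag signs that the account's credentials
are being used from somewhere other than the subscriber's own phone.
Added example; the subscriber profile values below are assumptions."""
import re
from ipaddress import ip_address, ip_network

# The capture exactly as posted in the thread (number masked as on the page).
CAPTURED_TRACE = """\
Timestamp : 12:22:21.417 2012-03-28
Direction : RX
Remote IP/Port: 37.8.21.126/14045
Transport : UDP
----------------------------------------
INVITE sip:0037xxxxx612@ SIP/2.0
To:
From:49xxxx76 ;tag=4f345044
Via: SIP/2.0/UDP 37.8.21.126:14045;branch=z9hG4bK-d87543-288256747-1--d87543-;rport
Call-ID: 230a0a0b9c28a75c
CSeq: 1 INVITE
Contact:
Max-Forwards: 70
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, SUBSCRIBE, INFO
Content-Type: application/sdp
User-Agent: eyeBeam release 3006o stamp 17551
Content-Length: 269

v=0
o=- 87336883 87336903 IN IP4 37.8.21.126
s=eyeBeam
c=IN IP4 37.8.21.126
t=0 0
m=audio 21598 RTP/AVP 100 6 0 8 3 18 5 101
a=alt:1 1 : 2B37DE3D 00000061 192.168.1.6 8328
a=fmtp:101 0-15
a=rtpmap:100 speex/16000
a=rtpmap:101 telephone-event/8000
a=sendrecv
"""

# Assumed subscriber profile (hypothetical; a provider would take these from
# the account's records or from a static-IP restriction on the account).
EXPECTED_UA_PREFIX = "Yealink SIP-T20"           # the OP's own handset
HOME_NETWORKS = [ip_network("203.0.113.0/24")]   # RFC 5737 documentation range


def parse_trace(trace):
    """Split the capture into its envelope, SIP headers and SDP body."""
    head, sip = re.split(r"^-{10,}\n", trace, maxsplit=1, flags=re.M)
    env = {}
    for line in head.splitlines():
        key, _, value = line.partition(":")
        env[key.strip()] = value.strip()
    src_ip, _, src_port = env["Remote IP/Port"].partition("/")

    header_block, _, sdp = sip.partition("\n\n")   # blank line ends headers
    request_line, *header_lines = header_block.splitlines()
    method, uri, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()

    media_ip = None
    for line in sdp.splitlines():
        if line.startswith("c=IN IP4 "):           # RTP connection address
            media_ip = line.split()[-1]
    return {
        "timestamp": env.get("Timestamp"),
        "src_ip": src_ip,
        "src_port": int(src_port),
        "method": method,
        "dialled": uri.split(":", 1)[1].split("@", 1)[0],
        "headers": headers,
        "media_ip": media_ip,
    }


def assess(parsed, expected_ua_prefix=EXPECTED_UA_PREFIX, home_networks=HOME_NETWORKS):
    """Return the reasons this INVITE looks like someone else using the
    subscriber's credentials rather than the subscriber's own handset."""
    findings = []
    ua = parsed["headers"].get("user-agent", "")
    if not ua.startswith(expected_ua_prefix):
        findings.append(f"user agent {ua!r} is not the subscriber's handset")
    src = ip_address(parsed["src_ip"])
    if not any(src in net for net in home_networks):
        findings.append(f"signalling source {src} is outside the subscriber's network")
    if parsed["media_ip"] and parsed["media_ip"] != parsed["src_ip"]:
        findings.append("SDP media address differs from the signalling source")
    if parsed["dialled"].startswith("00"):         # 00 = international prefix
        findings.append(f"international destination {parsed['dialled']}")
    return findings
```

Run `assess(parse_trace(CAPTURED_TRACE))` and three findings come back: the softphone user agent, the foreign source address, and the international destination. The media-address check stays quiet here because the SDP `c=` line matches the signalling source, which is what a genuine softphone produces; the `a=alt:` line showing a private 192.168.1.6 address is the softphone's own LAN address behind NAT.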

scoopy

33 posts

Geek


  #601195 28-Mar-2012 12:41



Zeon: Oh guts mate. Happened to me before. How much did they rack up?

How strong are your passwords? Have you port forwarded the SIP port on your router to your phone by any chance?


$400+

Do you mean passwords on my VoIP account, on the VoIP phone or on my wireless device?

I don't have the SIP port on my router forwarded to my phone.

Just heard from my supplier that somehow the hacker got my credentials.







scoopy

33 posts

Geek


  #601196 28-Mar-2012 12:44

maverick: Your actual box is fine; the problem appears to be that someone has your Open VFX credentials and is using them to make the calls. The account is auto-suspended, but your credentials are in use by someone else using an eyeBeam client:

Timestamp : 12:22:21.417 2012-03-28
Direction : RX
Remote IP/Port: 37.8.21.126/14045
Transport : UDP
----------------------------------------
INVITE sip:0037xxxxx612@ SIP/2.0
To:
From: ;tag=4f345044
Via: SIP/2.0/UDP 37.8.21.126:14045;branch=z9hG4bK-d87543-288256747-1--d87543-;rport
Call-ID: 230a0a0b9c28a75c
CSeq: 1 INVITE
Contact:
Max-Forwards: 70
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, SUBSCRIBE, INFO
Content-Type: application/sdp
User-Agent: eyeBeam release 3006o stamp 17551
Content-Length: 269

v=0
o=- 87336883 87336903 IN IP4 37.8.21.126
s=eyeBeam
c=IN IP4 37.8.21.126
t=0 0
m=audio 21598 RTP/AVP 100 6 0 8 3 18 5 101
a=alt:1 1 : 2B37DE3D 00000061 192.168.1.6 8328
a=fmtp:101 0-15
a=rtpmap:100 speex/16000
a=rtpmap:101 telephone-event/8000
a=sendrecv


What does that mean?





Ragnor
8279 posts

Uber Geek
+1 received by user: 585

Trusted

  #601199 28-Mar-2012 12:50

WxC/Xnet will probably be able to tell you from their logs whether it was brute forced (i.e. the hacker tried common passwords) or whether they knew the exact details to use.

If the attacker knew the exact details, I would be scanning all your computers with antivirus and Malwarebytes to check for any trojans/keyloggers.

Also, for additional security: you could get a static IP address for your internet connection and ask WxC to lock down the account to only accept connections to your account from that address, assuming they offer this feature.

scoopy

33 posts

Geek


  #601201 28-Mar-2012 12:52

Ragnor: WxC/Xnet will probably be able to tell you from their logs whether it was brute forced (i.e. the hacker tried common passwords) or whether they knew the exact details to use.

If the attacker knew the exact details, I would be scanning all your computers with antivirus and Malwarebytes to check for any trojans/keyloggers.

Also, for additional security: you could get a static IP address for your internet connection and ask WxC to lock down the account to only accept connections to your account from that address, assuming they offer this feature.


Thanks Ragnor

I'll contact my ISP and ask about a static IP.





 
 
 

Ragnor
8279 posts

Uber Geek
+1 received by user: 585

Trusted

  #601210 28-Mar-2012 12:55

scoopy:

What does that mean?


The hacker either:

A) Knew your exact login/password/number to access your account, in which case you likely have a compromised/infected computer on your network. Do you have your Open VFX login details in a plain-text doc or txt file on your computer or network? Is your email account compromised?

Scan all computers with antivirus and Malwarebytes, change all passwords for everything.

OR

B) They tried different combinations of username/password/number till they gained access.

I would say A sounds more likely; the account would be locked out after a few failed attempts, so B shouldn't be possible, as Open VFX uses three-way auth (the hacker has to get the right number, auth ID and password).

maverick
3594 posts

Uber Geek
+1 received by user: 80

Trusted
WorldxChange

  #601211 28-Mar-2012 12:56

It is option A.





maverick
3594 posts

Uber Geek
+1 received by user: 80

Trusted
WorldxChange

  #601213 28-Mar-2012 12:59

scoopy:
maverick: Your actual box is fine , the problem appears are that someone has your Open VFX credentials and someone is using them to make the calls , the account is auto suspended but your credentials are in use by someone else using an eyebeam client,

Timestamp : 12:22:21.417 2012-03-28
Direction : RX
Remote IP/Port: 37.8.21.126/14045
Transport : UDP
----------------------------------------
INVITE sip:0037xxxxx612@ SIP/2.0
To:
From: ;tag=4f345044
Via: SIP/2.0/UDP 37.8.21.126:14045;branch=z9hG4bK-d87543-288256747-1--d87543-;rport
Call-ID: 230a0a0b9c28a75c



What does that mean?


What that means is that this is the actual SIP INVITE coming from the person using your credentials; he has them exactly, including your Auth ID and password, which as you know are two rather long and random strings. This account was not brute forced and would be next to impossible to brute force; your Open VFX details have been obtained by someone.




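Ragnor's two cases (A: the attacker already held the exact number, auth ID and password; B: guessed until something worked, which a lockout after a few failures should stop) and maverick's verdict above both come down to one question the provider can answer from its authentication log: how many failures from that source preceded the first success? The following is an added example, not WxC's code, showing that check over two constructed logs. The log line format, the subscriber's home address (`203.0.113.5`) and the lockout threshold are assumptions; the account and the `37.8.21.126` address are the masked values from the posted capture.

```python
"""Decide from a provider-side SIP authentication log whether an unfamiliar
source knew the credentials outright or guessed them, and whether a
fail-count lockout would have rejected its login.  Added example; the log
format, sample lines and threshold are constructed for this illustration."""
import re
from collections import deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r'^(?P<ts>\S+ \S+) auth account=(?P<account>\S+) src=(?P<src>\S+) '
    r'ua="(?P<ua>[^"]*)" result=(?P<result>OK|FAIL)$'
)

# Constructed log, case A: the subscriber's own handset registers from home,
# then a softphone from the address in the posted capture succeeds at once.
LOG_CASE_A = """\
2012-03-28 08:00:01 auth account=49xxxx76 src=203.0.113.5 ua="Yealink SIP-T20" result=OK
2012-03-28 12:22:19 auth account=49xxxx76 src=37.8.21.126 ua="eyeBeam release 3006o stamp 17551" result=OK
"""

# Constructed log, case B: six wrong guesses from one address, then a hit.
LOG_CASE_B = "\n".join(
    ['2012-03-28 08:00:01 auth account=49xxxx76 src=203.0.113.5 ua="Yealink SIP-T20" result=OK']
    + [f'2012-03-28 11:50:{s:02d} auth account=49xxxx76 src=198.51.100.9 ua="softphone/1.0" result=FAIL'
       for s in range(0, 30, 5)]
    + ['2012-03-28 11:50:30 auth account=49xxxx76 src=198.51.100.9 ua="softphone/1.0" result=OK']
)


def parse_auth_log(text):
    """Turn log lines into event dicts; lines in any other format are skipped."""
    events = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%d %H:%M:%S")
            events.append(e)
    return events


def analyse(events, known_sources=frozenset(), threshold=5, window=timedelta(minutes=10)):
    """For every unfamiliar source that eventually authenticated, count the
    failures it produced inside the preceding window.  Zero failures means
    the caller already held the full credentials (case A); a count at or
    above the threshold means the lockout rule would have rejected the
    login, which is why case B should not succeed."""
    results, recent_fails = {}, {}
    for e in sorted(events, key=lambda x: x["ts"]):
        q = recent_fails.setdefault(e["src"], deque())
        while q and e["ts"] - q[0] > window:
            q.popleft()                      # forget failures outside the window
        if e["result"] == "FAIL":
            q.append(e["ts"])
        elif e["src"] not in known_sources and e["src"] not in results:
            n = len(q)
            results[e["src"]] = {
                "ua": e["ua"],
                "failures_before_success": n,
                "verdict": "guessed" if n else "credentials_known",
                "blocked_by_lockout": n >= threshold,
            }
    return results
```

For `LOG_CASE_A` the only unfamiliar source, `37.8.21.126`, shows zero failures before its first success, so the verdict is `credentials_known`, matching maverick's reading of the capture. For `LOG_CASE_B` the guessing source reaches six failures within the window, so `blocked_by_lockout` is true: with a five-failure lockout in force the final `OK` would never have been granted. The sliding window matters in practice, because a slow guesser that spreads attempts over hours would otherwise never trip a counter that only looks at the last few minutes.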

Kiwipixter
246 posts

Master Geek
+1 received by user: 1


  #601214 28-Mar-2012 12:59

Time to get a POTS line, methinks.

Ragnor
8279 posts

Uber Geek
+1 received by user: 585

Trusted

  #601215 28-Mar-2012 13:01

maverick: It is option A.


I'd advise Scoopy to unplug all computers from the internet and the local network until you have verified they are clean of keyloggers/trojans/viruses.


 

 
 
 

maverick
3594 posts

Uber Geek
+1 received by user: 80

Trusted
WorldxChange

  #601216 28-Mar-2012 13:01

Kiwipixter: Time to get a POTS line, methinks.


Time to stop online banking/shopping as well? If they have these details from an infected machine, quite possibly they will have other online details as well.





scoopy

33 posts

Geek


  #601217 28-Mar-2012 13:02

Roger that will do.





scoopy

33 posts

Geek


  #601219 28-Mar-2012 13:02

maverick:
Kiwipixter: Time to get a POTS line, methinks.


Time to stop online banking/shopping as well? If they have these details from an infected machine, quite possibly they will have other online details as well.


Thanks for making my day you guys!!!! 





scoopy

33 posts

Geek


  #601225 28-Mar-2012 13:09

Is there any way of nailing down where the breach was?




