Author Topic: HT701 with malware / botnet ?

MDries
« on: April 20, 2017, 02:01:54 PM »
A few months ago, an external company installed an HT701 on our VOIP network as an ATA adapter between our VOIP system and an analog gate intercom (fully internally wired).

Since a few days, some disturbing messages are showing up on our firewall:

Code:
[15/Apr/2017 18:22:32] IPS: Packet drop, severity: Blacklist, Rule ID: 1:2404076 ET CNC Shadowserver Reported CnC Server TCP group 39, proto:UDP, ip/port:< IP of HT701 >:52710 -> 74.120.81.219

Every minute for around 1 hour non-stop.

Code:
[17/Apr/2017 21:38:32] IPS: Packet drop, severity: Blacklist, Rule ID: 1:2522976 ET TOR Known Tor Relay/Router (Not Exit) Node TCP Traffic group 489, proto:UDP, ip/port:< IP of HT701 >:57870 -> 66.228.58.20

Every minute for around 30 mins non-stop.

We have a local VOIP system (3CX based); it is LAN only, there are no external internet connections to this network or PBX, no port mappings, no port forwarders.
SIP trunks are on a private VLAN to our phone company, so there is no access from the 'outside' to our local VOIP network.
However, for firmware updates etc., devices in the VOIP LAN are allowed to connect to the internet by NAT.

As I haven't checked the device (and have no clue how), is there any chance it could be infected with some malware?
« Last Edit: April 20, 2017, 02:04:39 PM by MDries »
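The two IPS messages above are the kind of line a firewall emits for every blocked packet, so triage usually starts by collecting them and looking at the pattern per LAN host. The script below is an added example, not part of the original post or of any Grandstream or 3CX tooling: it parses lines in that format, groups them by source host, destination and rule, and measures how regular the cadence is, since a steady once-a-minute attempt to reach a blacklisted address from a device that should only ever talk to the PBX is the pattern that justifies isolating the device and pulling its firmware for inspection. The sample lines are constructed from the post's two messages; 192.0.2.50 stands in for the HT701's LAN address.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample modelled on the post's firewall messages (not real logs);
# 192.0.2.50 is a placeholder for the HT701's LAN address.
SAMPLE_LOG = """\
[15/Apr/2017 18:22:32] IPS: Packet drop, severity: Blacklist, Rule ID: 1:2404076 ET CNC Shadowserver Reported CnC Server TCP group 39, proto:UDP, ip/port:192.0.2.50:52710 -> 74.120.81.219
[15/Apr/2017 18:23:32] IPS: Packet drop, severity: Blacklist, Rule ID: 1:2404076 ET CNC Shadowserver Reported CnC Server TCP group 39, proto:UDP, ip/port:192.0.2.50:52710 -> 74.120.81.219
[15/Apr/2017 18:24:32] IPS: Packet drop, severity: Blacklist, Rule ID: 1:2404076 ET CNC Shadowserver Reported CnC Server TCP group 39, proto:UDP, ip/port:192.0.2.50:52710 -> 74.120.81.219
[17/Apr/2017 21:38:32] IPS: Packet drop, severity: Blacklist, Rule ID: 1:2522976 ET TOR Known Tor Relay/Router (Not Exit) Node TCP Traffic group 489, proto:UDP, ip/port:192.0.2.50:57870 -> 66.228.58.20
"""

# One regex for the whole line; the destination port is optional because the
# quoted messages omit it.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] IPS: (?P<action>[^,]+), severity: (?P<severity>[^,]+), "
    r"Rule ID: (?P<sid>\d+:\d+) (?P<msg>.+?), proto:(?P<proto>\w+), "
    r"ip/port:(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)


def parse_ips_line(line):
    """Return the fields of one IPS log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y %H:%M:%S")
    return rec


def summarize(lines):
    """Group alerts by (source, destination, rule) and measure the interval between hits."""
    groups = defaultdict(list)
    for line in lines:
        rec = parse_ips_line(line)
        if rec:
            groups[(rec["src"], rec["dst"], rec["sid"])].append(rec)
    summary = {}
    for key, recs in groups.items():
        recs.sort(key=lambda r: r["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(recs, recs[1:])]
        median = statistics.median(gaps) if gaps else None
        summary[key] = {
            "count": len(recs),
            "first": recs[0]["ts"],
            "last": recs[-1]["ts"],
            "severity": recs[0]["severity"],
            "msg": recs[0]["msg"],
            "median_gap_s": median,
            # largest deviation from the median gap: near zero means a fixed timer
            "max_dev_s": max(abs(g - median) for g in gaps) if gaps else None,
        }
    return summary


def suspicious_hosts(summary, min_count=2, max_jitter_s=5.0):
    """Map each LAN source with blacklist hits to its destinations, flagging beacon-like cadence."""
    hosts = defaultdict(list)
    for (src, dst, sid), s in summary.items():
        if s["severity"] != "Blacklist":
            continue
        beacon_like = (
            s["count"] >= min_count
            and s["median_gap_s"] is not None
            and s["max_dev_s"] <= max_jitter_s
        )
        hosts[src].append({"dst": dst, "sid": sid, "count": s["count"], "beacon_like": beacon_like})
    return dict(hosts)


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG.splitlines())
    for (src, dst, sid), s in summary.items():
        print(f"{src} -> {dst} [{sid}] {s['count']}x, median gap {s['median_gap_s']}s: {s['msg']}")
    for src, hits in suspicious_hosts(summary).items():
        print(src, "->", [(h["dst"], h["beacon_like"]) for h in hits])
```

Feed the script the raw firewall export instead of SAMPLE_LOG and every LAN host that shows up in `suspicious_hosts` with `beacon_like` set is a candidate for isolation; lines that do not match the regex are skipped rather than raising, so other firewall message types in the same export are harmless.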