Topic: HT701 with malware / botnet?

MDries
HT701 with malware / botnet?
« on: April 20, 2017, 03:01:54 PM »
A few months ago, an external company installed an HT701 on our VoIP network as an ATA adapter between our VoIP system and an analog gate intercom (fully internally wired).

For a few days now, some disturbing messages have been showing up on our firewall:

[15/Apr/2017 18:22:32] IPS: Packet drop, severity: Blacklist, Rule ID: 1:2404076 ET CNC Shadowserver Reported CnC Server TCP group 39, proto:UDP, ip/port:< IP of HT701 >:52710 -> 74.120.81.219

Every minute for around 1 hour non-stop.

[17/Apr/2017 21:38:32] IPS: Packet drop, severity: Blacklist, Rule ID: 1:2522976 ET TOR Known Tor Relay/Router (Not Exit) Node TCP Traffic group 489, proto:UDP, ip/port:< IP of HT701 >:57870 -> 66.228.58.20

Every minute for around 30 minutes non-stop.

We have a local VoIP system (3CX based); it is LAN only: there are no external internet connections to this network or PBX, no port mappings, no port forwarders.
SIP trunks are on a private VLAN to our phone company, so there is no access from the 'outside' to our local VoIP network.
However, for firmware updates etc., devices in the VoIP LAN are allowed to connect to the internet via NAT.

As I haven't checked the device (and have no clue how), is there any chance it could be infected with some malware?
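The two log excerpts above show the same pattern: one internal host, one blocklisted destination, one drop per minute for a long stretch. That regularity is the thing to test for, because a device fetching an NTP or provisioning update does not hit the same blocklisted address every sixty seconds. The following is an added example, not code from the original poster or from the firewall vendor: it parses lines in the format shown in the post, groups drops by (source, destination, rule ID), and flags groups whose inter-event gaps are nearly constant. The sample log lines it runs on are constructed (a made-up LAN address 192.168.50.23 stands in for "< IP of HT701 >"; the rule IDs and destination addresses are the ones quoted above).

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# Pattern for the IPS drop lines quoted in the post above. The source field is
# matched loosely so that a placeholder such as "< IP of HT701 >" parses too, and
# the destination is limited to digits and dots so trailing prose is ignored.
IPS_LINE = re.compile(
    r"\[(?P<ts>\d{2}/[A-Za-z]{3}/\d{4} \d{2}:\d{2}:\d{2})\] IPS: Packet drop, "
    r"severity: (?P<severity>\w+), Rule ID: (?P<sid>\d+:\d+) (?P<msg>.+?), "
    r"proto:(?P<proto>\w+), ip/port:(?P<src>[^:]+):(?P<sport>\d+) -> (?P<dst>[\d.]+)"
)


def parse_ips_line(line):
    """Return a dict for one IPS drop line, or None if the line is not one."""
    m = IPS_LINE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y %H:%M:%S")
    rec["sport"] = int(rec["sport"])
    return rec


def beacon_report(lines, min_events=5, max_jitter=0.2):
    """Group drops by (src, dst, rule) and flag groups whose gaps between
    consecutive events are nearly constant: the signature of a beaconing
    implant rather than of a one-off lookup.
    jitter = (max gap - min gap) / median gap."""
    by_flow = defaultdict(list)
    for line in lines:
        rec = parse_ips_line(line)
        if rec:
            by_flow[(rec["src"], rec["dst"], rec["sid"])].append(rec["ts"])
    report = {}
    for key, stamps in by_flow.items():
        stamps.sort()
        entry = {"events": len(stamps), "beaconing": False, "median_gap": None,
                 "jitter": None, "span_s": (stamps[-1] - stamps[0]).total_seconds()}
        if len(stamps) >= min_events:
            gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
            med = statistics.median(gaps)
            entry["median_gap"] = med
            entry["jitter"] = (max(gaps) - min(gaps)) / med if med > 0 else float("inf")
            entry["beaconing"] = entry["jitter"] <= max_jitter
        report[key] = entry
    return report


def constructed_sample():
    """Constructed log lines (not from the post): eight drops one minute apart
    to the first address quoted above, plus one isolated drop from another host."""
    base = datetime(2017, 4, 15, 18, 22, 32)
    lines = [
        f"[{base + timedelta(minutes=i):%d/%b/%Y %H:%M:%S}] IPS: Packet drop, severity: Blacklist, "
        f"Rule ID: 1:2404076 ET CNC Shadowserver Reported CnC Server TCP group 39, "
        f"proto:UDP, ip/port:192.168.50.23:{52710 + i} -> 74.120.81.219"
        for i in range(8)
    ]
    lines.append("[15/Apr/2017 19:40:01] IPS: Packet drop, severity: Blacklist, "
                 "Rule ID: 1:2522976 ET TOR Known Tor Relay/Router (Not Exit) Node TCP Traffic group 489, "
                 "proto:UDP, ip/port:192.168.50.40:57870 -> 66.228.58.20")
    return lines


if __name__ == "__main__":
    for (src, dst, sid), e in beacon_report(constructed_sample()).items():
        flag = "BEACONING" if e["beaconing"] else "sporadic"
        print(f"{src} -> {dst} rule {sid}: {e['events']} drops over {e['span_s']:.0f}s, "
              f"median gap {e['median_gap']}, {flag}")
```

Feed it the firewall's real log (one line per string) to get the same report for every host; a flagged group tells you which device to pull off the network and image, and the median gap and span give the incident timeline. The thresholds (five events, 20% jitter) are starting values, not tuned for any particular firewall.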

Feivre
Re: HT701 with malware / botnet?
« Reply #1 on: July 22, 2017, 09:03:55 AM »
It's disturbing because I've been getting similar messages too. What does this mean?

CyFo
Re: HT701 with malware / botnet?
« Reply #2 on: July 25, 2017, 05:53:35 PM »
The ATA does a couple of things on the Internet, such as getting the time (NTP), configuration provisioning, STUN, and syslog if enabled, and maybe more.

On the other hand, those IPs look very suspicious. Your safest bet is to reflash the firmware on the ATA (put an older one on and then the latest one again, since GS devices don't "re-install" a firmware version that is already installed), and then do a factory reset.

A couple of network captures and port scans of the ATA might be very useful for analysis. Since the HT701 still uses telnet instead of SSH, I doubt it has the ability to perform forwards for other devices (I recall that even the GS endpoints that have SSH do not allow creating tunnels), but it might be worth disabling its telnet access.

And of course, check that it's a real HT701, because it could be a malicious device disguised as one.

You can also take its "gateway" info away again; it won't bother your other network devices and might just simply do its job.
Certified Grandstream Reseller
www.cyfosol.com
Boston, MA
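CyFo's advice amounts to three checks: capture what the ATA sends, compare it against the short list of services an ATA legitimately uses, and confirm the box really is a Grandstream. The following is an added example, not CyFo's code or a Grandstream tool. It parses lines in the shape `tcpdump -nn` prints (the sample capture is constructed; the 6667 destination port is made up, since the post never shows the remote port), allowlists the services CyFo names plus DNS and SIP, treats anything inside the VoIP LAN as PBX traffic, and reports the rest. The provisioning ports (TFTP/HTTP/HTTPS) are an assumption about how the device was set up, and the OUI constant is what the author understands Grandstream's to be; verify it against the IEEE registry before relying on it.

```python
import ipaddress
import re

# Services an ATA is expected to reach outside the LAN, keyed by (proto, dst port).
# NTP, provisioning, STUN and syslog are the ones CyFo lists above; DNS and SIP are
# added. The provisioning ports are an assumption (TFTP, HTTP or HTTPS depending on
# how the config server was set up).
EXPECTED = {
    ("udp", 53): "dns", ("udp", 123): "ntp", ("udp", 3478): "stun", ("udp", 514): "syslog",
    ("udp", 69): "tftp-provisioning",
    ("tcp", 80): "http-provisioning", ("tcp", 443): "https-provisioning",
    ("udp", 5060): "sip", ("tcp", 5060): "sip",
}

# "HH:MM:SS.usec IP src.sport > dst.dport: UDP, length N" for UDP,
# "... dst.dport: Flags [S], ..." for TCP, as printed by tcpdump -nn.
TCPDUMP_LINE = re.compile(
    r"IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<kind>UDP|Flags)"
)


def audit_capture(lines, ata_ip, lan_nets):
    """Classify every flow the ATA originates.
    Returns (unexpected, counts): unexpected is a list of (proto, dst, dport)
    that are neither inside the LAN nor on the allowlist; counts tallies
    flows per label so the expected background is visible too."""
    nets = [ipaddress.ip_network(n) for n in lan_nets]
    counts = {}
    unexpected = []
    for line in lines:
        m = TCPDUMP_LINE.search(line)
        if not m or m["src"] != ata_ip:
            continue  # not a packet line, or not sent by the ATA
        proto = "udp" if m["kind"] == "UDP" else "tcp"
        dport = int(m["dport"])
        if any(ipaddress.ip_address(m["dst"]) in n for n in nets):
            label = "lan"  # PBX signalling and RTP stay inside the VoIP LAN
        elif (proto, dport) in EXPECTED:
            label = "expected:" + EXPECTED[(proto, dport)]
        else:
            label = "unexpected"
            unexpected.append((proto, m["dst"], dport))
        counts[label] = counts.get(label, 0) + 1
    return unexpected, counts


# Assumed Grandstream Networks OUI (first three octets); check the IEEE registry.
GRANDSTREAM_OUI = "00:0b:82"


def is_grandstream_oui(mac):
    """True if the MAC's OUI is Grandstream's. Only a cheap sanity check:
    an impostor device can set whatever MAC it likes, so a match proves
    little, while a mismatch on a box claiming to be an HT701 is a red flag."""
    return mac.lower().replace("-", ":")[:8] == GRANDSTREAM_OUI


# Constructed capture, not from the thread: PBX traffic, an NTP query, a
# provisioning fetch, one flow to the first address quoted in the post, and one
# packet that is not from the ATA at all. 203.0.113.0/24 is documentation space.
CONSTRUCTED_CAPTURE = [
    "18:22:32.101 IP 192.168.50.23.48231 > 192.168.50.5.5060: UDP, length 612",
    "18:22:33.204 IP 192.168.50.23.40512 > 203.0.113.10.123: UDP, length 48",
    "18:22:40.330 IP 192.168.50.23.52710 > 74.120.81.219.6667: UDP, length 80",
    "18:23:01.009 IP 192.168.50.23.33811 > 203.0.113.20.443: Flags [S], seq 1, win 64240, length 0",
    "18:23:05.500 IP 192.168.50.5.5060 > 192.168.50.23.5060: UDP, length 500",
]

if __name__ == "__main__":
    bad, tally = audit_capture(CONSTRUCTED_CAPTURE, "192.168.50.23", ["192.168.50.0/24"])
    print("flow counts:", tally)
    for proto, dst, port in bad:
        print(f"UNEXPECTED {proto} {dst}:{port}")
    print("OUI check:", is_grandstream_oui("00:0B:82:12:34:56"))
```

To produce real input, mirror the ATA's switch port (or run on the firewall) and capture with something like `tcpdump -nn -i <iface> host <ATA IP>`; the ATA's MAC comes from the switch's MAC table or the firewall's ARP cache rather than from the device's own web page, since a compromised or counterfeit box controls what that page says. Do the capture before the reflash and factory reset CyFo recommends, or the evidence is gone.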