Hacked


#1

I can’t keep this hacker out of my UCM. I changed the password today and deleted all user accounts except extensions and my super user account. Less than 10 hours later he’s back in and his user "Omega” is back and he’s configured crap so he can call internationally. How do I harder my box so he can’t get in? This is crazy


#2

Off the top:

  1. Are you running the latest firmware?

  2. Check you firewall rules - no one should be able to access the UCM GUI remotely.

  3. Turn on Fail2Ban - Login Attack Defence

  4. Turn on Alert Events List and turn on User login failed (and perhaps User login success). Turn on the email notification option and monitor - AFAIK this will give you the IP address inside the network being used to access the UCM GUI and logging in.

  5. Change the all Admin passwords to something long and complicated.

Anyways, that is where I would start given the information you’ve given us.


#3

This is an important one.

First make sure you don’t have international calling on(or anything else you can be charged for), that’s what they want.

This is because of the security issue, read more at firmware.grandstream.com

IMPORTANT SECURITY BULLETIN CONCERNING THE UCM SERIES IP PBX - Please upgrade your UCM firmware to version 1.0.14.24 or 1.0.15.14 to install a fix to a recent security issue discovered on previous firmware versions. Please read the special security bulletin here for more information.

Out of the last 20 units I’ve looked at 6 have had Omega as a user. 2 have had tucsan as a user.
I believe these to be two separate organizations/people that know about the vulnerability.

You must get on firmware 1.0.14.24 or newer to block them from getting in.

They started showing up shortly after Grandstream posted this, but in force over the last 4 weeks.

to everyone: If your UCM is exposed to the internet you MUST upgrade to be safe!!
to everyone else: Meh, you’re probably fine…but I’d upgrade anyway…

On that note, I just made a video on how to upgrade if you are pre 1.0.9.x firmware and will be posting it today I hope.
If anyone reading this doesn’t know how to upgrade, contact us for support if you need it! Or I’m sure helpdesk.grandstream.com could offer pointers.


#4

I have upgraded my units that use sip trunks to 10.24 and work well, though after reading about issues with analog trunks in 10.24 and newer, have left them on 13.14, with no adverse issues…keeping in mind, none of my units are exposed to the internet (behind firewall/router).


#6

Sorry about that buddy :slight_smile:


#7

especially never use user = authid

Damiano


#8

This is exactly what the issue is. We noticed this some months ago, saw the security advisory and upgraded. Never seen it since. Get your unit to 1.0.14.24 or later asap