Ucm 6204 security issue

Strizh · 2018-09-30 18:42:39 UTC

Hi, i have a question. I have been find in operation log login from name of admin unknown IPs. It’s not showing any log like system event log, login log itc.

cyfo · 2018-09-30 21:46:53 UTC

If you really need to have the admin page open to the Internet without filters, then I recommend changing its public port. If you don’t want to mess with the UCM settings, then do a port forward on your router with different port numbers. That will help a lot.

lstutesman · 2018-10-01 13:43:59 UTC

Turn on Fail2ban and it should start banning these IPs that are trying to log in.

Strizh · 2018-10-01 16:29:38 UTC

Do you have an any recommendation for ports numbers?

Strizh · 2018-10-01 16:30:37 UTC

LOL, thank you, that was funny!)))

cyfo · 2018-10-02 05:29:45 UTC

Any port (higher than 1024 recommended) will do. There is no technical reason to choose one number over another. Remember that it’s just for the web interface.

And like lstutesman said, enabling the Fail2ban will help. It works wonders.

Strizh · 2018-10-03 05:01:22 UTC

Thank you.

Of course all settings was turning on, Fail2ban, dynamic itc. i guess it was quiet clear. and my question was for security of this protocols, not how setup pbx, problem with security protocols, Fail2ban not working on this way, not for this guy, changes of password has stop him/her for 6 seconds or 3 try (but settings max. for 2 and password 16 random letters, digits, symbols) port changes also was useless for 10 random ports he/she was delayed for 3 second for each port.

Just one guess, factory has back door, and someone using it.

And no access to root, I can’t do anything.
Is there programers from Grandstream? Please I need your help!

lpneblett · 2018-10-03 20:52:26 UTC

Is SSH enabled. Also, what firmware version is running and have you also looked at these:

Strizh · 2018-10-04 04:21:36 UTC

No, SSH disabled.
All settings more harder that recommended.
firmware - 1.0.18.12

romush.tuladhar · 2018-10-04 05:25:59 UTC

Could you please check if there is some unusual login credentials created in User Management.

Earlier our UCM was also hacked and someone named j2ck was created which had access to administrator.

regards,
romush

Strizh · 2018-10-04 15:44:06 UTC

I got a collection in Login Banned User List from staff like this:
ja2ck
ja3ck
ja4ck
omegax
from IPs:
5.79.66.122
37.49.231.104
45.55.8.60
173.78.131.194
166.171.248.158

lstutesman · 2018-10-04 16:01:19 UTC

So prior to firmware 1.0.14.24 there was a security hole that allowed a hacker to create their own admin user and then log in as it. As long as you are on firmware 1.0.18.12 as you indicated, all you will see are attempts. Do make sure these usernames do not exist on your system along with any others that are not familiar to you.

Strizh · 2018-10-04 16:32:09 UTC

No any accounts was created.
just login with name admin, but that login i see only in operation log.

Strizh · 2018-10-05 18:27:37 UTC

Hi everyone after I was change phone numbers in the bpx to 7 digit numbers, I don’t know how, why, this is unexplainable but firewall decide to move Ip to black list, finally, and login was blocked. I can’t say that this is solution, but for some reason somehow it worked.

P.S. I willing to try make numbers shorter, I don’t like so long numbers, and everyone blame me, but…