draytel account hack - anyone else?

Discussion in 'UK VOIP' started by tg, Apr 12, 2010.

  1. tg

    tg Guest

    my draytel sip account has been hacked over the last 24 hours starting at
    4:35pm on the 12th April and my credit has been completely used up in that
    time. I've sent an email to draytel and I'm hoping they will confirm the
    hack and restore my credit but I was wondering if anyone else out there has
    had their draytel account hacked?
     
    tg, Apr 12, 2010
    #1

  2. In article <4bc3a41c$0$2521$>,
    tg <> wrote:
    >my draytel sip account has been hacked over the last 24 hours starting at
    >4:35pm on the 12th April and my credit has been completely used up in that
    >time. I've sent an email to draytel and I'm hoping they will confirm the
    >hack and restore my credit but I was wondering if anyone else out there has
    >had their draytel account hacked?


    There appears to be large on-going hack/crack attempts on anything that
    vaguely resembles an SIP server right now. I had my home/office box
    attacked - a sustained attack of 200 tests/second for some 36 hours. It
    originated from an Amazon EC3 host. I also know that some of my clients
    have been under attack too - as well as my central peering servers.

    I've also read reports of this happening all over the place - from Amazon
    EC2's over the weekend, but maybe they've moved on now.

    Do you know the numbers they called once they got the passwords?

    Gordon
     
    Gordon Henderson, Apr 13, 2010
    #2

  3. tg

    tg Guest

    >
    > Do you know the numbers they called once they got the passwords?


    thanks for your response Gordon.
    some of the numbers that were called using my credit were:
    0022462310923
    0022468299222
    0022462427585
    0022468459504...etc

    what I also noticed is that during this same hack period (the last 24 hours)
    I've had about 30-odd missed calls on the display of my sip phone, and all
    of them start with 00224...
    I'm also spitting blood right now because draytel came back to me saying it
    was basically 'my problem', they weren't going to restore my credit and that
    I need to change my sip password. What a bunch of maggots. I'm now taking
    the matter up with ofcom. I'm so angry with draytel over this, they just
    don't give a damn.
     
    tg, Apr 13, 2010
    #3
  4. Gordon Henderson <> wrote in <hq18du$2u5q$>:
    > There appears to be large on-going hack/crack attempts on anything that
    > vaguely resembles an SIP server right now. I had my home/office box
    > attacked - a sustained attack of 200 tests/second for some 36 hours. It
    > originated from an Amazon EC3 host.


    Like this one?

    [Apr 10 16:45:36] NOTICE[6890] chan_sip.c: Registration from '"9999"<sip:>' failed for '184.73.12.46' - No matching peer found

    I have 24253 entries that look like that one.

    Interestingly, another asterisk I run has no recent attempts.

    Koos

    --
    Koos van den Hout, PGP keyid DSS/1024 0xF0D7C263 via keyservers
    4all.nl
    Weather maps from free sources at
    http://idefix.net/ http://weather.idefix.net/
     
    Koos van den Hout, Apr 13, 2010
    #4
  5. In article <hq1ssn$gof$4all.nl>,
    Koos van den Hout <4all.nl> wrote:
    >Gordon Henderson <> wrote in
    ><hq18du$2u5q$>:
    >> There appears to be large on-going hack/crack attempts on anything that
    >> vaguely resembles an SIP server right now. I had my home/office box
    >> attacked - a sustained attack of 200 tests/second for some 36 hours. It
    >> originated from an Amazon EC3 host.

    >
    >Like this one?
    >
    >[Apr 10 16:45:36] NOTICE[6890] chan_sip.c: Registration from
    >'"9999"<sip:>' failed for '184.73.12.46' - No matching
    >peer found
    >
    >I have 24253 entries that look like that one.


    Yes, but for a different account.

    >Interestingly, another asterisk I run has no recent attempts.


    I run many but only one that I know of so-far been hit with this attack,
    but it's only a matter of time.

    Make sure you have alwaysauthreject=yes in your sip.conf file.

    Gordon
     
    Gordon Henderson, Apr 13, 2010
    #5
  6. alexd

    alexd Guest

    On 13/04/10 13:05, tg wrote:

    > I'm also spitting blood right now because draytel came back to me saying it
    > was basically 'my problem', they weren't going to restore my credit and
    > that
    > I need to change my sip password. What a bunch of maggots. I'm now taking
    > the matter up with ofcom. I'm so angry with draytel over this, they just
    > don't give a damn.


    What have Draytel done wrong, exactly?

    --
    <http://ale.cx/> (AIM:troffasky) ()
    18:09:23 up 4 days, 7:17, 2 users, load average: 0.03, 0.20, 0.17
    It is better to have been wasted and then sober
    than to never have been wasted at all
     
    alexd, Apr 13, 2010
    #6
  7. tg

    tg Guest

    "alexd" <> wrote in message
    news:hq28jp$l78$...
    > On 13/04/10 13:05, tg wrote:
    >
    >> I'm also spitting blood right now because draytel came back to me saying
    >> it
    >> was basically 'my problem', they weren't going to restore my credit and
    >> that
    >> I need to change my sip password. What a bunch of maggots. I'm now taking
    >> the matter up with ofcom. I'm so angry with draytel over this, they just
    >> don't give a damn.

    >
    > What have Draytel done wrong, exactly?


    draytel have had a security breach into THEIR server and someone is running
    amok with my paid credit. They're making out this is my problem, it's not.
    I trusted them with the money I paid them, my username and password have
    remained safe at my end and they've allowed my credit to be squandered by
    some hacker who is obviously making numerous calls to Guinea. This is
    betrayal by draytel and I'm justified in being furious, and I'm referring
    the matter to ofcom.
     
    tg, Apr 13, 2010
    #7
  8. On Tue, 13 Apr 2010 08:02:06 +0000, Gordon Henderson wrote:

    > In article <4bc3a41c$0$2521$>, tg
    > <> wrote:
    >>my draytel sip account has been hacked over the last 24 hours starting
    >>at 4:35pm on the 12th April and my credit has been completely used up in
    >>that time. I've sent an email to draytel and I'm hoping they will
    >>confirm the hack and restore my credit but I was wondering if anyone
    >>else out there has had their draytel account hacked?

    >
    > There appears to be large on-going hack/crack attempts on anything that
    > vaguely resembles an SIP server right now. I had my home/office box
    > attacked - a sustained attack of 200 tests/second for some 36 hours. It
    > originated from an Amazon EC3 host. I also know that some of my clients
    > have been under attack too - as well as my central peering servers.
    >
    > I've also read reports of this happening all over the place - from
    > Amazon EC2's over the weekend, but maybe they've moved on now.
    >
    > Do you know the numbers they called once they got the passwords?
    >
    > Gordon

    It's nothing uncommon to see a log littered with this:

    [2010-04-13 18:37:00] NOTICE[6461] chan_sip.c: Registration from
    '"8119"<sip:>' failed for '89.255.8.160' - No matching peer
    found
    [2010-04-13 18:37:00] NOTICE[6461] chan_sip.c: Registration from
    '"8120"<sip:>' failed for '89.255.8.160' - No matching peer
    found
    [2010-04-13 18:37:00] NOTICE[6461] chan_sip.c: Registration from
    '"8121"<sip:>' failed for '89.255.8.160' - No matching peer
    found
    [2010-04-13 18:37:00] NOTICE[6461] chan_sip.c: Registration from
    '"8122"<sip:>' failed for '89.255.8.160' - No matching peer
    found

    and tools like sipvicious make it very easy and fast to find suitable
    weak targets for toll fraud. It's been happening since the beginning of
    time.

    What a surprise that it's Draytek's VoIP service. Toy devices, toy
    services. Probably 'protected' by their own kit LOL.

    Gordon, I am not sure if rate controlling connections on 5060 in iptables
    would be sufficient to stop the serious hacking attempts - what are your
    views?
     
    Vicktor Whieste, Apr 13, 2010
    #8
  9. tg

    tg Guest


    >
    > Can you not tell your credit card company?


    I don't see that working, they'll just tell me I have to sort it out with my
    provider - draytel, which is proving extremely difficult. They're
    stonewalling me like crazy.
     
    tg, Apr 13, 2010
    #9
  10. alexd

    alexd Guest

    On 13/04/10 20:08, Vicktor Whieste wrote:

    > Gordon, I am not sure if rate controlling connections on 5060 in iptables
    > would be sufficient to stop the serious hacking attempts - what are your
    > views?


    http://www.voip-info.org/wiki/view/Fail2Ban (with iptables) And Asterisk

    Probably easier to permit the stuff you want and block everything else,
    although that depends who/where your endpoints are.

    IMO, you should do the obvious and simple things first, like setting
    sensible passwords, before getting into complicated and potentially
    self-DoSing stuff like fail2ban.

    And run sipvicious against your own kit - no sense letting the bad guys
    keep the interesting and useful tools to themselves.

    --
    <http://ale.cx/> (AIM:troffasky) ()
    21:08:12 up 4 days, 10:17, 2 users, load average: 0.09, 0.15, 0.11
    It is better to have been wasted and then sober
    than to never have been wasted at all
     
    alexd, Apr 13, 2010
    #10
  11. alexd

    alexd Guest

    On 13/04/10 18:39, tg wrote:

    > "alexd" <> wrote in message


    >> What have Draytel done wrong, exactly?


    > draytel have had a security breach into THEIR server and someone is running
    > amok with my paid credit. They're making out this is my problem, it's not.


    Ah OK. Your original post implied you had set some obvious password on
    your Draytel account, and someone had brute forced it and spent your
    credit.

    If you can't find anyone else who's had a problem, then you're going to
    have a hard time proving to Draytel [or anyone else for that matter]
    that some sort of insecurity in their systems has caused your account to
    be breached. Of course you'll need to rule your own systems out too [eg
    CallManager, if you're still using that].

    --
    <http://ale.cx/> (AIM:troffasky) ()
    21:48:32 up 4 days, 10:57, 2 users, load average: 0.02, 0.09, 0.12
    It is better to have been wasted and then sober
    than to never have been wasted at all
     
    alexd, Apr 13, 2010
    #11
  12. In article <hq2ff7$37j$>,
    Vicktor Whieste <> wrote:

    >What a surprise that it's Draytek's VoIP service. Toy devices, toy
    >services. Probably 'protected' by their own kit LOL.
    >
    >Gordon, I am not sure if rate controlling connections on 5060 in iptables
    >would be sufficient to stop the serious hacking attempts - what are your
    >views?


    (a) I like, use and sell Draytek routers, but not their VoIP service,
    obviously. You seem to have a problem with them, but that's fine by me.

    (b) Rate limiting probably will work, (iptables, fail2ban, etc.) but
    needs careful tuning - some phones stupidly will retry once a second
    when you put the wrong password into the phone (Snom!) and some of my
    servers have 1000's of SIP accounts on them, sometimes with a dozen or
    so behind the same IP address, so that also needs a little care.
    (either by parsing log-files or using the string search rules in iptables
    to look for SIP REGISTERs)

    (c) For Asterisk, put alwaysauthreject=yes in sip.conf. It breaks the
    SIP RFC, but not in any way that'll hurt it, but it will stop crackers
    finding a valid account.

    And Read this:

    http://blogs.digium.com/2009/03/28/sip-security/

    Gordon
     
    Gordon Henderson, Apr 14, 2010
    #12
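The log lines quoted in post #8 and the tuning caveats Gordon raises in post #12 (phones that retry once a second, many accounts behind one NAT address) can be turned into a small log-analysis check. The following is an added example, not code from anyone in this thread: it parses Asterisk chan_sip "Registration from ... failed" NOTICE lines in both timestamp styles seen above, counts failures per source IP inside a sliding window, and separates an extension-enumeration burst (many distinct accounts) from a single account retrying (the mis-configured-phone case), with a trusted list for addresses that must never be auto-blocked. The threshold, window, the 198.51.100.7 and 203.0.113.5 addresses and the "Wrong password" reason text are constructed assumptions; the twelve-account burst from 89.255.8.160 extends the four lines shown in post #8.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the chan_sip NOTICE lines quoted in the thread, e.g.
# [2010-04-13 18:37:00] NOTICE[6461] chan_sip.c: Registration from '"8119"<sip:>' failed for '89.255.8.160' - No matching peer found
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+NOTICE\[\d+\]\s+chan_sip\.c:\s+Registration from\s+"
    r"'(?P<user>[^']*)'\s+failed for\s+'(?P<ip>[0-9.]+)'\s+-\s+(?P<reason>.+)$"
)


def parse_ts(text, default_year=2010):
    """Accept both timestamp styles seen in the thread; the syslog style has no year."""
    for fmt in ("%Y-%m-%d %H:%M:%S", "%b %d %H:%M:%S"):
        try:
            ts = datetime.strptime(text, fmt)
        except ValueError:
            continue
        return ts.replace(year=default_year) if ts.year == 1900 else ts
    return None


def parse_line(line):
    """Return {ts, user, ip, reason} for a failed-registration line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = parse_ts(m.group("ts"))
    if ts is None:
        return None
    # '"8119"<sip:>' -> 8119 (the display name is the account being guessed)
    user = re.sub(r'^"?([^"<]*)"?.*$', r"\1", m.group("user"))
    return {"ts": ts, "user": user, "ip": m.group("ip"), "reason": m.group("reason")}


def peak_in_window(times, window):
    """Largest number of events falling inside any span of length `window`."""
    times = sorted(times)
    best = start = 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def classify(events, window=timedelta(seconds=60), threshold=10, trusted=frozenset()):
    """Per source IP: burst size, distinct accounts tried, and a verdict."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    report = {}
    for ip, evs in by_ip.items():
        peak = peak_in_window([e["ts"] for e in evs], window)
        users = {e["user"] for e in evs}
        if ip in trusted:
            verdict = "trusted"            # NAT gateway with many phones: never auto-block
        elif peak >= threshold and len(users) > 1:
            verdict = "scanner"            # many accounts in one burst = extension enumeration
        elif peak >= threshold:
            verdict = "single-account"     # one account retrying = probably a mis-configured phone
        else:
            verdict = "below-threshold"
        report[ip] = {"total": len(evs), "peak": peak, "users": len(users), "verdict": verdict}
    return report


def scan_log(lines, **kwargs):
    events = [e for e in (parse_line(l) for l in lines) if e is not None]
    return classify(events, **kwargs)


# Constructed sample log: the thread's 89.255.8.160 burst extended to twelve accounts,
# a phone at a made-up RFC 5737 address retrying one account once a second, the
# older-format line from post #4, and a non-NOTICE line that must be ignored.
TEMPLATE = ("[{ts}] NOTICE[6461] chan_sip.c: Registration from "
            "'\"{user}\"<sip:>' failed for '{ip}' - {reason}")
SAMPLE_LOG = (
    [TEMPLATE.format(ts="2010-04-13 18:37:00", user=8119 + i, ip="89.255.8.160",
                     reason="No matching peer found") for i in range(12)]
    + [TEMPLATE.format(ts="2010-04-13 18:40:%02d" % i, user=2001, ip="198.51.100.7",
                       reason="Wrong password") for i in range(12)]
    + ["[Apr 10 16:45:36] NOTICE[6890] chan_sip.c: Registration from '\"9999\"<sip:>' "
       "failed for '184.73.12.46' - No matching peer found"]
    + ["[2010-04-13 18:41:00] VERBOSE[6461] logger.c: -- Registered SIP '2001' at 198.51.100.7 port 5060"]
)

if __name__ == "__main__":
    # 203.0.113.5 stands in for an office NAT address you would whitelist (assumed)
    for ip, info in scan_log(SAMPLE_LOG, trusted={"203.0.113.5"}).items():
        print(ip, info)
```

Run it against a real `/var/log/asterisk/messages` by feeding the file's lines to `scan_log`; the "single-account" verdict is the case to review by hand rather than block, since it is what a phone with a mistyped password looks like, and a "scanner" verdict is the one worth handing to fail2ban or an iptables rule. Only the detection side is shown here; server-side settings such as alwaysauthreject in sip.conf are separate.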
  13. tg

    tg Guest

    "alexd" <> wrote in message
    news:hq2m60$ecr$...
    > On 13/04/10 18:39, tg wrote:


    > Ah OK. Your original post implied you had set some obvious password on
    > your Draytel account, and someone had brute forced it and spent your
    > credit.


    no I've always used the password originally supplied by draytel. My sip
    password resides in a cisco router and to telnet into the router you need to
    know two different passwords.

    > If you can't find anyone else who's had a problem, then you're going to
    > have a hard time proving to Draytel [or anyone else for that matter]


    yes I know but I'm positive there's been no security leak at my end, thus
    the breach happened at draytel's end, therefore there might be more draytel
    customers out there who have experienced the same as me. If I can locate
    other draytel customers whose credit has been hacked I can prove my point.
     
    tg, Apr 14, 2010
    #13
  14. tg

    tg Guest

    > What a surprise that it's Draytek's VoIP service.

    drayTEL, not draytek, afaik they're two completely separate things.
     
    tg, Apr 14, 2010
    #14
  15. On Wed, 14 Apr 2010 11:50:12 +0100, tg wrote:

    >> What a surprise that it's Draytek's VoIP service.

    >
    > drayTEL, not draytek, afaik they're two completely separate things.


    Of course they are, but are you not aware of the common link? (Other than
    'being of toy quality'?)
     
    Vicktor Whieste, Apr 14, 2010
    #15
  16. alexd

    alexd Guest

    On 14/04/10 11:44, tg wrote:

    > yes I know but I'm positive there's been no security leak at my end, thus
    > the breach happened at draytel's end, therefore there might be more draytel
    > customers out there who have experienced the same as me. If I can locate
    > other draytel customers whose credit has been hacked I can prove my point.


    Ask them for a record of what IP address(es) the calls were made from.

    --
    <http://ale.cx/> (AIM:troffasky) ()
    16:11:11 up 5 days, 5:21, 2 users, load average: 0.32, 0.27, 0.21
    It is better to have been wasted and then sober
    than to never have been wasted at all
     
    alexd, Apr 14, 2010
    #16
  17. tg

    tg Guest

    >
    > Ask them for a record of what IP address(es) the calls were made from.


    I've done that, whether or not they provide those I don't know. Is there any
    way I can legally force them to provide this info? The reason I ask is
    because they're being unco-operative.
     
    tg, Apr 14, 2010
    #17
  18. tg

    tg Guest

    no what is the common link?
     
    tg, Apr 14, 2010
    #18
  19. Graham.

    Graham. Guest

    Graham., Apr 14, 2010
    #19
  20. tg

    tg Guest

    I get more foggy with each reply from you Graham;
    just state your point and be clear.
     
    tg, Apr 14, 2010
    #20
