draytel account hack - anyone else?

Discussion in 'UK VOIP' started by tg, Apr 12, 2010.

  1. tg

    tg Guest

    my draytel sip account has been hacked over the last 24 hours starting at
    4:35pm on the 12th April and my credit has been completely used up in that
    time. I've sent an email to draytel and I'm hoping they will confirm the
    hack and restore my credit but I was wondering if anyone else out there has
    had their draytel account hacked?
     
    tg, Apr 12, 2010
    #1
    1. Advertisements

  2. There appears to be large on-going hack/crack attempts on anything that
    vaguely resembles an SIP server right now. I had my home/office box
    attacked - a sutained attack of 200 tests/second for some 36 hours. It
    originated from an Amazon EC3 host. I also know that some of my clients
    have been under attack too - as well as my central peering servers.

    I've also read reports of this happening all over the place - from Amazon
    EC2's over the weekend, but maybe they've moved on now.

    Do you know the numbers they called once they got the passwords?

    Gordon
     
    Gordon Henderson, Apr 13, 2010
    #2
    1. Advertisements

  3. tg

    tg Guest

    thanks for your response Gordon.
    some of the numbers that were called using my credit were:
    0022462310923
    0022468299222
    0022462427585
    0022468459504...etc

    what I also noticed is that during this same hack period (the last 24 hours)
    I've had about 30-odd missed calls on the display of my sip phone, and all
    of them start with 00224...
    I'm also spitting blood right now because draytel came back to me saying it
    was basically 'my problem', they weren't going to restore my credit and that
    I need to change my sip password. What a bunch of maggots. I'm now taking
    the matter up with ofcom. I'm so angry with draytel over this, they just
    don't give a damn.
     
    tg, Apr 13, 2010
    #3
  4. Like this one?

    [Apr 10 16:45:36] NOTICE[6890] chan_sip.c: Registration from '"9999"<sip:>' failed for '184.73.12.46' - No matching peer found

    I have 24253 entries that look like that one.

    Interestingly, another asterisk I run has no recent attempts.

    Koos
     
    Koos van den Hout, Apr 13, 2010
    #4
  5. Yes, but for a different account.
    I run many but only one that I know of so-far been hit with this attack,
    but it's only a matter of time.

    Make sure you have alwaysauthreject=yes in your sip.conf file.

    Gordon
     
    Gordon Henderson, Apr 13, 2010
    #5
  6. tg

    alexd Guest

    What have Draytel done wrong, exactly?
     
    alexd, Apr 13, 2010
    #6
  7. tg

    tg Guest

    draytel have had a security breach into THEIR server and someone is running
    amock with my paid credit. They're making out this is my problem, it's not.
    I trusted them with the money I paid them, my username and password have
    remained safe at my end and they've allowed my credit to be squandered by
    some hacker who is obviously making numerous calls to Guinea. This is
    betrayal by draytel and I'm justified in being furious, and I'm referring
    the matter to ofcom.
     
    tg, Apr 13, 2010
    #7
  8. It's nothing uncommon to see a log littered with this:

    [2010-04-13 18:37:00] NOTICE[6461] chan_sip.c: Registration from
    '"8119"<sip:>' failed for '89.255.8.160' - No matching peer
    found
    [2010-04-13 18:37:00] NOTICE[6461] chan_sip.c: Registration from
    '"8120"<sip:>' failed for '89.255.8.160' - No matching peer
    found
    [2010-04-13 18:37:00] NOTICE[6461] chan_sip.c: Registration from
    '"8121"<sip:>' failed for '89.255.8.160' - No matching peer
    found
    [2010-04-13 18:37:00] NOTICE[6461] chan_sip.c: Registration from
    '"8122"<sip:>' failed for '89.255.8.160' - No matching peer
    found

    and tools like sipvicious make it very easy and fast to find suitable
    weak targets for toll fraud. It's been happening since the beginning of
    time.

    What a surprise that it's Draytek's VoIP service. Toy devices, toy
    services. Probably 'protected' by their own kit LOL.

    Gordon, I am not sure if rate controlling connections on 5060 in iptables
    would be sufficient to stop the serious hacking attempts - what are your
    views?
     
    Vicktor Whieste, Apr 13, 2010
    #8
  9. tg

    tg Guest

    I don't see that working, they'll just tell me I have to sort it out with my
    provider - draytel, which is proving extremely difficult. They're
    stonewalling me like crazy.
     
    tg, Apr 13, 2010
    #9
  10. tg

    alexd Guest

    http://www.voip-info.org/wiki/view/Fail2Ban+(with+iptables)+And+Asterisk

    Probably easier to permit the stuff you want and block everything else,
    although that depends who/where your endpoints are.

    IMO, you should do the obvious and simple things first, like setting
    sensible passwords, before getting into complicated and potentially
    self-DoSing stuff like fail2ban.

    And run sipvicious against your own kit - no sense letting the bad guys
    keep the interesting and useful tools to themselves.
     
    alexd, Apr 13, 2010
    #10
  11. tg

    alexd Guest

    Ah OK. Your original post implied you had set some obvious password on
    your Draytel account, and someone had brute forced it and spent your
    credit.

    If you can't find anyone else who's had a problem, then you're going to
    have a hard time proving to Draytel [or anyone else for that matter]
    that some sort of insecurity in their systems has caused your account to
    be breached. Of course you'll need to rule your own systems out too [eg
    CallManager, if you're still using that].
     
    alexd, Apr 13, 2010
    #11
  12. (a) I like, use and sell Draytek routers, but not their VoIP service,
    obviously. You seem to have a problem with them, but that's fine by me.

    (b) Rate limiting probably will work, (iptables, fail2ban, etc.) but
    needs careful tuning - some phones stupidly will retry once a second
    when you put the wrong password into the phone (Snom!) and some of my
    servers have 1000's of SIP accounts on them, sometimes with a dozen or
    so behind the same IP address, so that also needs a little care.
    (either by parsing log-files or using the string search rules in iptables
    to look for SIP REGISTERs)

    (c) For Asterisk, put alwaysauthreject=yes in sip.conf. It breaks the
    SIP RFC, but not in any way that'll hurt it, but it will stop crackers
    finding a valid account.

    And Read this:

    http://blogs.digium.com/2009/03/28/sip-security/

    Gordon
     
    Gordon Henderson, Apr 14, 2010
    #12
  13. tg

    tg Guest

    no I've always used the password originally supplied by draytel. My sip
    password resides in a cisco router and to telnet into the router you need to
    know two different passwords.
    yes I know but I'm positive there's been no security leak at my end, thus
    the breach happened at draytels end, therefore there might be more draytel
    customers out there who have experienced the same as me. If I can locate
    other draytel customers who's credit has been hacked I can prove my point.
     
    tg, Apr 14, 2010
    #13
  14. tg

    tg Guest

    What a surprise that it's Draytek's VoIP service.

    drayTEL, not draytek, afaik they're two completely seperate things.
     
    tg, Apr 14, 2010
    #14
  15. Of course they are, but are you not aware of the common link? (Other than
    'being of toy quality'?
     
    Vicktor Whieste, Apr 14, 2010
    #15
  16. tg

    alexd Guest

    Ask them for a record of what IP address(es) the calls were made from.
     
    alexd, Apr 14, 2010
    #16
  17. tg

    tg Guest

    I've done that, whether or not they provide those I don't know. Is there any
    way I can legally force them to provide this info? the reason I ask is
    because they're being unco-operative.
     
    tg, Apr 14, 2010
    #17
  18. tg

    tg Guest

    no what is the common link?
     
    tg, Apr 14, 2010
    #18
  19. tg

    Graham. Guest

    Graham., Apr 14, 2010
    #19
  20. tg

    tg Guest

    I get more foggy with each reply from you Graham
    just state your point and be clear.
     
    tg, Apr 14, 2010
    #20
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.