Yealink Forums

Got Hacked!
Hello,

I will explain this situation because it has frozen my mind!

Somebody somehow configured an unconditional forward to this number: 0048717357850 in one customer's phone. It's a T22P with firmware version 7.73.0.50. This is not the weird thing... the phone is in a normal LAN and there are no open ports forwarded to the phone, so nobody can get into the web UI to change that.
The hacker who did this also changed other things, because in our server's log we can see that he/she changed the caller ID to try to beat the security of the VoIP server and make the call; hence all calls were rejected, but he/she could have made a big hole in the customer's wallet.
Of course the password in the phone was changed in the admin and user accounts before that hack, and no hack or virus was detected in the customer's LAN, so the attack was performed from the internet, and I don't know how it is possible without access to the phone by the UI or by another open port forwarded to the phone.

Maybe somebody can tell me how they do this, and how to protect my customers.

Thank you
(10-01-2020 03:11 PM)Dario Wrote:
Hello,

I will explain this situation because it has frozen my mind!

Somebody somehow configured an unconditional forward to this number: 0048717357850 in one customer's phone. It's a T22P with firmware version 7.73.0.50. This is not the weird thing... the phone is in a normal LAN and there are no open ports forwarded to the phone, so nobody can get into the web UI to change that.
The hacker who did this also changed other things, because in our server's log we can see that he/she changed the caller ID to try to beat the security of the VoIP server and make the call; hence all calls were rejected, but he/she could have made a big hole in the customer's wallet.
Of course the password in the phone was changed in the admin and user accounts before that hack, and no hack or virus was detected in the customer's LAN, so the attack was performed from the internet, and I don't know how it is possible without access to the phone by the UI or by another open port forwarded to the phone.

Maybe somebody can tell me how they do this, and how to protect my customers.

Thank you

Hi Dario,

I don’t know if this will help to prevent future hacks, but try these settings:
Features > Gen Info > …
- Accept SIP Trust Server Only: Enabled
- Allow IP Call: Disabled

Hope this will help.
Hello,

Thanks for your answer, but all the phones we install for our customers already have the configuration you mention. No one suffers from phantom calls, since that config disallows it.

This is another thing: it is a forward configured in the phone, so they must necessarily have had access to the UI somehow.

Also, the ActionURL is disabled, so they supposedly cannot do it this way.

I'm researching in the dark zones of the internet to find out how they do this, but no luck at the moment....
(10-08-2020 07:23 AM)Dario Wrote:
Hello,

Thanks for your answer, but all the phones we install for our customers already have the configuration you mention. No one suffers from phantom calls, since that config disallows it.

This is another thing: it is a forward configured in the phone, so they must necessarily have had access to the UI somehow.

Also, the ActionURL is disabled, so they supposedly cannot do it this way.

I'm researching in the dark zones of the internet to find out how they do this, but no luck at the moment....

Hi,

It's a strange and annoying problem.
Have you ever reset the device to factory settings, re-provisioned it and tested it again?

Hope this will help.
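
The server-side symptom described in this thread (an extension presenting a changed caller ID on repeated, rejected calls to one international number) can be alerted on at the VoIP server. The following is an added example, not code from any poster or from Yealink; the CDR layout, extensions, numbers and policy tables are constructed assumptions.

```python
import csv
import io
from collections import Counter

# Constructed sample call records (not real logs):
# time, extension, presented caller ID, dialed number, result
SAMPLE_CDR = """\
2020-10-01T09:02:11,201,201,912345678,ANSWERED
2020-10-01T09:14:40,202,555000111,0048000000000,REJECTED
2020-10-01T09:15:02,202,555000222,0048000000000,REJECTED
2020-10-01T09:15:30,202,555000333,0048000000000,REJECTED
2020-10-01T10:01:00,203,203,0033100000000,ANSWERED
"""

# Assumed policy: caller IDs each extension may present, and the
# international prefixes each extension is approved to dial.
ALLOWED_CALLER_ID = {"201": {"201"}, "202": {"202"}, "203": {"203"}}
ALLOWED_INTL = {"203": ("0033",)}
REPEAT_THRESHOLD = 3  # rejected attempts to one destination before alerting


def audit_cdr(text):
    """Return a sorted list of (extension, destination, reason) findings."""
    findings = set()
    rejected = Counter()
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 5:
            continue  # skip blank or malformed lines
        _ts, ext, caller_id, dst, result = row
        # Presented caller ID differs from what the extension is assigned.
        if caller_id not in ALLOWED_CALLER_ID.get(ext, set()):
            findings.add((ext, dst, "caller-id-mismatch"))
        # International destination outside the extension's approved prefixes.
        if dst.startswith("00") and not dst.startswith(ALLOWED_INTL.get(ext, ())):
            findings.add((ext, dst, "unapproved-international"))
        if result == "REJECTED":
            rejected[(ext, dst)] += 1
    # A forward set on the phone retries the same target on every incoming call.
    for (ext, dst), count in rejected.items():
        if count >= REPEAT_THRESHOLD:
            findings.add((ext, dst, "repeated-rejected"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit_cdr(SAMPLE_CDR):
        print(*finding)
```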