GOT HACKED... THERE'S AN ENTRYPOINT in W52P
frankc (Junior Member), Post #1
I have strong passwords.
I have a PIN.

I got hacked... some asshole got in and made a redirect on line 1 to 011970597377755 on "always"....

So there seems to be a problem with the W52P.

Firmware Version 25.30.0.20
Hardware Version 25.0.0.0.0.0.0

PLEASE be careful,

Also, I think they are brute-forcing, as the BASE gets unresponsive until I do a base restart every day.

They also added a custom entry in Phone -> Tones:

country -> custom
dial -> 011970597377755

Also, what is "user var"?

They added a user var.
09-21-2013 11:21 PM
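frankc's suspicion above is the pattern worth detecting on an internet-exposed phone: repeated login attempts against the web UI or SIP account until something gives. As an added example, not code from this thread or from Yealink, the following Python flags any source IP with five or more failed logins inside a 60-second window. The log lines are constructed for this example in a generic syslog shape; the real Yealink syslog format is not shown on this page and is an assumption here.

```python
"""Flag source IPs that hammer a phone's login (brute-force indicator).

Added example, not code from the thread or from Yealink. The log lines
below are constructed for illustration in a generic syslog shape; the real
Yealink syslog format is not shown on this page and is an assumption here.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample: generic "<timestamp> <host> <process>: <message>" lines.
SAMPLE_LOG = """\
Sep 21 23:01:02 w52p-base httpd: login failed for user 'admin' from 203.0.113.7
Sep 21 23:01:03 w52p-base httpd: login failed for user 'admin' from 203.0.113.7
Sep 21 23:01:03 w52p-base httpd: login failed for user 'admin' from 203.0.113.7
Sep 21 23:01:04 w52p-base httpd: login failed for user 'user' from 203.0.113.7
Sep 21 23:01:05 w52p-base httpd: login failed for user 'admin' from 203.0.113.7
Sep 21 23:05:10 w52p-base httpd: login ok for user 'admin' from 192.0.2.10
Sep 21 23:30:00 w52p-base httpd: login failed for user 'admin' from 198.51.100.4
Sep 22 00:10:00 w52p-base httpd: login failed for user 'admin' from 198.51.100.4
"""

# Matches the constructed line shape above (hypothetical, not a Yealink format).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ \S+: "
    r"login (?P<result>failed|ok) for user '(?P<user>[^']*)' from (?P<ip>[\d.]+)$"
)

def parse_line(line, year=2013):
    """Return (timestamp, result, user, ip) or None if the line does not match.

    Classic syslog timestamps carry no year, so the caller supplies one.
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]

def brute_force_sources(log_text, threshold=5, window_s=60):
    """Return {ip: peak_failures} for IPs reaching `threshold` failures in any `window_s` span.

    A sliding window per source IP: each failure is appended, failures older
    than the window are dropped, and the IP is flagged when the window fills.
    Successful logins are ignored, so a legitimate admin is never flagged.
    """
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    flagged = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, result, _user, ip = rec
        if result != "failed":
            continue
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged

if __name__ == "__main__":
    for ip, n in brute_force_sources(SAMPLE_LOG).items():
        print(f"possible brute force from {ip}: {n} failures within 60s")
```

With the defaults, 203.0.113.7 (five failures in three seconds) is flagged and 198.51.100.4 (two failures forty minutes apart) is not; widen the window to an hour and lower the threshold to two and the slow source is caught as well. The window and threshold are the knobs to tune against what the base's own syslog actually shows once level 6 logging is enabled.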
Yealink Support (Administrator), Post #2
Hi Frank,
Sorry for this issue. I have already transferred it to our specialist engineers, and they are dealing with it as highest priority; they will contact you ASAP with any update.
09-23-2013 10:50 AM
fseesink (Junior Member), Post #3
This isn't restricted to the W52P. I have a Yealink SIP-T28P which apparently has suffered a similar fate. I just noticed this tonight, which eventually had me Googling and landing on this thread. Only in my case, line 1 was forwarded to 011970597202522. If I read this right, that's an international number (011) in Palestine (country code 970).

As for my SIP-T28P, it's running

Firmware Version 2.70.0.150
Hardware Version 1.0.0.4

The unit sits on a publicly accessible IP address, but much like frankc, I use rather cryptic passwords.

It would be very nice if Yealink would not only address the issue, but inform its customers as to the exact nature of this hack.
10-23-2013 08:02 AM
Yealink Support (Administrator), Post #4
Hi fseesink,

Sorry for this issue. I have already transferred it to our specialist engineers, and they are dealing with it as highest priority; they will contact you ASAP with any update.
Could you please send an email to support@yealink.com?
Sorry again for the inconvenience.
10-23-2013 10:11 AM
fseesink (Junior Member), Post #5
Tried to email support as you requested from my email client, but received the following. (Not heartwarming from a support perspective.)

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of
its recipients. The following addresses failed:

<support@yealink.com>

SMTP error from remote server after DATA command:
host mail.yealink.com[117.28.234.38]:
553 refused, the IP(74.208.4.194) is listed in cblless.anti-spam.org.cn(Mail from 74.208.4.194 refused, see http://anti-spam.org.cn/Rbl/Query/Result...208.4.194)

Next, tried using the email support feature in this forum software. Even though all I could type in was a subject line and message, I still ended up receiving rejection messages at my email address with the following.

Seriously, who is responsible for your support setup?? It's like amateur hour here.


----

Hi,

Your message can not deliver to the following addresses. Error information:

<12support@yealink.com>, no mailbox here by that name


--- Below this line is the post message information
To: 12support@yealink.com
Subject: V71 has issues showing 'Advanced' settings
Date: Wed, 23 Oct 2013 03:08:10 +0000

Received: from mail.yealink.com ([50.57.40.192])
(envelope-sender <MYEMAILADDRESS_HERE>)
by 192.168.1.100 with ESMTP
for <12support@yealink.com>; Wed, 23 Oct 2013 11:05:50 +0800
Date: Wed, 23 Oct 2013 03:08:10 +0000
To: 12support@yealink.com
Subject: V71 has issues showing 'Advanced' settings
From: MYEMAILADDRESS_HERE
Return-Path: MYEMAILADDRESS_HERE
Reply-To: MYEMAILADDRESS_HERE
Content-Transfer-Encoding: 8bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: MyBB
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8



--- Enclosed, the attachment is the posted message

In dealing with the hacking issue, I upgraded my SIP-T28P from V70 to V71 (2.71.0.140). However, there are clearly some bugs in the new Web UI.

For example, any attempt to visit the 'Account' tab | 'Advanced' results in a blank page. The same goes for 'Network' tab | 'Advanced'. All other tabs and subsections come up fine.

Other than these glitches, though, it's a very nice looking UI.


(Oh, and whoever configured the editor for this forum, none of the formatting buttons like bold or italic work. Just one more red flag.)
10-23-2013 11:10 AM
Yealink Support (Administrator), Post #6
Hi fseesink,

Could you send me your email address and tell me where you are from?
Then I will have my colleague contact you directly.
Thanks
10-23-2013 03:01 PM
fseesink (Junior Member), Post #7
(10-23-2013 03:01 PM) Yealink Support Wrote:  Hi fseesink,

Could you send me your email address and tell me where you are from?
Then I will have my colleague contact you directly.
Thanks

Well, your support setup is a royal pain. The forum is a mess as far as reaching you, and asking for a direct email is nice and all, but it's no good when I send a detailed email to you and here's what I get back:

________________________________________

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of
its recipients. The following addresses failed:

<ailsa@yealink.com>
<mike@yealink.com>
<Flora@yealink.com>
<tony@yealink.com>

SMTP error from remote server after DATA command:
host mail.yealink.com[117.28.234.38]:
553 refused, the IP(74.208.4.194) is listed in cblless.anti-spam.org.cn(Mail from 74.208.4.194 refused, see http://anti-spam.org.cn/Rbl/Query/Result...208.4.194)


--- The header of the original message is following. ---
...
________________________________________


In short, I have a hosted account at 1&1, where I maintain an IMAP email account and use their authenticated mail server. 1&1 owns IP 74.208.4.194. So my attempt to email you was blocked because my email host is apparently being blacklisted by an organization you use to prevent spam. The only problem is, the link referenced above is in Chinese and I haven't a clue what I can do about this. I've forwarded the info to 1&1 in hopes they can resolve it, but seriously, can you people PLEASE for heaven's sake clean up the communications interfaces you have with customers? It's a royal p.i.t.a. to simply try and help you with your security issues. It shouldn't be like that.

If I can't email you, I will simply have to post my detailed response here in the forum. If you don't want that kind of information in the open, FIX THIS.
10-26-2013 02:14 PM
fseesink (Junior Member), Post #8
Ok, no luck getting a response about the black listing. So here's what I tried to email you and the others you listed (Tony, Mike, and Flora) the other night regarding this. And since your forum editor is crap, as none of the toolbar buttons work (showing "undefined" tags for everything), I'm manually doing things to format this for now. Apologies if you didn't want this posted publicly, but Yealink left me little choice since your support infrastructure leaves much to be desired. Hopefully this post will actually work.


Quote:On Oct 24, 2013, at 2:36 AM, Ailsa <ailsa@yealink.com> wrote:

Hi fseesink,

I am ailsa from yealink technical support team. We treat your hacker attack as highest priority.
I want to check about the attack issue scenario with you.
1. Your phone has a public address
2. You have a strong admin password and user password
3. The hacker forward line 1 to 011970597202522
4. And remote control line 1 to call out?

Correct on 1-3. I'm not sure I understand what you mean by 4. The phone's configuration was compromised, but I found nothing in my ITSP logs to indicate any outbound calls were made, if that's what you're asking. I simply noticed that the phone was set to forward (arrow indicator in upper right corner) and the odd number, clearly neither of which I did.

Quote: In order to debug and avoid this kind of issue, Please try below steps:
1. Disable some settings in remote control and fill in the allowed IP addresses
<image003.jpg>

Ok, before we go much further, I need to make sure we are clear on something. The screenshot you reference is clearly to a phone running V71 firmware. At the time when my phone was compromised, it was running V70 (2.70.0.150) firmware. I have since updated the firmware to V71 (2.71.0.140), so it does NOW look like the screenshot you provided.

Quote:2. Set strong and complex passwords for admin and user
3. Keep your password secret and, ideally, set up a firewall.

Already done other than firewall bit. Note the point of reporting this was that while best practice in a production environment would be to keep your VoIP phones behind a firewall on a segmented VLAN, this particular phone is my personal one used to connect to an ITSP for my use. And this is not an uncommon circumstance, hence my notifying Yealink of the issue as clearly there are problems with security as outlined online:

http://www.securityfocus.com/archive/1/529420
http://www.youtube.com/watch?v=2yN_-g-0PAk
http://www.youtube.com/watch?v=BjI5gkFUzOo
https://www.dropbox.com/s/hp5fj7e7o1mdny...sucks.pptx

Quote:4. Please set syslog level 6 and export the syslog after the hacker does something in your phone. Then we can debug in Yealink.
Thanks for your cooperation.
<image005.png>

Just a note here. It would be helpful if you explained where these particular settings are located, as your screenshot does not make that clear. It took me awhile to find it under 'Settings' tab, 'Configuration' submenu.

Quote: For the issue of V71, Please reset to factory and try again.

??? I'm not sure you are understanding what I have posted. Again, at the time when my phone was compromised, it was running V70 (2.70.0.150) firmware. I have since removed the forwarding number, changed the admin password on the phone to be safe, and updated the firmware to V71 (2.71.0.140). Thus far the issue has not re-occurred. I simply posted to inform Yealink of the issue. Googling later revealed what I found above in those links. My posts were a courtesy to Yealink that they have an issue that they need to address, as I'm sure many people have your phones and are still using vulnerable firmware versions.

Quote:1. Do you upgrade version using auto-provisioning?

No. I upgrade manually using the Web UI.

Quote:2. Do you use the latest template of common.cfg? You can refer to the files below.
http://www.yealink.com/Upload/T2X/T2X-V7...ioning.zip
http://www.yealink.com/Upload/T2X/T2X-V7...71_141.pdf

Not sure if this applies since I'm using this particular T28 as an individual phone. It's not part of a larger set or being auto provisioned, etc.

Quote:3. If the issue is still on, please supply us config.bin and syslog level 6.
Before you export the syslog, please set the log level to 6 and reboot the phone, then click Start, reproduce the issue, click Stop, and export the syslog and config.bin to us.
You can also refer to below guide.
ftp://Ailsa@ftp.yealink.com/How_to_get_t..._Trace.pdf

<image006.png>

Ailsa,

Do you need me to turn on the logging now that my phone is running V71 code? That is, is Yealink still having issues with this for users with V71 code installed? Or was all of this related to the fact that RPS was enabled by default in V70 firmware as indicated on slide 6 of the PowerPoint file referenced above? If there is still a security issue, I will do as you ask IF I ever find the phone compromised again.

For the moment, my phone is fine. It's running V71, has a new admin password, but for the rest is sitting exactly where it was when I found it compromised; i.e., it's on a public IPv4 address. So far, nothing has happened to the phone.

A VoIP phone SHOULD be safe in such a config. If this issue is as bad as it seems to be, Yealink needs to make it clear to customers what's involved and what needs to be done to secure the phones. While best practice is to layer security and protect the phones behind firewalls, that's no excuse for vulnerable firmware.

Finally, my comments below about my experience with the Web UI after upgrading to V71 (2.71.0.140) are not about security, but simply software bugs. The 'Advanced' submenus are coming up with blank pages. I suspect that's not what I should be seeing.


Quote:Best Regards

Ailsa Wu
Technical Support Engineer
Yealink Network Technology Co., Ltd.
Tel: +86-592-5702 000 ext:8519
Skype: ailsa.wu2
Email: ailsa@yealink.com
Website: http://www.yealink.com
Follow us on Twitter/Facebook for Yealink latest news!
<image001.png>

http://forum.yealink.com:81/forum/showth...hp?tid=812
10-27-2013 12:23 PM
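Both compromises in this thread share one signature: line 1 forwarded "always" to an international number (011 is the NANP international dialing prefix, 970 the country code for Palestine), which is the classic toll-fraud setup. As an added example, not code from this thread or from Yealink, the following Python audits call-forward targets from an exported key=value config and flags every enabled forward to a country outside an allowlist. The key names (account.N.forward_always.target and .enable) are hypothetical and chosen for illustration; the real export format of these phones is not shown on this page. The two target numbers are the ones quoted in the posts above.

```python
"""Audit call-forward targets for toll-fraud destinations.

Added example, not from the thread or from Yealink. The config-line format
(account.N.forward_always.target=...) is a hypothetical key=value shape used
for illustration; the real export format of these phones is not shown on
this page. The two forwarded numbers are the ones quoted in the thread.
"""
import re

# Small country-code table for the example (ITU E.164 codes; not exhaustive).
COUNTRY_CODES = {
    "1": "NANP (US/CA)", "44": "United Kingdom", "49": "Germany",
    "970": "Palestine", "972": "Israel", "234": "Nigeria",
}
# NANP "011", ITU "00" and E.164 "+" all mark an international destination.
INTL_PREFIXES = ("011", "00", "+")

def normalize(dial_string):
    """Strip dial-plan separators (spaces, dashes, dots) so only '+' and digits remain."""
    return re.sub(r"[^\d+]", "", dial_string)

def classify_target(dial_string):
    """Return (is_international, country_code_or_None, country_name_or_None).

    Country codes are 1 to 3 digits, so try the longest candidate first;
    an international number with an unknown code still reports is_international.
    """
    s = normalize(dial_string)
    for p in INTL_PREFIXES:
        if s.startswith(p):
            rest = s[len(p):]
            for n in (3, 2, 1):
                cc = rest[:n]
                if cc in COUNTRY_CODES:
                    return True, cc, COUNTRY_CODES[cc]
            return True, None, None
    return False, None, None

# Constructed config export (hypothetical key names); target numbers from the thread.
SAMPLE_CONFIG = """\
account.1.forward_always.enable=1
account.1.forward_always.target=011970597377755
account.2.forward_always.enable=1
account.2.forward_always.target=5551234
account.3.forward_always.enable=0
account.3.forward_always.target=011970597202522
"""

def rogue_forwards(config_text, allowed_ccs=frozenset({"1"})):
    """List (account, target, country) for enabled forwards to non-allowlisted countries.

    Disabled forwards are skipped even if their stale target looks suspicious,
    and domestic targets are never flagged.
    """
    kv = dict(line.split("=", 1) for line in config_text.splitlines() if "=" in line)
    findings = []
    for key, val in kv.items():
        m = re.fullmatch(r"account\.(\d+)\.forward_always\.target", key)
        if not m:
            continue
        acct = m.group(1)
        if kv.get(f"account.{acct}.forward_always.enable") != "1":
            continue
        intl, cc, name = classify_target(val)
        if intl and cc not in allowed_ccs:
            findings.append((acct, val, name or f"unknown (+{cc or '?'})"))
    return findings

if __name__ == "__main__":
    for acct, target, country in rogue_forwards(SAMPLE_CONFIG):
        print(f"account {acct}: forward-always to {target} ({country})")
```

On the constructed export only account 1 is reported: account 2 forwards to a domestic number and account 3 carries the second number from the thread but has forwarding disabled. Running such a check against a periodic config export, or against the values read back from the phone after every provisioning run, turns the "I happened to notice the arrow icon" discovery in these posts into a routine alert.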
Yealink Support (Administrator), Post #9
Hi fseesink,

Sorry for the inconvenience.
1. About the IP address limitation on email, you can enable the English interface via the link http://anti-spam.org.cn/?Locale=en_US.
Please inform your mail service provider and they will deal with it. I have submitted an application to this organization.
BTW, you can send to us from a Gmail or other account if it still does not work.

2. Because your version of the T28 isn't an RPS version, this is not related to RPS.
Unfortunately we can't debug the reason for your issue now, because we don't have enough information to troubleshoot.
What we can do at this stage is prevent the issue from happening again.
We are trying our best to improve user experience and give users the utmost assurance of their privacy.
We have added some settings in the new version and hope you can use them to prevent attacks in the future. (attachment)

3. If your phone is fine, you don't need to set the log level to 6 now. But if the issue happens again, please help by exporting the syslog at level 6, config.bin and a trace for us.

4. For the 'Advanced' blank-page issue in V71, please reset to factory and try again. I think it should be OK after resetting to factory.

[Attached file: screenshot thumbnail not reproduced]
10-28-2013 11:23 AM