2 Replies Latest reply on Mar 4, 2018 7:15 PM by avayaguy

    Adtran hacked?  Please help

    avayaguy New Member

Somehow and some way someone got into my Adtran even with a strong password. Here is what I've done to stop them from calling the UK. I got hit with a $440.00 bill for just a few days.

       

      Any other ideas?

       

       

I also removed this little line:

       

      voice user 0000.  (I REMOVED THIS)

        password "1234"

        sip-identity Unknown T02

       

       

       

      login as: admin

      admin@172.99.99.99's password:

      ADTRAN>en

      Password:

      % Incorrect password.

      ADTRAN>XXXXXXXXXXXX

      % Unrecognized command

      ADTRAN>en

      Password:

      ADTRAN#wr me

      Building configuration...

      Done. Success!

      ADTRAN#conf t

      ADTRAN(config)#username enable password xxxxxxxx

      ADTRAN(config)#exit

      Appropriate commands must be issued to preserve configuration.

      ADTRAN#wr me

      Building configuration...

      Done. Success!

      ADTRAN#show run voice

      Building configuration...

      !

      !

      voice feature-mode network

      voice transfer-mode local

      voice forward-mode network

      !

      !

      !

      !XXXXXXXXXXXX

      !

      !

      !

      !

      !

      !

      !

      !

      voice codec-list "Codec Options Flowroute"

        codec g711ulaw

      !

      !

      !

      voice trunk T01 type sip

        description "flowroutesip"

        sip-server primary 216.115.69.144

        conferencing-uri "t"

        domain "sip.flowroute.com"

        trust-domain

        codec-list "Codec Options Flowroute" both

  authentication username "56789765" password "xxxxxxxxxxxxx"

      !

      voice trunk T02 type sip

        match dnis "1$" substitute "$"

        sip-server primary 172.xx.xxx.xx

        trust-domain

        grammar from host local

        transfer-mode network

      !

      !

      voice grouped-trunk PSTN

        trunk T01

        accept 1-NXX-NXX-XXXX cost 0

        accept N11 cost 0

        accept NXX-NXX-XXXX cost 0

        accept 011-X$ cost 0

      !

      !

      voice grouped-trunk T02

        trunk T02

        accept 1-NXX-NXX-XXXX cost 0

        accept 011-X$ cost 0

      !

      !

      voice user 0000

        password "1234"

        sip-identity Unknown T02

      !

      !

      !

      !

      !

      !

      !

      !

      !

      end


      ADTRAN#conf t

      ADTRAN(config)#voice grou

      ADTRAN(config)#voice grouped-trunk T02

      ADTRAN(config-T02)#no accept 011-X$ cost 0

      ADTRAN(config-T02)#exit

      ADTRAN(config)#exit

      Appropriate commands must be issued to preserve configuration.

      ADTRAN#wr me

      Building configuration...

      Done. Success!

      ADTRAN#conf t

      ADTRAN(config)#voice gr

      ADTRAN(config)#voice grouped-trunk PSTN

      ADTRAN(config-PSTN)#no acce

      ADTRAN(config-PSTN)#no accept 011-X$ cost 0

      ADTRAN(config-PSTN)#exit

      ADTRAN(config)#wr me

      % Unrecognized command

      ADTRAN(config)#exit

      Appropriate commands must be issued to preserve configuration.

      ADTRAN#wr me

      Building configuration...

      Done. Success!

      ADTRAN#


And here is the config. I removed that voice user 0000.

       

      login as: admin

      admin@172.99.99.99's password:

      ADTRAN>en

      Password:

      % Incorrect password.


      ADTRAN>show run

      % Unrecognized command


      ADTRAN>en

      Password:

      ADTRAN#show run

      Building configuration...

      !

      !

      ! ADTRAN, Inc. OS version R11.2.0.E

      ! Boot ROM version 14.05.00.SA

      ! Platform: Total Access 908e (2nd Gen), part number 4242908L1

      ! Serial number CFG0964538

      !

      !

      hostname "ADTRAN"

      enable password xxxx

      !

      license key esbc-trial

      !

      !

      ip subnet-zero

      ip classless

      ip routing

      ipv6 unicast-routing

      !

      !

      domain-proxy

      name-server 8.8.8.8 4.2.2.2

      !

      !

      no auto-config

      !

      event-history on

      no logging forwarding

      no logging email

      !

      no service password-encryption

      !

username "admin" password "xxxxxx$"

username "enable" password "xxxxxxxx$"

      !

      !

      ip firewall

      no ip firewall alg msn

      no ip firewall alg mszone

      no ip firewall alg h323

      !

      !

      !

      !

      !

      !

      !

      !

      no dot11ap access-point-control

      !

      !

      !

      !

      !

      !

      !

      !

      !

      !

      !

      !

      !

      !

      !

      !

      !

      qos map Voice 10

        match dscp 46

        priority 800

      !

      qos map eth0/1QosWizard 20

        match dscp 46

        shape average 4194304

      qos map eth0/1QosWizard 21

        match ip list acleth0/1QosWizSignal21

        set dscp 26

      !

      !

      !

      !

      interface eth 0/1

        description outside

        ip address  xxxxxxxxxx  255.255.255.248

        ip access-policy Public

        media-gateway ip primary

        traffic-shape rate 1000000

        max-reserved-bandwidth 100

        qos-policy out eth0/1QosWizard

        no shutdown

      !

      !

      interface eth 0/2

        description inside

        ip address  172.99.99.99  255.255.255.0

        ip access-policy Private

        media-gateway ip primary

        no shutdown

      !

      !

      !

      !

      interface t1 0/1

        shutdown

      !

      interface t1 0/2

        shutdown

      !

      interface t1 0/3

        shutdown

      !

      interface t1 0/4

        shutdown

      !

      !

      interface fxs 0/1

        no shutdown

      !

      interface fxs 0/2

        no shutdown

      !

      interface fxs 0/3

        no shutdown

      !

      interface fxs 0/4

        no shutdown

      !

      interface fxs 0/5

        no shutdown

      !

      interface fxs 0/6

        no shutdown

      !

      interface fxs 0/7

        no shutdown

      !

      interface fxs 0/8

        no shutdown

      !

      !

      interface fxo 0/0

        shutdown

      !

      !

      !

      !

      !

      !

      !

      !

      ip access-list extended acleth0/1QosWizSignal21

        permit udp any  any eq 5060

      !

      ip access-list extended Admin

        permit tcp any  any eq ssh

        permit tcp any  any eq https

      !

      ip access-list extended MatchAll

        permit ip any  any

      !

      ip access-list extended SIP

        permit udp any  any eq 5060

      !

      !

      !

      !

      ip policy-class Private

        allow list MatchAll self

        nat source list MatchAll interface eth 0/1 overload

        allow list MatchAll self

        nat source list MatchAll interface eth 0/1 overload

      !

      ip policy-class Public

        allow list SIP self

        allow list Admin self

      !

      !

      !

      ip route 0.0.0.0 0.0.0.0 123123123

      !

      no tftp server

      no tftp server overwrite

      http server

      http secure-server

      no snmp agent

      no ip ftp server

      no ip scp server

      no ip sntp server

      !

      !

      !

      !

      !

      !

      !

      !

      sip

      sip udp 5060

      no sip tcp

      !

      !

      !

      voice feature-mode network

      voice transfer-mode local

      voice forward-mode network

      !

      !

      !

      !

      !

      !

      !

      !

      !

      !

      !

      !

      voice codec-list "Codec Options Flowroute"

        codec g711ulaw

      !

      !

      !

      voice trunk T01 type sip

        description "flowroutesip"

        sip-server primary 216.115.69.144

        conferencing-uri "t"

        domain "sip.flowroute.com"

        trust-domain

        codec-list "Codec Options Flowroute" both

  authentication username "03057332" password "xxxxxxxxxx"

      !

      voice trunk T02 type sip

        match dnis "1$" substitute "$"

        sip-server primary 172.xx.xxx.xxx

        trust-domain

        grammar from host local

        transfer-mode network

      !

      !

      voice grouped-trunk PSTN

        trunk T01

        accept 1-NXX-NXX-XXXX cost 0

        accept N11 cost 0

        accept NXX-NXX-XXXX cost 0

      !

      !

      voice grouped-trunk T02

        trunk T02

        accept 1-NXX-NXX-XXXX cost 0

      !

      !

      voice user 0000.  (I REMOVED THIS)

        password "1234"

        sip-identity Unknown T02

      !

       

      !

      !

      !

      sip privacy

      !

      !

       

      !

      no sip prefer double-reinvite

      !

       

      !

      !

      ip rtp symmetric-filter

      ip rtp media-anchoring

      !

      !

      ip rtp quality-monitoring

      ip rtp quality-monitoring udp

      ip rtp quality-monitoring sip

      !

      line con 0

        no login

      !

      line telnet 0 4

        login

        password password

        no shutdown

      line ssh 0 4

        login local-userlist

        no shutdown

      !

      !

      ntp source ethernet 0/2

      !

      !

      !

      end

      ADTRAN#


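The dial-plan logic behind the fix above, as an added example that is not part of the original post: a small matcher for AOS `accept` patterns showing that `accept 011-X$ cost 0` under grouped-trunk PSTN matched any 011-prefixed (international) number, so a rogue SIP user could dial the UK, and that after `no accept 011-X$ cost 0` those calls no longer match while 1+10-digit, 10-digit and N11 dialing still do. The wildcard meanings (X = 0-9, N = 2-9, M = 1-8, $ = any further digits, hyphen ignored) are my reading of the AOS pattern syntax and are stated as an assumption, not quoted from the page.

```python
"""
Dial-plan matcher for ADTRAN AOS `accept` patterns (added example, not
ADTRAN code). Shows why `accept 011-X$` on grouped-trunk PSTN routed the
rogue user's UK calls and why removing it closes that route while domestic
and N11 dialing keep working.

Wildcard meaning is assumed: X = any digit 0-9, N = 2-9, M = 1-8,
$ = any number of further digits, '-' is a visual separator and ignored.
"""
import re

WILDCARDS = {"X": "[0-9]", "N": "[2-9]", "M": "[1-8]", "$": "[0-9]*"}


def pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate one accept pattern into an anchored regular expression."""
    parts = []
    for ch in pattern.replace("-", ""):
        if ch in WILDCARDS:
            parts.append(WILDCARDS[ch])
        elif ch.isdigit():
            parts.append(ch)
        else:
            raise ValueError(f"unsupported pattern character {ch!r}")
    return re.compile("^" + "".join(parts) + "$")


def matching_accept(accept_patterns, dialed):
    """Return the first accept pattern matching the dialed digits, or None."""
    digits = re.sub(r"\D", "", dialed)  # strip separators the user typed
    for pattern in accept_patterns:
        if pattern_to_regex(pattern).match(digits):
            return pattern
    return None


def is_routable(dialed, accept_patterns):
    """True if the grouped-trunk would accept this number at all."""
    return matching_accept(accept_patterns, dialed) is not None


# Grouped-trunk PSTN as posted, and after `no accept 011-X$ cost 0`.
PSTN_BEFORE = ["1-NXX-NXX-XXXX", "N11", "NXX-NXX-XXXX", "011-X$"]
PSTN_AFTER = ["1-NXX-NXX-XXXX", "N11", "NXX-NXX-XXXX"]


if __name__ == "__main__":
    # Constructed sample numbers: a UK number, a US number, emergency.
    for number in ("011-44-20-7123-4567", "1-256-555-1234", "911"):
        print(f"{number:>20}: before={is_routable(number, PSTN_BEFORE)} "
              f"after={is_routable(number, PSTN_AFTER)}")
```

The useful thing to notice is that the accept list is the only gate between a registered SIP user and the provider trunk: once someone can register (here, user 0000 with PIN 1234, reachable because SIP is allowed from any source), every pattern on the PSTN grouped-trunk is a route they can bill to you. Dropping the 011 pattern is the right emergency fix; if international dialing is needed later, add back only the specific country prefixes required.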

        • Re: Adtran hacked?  Please help
          jayh Hall_of_Fame

          In your config:

           

          line telnet 0 4

            login

            password password

            no shutdown

           

          You'll want to fix that. Anyone in the world can access the device with the password "password". I would remove the password and shutdown the telnet access, use ssh only.

           

          Also in the config:

           

          no service password-encryption

           

          I recommend enabling password encryption to prevent reading passwords from the configuration.  Issue the command "service password-encryption".

           

          You'll also want to change all passwords on the device including SIP authentication and anything else on your network that uses the same passwords.

           

          Also in the config:

           

username "admin" password "xxxxxx$"

username "enable" password "xxxxxxxx$"

           

          Did you put the "admin" user there or was it from the default? If it's from the default, it has the password "password". Remove the admin user if you aren't using it.

           

          Keep in mind that the web GUI interface allows changes and full access without enable. (Note to Adtran, please consider changing this to require enable password.)

           

          Create an ACL called "admin-access" containing only the local networks you use to manage the device. Apply this ACL to line ssh, line telnet (if you use it, not recommended) and also http server and http secure-server.

           

          http ip access-class admin-access in

          http ip secure-access-class admin-access in

           

          line telnet 0 4

          ip access-class admin-access in

           

          line ssh 0 4

          ip access-class admin-access in

           

           

           

Create another ACL called "sip-access" containing just the subnets of your SIP provider and internal SIP users and apply that to the SIP process with:

           

          sip access-class ip "sip-access" in

            • Re: Adtran hacked?  Please help
              avayaguy New Member

I am kicking myself on the telnet. How could I miss this? The other two are very secure SSH passwords, changed post-compromise. I put admin in there and it's used for shill. I'll also do the other items to lock this down. Thanks so much, it was right in front of me and I kept missing it. Thank you.