Fabian Tscherner
Beginner

Hacked MXP - Edge95 making secure

Hi all,

A customer runs an Edge 95 directly on an S-DSL line, without any FW in front of it.

The MXP also has some BRI connections.

It seems that the system has been hacked and made to dial out to telephone numbers in the South American area.

What can he do to make the Edge 95 as secure as possible (F6.4)?

The admin and root password was 10 characters long and included upper- and lower-case characters and digits.

Is it correct that the admin and root passwords are the same on this device?

Is there any "access-log" on the Edge95 which we could check to see when, from which account, on which port, from which IP address etc. the access happened?

Regards,

Fabian

Martin Koch
Advocate

Hi Fabian!

There are some bugs like CSCtq46488 or CSCtq46500.

I do not want to exclude that there are other (remote) vulnerabilities in older software versions as well. I think 6.4 is about 3-4 years old.

Also SNMP might be an entry point to remotely control the system.

Do you know how it was exploited? Does the system have MultiSite, so that they did one IP call and bridged it with an ISDN call, or did they just call out to an expensive number to generate traffic?

I am not aware that there is some kind of service or real root account present to access the file system / core. So from what I remember the root account is, like you said, a mapped admin account (or vice versa).

It might be interesting to check the call history, but this only shows something if it was not rebooted.

I am not aware that there are any other logs. If you had it connected to TMS or some SNMP trap host you might find some more details there.

The best would have been to debug it while the exploit was still running.

So what I would do:

* place a firewall in front of the system to block the management ports (snmp, ftp, telnet, ssh, http, https, ...)

* reset the IP password to something secure

* upgrade the endpoint to F9.3

* enable secure management (https / ssh) and disable ftp, telnet, http, snmp

* if SIP is not needed, disable SIP (many annoying scans which make the system ring happen over SIP)

Another option is to connect it to a VCS-E, which allows the system to be behind a firewall that only needs outbound connections and their answers back in, but no inbound connections to the system itself.

Please remember to rate helpful responses and identify
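As an added example that is not part of Martin's reply or any Cisco documentation, this is what the first and fourth points of his list look like as iptables FORWARD rules on a small Linux firewall placed between the S-DSL line and the endpoint: ssh and https stay reachable only from an admin subnet, ftp/telnet/http/snmp are logged and dropped. The endpoint address and the management subnet are constructed placeholders; call signalling ports are deliberately left untouched.

```shell
#!/bin/sh
# Added example (not from the thread): iptables rules for a Linux firewall in
# front of the Edge 95. ENDPOINT and MGMT_NET are placeholder addresses.
# Runs as a dry run (prints the rules) unless IPT=iptables is set.
set -eu

ENDPOINT="${ENDPOINT:-192.0.2.10}"        # placeholder: endpoint's LAN address
MGMT_NET="${MGMT_NET:-198.51.100.0/24}"   # placeholder: admin workstation subnet
IPT="${IPT:-echo iptables}"               # dry run by default

SECURE_MGMT_TCP="22 443"    # ssh, https: reachable from MGMT_NET only
LEGACY_MGMT_TCP="21 23 80"  # ftp, telnet, http: blocked outright
SNMP_UDP="161 162"          # snmp: blocked outright

# Log (rate limited) and then drop one management port, so that later
# connection attempts leave a trace on the firewall even though the
# endpoint itself keeps no access log.
drop_mgmt() {
    proto="$1"; port="$2"
    $IPT -A FORWARD -d "$ENDPOINT" -p "$proto" --dport "$port" \
        -m limit --limit 5/min -j LOG --log-prefix "EDGE95-MGMT: "
    $IPT -A FORWARD -d "$ENDPOINT" -p "$proto" --dport "$port" -j DROP
}

edge_rules() {
    # Replies to sessions the endpoint opened itself are always allowed
    # (the outbound-only model Martin describes for the VCS-E case).
    $IPT -A FORWARD -d "$ENDPOINT" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Secure management: accept from the admin subnet first, then log+drop the rest.
    for p in $SECURE_MGMT_TCP; do
        $IPT -A FORWARD -d "$ENDPOINT" -p tcp --dport "$p" -s "$MGMT_NET" -j ACCEPT
        drop_mgmt tcp "$p"
    done
    for p in $LEGACY_MGMT_TCP; do drop_mgmt tcp "$p"; done
    for p in $SNMP_UDP; do drop_mgmt udp "$p"; done
}

edge_rules
```

The LOG lines are what give the firewall the "who connected when, from where" record that Fabian asked the endpoint for; review them with the kernel log after any suspected incident.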

Hi Martin,

thank you very much for your fast reply.

These are very useful hints to make a VC device as secure as possible in such a simple scenario.

My contact can't say anything about how it was exploited. He also turned the system off after they recognised the attack, so we also don't have a call history, which could have been interesting.

With your help I was able to give some good hints to make this system more secure.

Thanks again!

Best regards,

Fabian
