531 Views | 5 Helpful | 2 Replies

Security concern on VCS 7.2

Customer has VCS Controller running 7.2 which is on the Internet (do not ask.  it is how it has to be.)

They were questioned on what seems to be a network abuse where the VCS seems to be scanning its subnet with packets with a source port of 5061 and a destination port of 5060.

Anyone heard of this being a problem?

The admin password is not the standard one, but they have had the SNMP string set to public.

What additionally should I be looking for on the VCS?

Thank you.

2 Replies

aostense
Level 1

Hi Richard,

With the information you provided, it could be someone (from the internet side) that attempts to find an ISDN gateway or similar on your network, to perform toll fraud.

If you look in the VCS search history, you should be able to identify which IP address the LRQ/SIP INVITEs come from, and then perhaps contact its ISP to stop this.

To prevent toll fraud (if an ISDN GW, or similar, is attached to the VCS), check out the VCS deployment guides, or check this post:

https://supportforums.cisco.com/message/3601931#3601931

CPL is also a good way to prevent toll fraud.

Hope this helps,

Arne

Martin Koch
VIP Alumni

In addition to what Arne said:

It would be more interesting to see what is going on here.

If it's still going on and they have the capability to mirror the switch port, it might be interesting to see what happens.

If it's some historical stuff, it might be interesting to know how that was detected.

src 5061 and dst 5060 sounds a bit strange.

Just out of interest, is SIP UDP enabled or disabled, and is any non-standard port configuration used?

There are at least some vectors which you can try to use to exploit the VCS:

* access via SSH (admin, more likely root), so check that secure passwords are set for root and the admin user

* exploit additional services, use vulnerabilities (not aware if there are any with X7.2); typical services would be SNMP, LDAP (provisioning), but please check the Bug Toolkit

* try to exploit the VoIP (SIP/H.323) service as an open proxy

* reconfigure by exploiting the admin / api web accounts

* there might be more, ...

Some basic rules:

* use secure passwords

* properly configure your system

* use authentication

* disable unused ports / services / users

* use a firewall upfront

* use the integrated firewall in addition

* define zones for who shall access what

* monitor log files

* ...

Please remember to rate helpful responses and identify
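To make the pattern from the question (one host sending from source port 5061 to destination port 5060 across its own subnet) and Martin's suggestion to mirror the switch port concrete, here is an added example that is not part of this thread and not Cisco VCS code: a small Python script that reads flow-style records from a capture or flow export and flags a host that hits many neighbours with exactly that port pair. The line format, the addresses and the threshold of 8 targets are all constructed assumptions for the example; adapt the regex to whatever your collector actually emits.

```python
"""
Added example: spot a source-port-5061 -> destination-port-5060 fan-out across a
subnet in mirrored-port or flow data. All input below is constructed; none of it
comes from a real VCS or a real capture.
"""
from collections import defaultdict
import ipaddress
import re

# Constructed flow records, one per line: "<epoch> <proto> <src>:<sport> > <dst>:<dport>".
# The first ten lines mimic a sweep of the /24; the rest are ordinary SIP traffic for contrast.
SAMPLE_FLOWS = "\n".join(
    [f"{1700000000 + i} UDP 198.51.100.10:5061 > 198.51.100.{i + 30}:5060" for i in range(10)]
    + [
        "1700000020 TCP 198.51.100.10:5061 > 203.0.113.7:49152",  # TLS reply to a client's ephemeral port
        "1700000021 UDP 198.51.100.20:5060 > 198.51.100.10:5060",  # a normal peer talking to the VCS
        "1700000022 UDP 198.51.100.21:5060 > 198.51.100.10:5060",
    ]
)

FLOW_RE = re.compile(
    r"^(?P<ts>\d+)\s+(?P<proto>\w+)\s+(?P<src>[\d.]+):(?P<sport>\d+)"
    r"\s+>\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_flows(text):
    """Parse flow lines into dicts; lines that do not match the constructed format are skipped."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        flows.append({
            "ts": int(d["ts"]), "proto": d["proto"], "src": d["src"], "dst": d["dst"],
            "sport": int(d["sport"]), "dport": int(d["dport"]),
        })
    return flows


def find_sip_fanout(flows, src_port=5061, dst_port=5060, min_targets=8, prefix_len=24):
    """Return one finding per source host that reaches at least min_targets distinct
    destinations using exactly the (src_port, dst_port) pair in question.
    same_subnet says whether every target sits in the source's own /prefix_len,
    which separates a neighbour sweep from ordinary outbound signalling."""
    targets = defaultdict(set)
    times = defaultdict(list)
    for f in flows:
        if f["sport"] == src_port and f["dport"] == dst_port:
            targets[f["src"]].add(f["dst"])
            times[f["src"]].append(f["ts"])
    findings = []
    for src, dsts in targets.items():
        if len(dsts) < min_targets:
            continue
        net = ipaddress.ip_network(f"{src}/{prefix_len}", strict=False)
        findings.append({
            "src": src,
            "targets": len(dsts),
            "same_subnet": all(ipaddress.ip_address(d) in net for d in dsts),
            "span_seconds": max(times[src]) - min(times[src]),
        })
    # Largest fan-out first, so the most suspicious host is at the top of the report.
    return sorted(findings, key=lambda x: -x["targets"])


if __name__ == "__main__":
    for finding in find_sip_fanout(parse_flows(SAMPLE_FLOWS)):
        print(finding)
```

The benign lines are deliberately included to show what the filter ignores: a TLS answer from port 5061 back to a client's ephemeral port, and peers contacting the VCS on 5060. If a real mirror shows a finding like the constructed one, the next step is the one Arne describes: look in the VCS search history for the originating address of the LRQ/SIP INVITEs and correlate it with the flagged source.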