avayaguy
New Contributor II

Adtran hacked? Please help

Somehow and someway someone got into my Adtran even with a strong password. Here is what I've done to stop them from calling the UK. I got hit with a $440.00 bill for just a few days.

Any other ideas?

I also removed this little line:

voice user 0000.  (I REMOVED THIS)

  password "1234"

  sip-identity Unknown T02

login as: admin

admin@172.99.99.99's password:

ADTRAN>en

Password:

% Incorrect password.

ADTRAN>XXXXXXXXXXXX

% Unrecognized command

ADTRAN>en

Password:

ADTRAN#wr me

Building configuration...

Done. Success!

ADTRAN#conf t

ADTRAN(config)#username enable password xxxxxxxx

ADTRAN(config)#exit

Appropriate commands must be issued to preserve configuration.

ADTRAN#wr me

Building configuration...

Done. Success!

ADTRAN#show run voice

Building configuration...

!

!

voice feature-mode network

voice transfer-mode local

voice forward-mode network

!

!

!

!XXXXXXXXXXXX

!

!

!

!

!

!

!

!

voice codec-list "Codec Options Flowroute"

  codec g711ulaw

!

!

!

voice trunk T01 type sip

  description "flowroutesip"

  sip-server primary 216.115.69.144

  conferencing-uri "t"

  domain "sip.flowroute.com"

  trust-domain

  codec-list "Codec Options Flowroute" both

  authentication username "56789765" password "xxxxxxxxxxxxx"

!

voice trunk T02 type sip

  match dnis "1$" substitute "$"

  sip-server primary 172.xx.xxx.xx

  trust-domain

  grammar from host local

  transfer-mode network

!

!

voice grouped-trunk PSTN

  trunk T01

  accept 1-NXX-NXX-XXXX cost 0

  accept N11 cost 0

  accept NXX-NXX-XXXX cost 0

  accept 011-X$ cost 0

!

!

voice grouped-trunk T02

  trunk T02

  accept 1-NXX-NXX-XXXX cost 0

  accept 011-X$ cost 0

!

!

voice user 0000

  password "1234"

  sip-identity Unknown T02

!

!

!

!

!

!

!

!

!

end

ADTRAN#

ADTRAN#

ADTRAN#

ADTRAN#

ADTRAN#

ADTRAN#

ADTRAN#conf t

ADTRAN(config)#voice grou

ADTRAN(config)#voice grouped-trunk T02

ADTRAN(config-T02)#no accept 011-X$ cost 0

ADTRAN(config-T02)#exit

ADTRAN(config)#exit

Appropriate commands must be issued to preserve configuration.

ADTRAN#wr me

Building configuration...

Done. Success!

ADTRAN#conf t

ADTRAN(config)#voice gr

ADTRAN(config)#voice grouped-trunk PSTN

ADTRAN(config-PSTN)#no acce

ADTRAN(config-PSTN)#no accept 011-X$ cost 0

ADTRAN(config-PSTN)#exit

ADTRAN(config)#wr me

% Unrecognized command

ADTRAN(config)#exit

Appropriate commands must be issued to preserve configuration.

ADTRAN#wr me

Building configuration...

Done. Success!

ADTRAN#

ADTRAN#

ADTRAN#

ADTRAN#

ADTRAN#

And here is the config. I removed that voice user 0000.

login as: admin

admin@172.99.99.99's password:

ADTRAN>en

Password:

% Incorrect password.

ADTRAN>

ADTRAN>

ADTRAN>

ADTRAN>

ADTRAN>show run

% Unrecognized command

ADTRAN>

ADTRAN>

ADTRAN>

ADTRAN>

ADTRAN>

ADTRAN>

ADTRAN>

ADTRAN>en

Password:

ADTRAN#show run

Building configuration...

!

!

! ADTRAN, Inc. OS version R11.2.0.E

! Boot ROM version 14.05.00.SA

! Platform: Total Access 908e (2nd Gen), part number 4242908L1

! Serial number CFG0964538

!

!

hostname "ADTRAN"

enable password xxxx

!

license key esbc-trial

!

!

ip subnet-zero

ip classless

ip routing

ipv6 unicast-routing

!

!

domain-proxy

name-server 8.8.8.8 4.2.2.2

!

!

no auto-config

!

event-history on

no logging forwarding

no logging email

!

no service password-encryption

!

username "admin" password "xxxxxx$"

username "enable" password "xxxxxxxx$"

!

!

ip firewall

no ip firewall alg msn

no ip firewall alg mszone

no ip firewall alg h323

!

!

!

!

!

!

!

!

no dot11ap access-point-control

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

qos map Voice 10

  match dscp 46

  priority 800

!

qos map eth0/1QosWizard 20

  match dscp 46

  shape average 4194304

qos map eth0/1QosWizard 21

  match ip list acleth0/1QosWizSignal21

  set dscp 26

!

!

!

!

interface eth 0/1

  description outside

  ip address  xxxxxxxxxx  255.255.255.248

  ip access-policy Public

  media-gateway ip primary

  traffic-shape rate 1000000

  max-reserved-bandwidth 100

  qos-policy out eth0/1QosWizard

  no shutdown

!

!

interface eth 0/2

  description inside

  ip address  172.99.99.99  255.255.255.0

  ip access-policy Private

  media-gateway ip primary

  no shutdown

!

!

!

!

interface t1 0/1

  shutdown

!

interface t1 0/2

  shutdown

!

interface t1 0/3

  shutdown

!

interface t1 0/4

  shutdown

!

!

interface fxs 0/1

  no shutdown

!

interface fxs 0/2

  no shutdown

!

interface fxs 0/3

  no shutdown

!

interface fxs 0/4

  no shutdown

!

interface fxs 0/5

  no shutdown

!

interface fxs 0/6

  no shutdown

!

interface fxs 0/7

  no shutdown

!

interface fxs 0/8

  no shutdown

!

!

interface fxo 0/0

  shutdown

!

!

!

!

!

!

!

!

ip access-list extended acleth0/1QosWizSignal21

  permit udp any  any eq 5060

!

ip access-list extended Admin

  permit tcp any  any eq ssh

  permit tcp any  any eq https

!

ip access-list extended MatchAll

  permit ip any  any

!

ip access-list extended SIP

  permit udp any  any eq 5060

!

!

!

!

ip policy-class Private

  allow list MatchAll self

  nat source list MatchAll interface eth 0/1 overload

  allow list MatchAll self

  nat source list MatchAll interface eth 0/1 overload

!

ip policy-class Public

  allow list SIP self

  allow list Admin self

!

!

!

ip route 0.0.0.0 0.0.0.0 123123123

!

no tftp server

no tftp server overwrite

http server

http secure-server

no snmp agent

no ip ftp server

no ip scp server

no ip sntp server

!

!

!

!

!

!

!

!

sip

sip udp 5060

no sip tcp

!

!

!

voice feature-mode network

voice transfer-mode local

voice forward-mode network

!

!

!

!

!

!

!

!

!

!

!

!

voice codec-list "Codec Options Flowroute"

  codec g711ulaw

!

!

!

voice trunk T01 type sip

  description "flowroutesip"

  sip-server primary 216.115.69.144

  conferencing-uri "t"

  domain "sip.flowroute.com"

  trust-domain

  codec-list "Codec Options Flowroute" both

  authentication username "03057332" password "xxxxxxxxxx"

!

voice trunk T02 type sip

  match dnis "1$" substitute "$"

  sip-server primary 172.xx.xxx.xxx

  trust-domain

  grammar from host local

  transfer-mode network

!

!

voice grouped-trunk PSTN

  trunk T01

  accept 1-NXX-NXX-XXXX cost 0

  accept N11 cost 0

  accept NXX-NXX-XXXX cost 0

!

!

voice grouped-trunk T02

  trunk T02

  accept 1-NXX-NXX-XXXX cost 0

!

!

voice user 0000.  (I REMOVED THIS)

  password "1234"

  sip-identity Unknown T02

!

!

!

!

sip privacy

!

!

!

no sip prefer double-reinvite

!

!

!

ip rtp symmetric-filter

ip rtp media-anchoring

!

!

ip rtp quality-monitoring

ip rtp quality-monitoring udp

ip rtp quality-monitoring sip

!

line con 0

  no login

!

line telnet 0 4

  login

  password password

  no shutdown

line ssh 0 4

  login local-userlist

  no shutdown

!

!

ntp source ethernet 0/2

!

!

!

end

ADTRAN#

ADTRAN#

ADTRAN#

ADTRAN#

ADTRAN#

ADTRAN#

ADTRAN#


Accepted Solutions
jayh
Honored Contributor

Re: Adtran hacked? Please help

In your config:

line telnet 0 4

  login

  password password

  no shutdown

You'll want to fix that. Anyone in the world can access the device with the password "password". I would remove the password and shutdown the telnet access, use ssh only.

Also in the config:

no service password-encryption

I recommend enabling password encryption to prevent reading passwords from the configuration. Issue the command "service password-encryption".

You'll also want to change all passwords on the device including SIP authentication and anything else on your network that uses the same passwords.

Also in the config:

username "admin" password "xxxxxx$"

username "enable" password "xxxxxxxx$"

Did you put the "admin" user there or was it from the default? If it's from the default, it has the password "password". Remove the admin user if you aren't using it.

Keep in mind that the web GUI interface allows changes and full access without enable. (Note to Adtran, please consider changing this to require enable password.)

Create an ACL called "admin-access" containing only the local networks you use to manage the device. Apply this ACL to line ssh, line telnet (if you use it, not recommended) and also http server and http secure-server.

http ip access-class admin-access in

http ip secure-access-class admin-access in

line telnet 0 4

ip access-class admin-access in

line ssh 0 4

ip access-class admin-access in

Create another ACL called "sip-access" containing just the subnets of your SIP provider and internal SIP users and apply that to the SIP process with:

sip access-class ip "sip-access" in

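Added example, not part of the thread and not an Adtran tool: a small Python audit that parses a "show run" dump in the AOS block format shown above (top-level statements with indented children, "!" separators) and flags the exposures the fixes in this thread address: cleartext passwords, the SIP stack open to any source, an international "011-" accept pattern on a grouped trunk, a weak voice-user password, telnet enabled, and management lines with no access-class. The config excerpt and its password values are constructed for the example.

```python
# Constructed excerpt in AOS "show run" style, modelled on the config posted in the
# thread (not the poster's full config); password values are placeholders.
SAMPLE_CONFIG = """\
no service password-encryption
sip
voice grouped-trunk PSTN
  accept 1-NXX-NXX-XXXX cost 0
  accept 011-X$ cost 0
voice user 0000
  password "1234"
line telnet 0 4
  password password
  no shutdown
line ssh 0 4
  no shutdown
"""

def parse_blocks(text):
    # Group an AOS config into (header, [indented child lines]); '!' separators are dropped.
    blocks = []
    for raw in (l for l in text.splitlines() if l.strip() and not l.startswith("!")):
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks

def audit(text):
    # One finding per exposure that the fixes discussed in this thread address.
    blocks = parse_blocks(text)
    headers = {h for h, _ in blocks}
    findings = []
    if "no service password-encryption" in headers:
        findings.append("cleartext passwords in config: set 'service password-encryption'")
    if "sip" in headers and not any(h.startswith("sip access-class") for h in headers):
        findings.append("SIP reachable from any source: apply 'sip access-class ip ... in'")
    for header, body in blocks:
        if header.startswith("line telnet") and "no shutdown" in body:
            note = " with the default password" if "password password" in body else ""
            findings.append(f"{header}: telnet enabled{note}; shut it down and use ssh only")
        if header.startswith("line ") and "no shutdown" in body and not any(b.startswith("ip access-class") for b in body):
            findings.append(f"{header}: no 'ip access-class ... in' limiting management sources")
        if header.startswith("voice grouped-trunk"):
            findings += [f"{header}: international dialing allowed by '{b}'" for b in body if b.startswith("accept 011-")]
        if header.startswith("voice user"):
            for pw in (b.split(None, 1)[1].strip('"') for b in body if b.startswith("password ")):
                if len(pw) < 8 or pw.isdigit():
                    findings.append(f"{header}: weak SIP user password, rotate it")
    return findings
```

Run `audit()` over the output of `show run` captured from the device; an empty list means none of the checks above fired, not that the device is safe.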
avayaguy
New Contributor II

Re: Adtran hacked? Please help

I am kicking myself on the telnet, how could I miss this? The other two are very secure SSH passwords, changed post-compromise. I put admin in there and it's used for shell. I'll also do the other items to lock this down. Thanks so much, it was right in front of me and I kept missing it. Thank you.
