Somehow and some way someone got into my Adtran even with a strong password. Here is what I've done to stop them from calling the UK. I got hit with a $440.00 bill for just a few days.
Any other ideas?
I also removed this little line:
voice user 0000. (I REMOVED THIS)
password "1234"
sip-identity Unknown T02
login as: admin
admin@172.99.99.99's password:
ADTRAN>en
Password:
% Incorrect password.
ADTRAN>XXXXXXXXXXXX
% Unrecognized command
ADTRAN>en
Password:
ADTRAN#wr me
Building configuration...
Done. Success!
ADTRAN#conf t
ADTRAN(config)#username enable password xxxxxxxx
ADTRAN(config)#exit
Appropriate commands must be issued to preserve configuration.
ADTRAN#wr me
Building configuration...
Done. Success!
ADTRAN#show run voice
Building configuration...
!
!
voice feature-mode network
voice transfer-mode local
voice forward-mode network
!
!
!
!XXXXXXXXXXXX
!
!
!
!
!
!
!
!
voice codec-list "Codec Options Flowroute"
codec g711ulaw
!
!
!
voice trunk T01 type sip
description "flowroutesip"
sip-server primary 216.115.69.144
conferencing-uri "t"
domain "sip.flowroute.com"
trust-domain
codec-list "Codec Options Flowroute" both
authentication username "56789765" password "xxxxxxxxxxxxx"
!
voice trunk T02 type sip
match dnis "1$" substitute "$"
sip-server primary 172.xx.xxx.xx
trust-domain
grammar from host local
transfer-mode network
!
!
voice grouped-trunk PSTN
trunk T01
accept 1-NXX-NXX-XXXX cost 0
accept N11 cost 0
accept NXX-NXX-XXXX cost 0
accept 011-X$ cost 0
!
!
voice grouped-trunk T02
trunk T02
accept 1-NXX-NXX-XXXX cost 0
accept 011-X$ cost 0
!
!
voice user 0000
password "1234"
sip-identity Unknown T02
!
!
!
!
!
!
!
!
!
end
ADTRAN#
ADTRAN#
ADTRAN#
ADTRAN#
ADTRAN#
ADTRAN#
ADTRAN#conf t
ADTRAN(config)#voice grou
ADTRAN(config)#voice grouped-trunk T02
ADTRAN(config-T02)#no accept 011-X$ cost 0
ADTRAN(config-T02)#exit
ADTRAN(config)#exit
Appropriate commands must be issued to preserve configuration.
ADTRAN#wr me
Building configuration...
Done. Success!
ADTRAN#conf t
ADTRAN(config)#voice gr
ADTRAN(config)#voice grouped-trunk PSTN
ADTRAN(config-PSTN)#no acce
ADTRAN(config-PSTN)#no accept 011-X$ cost 0
ADTRAN(config-PSTN)#exit
ADTRAN(config)#wr me
% Unrecognized command
ADTRAN(config)#exit
Appropriate commands must be issued to preserve configuration.
ADTRAN#wr me
Building configuration...
Done. Success!
ADTRAN#
ADTRAN#
ADTRAN#
ADTRAN#
ADTRAN#
And here is the config. I removed that voice user 0000.
login as: admin
admin@172.99.99.99's password:
ADTRAN>en
Password:
% Incorrect password.
ADTRAN>
ADTRAN>
ADTRAN>
ADTRAN>
ADTRAN>show run
% Unrecognized command
ADTRAN>
ADTRAN>
ADTRAN>
ADTRAN>
ADTRAN>
ADTRAN>
ADTRAN>
ADTRAN>en
Password:
ADTRAN#show run
Building configuration...
!
!
! ADTRAN, Inc. OS version R11.2.0.E
! Boot ROM version 14.05.00.SA
! Platform: Total Access 908e (2nd Gen), part number 4242908L1
! Serial number CFG0964538
!
!
hostname "ADTRAN"
enable password xxxx
!
license key esbc-trial
!
!
ip subnet-zero
ip classless
ip routing
ipv6 unicast-routing
!
!
domain-proxy
name-server 8.8.8.8 4.2.2.2
!
!
no auto-config
!
event-history on
no logging forwarding
no logging email
!
no service password-encryption
!
username "admin" password "xxxxxx$"
username "enable" password "xxxxxxxx$"
!
!
ip firewall
no ip firewall alg msn
no ip firewall alg mszone
no ip firewall alg h323
!
!
!
!
!
!
!
!
no dot11ap access-point-control
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
qos map Voice 10
match dscp 46
priority 800
!
qos map eth0/1QosWizard 20
match dscp 46
shape average 4194304
qos map eth0/1QosWizard 21
match ip list acleth0/1QosWizSignal21
set dscp 26
!
!
!
!
interface eth 0/1
description outside
ip address xxxxxxxxxx 255.255.255.248
ip access-policy Public
media-gateway ip primary
traffic-shape rate 1000000
max-reserved-bandwidth 100
qos-policy out eth0/1QosWizard
no shutdown
!
!
interface eth 0/2
description inside
ip address 172.99.99.99 255.255.255.0
ip access-policy Private
media-gateway ip primary
no shutdown
!
!
!
!
interface t1 0/1
shutdown
!
interface t1 0/2
shutdown
!
interface t1 0/3
shutdown
!
interface t1 0/4
shutdown
!
!
interface fxs 0/1
no shutdown
!
interface fxs 0/2
no shutdown
!
interface fxs 0/3
no shutdown
!
interface fxs 0/4
no shutdown
!
interface fxs 0/5
no shutdown
!
interface fxs 0/6
no shutdown
!
interface fxs 0/7
no shutdown
!
interface fxs 0/8
no shutdown
!
!
interface fxo 0/0
shutdown
!
!
!
!
!
!
!
!
ip access-list extended acleth0/1QosWizSignal21
permit udp any any eq 5060
!
ip access-list extended Admin
permit tcp any any eq ssh
permit tcp any any eq https
!
ip access-list extended MatchAll
permit ip any any
!
ip access-list extended SIP
permit udp any any eq 5060
!
!
!
!
ip policy-class Private
allow list MatchAll self
nat source list MatchAll interface eth 0/1 overload
allow list MatchAll self
nat source list MatchAll interface eth 0/1 overload
!
ip policy-class Public
allow list SIP self
allow list Admin self
!
!
!
ip route 0.0.0.0 0.0.0.0 123123123
!
no tftp server
no tftp server overwrite
http server
http secure-server
no snmp agent
no ip ftp server
no ip scp server
no ip sntp server
!
!
!
!
!
!
!
!
sip
sip udp 5060
no sip tcp
!
!
!
voice feature-mode network
voice transfer-mode local
voice forward-mode network
!
!
!
!
!
!
!
!
!
!
!
!
voice codec-list "Codec Options Flowroute"
codec g711ulaw
!
!
!
voice trunk T01 type sip
description "flowroutesip"
sip-server primary 216.115.69.144
conferencing-uri "t"
domain "sip.flowroute.com"
trust-domain
codec-list "Codec Options Flowroute" both
authentication username "03057332" password "xxxxxxxxxx"
!
voice trunk T02 type sip
match dnis "1$" substitute "$"
sip-server primary 172.xx.xxx.xxx
trust-domain
grammar from host local
transfer-mode network
!
!
voice grouped-trunk PSTN
trunk T01
accept 1-NXX-NXX-XXXX cost 0
accept N11 cost 0
accept NXX-NXX-XXXX cost 0
!
!
voice grouped-trunk T02
trunk T02
accept 1-NXX-NXX-XXXX cost 0
!
!
voice user 0000. (I REMOVED THIS)
password "1234"
sip-identity Unknown T02
!
!
!
!
sip privacy
!
!
!
no sip prefer double-reinvite
!
!
!
ip rtp symmetric-filter
ip rtp media-anchoring
!
!
ip rtp quality-monitoring
ip rtp quality-monitoring udp
ip rtp quality-monitoring sip
!
line con 0
no login
!
line telnet 0 4
login
password password
no shutdown
line ssh 0 4
login local-userlist
no shutdown
!
!
ntp source ethernet 0/2
!
!
!
end
ADTRAN#
ADTRAN#
ADTRAN#
ADTRAN#
ADTRAN#
ADTRAN#
ADTRAN#
172.99.99.99
In your config:
line telnet 0 4
login
password password
no shutdown
You'll want to fix that. Anyone in the world can access the device with the password "password". I would remove the password and shut down the telnet access; use ssh only.
Also in the config:
no service password-encryption
I recommend enabling password encryption to prevent reading passwords from the configuration. Issue the command "service password-encryption".
You'll also want to change all passwords on the device including SIP authentication and anything else on your network that uses the same passwords.
Also in the config:
username "admin" password "xxxxxx$"
username "enable" password "xxxxxxxx$"
Did you put the "admin" user there or was it from the default? If it's from the default, it has the password "password". Remove the admin user if you aren't using it.
Keep in mind that the web GUI interface allows changes and full access without enable. (Note to Adtran, please consider changing this to require enable password.)
Create an ACL called "admin-access" containing only the local networks you use to manage the device. Apply this ACL to line ssh, line telnet (if you use it, not recommended) and also http server and http secure-server.
http ip access-class admin-access in
http ip secure-access-class admin-access in
line telnet 0 4
ip access-class admin-access in
line ssh 0 4
ip access-class admin-access in
Create another ACL called "sip-access" containing just the subnets of your SIP provider and internal SIP users, and apply that to the SIP process with:
sip access-class ip "sip-access" in
I am kicking myself on the telnet; how could I miss this? The other two are very secure SSH passwords, changed post-compromise. I put admin in there and it's used for shell. I'll also do the other items to lock this down. Thanks so much, it was right in front of me and I kept missing it. Thank you.
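An added audit script, written for this thread and not Adtran's code or anything posted above, that reads a saved running-config as text and flags the weak spots the reply lists: the telnet line with the default password, "no service password-encryption", the default "admin" account, the web GUI and SIP listener with no access-class, the 011-X$ international accept entries in the trunk groups, and the weak voice-user password. The two sample configs are constructed for the example and follow the syntax of the configs posted in this thread; the ACL definitions (ip access-list standard ...) in the hardened sample are assumed syntax and are not inspected by the checks.

```python
"""Audit an AOS-style running-config (plain text) for the weaknesses raised
in this thread. Constructed example, not Adtran code."""
import re

# Passwords that should never appear on a line, enable, or voice user.
WEAK_PASSWORDS = {"password", "1234", "admin", "adtran", ""}


def parse_config(text):
    """Split the config into (header, [sub-commands]) sections. An unindented
    line opens a section; indented lines belong to the most recent one."""
    sections = []
    current = None
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped == "!":
            continue
        if raw[0].isspace() and current is not None:
            current[1].append(stripped)
        else:
            current = (stripped, [])
            sections.append(current)
    return sections


def _password_of(body):
    """Return the value of a 'password ...' sub-command, quotes removed."""
    for cmd in body:
        if cmd.startswith("password "):
            return cmd.split(None, 1)[1].strip().strip('"')
    return None


def audit(text):
    """Return a list of human-readable findings; empty means nothing flagged."""
    findings = []
    sections = parse_config(text)
    headers = [h for h, _ in sections]

    if "no service password-encryption" in headers:
        findings.append("global: 'no service password-encryption' leaves passwords readable in the config")
    for h in headers:
        if re.match(r'username\s+"?admin"?\s', h):
            findings.append("global: 'admin' user present (factory default account); remove it if unused")
    if any(h.startswith("http ") and h.endswith("server") for h in headers):
        if not any(h.startswith(("http ip access-class", "http ip secure-access-class")) for h in headers):
            findings.append("http: web GUI enabled without an access-class ACL")
    if any(h == "sip" or h.startswith(("sip udp", "sip tcp")) for h in headers):
        if not any(h.startswith("sip access-class ip") for h in headers):
            findings.append("sip: SIP listener not restricted with 'sip access-class ip'")

    for header, body in sections:
        if header.startswith(("line telnet", "line ssh")):
            if "no shutdown" not in body:
                continue  # line is shut down, nothing to reach
            pw = _password_of(body)
            if header.startswith("line telnet"):
                findings.append(f"{header}: telnet enabled; cleartext protocol, prefer ssh only")
            if pw is not None and pw.lower() in WEAK_PASSWORDS:
                findings.append(f"{header}: weak/default line password {pw!r}")
            if not any(c.startswith("ip access-class") for c in body):
                findings.append(f"{header}: no 'ip access-class' restricting management sources")
        elif header.startswith("voice grouped-trunk"):
            for c in body:
                if c.startswith("accept 011-"):
                    findings.append(f"{header}: international dial pattern '{c}' accepted")
        elif header.startswith("voice user"):
            pw = _password_of(body)
            if pw is not None and (pw.lower() in WEAK_PASSWORDS or (pw.isdigit() and len(pw) < 8)):
                findings.append(f"{header}: weak SIP user password {pw!r}")
    return findings


# Constructed sample mirroring the weak settings discussed in the thread.
VULNERABLE_CONFIG = """\
hostname "ADTRAN"
no service password-encryption
!
username "admin" password "PLACEHOLDER"
!
http server
http secure-server
!
sip
sip udp 5060
!
voice grouped-trunk PSTN
  trunk T01
  accept 1-NXX-NXX-XXXX cost 0
  accept 011-X$ cost 0
!
voice user 0000
  password "1234"
  sip-identity Unknown T02
!
line telnet 0 4
  login
  password password
  no shutdown
line ssh 0 4
  login local-userlist
  no shutdown
!
end
"""

# Constructed hardened sample; the ip access-list lines are assumed syntax.
HARDENED_CONFIG = """\
hostname "ADTRAN"
service password-encryption
!
username "netops" password "PLACEHOLDER"
!
ip access-list standard admin-access
  permit 172.99.99.0 0.0.0.255
ip access-list standard sip-access
  permit host 216.115.69.144
  permit 172.99.99.0 0.0.0.255
!
http server
http secure-server
http ip access-class admin-access in
http ip secure-access-class admin-access in
!
sip
sip udp 5060
sip access-class ip "sip-access" in
!
voice grouped-trunk PSTN
  trunk T01
  accept 1-NXX-NXX-XXXX cost 0
!
voice user 0000
  password "PLACEHOLDER"
  sip-identity Unknown T02
!
line telnet 0 4
  login
  shutdown
line ssh 0 4
  login local-userlist
  ip access-class admin-access in
  no shutdown
!
end
"""

if __name__ == "__main__":
    for name, cfg in (("vulnerable", VULNERABLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name}: {len(audit(cfg))} finding(s)")
        for f in audit(cfg):
            print("  -", f)
```

Run it against the output of "show run" saved to a file (feed the file contents to audit()) before and after the changes; the vulnerable sample produces ten findings and the hardened one none.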