DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

Malicious calls and resets initiated from the WAN

26 Mar 2014 17:58 #1 by njkmoore
Hi

I noticed malicious outbound calls being attempted on my 2820 IP PBX in the call logs. They were failing because they were from an unregistered extension number, and possibly because of a price cap on my outbound SIP trunk. Alarmingly, the number being dialled appeared to be a premium-rate Israeli phone number!

I called customer support who gave me a firmware patch which seems to have stopped this (something about responding to an invitation to call that number?).

There was one other detail about the attack, though. The attacker seemed to be clearing my call logs to cover their tracks. I'm not sure how they were doing this, but I'm guessing they had a trick to restart the router remotely, which has the effect of clearing the call log.

This restarting continued to happen after I patched, until I set "Disable remote registration", which seems to have resolved the issue. This is annoying, though, because I was connecting to the VPN and then to the IP PBX from remote locations prior to that.

As far as I can see, my VPN has not been compromised, nor the router itself, otherwise there would have been more damage done. It's a little alarming, though, and I wondered if Draytek have anything to say about the remote resets that I was experiencing.

Thanks

Nick
Model Name : VigorIPPBX 2820
Firmware Version : 3.5.9_PB3a (upgraded a couple of days ago from the supplied variation of 3.5.9)


07 Jul 2014 17:31 #2 by kingussie
I got the below email after my account drained all credit between 2 and 3 in the morning. Seems the 2820 can be easily hacked.

Dear Customer,

Please ignore our last email

We have noticed call attempts from account 8435053 to numbers that have historically been the targets for fraudulent dialling.

Example numbers dialled are:

01:05:23 8435053 255411400202
00:00:29 8435053 37855771540
If you have not made these calls, we believe your VigorIPPBX 2820 security has been compromised, as we can see that these calls originated from your IP address 217.46.245.6. Please change your DrayTel ID 8435053 password and secure your PBX by following the DrayTel security guide attached below. Please use the IP address ranges given below, which were recently updated and are missing from the attached guide.

217.14.138.0/24
77.240.48.0/24
77.240.54.0/24
77.240.56.32/27
77.240.60.0/24
77.240.61.160/27

http://www.draytel.org/resources/pdf/Password%20Security%20Policy.pdf

Please let us know if you need any further assistance.

Thanks
