Security breach on extension

Had a security breach on an extension this morning.

Extension password is a twelve digit alpha-numeric code with a tested working fail2ban process in place.
Thus, brute force intrusion is unlikely.

This PBX has about eight extensions, with only one affected. Looking in the logs, they look clean with no unusual activity or access.

In fact the fail2ban log shows zero password failures in the entire log for that extension, except for today when I changed the password and the legitimate phone tried to authenticate.

So it appears the intruder was able to obtain the password some way.

On a note, the extension is in a private residence, connected to a router, with the VoIP phone with the default admin/admin credentials in place.

Any ideas?


I would suggest that the default admin/admin login is your problem. You don’t mention the phone in question or your network configuration at all ends. If the router at the “private residence” forwards udp/5060 connections to the phone, then that is where the problem starts and then gets worse.

This was just a phone which was plugged into the router, nothing more done for port forwarding.

So I am at a loss how they could have gotten the password.

The admin/admin password means that someone connected to the actual phone and started their shenanigans from there. The admin panel on the phone probably has an option to show the password, which in turn gives the attacker carte blanche to make all the calls from all of their criminal buddies’ phones they want. Once the external 5060 from the router was turned off, the hole was closed, but if you open it up again, expect the same problems to occur.

From a purely administrative perspective, you should avoid putting your server and your phones in a network position to be accessed from outside the local LAN.

Actually, I have stated again and again: just don’t listen on 5060 or anything close for your SIP connections, server or phones. If your provider is not compliant with that, then write a rewrite rule on your router for that recalcitrant entity to your new, less visible SIP bound port.

It’s a Yealink phone and there is no ability to do such a thing as revealing the password.

And for the private residence part, it’s just a phone plugged into the router, no port forwarding done at all, or ever has been done.

Thanks for the responses


When you want to control settings on the Yealink, to access the web interface:

Are you using
username: admin
password: admin or password

If so, this is most likely how the calls ‘from’ the phone are happening.

Yealink knows about this, and they always suggest changing the web interface password.