Author Topic: Did we just get hacked?

Offline Mitel3300
Did we just get hacked?
« on: September 16, 2016, 02:55:42 PM »
Hi,

I am seeing the following types of records in our SMDR data approximately every 20 minutes :

09/16 00:28:20 0000:00:07 X9999 0002 442030930112 79018000 8009 001 442030930112 8000 A0010471 A
09/16 00:28:20 0000:00:08 X9999 0002 442030930112 79018000 8010 001 442030930112 8000 A0011746 A
09/16 00:28:32 0000:00:08 X9999 0001 442030930112 79018000 8011 001 442030930112 8000 A0010475 A
09/16 00:28:32 0000:00:08 X9999 0001 442030930112 79018000 8012 001 442030930112 8000 A0010483 A

I have attached an excel spreadsheet that contains this data parsed out.

Can somebody please help me figure this out? I have received reports of our users seeing that 442.... number show up on their caller ID, but there is only dead air when the call is answered.

I'd like to put a stop to this activity. Any suggestions on how to block these calls/activity in the 3300 switch?

Thanks much in advance.


Offline ralph
Re: Did we just get hacked?
« Reply #1 on: September 16, 2016, 03:50:36 PM »
It's hard to tell if you've been hacked from this report.
It appears the source of the call is coming through another PBX.
Is 8000 your voice mail?
The duration of the call is only ~8 seconds.  That doesn't suggest to me a hack.
Are you showing any outbound calls in your logs?

Ralph


Offline Mitel3300
Re: Did we just get hacked?
« Reply #2 on: September 16, 2016, 04:47:50 PM »
Hi Ralph,

Thanks for the perceptive questions.

Interesting that you think the calls are coming from another PBX. What makes you think that, and how do I find out which PBX (whose PBX) it is?

You are absolutely correct that 8000 is our VM. 8001-13 are the VM ports.

I am no expert on the 3300, but this command on the switch:

LOGSYS READ SMDR NEWEST 200 MATCH 442

yields the following:

 09/16 16:19:12  0000:00:08 X9999   0001 442030930112 79018000       8011       
                           001   442030930112         8000               A001356
1 A                                                                             
 09/16 16:19:12  0000:00:08 X9999   0001 442030930112 79018000       8010       
                           001   442030930112         8000               A001227
7 A                                                                             
 09/16 16:19:03  0000:00:08 X9999   0001 442030930112 79018000       8009       
                           001   442030930112         8000               A001355
5 A                                                                             
 09/16 16:19:03  0000:00:08 X9999   0001 442030930112 79018000       8008       
                           001   442030930112         8000               A001482
7 A                                                                             
 09/16 15:56:37  0000:00:08 X9999   0002 442030930112 79018000       8001       
                           001   442030930112         8000               A001086
7 A                                                                             
 09/16 15:56:37  0000:00:07 X9999   0002 442030930112 79018000       8012       
                           001   442030930112         8000               A001595
9 A                                                                             
 09/16 15:48:00  0000:00:11 3560         3560 18004423691          A T32       
                           001   13560                                   A001208
3 A                                                                             
 09/16 15:34:33  0000:00:08 X9999   0002 442030930112 79018000       8007       
                           001   442030930112         8000               A001325
8 A                                                                             
 09/16 15:34:33  0000:00:07 X9999   0002 442030930112 79018000       8006       
                           001   442030930112         8000               A001065
8 A                                                                             
 09/16 15:34:30  0000:00:08 X9999   0002 442030930112 79018000       8004       
                           001   442030930112         8000               A001325
3 A                                                                             
 09/16 15:34:30  0000:00:08 X9999   0002 442030930112 79018000       8003       
                           001   442030930112         8000               A001197
6 A                                                                             
LOGSYS info: READ completed for SMDR log with 200 entries.                     


How to tell whether these are outbound calls?

Thanks much.

Offline ralph
Re: Did we just get hacked?
« Reply #3 on: September 17, 2016, 09:33:46 AM »
Quote:
09/16 15:34:30  0000:00:08 X9999   0002 442030930112 79018000       8003      
                           001   442030930112         8000               A001197

The X9999 is what we show with interPBX traffic.  Unless you have SIP trunks that are flagged with 9999 then this is coming from a different PBX.  You'll have to check the SMDR of each of your systems in order to find the source.

The number highlighted in red is your destination. In this case, 8003 is the port that answered the call.

Ralph
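An added example, not from this thread or from Mitel: a small Python filter over SMDR lines in the single-line format quoted in the first post that picks out the pattern Ralph describes (calls flagged X9999 as interPBX traffic, only a few seconds long, answered on the voicemail ports 8001-8013) and reports how many hit each external number and the gaps between bursts. The column positions used for the 442... number and the answering port, and the year, are assumptions; the sample records are constructed from the ones posted above, with the second pair shifted to show the 20-minute cadence.

```python
from collections import defaultdict
from datetime import datetime

YEAR = 2016  # assumed: SMDR records carry only month/day

# Constructed sample: the single-line records from the first post, with the
# second pair shifted to 00:48 to show the ~20-minute cadence, plus one
# ordinary outbound call (the 3560 record from the LOGSYS output) to ignore.
SAMPLE_SMDR = """\
09/16 00:28:20 0000:00:07 X9999 0002 442030930112 79018000 8009 001 442030930112 8000 A0010471 A
09/16 00:28:20 0000:00:08 X9999 0002 442030930112 79018000 8010 001 442030930112 8000 A0011746 A
09/16 00:48:32 0000:00:08 X9999 0001 442030930112 79018000 8011 001 442030930112 8000 A0010475 A
09/16 00:48:32 0000:00:08 X9999 0001 442030930112 79018000 8012 001 442030930112 8000 A0010483 A
09/16 15:48:00 0000:00:11 3560 3560 18004423691 A T32 001 13560 A0012083 A
"""

def parse_record(line):
    """Split one SMDR line; only columns the thread explains get names."""
    tok = line.split()
    if len(tok) < 8:
        return None
    h, m, s = (int(x) for x in tok[2].split(":"))  # duration HHHH:MM:SS
    return {
        "when": datetime.strptime(f"{YEAR} {tok[0]} {tok[1]}", "%Y %m/%d %H:%M:%S"),
        "seconds": h * 3600 + m * 60 + s,
        "calling": tok[3],   # X9999 = interPBX traffic, per Ralph's reply
        "external": tok[5],  # assumed: column holding the repeated 442... number
        "port": tok[7],      # port that answered the call (8003 in Ralph's quote)
    }

def find_interpbx_probes(text, max_seconds=10, vm_ports=range(8001, 8014)):
    """Group short X9999 calls landing on voicemail ports 8001-8013 by number."""
    hits = defaultdict(list)
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is None or rec["calling"] != "X9999" or rec["seconds"] > max_seconds:
            continue
        if not rec["port"].isdigit() or int(rec["port"]) not in vm_ports:
            continue
        hits[rec["external"]].append(rec)
    report = {}
    for number, recs in hits.items():
        times = sorted({r["when"] for r in recs})
        gaps = [round((b - a).total_seconds() / 60, 1) for a, b in zip(times, times[1:])]
        report[number] = {"count": len(recs),
                          "ports": sorted({r["port"] for r in recs}),
                          "gaps_min": gaps}
    return report
```

Feed it the output of `LOGSYS READ SMDR` once the wrapped lines are rejoined; a number that keeps returning at a fixed interval and only ever touches the voicemail ports is the thing to take to the SMDR of the other PBX.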

