Mitel Forums - The Unofficial Source

Mitel Forums => Mitel MiVoice Business/MCD/3300 => Topic started by: Mitel3300 on September 16, 2016, 02:55:42 PM

Title: Did we just get hacked?
Post by: Mitel3300 on September 16, 2016, 02:55:42 PM: Hi,

I am seeing the following types of records in our SMDR data approximately every 20 minutes :

09/16 00:28:20 0000:00:07 X9999 0002 442030930112 79018000 8009 001 442030930112 8000 A0010471 A
09/16 00:28:20 0000:00:08 X9999 0002 442030930112 79018000 8010 001 442030930112 8000 A0011746 A
09/16 00:28:32 0000:00:08 X9999 0001 442030930112 79018000 8011 001 442030930112 8000 A0010475 A
09/16 00:28:32 0000:00:08 X9999 0001 442030930112 79018000 8012 001 442030930112 8000 A0010483 A

I have attached an excel spreadsheet that contains this data parsed out.

Can somebody please help me figure this out. I have received reports of our users seeing that 442.... number show up on their caller ID but there is only dead air when the call is answered.

I'd like to put a stop to this activity. Any suggestions on how to block these calls/activity in the 3300 switch?

Thanks much in advance.
Title: Re: Did we just get hacked?
Post by: ralph on September 16, 2016, 03:50:36 PM: It's hard to tell if you've been hacked from this report.
It appears the source of the call is coming through another PBX.
Is 8000 your voice mail?
The duration of the call is only ~8 seconds. That doesn't suggest to me a hack.
Are you showing any outbound calls in your logs?

Ralph
Title: Re: Did we just get hacked?
Post by: Mitel3300 on September 16, 2016, 04:47:50 PM: Hi Ralph,

Thanks for the perceptive questions.

Interesting that you think that the calls are coming from another PBX. What makes you think that and how to find out which, whose PBX?

You absolutely correct that 8000 is our vm. 8001-13 are the vm ports.

I am no expert on the 3300 but this command on the switch impacted:

LOGSYS READ SMDR NEWEST 200 MATCH 442

yields the following :

09/16 16:19:12 0000:00:08 X9999 0001 442030930112 79018000 8011
001 442030930112 8000 A001356
1 A
09/16 16:19:12 0000:00:08 X9999 0001 442030930112 79018000 8010
001 442030930112 8000 A001227
7 A
09/16 16:19:03 0000:00:08 X9999 0001 442030930112 79018000 8009
001 442030930112 8000 A001355
5 A
09/16 16:19:03 0000:00:08 X9999 0001 442030930112 79018000 8008
001 442030930112 8000 A001482
7 A
09/16 15:56:37 0000:00:08 X9999 0002 442030930112 79018000 8001
001 442030930112 8000 A001086
7 A
09/16 15:56:37 0000:00:07 X9999 0002 442030930112 79018000 8012
001 442030930112 8000 A001595
9 A
09/16 15:48:00 0000:00:11 3560 3560 18004423691 A T32
001 13560 A001208
3 A
09/16 15:34:33 0000:00:08 X9999 0002 442030930112 79018000 8007
001 442030930112 8000 A001325
8 A
09/16 15:34:33 0000:00:07 X9999 0002 442030930112 79018000 8006
001 442030930112 8000 A001065
8 A
09/16 15:34:30 0000:00:08 X9999 0002 442030930112 79018000 8004
001 442030930112 8000 A001325
3 A
09/16 15:34:30 0000:00:08 X9999 0002 442030930112 79018000 8003
001 442030930112 8000 A001197
6 A
LOGSYS info: READ completed for SMDR log with 200 entries.

How to tell whether these are outbound calls?

Thanks much.
Title: Re: Did we just get hacked?
Post by: ralph on September 17, 2016, 09:33:46 AM: Quote
09/16 15:34:30 0000:00:08 X9999 0002 442030930112 79018000 8003
001 442030930112 8000 A001197

The X9999 is what we show with interPBX traffic. Unless you have SIP trunks that are flagged with 9999 then this is coming from a different PBX. You'll have to check the SMDR of each of your systems in order to find the source.

The number highlighted is Red is your destination. In this case, 8003 is the port that answered the call.

Ralph