Have an older 3300 rel 6 with the PER nodes for analog and digital sets as well as IP sets. The site has 2 controllers in a cluster with SDS. They have had some alarms since the IT dept is scanning for vulnerabilities, but within the last 2 months the alarms are getting worse and the system has locked up on certain occasions since they have started scanning for the Apache Log4j vulnerability. The controller with the PER nodes would lose connection to all of the PER nodes. Running the logs, we saw an IP address trying to access the shell and ESM. We asked them to stop scanning all the IP addresses of the Mitel controllers, E2T, layer 2 and the ESM IP.

The system was reset and nodes came back online, but every other day the system would lose and regain connection to 1 PER node in a rotation: cabinet 2, then 7, then 8, then 2, then 8 and then 7. We tracked down some logs that showed a generic SIP phone trying to FTP into the controller, like someone was in the GUI of the phone issuing commands. This went on for weeks in Jan and Feb. On Feb 16 I asked them to stop scanning everything in the voice subnet (all the phone IP addresses). Since that time, not one alarm or error.

I asked what the scanner is doing and if it was just scanning or trying to access with credentials. I got a roundabout answer with the terms "sometimes it tries brute force". They will stop the scans for another week and then reactivate them. Is there a way I can check if they are scanning? We also had an issue with the webserver locking up on the controllers every other week; that has gone away too. Just looking for a way to prove it is the scans.
Thanks