3300 rel 6 having issues with active scanning for vulnerabilities

Status
Not open for further replies.

Matty269

Systems Engineer
Nov 20, 2017
20
US
Have an older 3300 rel 6 with the PER nodes for analog and digital sets as well as IP sets. The site has 2 controllers in a cluster with SDS. They have had some alarms since the IT dept is scanning for vulnerabilities, but within the last 2 months the alarms are getting worse and the system has locked up on certain occasions since they have started scanning for the Apache log4j vulnerability. The controller with the PER nodes would lose connection to all of the PER nodes. Running the logs we saw an IP address trying to access the shell and ESM. We asked them to stop scanning all the IP addresses of the Mitel controllers, E2T, layer 2 and the ESM IP.

The system was reset and nodes came back online, but every other day the system would lose and regain connection to 1 PER node in a rotation: cabinet 2, then 7, then 8, then 2, then 8 and then 7. We tracked down some logs that showed a generic SIP phone trying to FTP into the controller, like someone was in the GUI of the phone issuing commands. This went on for weeks in Jan and Feb. On Feb 16 I asked them to stop scanning everything in the voice subnet (all the phone IP addresses); since that time, not one alarm or error.

I asked what the scanner is doing and if it was just scanning or trying to access with credentials. I got a roundabout answer with the terms "sometimes it tries brute force". They will stop the scans for another week and then reactivate them. Is there a way I can check if they are scanning? We also had an issue with the webserver locking up on the controllers every other week; that has gone away too. Just looking for a way to prove it is the scans.

Thanks
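One defender-side way to answer "is there a way I can check if they are scanning?" without relying on the PBX's own alarms is to capture connection records at the voice-subnet boundary (a span port, firewall log, or NetFlow export) and look for a single source touching many ports or many hosts in a short window, which is the signature of a vulnerability scanner. The script below is an added example, not from this thread or from Mitel; the record layout (timestamp, source IP, destination IP, destination port) and the sample addresses are constructed, and the thresholds are assumptions to tune for the site.

```python
"""Flag scanner-like sources in connection records (port scan or host sweep).

Added example for the thread above; the record format and addresses are
constructed, not a Mitel log format. Feed it rows exported from a firewall,
NetFlow collector or packet capture taken at the voice-subnet boundary.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: (timestamp, src_ip, dst_ip, dst_port).
# 10.9.8.7 walks many ports on one host, then two on another (port scan).
# 10.9.8.8 touches one port on five different hosts (host sweep).
# 10.10.1.50 / .51 are ordinary SIP phones registering to the controller.
SAMPLE_RECORDS = [
    ("2022-02-28 14:20:01", "10.9.8.7", "10.10.1.10", 21),
    ("2022-02-28 14:20:02", "10.9.8.7", "10.10.1.10", 22),
    ("2022-02-28 14:20:03", "10.9.8.7", "10.10.1.10", 23),
    ("2022-02-28 14:20:04", "10.9.8.7", "10.10.1.10", 80),
    ("2022-02-28 14:20:05", "10.9.8.7", "10.10.1.10", 443),
    ("2022-02-28 14:20:06", "10.9.8.7", "10.10.1.10", 2000),
    ("2022-02-28 14:20:07", "10.9.8.7", "10.10.1.10", 5060),
    ("2022-02-28 14:20:08", "10.9.8.7", "10.10.1.10", 8080),
    ("2022-02-28 14:20:09", "10.9.8.7", "10.10.1.11", 22),
    ("2022-02-28 14:20:10", "10.9.8.7", "10.10.1.11", 80),
    ("2022-02-28 14:21:00", "10.10.1.50", "10.10.1.10", 5060),
    ("2022-02-28 14:21:05", "10.10.1.50", "10.10.1.10", 5060),
    ("2022-02-28 14:21:30", "10.10.1.50", "10.10.1.10", 5060),
    ("2022-02-28 14:22:00", "10.10.1.51", "10.10.1.10", 5060),
    ("2022-02-28 14:25:00", "10.9.8.8", "10.10.1.20", 22),
    ("2022-02-28 14:25:01", "10.9.8.8", "10.10.1.21", 22),
    ("2022-02-28 14:25:02", "10.9.8.8", "10.10.1.22", 22),
    ("2022-02-28 14:25:03", "10.9.8.8", "10.10.1.23", 22),
    ("2022-02-28 14:25:04", "10.9.8.8", "10.10.1.24", 22),
]


def parse_records(rows):
    """Convert (ts_string, src, dst, port) rows into typed tuples."""
    return [(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), src, dst, int(port))
            for ts, src, dst, port in rows]


def find_scanners(records, window=timedelta(seconds=60),
                  target_threshold=10, host_threshold=5):
    """Return {src: {"targets": n, "hosts": n}} for sources that, inside any
    sliding `window`, contact at least `target_threshold` distinct
    (dst, port) pairs or at least `host_threshold` distinct hosts.
    The counts reported are the largest seen in any single window."""
    by_src = defaultdict(list)
    for ts, src, dst, port in sorted(records):
        by_src[src].append((ts, dst, port))

    flagged = {}
    for src, events in by_src.items():
        start = 0
        for end in range(len(events)):
            # Advance the window start until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            current = events[start:end + 1]
            targets = {(dst, port) for _, dst, port in current}
            hosts = {dst for _, dst, _ in current}
            if len(targets) >= target_threshold or len(hosts) >= host_threshold:
                prev = flagged.get(src, {"targets": 0, "hosts": 0})
                flagged[src] = {"targets": max(prev["targets"], len(targets)),
                                "hosts": max(prev["hosts"], len(hosts))}
    return flagged


def report(flagged):
    """Human-readable summary lines, one per flagged source."""
    return [f"{src}: {info['targets']} distinct host:port targets, "
            f"{info['hosts']} distinct hosts within one window"
            for src, info in sorted(flagged.items())]


if __name__ == "__main__":
    for line in report(find_scanners(parse_records(SAMPLE_RECORDS))):
        print(line)
```

The flagged source addresses are what you compare against the address the IT department's scanner uses; a match on the voice subnet during a week the scans were supposedly paused is the evidence the poster is after. Real deployments would read rows from the export file instead of the embedded list and raise the thresholds for busy controllers so normal SIP registrations are never flagged.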
 
Is this system used in a hospitality environment? Is this system connected to a PMS via IP to serial converters? I have seen scans that detect vulnerabilities against these devices. Since they have no connection to the internet (usually), the scan alarms could be ignored. There are no patches or upgrades available for the iPocket brand of these devices and none planned, according to my inquiries on the subject.

I suppose you're entitled to your opinion, I'm just not going to suppose very hard.
 

MCD 6 was released in 2013.

You could upgrade to the latest release compatible with your system. Newer software will be more resistant to problems during scanning.

In recent software (I don't know when this started) there are logs generated when the 3300 thinks it is being scanned / attacked. Entries will have something like "Possible use of network/hacking scanning tools" in them.
 
This is a large health care campus. We are at the latest supported version that is compatible with the FIM cards and PER nodes; there are a lot of analog and digital phones, and going to a newer version would mean going all IP and ATAs, an expense they are not ready for. It does have an ACD with contact center with 15 agents. The PER nodes are spread out all over the campus and they have UPS on each node. I am wondering now if the UPS are connected to the LAN and, if they are being scanned, whether that may cause an issue?

Here is the last log; it happened over the weekend right after the system synced with the AMC. Also wondering if the scan monitors outgoing traffic and then returns fire, so to speak.

https://files.engineering.com/getfile.aspx?folder=c003f2cb-8d7b-4d78-81f4-5fdddf410e19&file=AllLog_Cc33_202202281425_CC2.csv