
Attd bombarded with login violations from unknown extension 1


dracas

Technical User
Oct 26, 2009
13
US

Hey guys...having a weird issue here. I got a weird call earlier from our Switchboard guy, saying that he kept getting this "Login Violation" issue that kept screwing with his ability to answer calls. Below is a log of the trace

11:50:25 busy attendant 3330 cid 0x1191
11:50:25 idle cid 0x1191
11:50:27 Calling party cid 0x1193
11:50:27 Calling Number & Name 3213 Login Violati
11:50:27 dial 3330
11:50:27 busy attendant 3330 cid 0x1193
11:50:27 idle cid 0x1193
11:50:53 Calling party cid 0x1197
11:50:53 Calling Number & Name 3213 Login Violati
11:50:53 dial 3330
11:50:53 busy attendant 3330 cid 0x1197
11:50:53 idle cid 0x1197

I'm not understanding what's going on here. When I try to look up 3213, it says something like "Assigned to an object other than a station", so I checked VDNs and hunt groups, and even did a "list usage extension 3213", and it says "No information in system to list".

So I have a phantom extension screwing with my switchboard...anyone know what I should be looking for, or how to identify the unknown extension 3213? Thanks in advance!
 
That is the "fake" extension # assigned to your security settings. I believe the cause is an attempt to login to your PBX's Remote access extension, with the wrong "password". "Display Remote" to see what DID is being called. If you don't need this right now, I would remove the DID or change it to another extension # temporarily while you are under attack.

BTW, "display svn" to see the extensions/messages used for SVNs (Security Violations)



Mitch

AVAYA Certified Expert
 
This is in realtime:

You can use a "lsvn-halt" button to stop notification to the destination extension.

Code:
monitor security-violations login
                          SECURITY VIOLATIONS STATUS
                                             Date:   18:42 THU OCT 15 2009
                                LOGIN VIOLATIONS

                     Date   Time   Login    Port       Ext
                     10/15  18:41  init     INADS
                     08/31  12:13  admin    MGR1
                     08/31  11:47           MGR1
                     04/28  07:48  admin1   INADS
                     04/28  07:30  nortel   INADS
                     04/28  07:30  admin1   INADS
                     11/14  13:55  nortel   INADS
                     11/14  13:55  nortel   INADS
                     04/11  15:24  admin1   INADS
                     04/11  15:23  reston   INADS
                     12/07  14:49  HJg      INADS
                     12/07  14:49  DzwprZ]  INADS
                     12/07  14:48  Dz       INADS
                     10/24  16:49  admin    MGR1

change system-parameters security                               Page   1 of   2
                       SECURITY-RELATED SYSTEM PARAMETERS

 SECURITY VIOLATION NOTIFICATION PARAMETERS

   SVN Login Violation Notification Enabled? y
           Originating Extension: 4888            Referral Destination: 7518
                 Login Threshold: 3                      Time Interval: 0:03
          Announcement Extension:

# This will give you a count for the valid logins
# you can use summary or detail

list measurements security-violations detail                           Page   1


Switch Name: MacLaren/McCann                  Date: 12:42 pm  MON JUN 30, 2008

        SECURITY VIOLATIONS DETAIL REPORT

     Counted Since: system initialization

                      Successful   Invalid
Login ID  Port Type   Logins       Passwords

init      MGR1            0           0
          INADS          29          60
          EPN             0           0
          NET             0           0
           Total         29          60
inads     MGR1            0           0
          INADS          16           1
          EPN             0           0
          NET             0           0
           Total         16           1
           Page   1

A great teacher, does not provide answers, but methods to teach others "How and where to find the answers"

bsh

36 years Bell, AT&T, Lucent, Avaya
Tier 3 for 26 years and counting
 
Hmm, thanks...looking to monitor security...got this:

Code:
monitor security-violations login
                          SECURITY VIOLATIONS STATUS
                                             Date:   14:47 SAT FEB 27 2010
                                LOGIN VIOLATIONS

                     Date   Time   Login    Port Type
                     02/27  14:46  0004ff0  SYS-PORT
                     02/27  14:46  6d03ff0  SYS-PORT
                     02/27  14:46  0005ff0  SYS-PORT
                     02/27  14:46  'cstatu  SYS-PORT
                     02/27  14:44  'clist   SYS-PORT
                     02/27  14:44  6c0cff0  SYS-PORT
                     02/27  14:44  6c02ff0  SYS-PORT
                     02/27  14:44           SYS-PORT
                     02/27  14:42  0fb9ff0  SYS-PORT
                     02/27  14:42  0fb5ff1  SYS-PORT
                     02/27  14:42  1c       SYS-PORT
                     02/27  14:42  6c05ff0  SYS-PORT
                     02/27  14:42  3e9aff0  SYS-PORT
                     02/27  14:42  3e92ff0  SYS-PORT
                     02/27  14:42  'cdispl  SYS-PORT
                     02/27  14:40  0fbbff0  SYS-PORT
 
Looks like a random system is connecting to your switch erroneously and effectively sending it garbage at the login prompt, causing your login violation notifications at the attendant.

However, the data there "cstatu", "clist" and "cdispl" looks curiously like the beginning of commands in SAT. Do you have any funky applications set up to scrape data from the switch using SAT?

You might like to stroke "SVN Login Violation Notification Enabled?" to 'n' until you can figure out who's got the wrong IP address. If you don't want to turn it off completely, up your notification thresholds.
 
Those are ossi commands. Something is polling and sending commands to the switch to collect data without logging in first.

bsh
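As an added example, not code from anyone in this thread: a small Python script that reads "monitor security-violations login" output in the shape posted above, replays the SVN settings shown in bsh's earlier post (Login Threshold 3, Time Interval 0:03) to show when a referral call to the attendant would fire, and tags login strings that look like stray OSSI command or field-id fragments rather than someone typing passwords. Assumptions: the year (the SAT output carries none), a sliding window that clears after each referral, and the hex-token heuristic.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the shape of the thread's "monitor security-violations login" output.
SAMPLE = """\
02/27 14:46 'cstatu SYS-PORT
02/27 14:44 'clist SYS-PORT
02/27 14:44 6c0cff0 SYS-PORT
02/27 14:44 SYS-PORT
02/27 14:42 0fb9ff0 SYS-PORT
02/27 14:42 'cdispl SYS-PORT
02/27 14:40 0fbbff0 SYS-PORT
02/27 12:13 admin MGR1
"""
# Date  Time  [Login]  Port  -- the Login column may be blank, as in the posted output.
LINE = re.compile(r"^(\d\d/\d\d)\s+(\d\d:\d\d)\s+(?:(\S+)\s+)?(\S+)$")

def parse_events(text):
    """Return (timestamp, login, port) tuples, oldest first; header lines are skipped."""
    events = []
    for raw in text.splitlines():
        if m := LINE.match(raw.strip()):
            # Year is assumed (2010, the date of the post); SAT prints none.
            ts = datetime.strptime("2010 " + m.group(1) + " " + m.group(2), "%Y %m/%d %H:%M")
            events.append((ts, m.group(3) or "", m.group(4)))
    return sorted(events)

def classify_login(login):
    """Heuristic label for what arrived at the login prompt."""
    if login == "":
        return "empty"
    if re.fullmatch(r"'?c[a-z]+", login):
        return "ossi-command"   # cdispl/clist/cstatu prefixes, as bsh pointed out
    if re.fullmatch(r"[0-9a-f]{7,8}", login):
        return "hex-token"      # assumed: OSSI field ids sent before any login
    return "named"

def svn_referrals(events, threshold=3, interval=timedelta(minutes=3)):
    """Per port, the times at which `threshold` failures land inside `interval` (thread: 3 in 0:03)."""
    # Assumption: the SVN counter restarts after each referral, so the window is cleared.
    window, fired = defaultdict(deque), defaultdict(list)
    for ts, _login, port in events:
        q = window[port]
        q.append(ts)
        while ts - q[0] >= interval:
            q.popleft()             # drop failures older than the interval
        if len(q) >= threshold:
            fired[port].append(ts)  # this is when the attendant would see the call
            q.clear()
    return dict(fired)
```

Every failing burst that crosses the threshold inside the interval produces one referral, which is why the switchboard was seeing a call every couple of minutes rather than one per junk line.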
 
If you can't figure out who is dialing into your switch, I have a few ideas:

1) Order Caller ID service for your INADS modem line, put a unit on the line to log the inbound calls

2) Change the INADS line to a new number. They won't have the new # unless you tell them, and you will know who you tell the # to.

Mitch
 
Thanks everyone, after looking in, and looking at the access violations:

Code:
list measurements security-violations detail                           Page   1

Switch Name:                                  Date: 11:16 pm  SAT FEB 27, 2010

        SECURITY VIOLATIONS DETAIL REPORT

     Counted Since: system initialization

                      Successful   Invalid
Login ID  Port Type   Logins       Passwords

init      SYSAM-LCL       0           0
          SYSAM-RMT       0           0
          MAINT           0           0
          SYS-PORT       20           0
           Total         20           0
inads     SYSAM-LCL       0           0
          SYSAM-RMT       0           0
          MAINT           0           0
          SYS-PORT      179           2
           Total        179           2

This has me on the right track; the only two companies that can get into our remote access ports are Avaya themselves and our Avaya BP. I'll call one of our guys over there and ask him who was trying to get in.

Thanks for the same-day responses and all the weekend help haha :)
 
SYS-PORT as shown in the security violations is from your network, not your inads line. This is not an attack, it's a device programmed incorrectly to gather data from your switch and it's sitting on your network.

bsh
 
If you have access to a linux bash shell, try the "last" command to see if any remote logins were connected during the window 14:40 - 14:46 on 02/27.
If you show login "rasaccess" then it's Avaya. If you don't show logins during that window, it's going to be a computer with ASA, BCMR, valmanager or some other application that collects data with ossi terminal emulation commands, as it shows on your violations.

The SYS-PORT is monitoring SAT connections to the server and CLAN access.

In my first examples above, there are INADS and MGR1 entries in the monitor securities. This indicates a legacy switch.

You only show SYSAM-LCL, SYSAM-RMT, MAINT, and SYS-PORT and all connections that are valid are via SYS-PORT



bsh
 
Looks like this isn't fixed after all. I took down the server I suspected was responsible, but continue to get LSVN violation errors.

It's a wash of what looks like hex values like "6d01ff0", "0007ff0", and "0fb9ff0", and they are occurring every other minute (14:07, 14:09, 14:11, etc.).

'list measurements security-violations detail' this time isn't listing any invalid password attempts of any sort, only successful ones.

Hmm, but 'list measurements security-violations summary' shows this info:

Code:
SYS-PORT
  Successful Logins:       34
  Invalid Attempts:     12452
  Invalid IDs:          12452
  Forced Disconnects:    4150
  Login Sec Violations: 12395


I have no idea how to identify what is spamming this. Chances are it's over TCP/IP, but how the heck do I identify which system it might be?

AUDIX/CMS/PMS/CDR all contact back and forth. Any ideas, is there any way to associate a node-name or something with the SYS-PORT access that are failing?
 
I'm guessing ASA or BCMRD

change the way the switch is accessed and it will go away.

is this g3si or g3r?
do you have netcons or system ports in a hunt-group that are used for access?
Do you access via CLAN?

change extension and IP addresses involved and it will go away.


bsh
 

BCMRD is alien to me, so I'm not sure what that is, and I would have thought that if a login violation is coming out of ASA it would show up when monitoring.

The System is S8700 fed (G3r?)...and I'm confused, what do you mean by netcons/system-ports in a hunt group? How would I check that, since I don't think I have before, or if I have "access through the CLAN"

Also, you say to change extensions and IP addresses but I don't know that I can really change the IP addresses in the system without goofing a bunch of stuff up and having to schedule an outage.

Need just a hair more guidance :)
 
BCMRD is BCMS remote desktop. It's a cheap version of CMS.
display ip-services for SAT connections through a clan. It could connect via ethernet IP, netcon, system port, dialup.

If you are not using clan for SAT, then you would have to change the IP addresses for the server. If your ASA connects using the server IP address and you don't have clan SAT access programmed on ip-services, the only access would be to your active server IP address.

system ports and netcons were old g3si and g3r data-module SAT access connection ports.

bsh
 
Disp ip-services-->

Code:
display ip-services                                             Page   1 of   3

                                  IP SERVICES

   Service    Enabled    Local      Local     Remote      Remote
    Type                 Node       Port      Node        Port
   CDR1                  clan2      0         callacctg   5101
   PMS                   clan2      0         iolan       5103
   SAT        y          clan1-vm   5111      any         0
 
Looks like you use the clan1-vm IP address and port 5111 for SAT admin.

list node-name to get clan1-vm IP address.

If this is what's used, you can change the IP address.
You may also want to look at display comm link and display comm proc to see if this same clan is used for your voicemail. Changing it will involve voicemail and any others that use this clan resource.

bsh
 
Wait, I'm changing the IP address of CLAN-VM1??? Because the chances of me getting that approved right now is pretty slim. I'm pretty sure that (yes) this is the CLAN resource that our voicemail uses.

The only entry I see for Clan1-vm is under "disp comm link"

y n 1905 ETHER clan1-vm

 
SAT y clan1-vm 5111 any 0

bsh
 
You can change ip-services to use clan2 and share it instead of the one used for vm.

If you still have issues after changing that, you will need to change your server ip addresses.

active
server1
server2


bsh
 
If you have shell access type:
sudo logc lxsec today > ~ftp/pub/lxsec.txt
and also type
loginreport -ud > ~ftp/pub/loginfails.txt

Next go into the /var/home/ftp/pub using an sftp program like winscp and pull the two files to your pc:

loginfails.txt and lxsec.txt

That should give you some positive identity info about the server that is causing this.

Hope this helps.

Matt--Technical Support, Network Operations Center

ACA-Voice Management
ACE-IP Telephony
Converged+ Certified
Linux+ Certified
 