Avaya IP phones dialing International calls by themselves.

raist3001

Technical User
Jun 11, 2013
150
US
Kindly request some help in this matter. I have searched Google looking for an answer as to why IP phones are dialing international calls by themselves. They go off hook and begin dialing without any human interaction. I would think something was hacked. I have been looking over the configuration but nothing seems to jump out at me. The only thing I do not recognize in the short codes is a RELAY OFF. My thoughts are to delete this short code?

[Image: RELAY_OFF_erfhbs.png]


The system is behind a firewall, and the digital phones do not display this behavior. This is only happening to the IP phones. The customer needs to be able to dial international calls. And the IPO is set up to allow such.

Anyone ever experience this? If the system was hacked, would it only be the IP phones? Or would the IPO be the equipment hacked?
 
What do your incoming call routes say? Are any of them different?
 
Your assumption is correct, you've been hacked.
But that relay thing is not your problem here...someone has access to your system.

PhoneManager or One-X Portal is a popular choice for the hackers, so take a look at your internal network.
You can use those applications on any kind of phones, not only IP.

Kind regards

Gunnar
______________________________________
Mille viae ducunt homines per saecula Romam

 
My call routes are all proper. No unusual destinations, and nothing new added.

I am looking into One-X Portal now. Just changed the password.
 
Changing pwds is just going to hold off the intruders a short period of time.
If they can reach the IPO with PMP or One-X, they'll keep on digging.

Best guess - Infected company computer.

Kind regards

Gunnar
______________________________________
Mille viae ducunt homines per saecula Romam

 
In my Users list for One-X Portal I see the following I do not recognize:

csta_provider_user
dsml_ipo_provider_user
dsml_ldap_provider_user
indoda_user
inyama_user
izwi_user

Roles are set to APPLICATION, but their creation date says 12/3/12, which is when I set up all the actual users.
 
Those are one-x portal provider users.
Is your system connected directly to the WAN for something like management or SIP Trunks?

-Austin
ACE: Implement IP Office
 
The IPO is connected to an internal network behind a firewall. There are no SIP trunks.
 
Is the one-x portal accessible from the outside? Someone may have logged into it. Passwords are usually easy to guess.

-Austin
ACE: Implement IP Office
 
One-X is only accessible from the inside. I have changed all passwords at the moment.
 
And that's why you should take a good look around on your computer side.
A firewall may be useless if an invite/backdoor is initiated from the inside.

Kind regards

Gunnar
______________________________________
Mille viae ducunt homines per saecula Romam

 
Could you explain the purpose of the 8N short code from your screen shot? Do you have a quad-zero route in the IP route tab? (0.0.0.0 0.0.0.0) with a gateway of your local firewall/router?
 
^I was curious about that as well, that's why I asked about the SIP Trunks.

-Austin
ACE: Implement IP Office
 
The 8N shortcode was used at one time to press 8 to grab SIP trunks.
 
> And that's why you should take a good look around on your computer side.
> A firewall may be useless if an invite/backdoor is initiated from the inside.

We are looking into a network breach as we speak. Wouldn't I see an unrecognized user in 1-X?
 
Not if they sniffed out the login/pwd. A simple key-logger is enough.

Kind regards

Gunnar
______________________________________
Mille viae ducunt homines per saecula Romam

 
> Not if they sniffed out the login/pwd. A simple key-logger is enough.

Hmmmm...no one on site has the username and password to log into 1-X. As a matter of fact, there is only one server that is used to log into 1-X by our staff. I would wager this server has been compromised.
 
Well, then you have something meaningful to attend to :)

I would put in barring on all country codes not used (who needs to call everyone?)
Middle East, Balkans, Africa...

Kind regards

Gunnar
______________________________________
Mille viae ducunt homines per saecula Romam
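
One way to check call records against the country-code barring suggested above, as an added example that is not from any poster in this thread. The record layout, the 011/9011 prefixes, the allowlist and the business hours are assumptions, and the sample records are constructed.

```python
import csv
import io
from collections import Counter
from datetime import datetime

# Assumptions (not from the thread): US dialling (011, optionally after a 9 for
# an outside line); only the UK (44) and Germany (49) are called; hours 07-19.
INTL_PREFIXES = ("9011", "011")
ALLOWED_COUNTRY_CODES = ("44", "49")
BUSINESS_HOURS = range(7, 19)

# Constructed call records: start time, extension, dialled digits.
SAMPLE_LOG = """\
2013-06-10 10:15:02,201,901144207946000
2013-06-11 02:41:17,305,9011252612345678
2013-06-11 02:43:50,305,9011252612345679
2013-06-11 02:44:31,306,9011371261234567
2013-06-11 09:05:44,202,918005550100
2013-06-11 23:12:09,201,901149301234567
"""

def international_part(dialled):
    """Return the digits after the international prefix, or None if domestic."""
    for prefix in INTL_PREFIXES:
        if dialled.startswith(prefix):
            return dialled[len(prefix):]
    return None

def audit(log_text):
    """Return (findings, flagged-call count per extension) for international calls."""
    findings, per_ext = [], Counter()
    for start, ext, dialled in csv.reader(io.StringIO(log_text)):
        rest = international_part(dialled)
        if rest is None:
            continue
        reasons = []
        # E.164 country codes are prefix-free, so startswith() is unambiguous.
        if not rest.startswith(ALLOWED_COUNTRY_CODES):
            reasons.append("destination not on allowlist")
        if datetime.strptime(start, "%Y-%m-%d %H:%M:%S").hour not in BUSINESS_HOURS:
            reasons.append("outside business hours")
        if reasons:
            findings.append((start, ext, dialled, reasons))
            per_ext[ext] += 1
    return findings, per_ext

if __name__ == "__main__":
    for start, ext, dialled, reasons in audit(SAMPLE_LOG)[0]:
        print(f"{start} ext {ext} -> {dialled}: {', '.join(reasons)}")
```

The per-extension counts returned by `audit()` show which phones account for the flagged calls, which helps separate a single misdialling user from several extensions dialling unattended.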

 
Indeed I do Gunnaro :)

Thank you kindly to all who have offered their time here in this thread with their help. I am very grateful.
