Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

BCM50 - Brute Force Attack 4

Status
Not open for further replies.

curlycord

Programmer
Sep 22, 2002
14,188
Toronto, Canada
BCM50 R6 with the lastest/last patches.

We are getting about 6 attacks a second trying to log in as admin on the system with various user name names, over and over again, approx 30 different user names.

The BCM froze up, time & date stuck and cannot use buttons, PRI/CP not answering, could not login via front or back.
I think it froze because these alarms filled up the hard drive because this has been going on for weeks.

I replaced the BCM, but did not restore:
Data Services & Network Interface
IP Telephony

Wed Mar 20 06:00:16 EDT 2024 false 30202 minor User failed to login User=admin Host=10.10.10.59 Comp=Wed Mar 20 06:00:16 EDT 2024 false 30202 minor User failed to login User=tomcat Host=10.10.10.59 Comp=Wed Mar 20 06:00:16 EDT 2024 false 30202 minor User failed to login User=foo Host=10.10.10.59 Comp=Wed Mar 20 06:00:16 EDT 2024 false 30202 minor User failed to login User=vagrant Host=10.10.10.59 Comp=Wed Mar 20 06:00:16 EDT 2024 false 30202 minor User failed to login User=service Host=10.10.10.59 Comp=Wed Mar 20 06:00:16 EDT 2024 false 30202 minor User failed to login User=postgres Host=10.10.10.59 Comp=Wed Mar 20 06:00:16 EDT 2024 false 30202 minor User failed to login User=root Host=10.10.10.59 Comp=Wed Mar 20 06:00:16 EDT 2024 false 30202 minor User failed to login User=root Host=10.10.10.59 Comp=Wed Mar 20 06:00:15 EDT 2024 false 30202 minor User failed to login User=skyboxview Host=10.10.10.59 Comp=Wed Mar 20 06:00:15 EDT 2024 false 30202 minor User failed to login User=TANDBERG Host=10.10.10.59 Comp=Wed Mar 20 06:00:15 EDT 2024 false 30202 minor User failed to login User=admin Host=10.10.10.59 Comp=Wed Mar 20 06:00:15 EDT 2024 false 30202 minor User failed to login User=rwa Host=10.10.10.59 Comp=Wed Mar 20 06:00:15 EDT 2024 false 30202 minor User failed to login User=cisco Host=10.10.10.59 Comp=Wed Mar 20 06:00:15 EDT 2024 false 30202 minor User failed to login User=IntraSwitch Host=10.10.10.59 Comp=Wed Mar 20 06:00:15 EDT 2024 false 30202 minor User failed to login User=NETOP Host=10.10.10.59 Comp=Wed Mar 20 06:00:14 EDT 2024 false 30202 minor User failed to login User=recovery Host=10.10.10.59 Comp=Wed Mar 20 06:00:14 EDT 2024 false 30202 minor User failed to login User=superuser Host=10.10.10.59 Comp=Wed Mar 20 06:00:14 EDT 2024 false 30202 minor User failed to login User=superadmin Host=10.10.10.59 Comp=Wed Mar 20 06:00:14 EDT 2024 false 30202 minor User failed to login User=ADVMAIL Host=10.10.10.59 Comp=Wed Mar 20 06:00:14 EDT 2024 false 30202 minor User failed to login User=dhs3mt Host=10.10.10.59 Comp=Wed Mar 20 06:00:14 EDT 2024 false 30202 minor User failed to login User=3comcso Host=10.10.10.59 Comp=Wed Mar 20 06:00:13 EDT 2024 false 30202 minor User failed to login User=manuf Host=10.10.10.59 Comp=Wed Mar 20 06:00:13 EDT 2024 false 30202 minor User failed to login User=MGR Host=10.10.10.59 Comp=Wed Mar 20 06:00:13 EDT 2024 false 30202 minor User failed to login User=OPERATOR Host=10.10.10.59 Comp=
It's coming from IP 10.10.10.49, this is not an IP from the clients network that I can see.
The BCM IP Lan IP is 192.168.143.X
The Modem dial in is 10.10.14.X
The ISDN dial in is 10.10.18.X
DHCP Server S1/2 is 192.168.143.X

I am wondering if the BCM has this IP but I cannot ping it from BCM Utilities or PC.

I tap in via their VPN which is 10.20.221.1, then I connect to the BCM at 192.168.143.X

They say they have only ports 5989 and 443 open per my past request.

So I need to know where this IP address is.




small-logo-sig.png


=----(((((((((()----=
Toronto, Canada

Add me to LinkedIN
 
Yes!

Here is when I log in:
Wed Mar 20 07:24:39 EDT 2024 false 30301 information Account updated Account nnadmin User=tpcadmin Comp=CIM systemId=BCM;entityId=bcm50r6;entitySubId=Security

What is CID and or vs WWW, the differences?
It seems to always be CIM for me no matter what system I dial into.


small-logo-sig.png


=----(((((((((()----=
Toronto, Canada

Add me to LinkedIN
 
The IP protocol has certain reserved IP address ranges.

10.10.10.x
10.10.11.x
192.168.x.x
And many others.

My thoughts are that a computer on the customer network that is either an internal one or via a VPN has been infected with a virus causing an attack on the BCM. It could that they are attempting via SSH to gain access, hence the "CIM" reference.

The best thing is to gain access to the customers router and check the logs to see if you can match up the times and logs with the BCM.

Does the customer have their own copy of BCM Element Manager installed on a computer and what IP address range are they using.

Do any of their IP equipment use two Network cards per device like the BCM has?.

Does the customer's router need a firmware update?.

Firebird Scrambler

Nortel & Avaya Meridian 1 / Succession & BCM / Norstar Programmer

Website = linkedin
 
I remember when logging into the main page via web browser
VMAIL would be CallpilotManager, maybe Mailbox Manager too.
SSH is just that, SSH

This I found out on a Linux forum:
CIM = Common Information Model
So...
CIM is Business Element Manager which makes sense.

Port 22 is closed, I cannot access it, only on demand, but now it is confirmed the brute force is via 443 (web browser or other)

They seem tight on security so I can only assume their network is up to snuff but I will ask for them to snoop anyway.
From what I can tell they (IT off site or users onsite) do not have access to the BCM.






small-logo-sig.png


=----(((((((((()----=
Toronto, Canada

Add me to LinkedIN
 
The port 443 is used by HTTPS - so typically the GUI login on many devices. For BCM50, that would be the BCM Launcher web page if I am not mistaken.

I would tend to disagree with the assumption that they are tight on security. One of these three options must be correct:
1. The system is directly connected to the Internet and due to that can be attacked from the outside (connecting BCM50 directly to an Internet is not a very good idea)
2. Internet access is via a router. They have a port open on this router that is forwarded to the port 443 on the BCM50 - or they have the BCM50's IP address configured as the DMZ address. This allows the BCM50 to be attacked from the outside.
3. Someone is attacking the BCM50 locally from their LAN

Unless they REALLY need the access to the BCM Launcher page remotely from the outside, they should not allow external access to the port 443 at all.

DMZ would be as bad an idea as it gets. And connecting the BCM50 directly to the internet would be really the same as DMZ. If the attack is from a device on their LAN, they should identify the device and "talk" to the user.

The proper configuration should be - nobody from the outside should be able to reach the port 443 on the BCM50. If the attack is local from their LAN, they should deal with the person doing this.
 
Yes, CIM in this case is Common Information Model, which is basically the BCM database you connect to using BEM and port 5989.

I've used a program called CIM Navigator to connect to BCM's. You use the nnadmin login and designate port 5989. It's mildly interesting to me, but most times I don't really understand what I'm looking at. CIM Navigator would be of more use to someone with knowledge of how the data is organized.

I agree with ucxguy as regards opening port 443. Most companies I connect to remotely only open the ports I need (22 and 5989) on request and close them up when I'm done. Too many bad actors lurking about.

Brian Cox
Georgia Telephone
 
Well we all agree on on everything, I just wanted to make sure BCM did not use 10.10.10.X, this way the blame is on them.
I have asked them to dig deeper on their end.

Thanks for the replies, I will update when I can.


small-logo-sig.png


=----(((((((((()----=
Toronto, Canada

Add me to LinkedIN
 
That's good to know Curlycord. I was meant to say in my previous post that were you able to ping the 10.10.10.59 IP address from the BCM system?.

I think the option in in one of the drop down menus in the Administration area.

I've used this a number of times to get connectivity.

Firebird Scrambler

Nortel & Avaya Meridian 1 / Succession & BCM / Norstar Programmer

Website = linkedin
 
Yes I use it all the time when patching or doing my thing remotely so that I know it can see my server offsite before attempting to down/upload....it was the fist thing I did, no replies.

Because I wasn't for sure on 10.10.10. being somewhere in the backend on the BCM50 I had briefly pondered if it could ping part of itself, but it can.
For instance you can ping both the OAM or the LAN ports.

Just one of those when you knew everything mentioned above here, but you second guess yourself.
The IT company did not tell me about this up front until I pressed.

In fact, I have a hilarious update...it was the IP of their server that is dedicated to scan the network for threats daily.
[lol]



small-logo-sig.png


=----(((((((((()----=
Toronto, Canada

Add me to LinkedIN
 
At least you are getting some sort of support from the customer's IT dept. That's often the hardest part.

I agree with Exmogger on why it's scanning for threats on the BCM and what programs are they using to do this?.

In the first post, I saw multiple references to different account logins such as cisco, admin, superuser etc. I was wondering if some of them related to the older BCM Enterprise Windows NT accounts and other old IP equipment as "superuser" used to be one of the old NT ones?.

Perhaps this customer had an old BCM 200/400 ?.

Anyway, at least it's not the BCM and no longer needs your involvement. Make sure that you invoice them for all your efforts.



Firebird Scrambler

Nortel & Avaya Meridian 1 / Succession & BCM / Norstar Programmer

Website = linkedin
 
supervisor" (and "visor") is what your thinking of.


I think that server (Arctic Wolf software) is infected with the Brute Force malware of sorts, I guess it does not scan itself, lol.




small-logo-sig.png


=----(((((((((()----=
Toronto, Canada

Add me to LinkedIN
 
In the first post, I saw multiple references to different account logins such as cisco, admin, superuser etc. I was wondering if some of them related to the older BCM Enterprise Windows NT accounts and other old IP equipment as "superuser" used to be one of the old NT ones?"

I had similar thoughts about the usernames it was trying. Maybe some of them are default logins built into Linux systems. They were all definitely in the brute force program hitting the BCM50. I don't have a running BCM50 at the moment, but I do remember postgres as one of the BCM50 logins.

Yes, I remember supervisor and visor as one of the default logins on the old Windows NT version BCMs.

Brian Cox
Georgia Telephone
 
Yep!. That was it Curlycord.
Old age is catching up with me.
I doubt if we have any of those old BCM 200/400 still in service on this side of the pond.



Firebird Scrambler

Nortel & Avaya Meridian 1 / Succession & BCM / Norstar Programmer

Website = linkedin
 
Final update:

Today they confirmed that the Artic Wolf software was the culprit, not the server it's on.
The software (or an option of it) is designed to periodically try a brute force on it's own devices/servers on the network to keep things in check.

They added the BCM's IP to the exclusion list to avoid filling up the alarm log.

"They seem tight on security so I can only assume their network is up to snuff"
Sometimes, it feels good to be right!
Nyuk Nyuk Nyuk


small-logo-sig.png


=----(((((((((()----=
Toronto, Canada

Add me to LinkedIN
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top