Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

BCM50 Hacked, trying to plug the hole 1

Status
Not open for further replies.

tubdub

IS-IT--Management
Jan 5, 2012
38
GB
Hi,

A BCM50 system that I look after was hacked overnight and a large bill racked up on international premium rate numbers before the provider was able to put a block in place.

After doing some research I believe the method used was to make an external call from within callpilot once the auto attendant had picked up the call.

I've since removed the ability to make external calls from all COS. I've also put mailbox restrictions in place on all mailboxes and had users change their PINs, as well as PINs for the System Manager and General Pickup mailboxes. I suspect that the System Manager or General Pickup mailbox PIN had been reset by the client and not set to something secure.

My questions are, is there anything else I should do to ensure this cannot be repeated and how is it possible to create an external call from within the voicemail system? Is it a case of dialing specific codes once the auto-attendant has picked up the call? I would like to attempt it myself to ensure all external calls are blocked.

Many thanks for any info.

Tubdub

 
Here is a extract from the callpilot event log, as you can see there is a failed attempt to log in as the System Manager (102) then a bunch of external calls are initiated. My main concern is it seems that they were unable to guess the PIN for the mailbox, and there is no log of another mailbox being accessed, yet the external calls were still possible.

2017-05-14T23:56:58.094 [INFO ] {STLog} (0) - MyPhone: Bad Password: 102 by 188.161.244.180 rc=1(0x1)
2017-05-15T00:01:16.461 [INFO ] {STLog} (0) - Daily statistics ..
2017-05-15T00:01:16.461 [INFO ] {STLog} (0) - One call FOD 0 Two Call FOD 0 FOV 0 FAX Print 0
2017-05-15T00:01:16.461 [INFO ] {STLog} (0) - Incoming AMIS 0 Outgoing AMIS 0 VPorts Busy 0 FPorts Busy 0
2017-05-15T00:01:16.461 [INFO ] {STLog} (0) - F980 Sess 0 F981 Sess 0 F982 Sess 0 F983 Sess 0 F985 Sess 0
2017-05-15T00:01:16.461 [INFO ] {STLog} (0) - F986 Sess 0 F987 Sess 0 F988 Sess 0 F989 Sess 0 F930 Sess 0
2017-05-15T00:01:16.461 [INFO ] {STLog} (0) - Call Ans 0 AA/CCR 0 OPN 0 PAGE 0
2017-05-15T00:01:16.461 [INFO ] {STLog} (0) - Ext Trans 0 Ctx Trans 0 Broadcast Msgs 0 Group List Msgs 0
2017-05-15T00:01:16.461 [INFO ] {STLog} (0) - SMTP Receive 0 SMTP Send 0 NVM Manager 0 Call Screening 0
2017-05-15T00:01:16.461 [INFO ] {STLog} (0) - Dsktp Logins 0 Dsktp Open Msgs 0 Text Bodies 0
2017-05-15T02:00:41.867 [INFO ] {STLog} (0) - Shell 5: AsLogic, unexpected event rc=75(0x4b)
2017-05-15T02:00:41.867 [INFO ] {STLog} (0) - Internal call from DN .
2017-05-15T02:00:41.867 [INFO ] {STLog} (0) - Dump: Shell 5
2017-05-15T02:00:41.867 [INFO ] {STLog} (0) - 2017/05/15 00:16:12 TVSStart Called DN Answered
2017-05-15T02:00:41.867 [INFO ] {STLog} (0) - 2017/05/15 00:16:12 TVSMain init event
2017-05-15T02:00:41.868 [INFO ] {STLog} (0) - 2017/05/15 00:17:10 TVSMain call disconnect
2017-05-15T02:00:41.868 [INFO ] {STLog} (0) - 2017/05/15 00:17:10 TVSShellDone init event
2017-05-15T02:00:41.868 [INFO ] {STLog} (0) - 2017/05/15 00:17:10 Idle State init event
2017-05-15T02:00:41.868 [INFO ] {STLog} (0) - 2017/05/15 02:00:25 Idle State TVS start
2017-05-15T02:00:41.868 [INFO ] {STLog} (0) - 2017/05/15 02:00:25 TVSStart init event
2017-05-15T02:00:41.869 [INFO ] {STLog} (0) - 2017/05/15 02:00:25 AsOriginate init event
2017-05-15T02:00:41.869 [INFO ] {STLog} (0) - 2017/05/15 02:00:25 OriginateExtCal init event
2017-05-15T02:00:41.869 [INFO ] {STLog} (0) - 2017/05/15 02:00:27 OriginateExtCal 1st timeout
2017-05-15T02:00:41.869 [INFO ] {STLog} (0) - 2017/05/15 02:00:27 CompleteExtCall init event
2017-05-15T02:00:41.869 [INFO ] {STLog} (0) - 2017/05/15 02:00:27 CompleteExtCall 1st timeout
2017-05-15T02:00:41.878 [INFO ] {STLog} (0) - 2017/05/15 02:00:27 TVSStart Called DN Answered
2017-05-15T02:00:41.878 [INFO ] {STLog} (0) - 2017/05/15 02:00:27 TVSMain init event
2017-05-15T02:00:41.878 [INFO ] {STLog} (0) - 2017/05/15 02:00:30 TVSMain call disconnect
2017-05-15T02:00:41.878 [INFO ] {STLog} (0) - 2017/05/15 02:00:30 TVSShellDone init event
2017-05-15T02:00:41.879 [INFO ] {STLog} (0) - 2017/05/15 02:00:30 Idle State init event
2017-05-15T02:00:41.879 [INFO ] {STLog} (0) - 2017/05/15 02:00:39 Idle State TVS start
2017-05-15T02:00:41.879 [INFO ] {STLog} (0) - 2017/05/15 02:00:39 TVSStart init event
2017-05-15T02:00:41.879 [INFO ] {STLog} (0) - 2017/05/15 02:00:39 AsOriginate init event
2017-05-15T02:00:41.879 [INFO ] {STLog} (0) - 2017/05/15 02:00:39 OriginateExtCal init event
2017-05-15T02:00:41.880 [INFO ] {STLog} (0) - 2017/05/15 02:00:40 OriginateExtCal call answered
2017-05-15T02:00:41.880 [INFO ] {STLog} (0) - 2017/05/15 02:00:41 OriginateExtCal TVS hangup
2017-05-15T02:00:41.881 [INFO ] {STLog} (0) - 2017/05/15 02:00:41 AsLogic TVS hangup
2017-05-15T02:00:50.248 [INFO ] {STLog} (0) - Shell 5: AsLogic, unexpected event rc=75(0x4b)
2017-05-15T02:00:50.248 [INFO ] {STLog} (0) - Internal call from DN .
2017-05-15T02:00:50.248 [INFO ] {STLog} (0) - Dump: Shell 5
2017-05-15T02:00:50.248 [INFO ] {STLog} (0) - 2017/05/15 02:00:30 TVSShellDone init event
2017-05-15T02:00:50.248 [INFO ] {STLog} (0) - 2017/05/15 02:00:30 Idle State init event
2017-05-15T02:00:50.248 [INFO ] {STLog} (0) - 2017/05/15 02:00:39 Idle State TVS start
2017-05-15T02:00:50.249 [INFO ] {STLog} (0) - 2017/05/15 02:00:39 TVSStart init event
2017-05-15T02:00:50.249 [INFO ] {STLog} (0) - 2017/05/15 02:00:39 AsOriginate init event
2017-05-15T02:00:50.249 [INFO ] {STLog} (0) - 2017/05/15 02:00:39 OriginateExtCal init event
2017-05-15T02:00:50.249 [INFO ] {STLog} (0) - 2017/05/15 02:00:40 OriginateExtCal call answered
2017-05-15T02:00:50.249 [INFO ] {STLog} (0) - 2017/05/15 02:00:41 OriginateExtCal TVS hangup
2017-05-15T02:00:50.250 [INFO ] {STLog} (0) - 2017/05/15 02:00:41 AsLogic TVS hangup
2017-05-15T02:00:50.250 [INFO ] {STLog} (0) - 2017/05/15 02:00:43 OriginateExtCal 1st timeout
2017-05-15T02:00:50.251 [INFO ] {STLog} (0) - 2017/05/15 02:00:43 CompleteExtCall init event
2017-05-15T02:00:50.251 [INFO ] {STLog} (0) - 2017/05/15 02:00:43 CompleteExtCall 1st timeout
2017-05-15T02:00:50.251 [INFO ] {STLog} (0) - 2017/05/15 02:00:43 TVSStart Called DN Answered
2017-05-15T02:00:50.251 [INFO ] {STLog} (0) - 2017/05/15 02:00:43 TVSMain init event
2017-05-15T02:00:50.251 [INFO ] {STLog} (0) - 2017/05/15 02:00:45 TVSMain TVS hangup
2017-05-15T02:00:50.252 [INFO ] {STLog} (0) - 2017/05/15 02:00:45 TVSShellDone init event
2017-05-15T02:00:50.252 [INFO ] {STLog} (0) - 2017/05/15 02:00:46 Idle State init event
2017-05-15T02:00:50.252 [INFO ] {STLog} (0) - 2017/05/15 02:00:48 Idle State TVS start
2017-05-15T02:00:50.252 [INFO ] {STLog} (0) - 2017/05/15 02:00:48 TVSStart init event
2017-05-15T02:00:50.252 [INFO ] {STLog} (0) - 2017/05/15 02:00:48 AsOriginate init event
2017-05-15T02:00:50.253 [INFO ] {STLog} (0) - 2017/05/15 02:00:48 OriginateExtCal init event
2017-05-15T02:00:50.253 [INFO ] {STLog} (0) - 2017/05/15 02:00:48 OriginateExtCal call answered
2017-05-15T02:00:50.253 [INFO ] {STLog} (0) - 2017/05/15 02:00:50 OriginateExtCal TVS hangup
2017-05-15T02:00:50.253 [INFO ] {STLog} (0) - 2017/05/15 02:00:50 AsLogic TVS hangup
2017-05-15T02:00:57.884 [INFO ] {STLog} (0) - Shell 5: AsLogic, unexpected event rc=75(0x4b)
2017-05-15T02:00:57.884 [INFO ] {STLog} (0) - Internal call from DN .
2017-05-15T02:00:57.884 [INFO ] {STLog} (0) - Dump: Shell 5
2017-05-15T02:00:57.884 [INFO ] {STLog} (0) - 2017/05/15 02:00:45 TVSShellDone init event
2017-05-15T02:00:57.885 [INFO ] {STLog} (0) - 2017/05/15 02:00:46 Idle State init event
2017-05-15T02:00:57.885 [INFO ] {STLog} (0) - 2017/05/15 02:00:48 Idle State TVS start
2017-05-15T02:00:57.885 [INFO ] {STLog} (0) - 2017/05/15 02:00:48 TVSStart init event
2017-05-15T02:00:57.885 [INFO ] {STLog} (0) - 2017/05/15 02:00:48 AsOriginate init event
2017-05-15T02:00:57.885 [INFO ] {STLog} (0) - 2017/05/15 02:00:48 OriginateExtCal init event
2017-05-15T02:00:57.886 [INFO ] {STLog} (0) - 2017/05/15 02:00:48 OriginateExtCal call answered
2017-05-15T02:00:57.886 [INFO ] {STLog} (0) - 2017/05/15 02:00:50 OriginateExtCal TVS hangup
2017-05-15T02:00:57.886 [INFO ] {STLog} (0) - 2017/05/15 02:00:50 AsLogic TVS hangup
2017-05-15T02:00:57.886 [INFO ] {STLog} (0) - 2017/05/15 02:00:52 OriginateExtCal 1st timeout
2017-05-15T02:00:57.887 [INFO ] {STLog} (0) - 2017/05/15 02:00:52 CompleteExtCall init event
2017-05-15T02:00:57.887 [INFO ] {STLog} (0) - 2017/05/15 02:00:52 CompleteExtCall 1st timeout
2017-05-15T02:00:57.887 [INFO ] {STLog} (0) - 2017/05/15 02:00:52 TVSStart Called DN Answered
2017-05-15T02:00:57.887 [INFO ] {STLog} (0) - 2017/05/15 02:00:52 TVSMain init event
2017-05-15T02:00:57.887 [INFO ] {STLog} (0) - 2017/05/15 02:00:53 TVSMain TVS hangup
2017-05-15T02:00:57.888 [INFO ] {STLog} (0) - 2017/05/15 02:00:53 TVSShellDone init event
2017-05-15T02:00:57.888 [INFO ] {STLog} (0) - 2017/05/15 02:00:53 Idle State init event
2017-05-15T02:00:57.888 [INFO ] {STLog} (0) - 2017/05/15 02:00:56 Idle State TVS start
2017-05-15T02:00:57.888 [INFO ] {STLog} (0) - 2017/05/15 02:00:56 TVSStart init event
2017-05-15T02:00:57.888 [INFO ] {STLog} (0) - 2017/05/15 02:00:56 AsOriginate init event
2017-05-15T02:00:57.889 [INFO ] {STLog} (0) - 2017/05/15 02:00:56 OriginateExtCal init event
2017-05-15T02:00:57.889 [INFO ] {STLog} (0) - 2017/05/15 02:00:56 OriginateExtCal call answered
2017-05-15T02:00:57.889 [INFO ] {STLog} (0) - 2017/05/15 02:00:57 OriginateExtCal TVS hangup
2017-05-15T02:00:57.889 [INFO ] {STLog} (0) - 2017/05/15 02:00:57 AsLogic TVS hangup
 
I knew of a BCM that was hacked via Call Pilot Manager and port 443 was forwarded onto the BCM system. The hackers used Call Pilot Manager to get in via the browser tool and able to create a dial out path.

I'd remove all ports onto the BCM from the router except for essential ones such as 7000 for IP phones. Check that the BCM isn't in any router's DMZ.

Go through all mailbox activity and I think you will find where the breach is.

Firebird Scrambler

Nortel & Avaya Meridian 1 / Succession & BCM / Norstar Programmer

Website = linkedin
 
I agree a mailbox most likely penterated, could be trivial password like 1234 and they have outbound transfer allowed.

Look at Mailbox Activity log and look for the dialed sting that called out....the one the carrier stated they used.
Ctl-F to find it.

Also see our FAQ's




________________________________________

Add me to LinkedIN

**New Allworx Forum**

small-logo-sig.png

=----(((((((((()----=
Toronto, CAN
 
Hi, thanks for the responses.

With regard to the Mailbox Activity log, do you mean the one that is available from the CallPilot admin login, under Reports? All this shows is the number of mailbox accesses and the amount of messages left.

Is there another log somewhere with more info?

Thanks
 
Mailbox Information

Here is an edited sample from mine:

201 SUB *Service,TelcoPC 255 15 0 0 0 0 0 0 R All
PAGE BOTH - PAGE ZONE 1 - PAGE RETRIES: 1 - PAGE INTERVAL: 15
XFERS Screened
OPN/RNPHONE 944169535XXXX
OPN/RNSTATUS Inactive START 12:01 am STOP 11:59 pm
MSGFWD Active me@myemail.XXX
ATTACHMENT WAV
ORIGINAL MSG Do Nothing
TRANSF 944169535XXXX

The outbound dialing string is usualy at the bottom of info of the mailbox.
94 is my Dest code in this example.

This helps find the culprit mailbox and person with the weak password.

________________________________________

Add me to LinkedIN

**New Allworx Forum**

small-logo-sig.png

=----(((((((((()----=
Toronto, CAN
 
Sorry to say, but that hack was your fault.

You should have had a remote restriction in place that disallowed long distance calls when someone dialed in to the system.
 
If he's the PBX admin, ultimately he's responsible.

A remote restriction would stop anyone who called in from dialing out a toll call. Let them dial out local when they are remoting in but block 0-, 011+, 411, 611, 911, 1+NPA, except 1-888 1-877 1-866 1-855 1-844. Centrex Link Transfers should be blocked if incoming calls can come on in those (nobody uses analog Centrex anymore though).

They did it through Call Pilot. Outdial route in CP is none by default so it must have been enabled.
 
f he's the PBX admin, ultimately he's responsible."
Perhaps but based on what happend and training provided etc but regardless thats not for you or anyone else to say or scold.

"A remote restriction would stop anyone who called in from dialing out a toll call"
Yes but only on an Auto Answer Line (Disa), not for sets/callpilot.

"Outdial route in CP is none by default so it must have been enabled."
Of course, thats how you use External Transfer from Mailboxes.

Note that you would need to rectrict the ports that Callpilot uses by using Set Restrictions or Line Restrictions but only if Long Distance is not required by any of the users.

"Centrex Link Transfers should be blocked if incoming calls can come on in those (nobody uses analog Centrex anymore though)."
Centrex is not the only package using Link.


________________________________________

Add me to LinkedIN

**New Allworx Forum**

small-logo-sig.png

=----(((((((((()----=
Toronto, CAN
 
As I am the current admin I suppose the blame is mine, but in my defence I wasn't the original admin/installer and am no expert. I have only made minor config changes as and when needed.

Several of the COS had external transfer from call pilot enabled. This must have been done by the previous admin, no idea why and I have now disabled it.

Once again, thanks for the responses.
 
Tubdub: The first line of your log is the culprit:

[tt]MyPhone: Bad Password: 102 by 188.161.244.180 rc=1(0x1)[/tt]

This shows a public ip address accessing your system. Ooohhh... nasty.
There is a known, and quite simple hack to gain access to poorly initialised
mailboxes on the BCM50. They use the web based user-login page, and just throw
a script at it; This method does *NOT* key-up the failed-attempts counter, sadly.

Never ever open port 443 (or 80 for that matter) to the public internet on any
BCM50; I've had the exact same whallop a Rel 3 system, and to the tune of £1500 odd
before the carrier clobbered the ISDN lines as a courtessy.

From where you manage externally, obtain a static IP address, and in the customer
premises, set up a firewall rule on their router that *only* allows your ip address
in, or others you trust, and denies everything else. My laziness caused a lot of
grief, and the hackers knew exactly what to do, once they found a system that
answered back as a BCM...

In the apache logs on the bcm, the line starts like:

[tt]GET /Voicemail-cgi-bin/MyPhone.exe?SecCon=m_rmi(and a load of mmmmmm's and a long url)[/tt]

 
Thanks for that info, I have indeed since closed port 443, although I never made use of this myself, it was all set up prior to me taking over. Since the system had not had any problems in the past I left everything as it was..... won't make that mistake again.

Out of interest, if the COS had not had external transfer from CallPilot enabled, would that have prevented the outgoing calls? Or does this hack circumvent that setting as well?
 
hey use the web based user-login page, and just throw
a script at it; This method does *NOT* key-up the failed-attempts counter"

This means the Mailbox Manager will not lock you out after X amount of password tries like the telephone does.
So the script will keep trying passwords until it's in.

Callpilot Manager page however is where COS is controlled, unless they figured out your user name and your password then they cannot change the COS.

So otherwise yes if the mailbox was in a COS that did not allow External Transfer then it would have not worked.

Best to also deny all other COS's 1 through 15 if nobody requires External Transfer.






________________________________________

Add me to LinkedIN

**New Allworx Forum**

small-logo-sig.png

=----(((((((((()----=
Toronto, CAN
 
Also go through all your application DN's and remove any reference to line pools which id usually "A". Why Nortel had them in there must have been historical before IP came along when the DID template was used.

Firebird Scrambler

Nortel & Avaya Meridian 1 / Succession & BCM / Norstar Programmer

Website = linkedin
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top