Hacked for International calls? 1

[grcampb]

HI,

We have a BCM400 and use the auto-attendant to transfer to 4 skillsets and over 50 mailboxes.

Yesterday we got a call from our telco saying they've noticed "hundreds of international calls" coming from our line. (we have two 23 channel PRIs connected to the BCM.

I noticed the option for outgoing transfers in the voicemail class setup was checked so I disabled that.

Is there anything else I should change to prevent this from happening?

Thanks,
Graham

 

[curlycord]

Check any disa is disabled
Check any sets that have Redirect DN on
Restrict the vmail ports
Restrict the lines if need and create a COS password to bypass the restriction.

=----(((((((((()----=
curlycord

http://www.curlycord.com

 

[curlycord]

Check Remote Access...sorry



=----(((((((((()----=
curlycord

http://www.curlycord.com

 

[fireeater]

tell people not to use 1234 or 1111 (or any thing else simple) as passwords to their mailboxes

HALLOWED ARE THE ORI

mike

http://www.ics-on.ca

 

[snowman50]

enable "trival password" in generalproperties so as they cant use 1234 ,1111 etc

 

[gberger]

Run the mailbox information report in call pilot manager and you'll see which mailbox got hacked and the password is probably 1234.

 

[grcampb]

I think I found it - Mailbox100 showed:
OPN/RNPAGER 500
OPN/RNSTATUS Inactive
TRANSF 90115352472029

It isn't a mailbox that is referenced anywhere but it shows as "General Delivery" and doesn't have the option to delete so I assume it is needed. I'll be changing the password on it and enabling no-trivial password checking.

Thank you very much guys. As always you are a valuable resource.

Graham

 

[gberger]

You should remove the "outbound transfer" option from all the mailboxes that dont need it(in the class of service),
remove the access to "route" in all the mailboxes that do not need it and finally assign a restriction filter of any
"011" to your pri's if overseas calls are not needed.

 

[grcampb]

Thanks again.
I've disabled outbound transfer for everyone - I can enable it later if anyone needs it. I also removed route from all voicemail boxes. Unfortunately we do need to make international calls so we can not block 011 from the PRIs - we did have the telco block them over the weekend until we figured out what happened.

Thanks again for all your help. Hopefully others will read this post and secure their systems before they get caught like we did.

 

[hawks]

If you do not use 1010 codes you need to let your carrier know that also. Because if they stop 011 on the weekends the Hacker will just use 1010 and go around your carrier.