Hacking or is someone making the calls??

M1north

IS-IT--Management
Sep 28, 2007
357
CA
We have 3 different users in different companies that have experienced hacking on the same night. They are all shared on the same OPT81c.

In each occurrence, our CDR is showing the calls were made from each of their extensions.

In one case, a call was made at 12:00am and then at 12:06am on the same extension.

CDR shows:
(526) 111-90000140000007 3000min
(526) 121-90000440000007 480min

Does anyone have any clue on how this is happening? Customers claim they did not have anyone in the suite at this time.

Thx

 
I would guess no calls lasted two days (3000 minutes), nor was any call exactly 8 hours. Since it was the same PBX, your CDR PC probably rebooted or had some "event". Those durations are just too "even" to be real in my opinion.

The text you quoted isn't the PBX's output, it is the CDR's formatted/calculated record of the call. I'd want to see the raw record from the PBX behind that before I made any further guesses. The CDR system probably has a raw record file for some time before it is purged to make room for the next month or something.

--
GHTROUT.com - Help for Nortel Meridian/CS1000 System Administrators
--
 
More accurate information...3000min was approx.

2.2 1S05/26/2010 01:23:00 4342 126110500015800000074 5520


05/26/2010 12:00:00 AM 1S 55 SL025:3701 52611190000140000007 TELEPHONE CALL XX 187920

05/26/2010 12:06:00 AM 1S 55 SL025:3701-34573 52612190000440000007 TELEPHONE CALL XX 28800
 
That still isn't the raw record from the PBX. What do you get when you call the number?

--
GHTROUT.com - Help for Nortel Meridian/CS1000 System Administrators
--
 
What number are they dialing? I don't see the 011...is it stripped from the records?

2.2 1S05/26/2010 00:00:00 3701 052611190000140000007 3132


2.2 1S05/26/2010 00:06:00 3701 152612190000440000007 480


2.2 1S05/26/2010 00:00:00 3140 123052620360000080000 51.47
 
Not sure, that isn't the record from the PBX.

--
GHTROUT.com - Help for Nortel Meridian/CS1000 System Administrators
--
 
The CDR company is telling me that this is the information received from the PBX to the buffer. They consider this their raw data.

There were a number of other calls made from other extensions at approx the same time (give or take a few min) but all the calls were 1-5min long.

This is very strange...
 
We use Tapit for CDR collecting and your format looks similar - yes our Tapit does not show the 'access codes' such as 9 (for outbound) 011 (for international) so consider that stripped.

As for the hacking/ toll fraud have you seen repeat offenses then? I only see records from 5-26. I would pull some other dates/times for comparison.

Also, what brought up the suspicion? Just normal reports that you run?
 
Not saying this is what's happening but we've had issues with cleaning crews making lots of similar calls after hours.
I can't imagine someone's phone being tied up for a couple of days without anyone noticing though.
 
My question to them is:

How can the call register for 3000 minutes then another call a couple minutes later go for 480 minutes?

Then call the carrier and have them check the LD records. This has got to be bad data.
 
The call records provided do not fit any call record that I have seen from a Nortel. Will stand corrected if someone can show the references.

For the sake of the exercise, you should set your maintenance port as a CDR port as well and look at the raw data from the switch. That seems to be the best comparison.

My feel is that you should be approaching the carrier looking for the call records. Durations that high, and if you can get a rough indication of the start / end of the call, should not be that hard to find.

As a test, and after you verify raw data, try initiating a call out, then transfer that call to another outside number. See what comes out. This used to be a common toll fraud here.

 
There were about 20 calls made that night. Most were anywhere from 1-10 min long and overseas.

I need to check to see if the carrier is billing us.

Thx
 