Help please suspicious entries in logs

Status
Not open for further replies.

janus2005

Technical User
Dec 6, 2005
6
BE
Hello all,
Quick question from a newbie:

Our MD110 BC12 SP8 has been acting a bit strange lately (i.e. calls go to wrong extensions, echo on the voice calls, etc.).
I checked our LOG**.dat and found some suspicious entries like this one:

2006-11-26 02:55:49 SYSTERMINAL MDUSER LOGIN OK
2006-11-26 03:22:53 SYSTERMINAL MDUSER LOGOUT

I presume that this login is via the modem (yes it was always plugged in). I find it strange that our vendor would be servicing our PBX at these late hours in the morning and also for example on Christmas day there are log entries.

My question is this: do you think we have been hacked? If so, what to do, presuming they have had access to the system for quite some time? Is it possible to check the origin of these dial-ins late at night?
Here's the printout of the CLINP; command:
<CLINP;
CALL LOGGING DATA

CALL LOGGING MODE: ACTIVATED

MOBILITY LOGGING MODE: NOT ACTIVATED

HEADER FORM DMPSIZ DISCR IN SERVICE LOGABN LOGFAL HRTBT
MIDUPO 4 1 0 YES YES 3 NO

ORIG DIAL TIME
ALL ALL ALL

DIR LIM BPOS EVENT



END

Any help would be appreciated.
 
Changing the password to something else is the best solution.

If this "hacker" is sending his CID, check his/her number in your call logging system (Ring Master etc.).
 

How does the command log file look at this time and date?
Can you give us a FIFCP of these 27 minutes?
 
@fcpli: I haven't found any suspicious numbers. Changing the password would prevent them from getting back in, but not undo whatever damage has been done meanwhile. Like any computer, once it's been compromised the only really safe thing to do is reinstall everything from trusted media.

@NCCOI: Unfortunately there are no command logs, as logging was disabled. It is now enabled for future use.

As I said, I'm a bit of a newbie on the MD110. Is this behaviour (i.e. calls going to wrong extensions, echo on the line and 3AM logins from the "supplier") normal, or am I being paranoid?
I don't want to overreact, but I also don't want to underreact, as the MD is in a fairly sensitive facility.
 
Hi

Why don't you ask your vendor, if you have a maintenance contract, what the problem is?
 
The problem is that the vendor has never been too cooperative and never wants to give out any info, which doesn't exactly inspire trust.

That is why I am asking in this forum, where there is expertise and no vested interest in telling us everything is fine so that the vendors don't lose any contracts. Did I mention they left in the default level 7 password? Now you see the problem?
 
janus,

Are you sure there aren't other systems that log in automatically to your system, like a DNA server (time synchronisation)?

Your comment about a "compromised system" is not entirely true; just change the password if you are sure you're being hacked. The MD110 is not an ordinary computer...

-----------------------------------------------------
What You See Is What You Get
Never underestimate tha powah of tha google!
 
Hi Janus

Do you have an AAU2 board, or EVM (Event Manager) or HPOV that handles the alarms of your system?
There is a good chance that it is this alarm supervision feature that accesses your system.
Could you post the result of the IOELP command?

 

The problem is that, if it all ends up being illegal and he really is "MDUSER", he is most probably an AUTH 7, and then you can't change the password.

In my case "SYSTERMINAL" would mean that a technician was on location and logged in with his PC on the NIU in LIM1, so I understand you're worried.

 
@whosrdaddy: Unfortunately I am not sure of much of anything. However our DNA server doesn't log on automatically.

@fouesnant: I don't think so but I don't really know. Here's the result of the IOELP:
< IOELP;
EVENT LOG FUNCTION STATUS

LOG DIRECTORY /SYSN/USR1/SES/IC
LOGIN LOG ON
COMMAND LOG ON
PRINT RESULT SEPARATOR INITIATED/ENDED BY DATE
YES YES H'20 MDUSER 2007-06-07

END


Plus another reason I don't think it is any sort of automatic login is that the logs show large periods of time without any login, then logins on Sundays and holidays at strange times, sometimes for hours on end. I'm no expert on the MD110, but this seems like human action to me.
Thanks for all your help.
 
Is the "Ericsson MD110 Time" service started on your DNA server?

-----------------------------------------------------
What You See Is What You Get
Never underestimate tha powah of tha google!
 

Ask the one who enabled your command log yesterday.
He used "MDUSER".

 
@whosrdaddy: No. It's set on manual.

@NCCOI: That was me yesterday. Command logging was off until I turned it on yesterday.

Any more ideas, or is it safe to assume unauthorised entry?

Here's another strange log:
2005-10-30 03:35:59 SYSTERMINAL MDUSER LOGIN OK
2005-10-30 02:33:02 SYSTERMINAL MDUSER LOGOUT

Notice that the logout time comes BEFORE the login time. Is this a bug in the MD110 or someone sloppy in cleaning the logs?
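As an added illustration (not part of the thread, and not an Ericsson tool), the following Python script shows how a defender could triage LOG**.dat login entries of the kind pasted above: it pairs each LOGIN with the following LOGOUT for the same terminal and user, computes the session length, and flags sessions that start outside business hours or on a weekend, as well as pairs where the logout timestamp precedes the login (the anomaly noted in this post). The sample log combines the two pairs quoted in the thread with one constructed weekday pair; the business-hours window is an assumption to adjust.

```python
import re
from datetime import datetime

# Line shape seen in the thread's LOG**.dat excerpts:
# "2006-11-26 02:55:49 SYSTERMINAL MDUSER LOGIN OK"
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\S+) (\S+) (LOGIN|LOGOUT)(?: (\S+))?$"
)

# Constructed sample: the two pairs quoted in the thread plus one
# weekday, daytime pair that should raise no flag.
SAMPLE_LOG = """\
2006-11-26 02:55:49 SYSTERMINAL MDUSER LOGIN OK
2006-11-26 03:22:53 SYSTERMINAL MDUSER LOGOUT
2005-10-30 03:35:59 SYSTERMINAL MDUSER LOGIN OK
2005-10-30 02:33:02 SYSTERMINAL MDUSER LOGOUT
2007-06-07 10:15:00 SYSTERMINAL MDUSER LOGIN OK
2007-06-07 10:40:00 SYSTERMINAL MDUSER LOGOUT
"""


def parse_log(text):
    """Yield (timestamp, terminal, user, event) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            yield ts, m.group(2), m.group(3), m.group(4)


def review_sessions(text, start_hour=8, end_hour=18):
    """Pair LOGIN/LOGOUT per (terminal, user) and attach review flags.

    Flags: 'off-hours' (login outside start_hour..end_hour, assumed window),
    'weekend' (login on Saturday/Sunday), 'clock-skew' (logout earlier than
    login), 'logout-without-login' (no preceding LOGIN for that pair).
    """
    open_sessions, report = {}, []
    for ts, term, user, event in parse_log(text):
        key = (term, user)
        if event == "LOGIN":
            open_sessions[key] = ts
            continue
        login = open_sessions.pop(key, None)
        if login is None:
            report.append({"user": user, "login": None, "logout": ts,
                           "flags": ["logout-without-login"]})
            continue
        flags = []
        if not start_hour <= login.hour < end_hour:
            flags.append("off-hours")
        if login.weekday() >= 5:
            flags.append("weekend")
        if ts < login:
            flags.append("clock-skew")
        report.append({"user": user, "login": login, "logout": ts, "flags": flags})
    return report
```

A "clock-skew" hit only marks the pair for a closer look; it does not by itself tell a tampered log from a clock change or an unpaired entry, so the flagged span should be cross-checked against the command log once that is enabled.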
 

If you are MDUSER, then change the password, and any access via MDUSER will then fail as the password is changed.

Do you maybe have a call logger that polls for data? You will find out what is polling your MD110 if you change the password, as whatever it is will stop working. There is nothing else you need to do to stop this access.

best parnum
 