Help with Toll Fraud and SMDR


floppy1 (Technical User, GB), Aug 7, 2009
Hi all

We may have an issue with calls made to Ethiopia. Embedded VM did have access to the PSTN and COR was not applied. The system has been administered by the company IT dept. I have since locked down all VM ports, so now there is no access to the PSTN whatsoever via the VM ports.



The SMDR records below seem to indicate calls made from ext 2449, but I am not entirely sure. Can anyone who is better versed at reading SMDR please advise? I am a bit baffled by the 12449 in the record.

4400 is a menu mode MB and 2300 is one of the option MBs associated with 4400.

VM options were set to not allow digit 9.



Any assistance is appreciated.




07/15 13:01:16 2449 00251932049974 00000 T3
001 12449 A001721
1 A
07/15 13:00:00 2449 00251928705529 00000 T3
001 12449 C001717
2 A
07/15 12:59:16 0000:00:24 2449 00251926486112 00000A T3
001 12449 C001330
7 A
07/08 12:33:50 0000:00:01 T7 **** P403 001 P403
I 4400 001 00251917102052 2300 A001820
 
Sorry, disregard the first two records; this was the site calling the number to confirm. However, the third record seems to indicate VM had been compromised or misused.

4400 is menu mode with the following options associated

1 4410
2 4440
3 4450
4 2301

I have done "locate number 2300" with the result "number not in use"?
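Added example (not from the thread or from Mitel): a small tokeniser for the wrapped SMDR output quoted above that pulls out the facts relevant to a toll-fraud investigation. It does not rely on the column layout of the Mitel SMDR record, which is not given on this page; the positions of date, time and the optional duration are inferred from the posted lines, and everything else is treated as a bag of tokens. It flags any token that looks like a UK-dialled international number (00 + country code + subscriber digits), maps it to a watchlist (Ethiopia is +251), and notes ACD path tokens such as P403 so the inbound-to-outbound hop in the fourth record stands out. The sample input is the thread's own records, embedded as a constructed string.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input: the SMDR lines quoted in the thread above, with the
# wrapped continuation lines kept exactly as posted.
SAMPLE_SMDR = """\
07/15 13:01:16 2449 00251932049974 00000 T3
001 12449 A001721
1 A
07/15 13:00:00 2449 00251928705529 00000 T3
001 12449 C001717
2 A
07/15 12:59:16 0000:00:24 2449 00251926486112 00000A T3
001 12449 C001330
7 A
07/08 12:33:50 0000:00:01 T7 **** P403 001 P403
I 4400 001 00251917102052 2300 A001820
"""

# A record starts with "MM/DD HH:MM:SS"; any other line is a wrapped continuation.
RECORD_START = re.compile(r"^\d{2}/\d{2} \d{2}:\d{2}:\d{2}(\s|$)")
DURATION = re.compile(r"^\d{4}:\d{2}:\d{2}$")
# International dial string as seen from a UK (00 prefix) system.
INTL_NUMBER = re.compile(r"^00\d{9,}$")
ACD_PATH = re.compile(r"^P\d{3}$")

# Destinations to alert on, keyed by country code (assumed watchlist; Ethiopia is +251).
WATCHLIST: Dict[str, str] = {"251": "Ethiopia"}


@dataclass
class SmdrRecord:
    date: str
    time: str
    duration: Optional[str]   # "HHHH:MM:SS" when present, else None
    tokens: List[str]         # everything after date/time/duration, continuation lines included
    raw: str


def split_records(text: str) -> List[List[str]]:
    """Group wrapped SMDR output into one list of lines per record."""
    records: List[List[str]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if RECORD_START.match(line):
            records.append([line])
        elif records:               # continuation of the previous record
            records[-1].append(line)
    return records


def parse_record(lines: List[str]) -> SmdrRecord:
    tokens = " ".join(lines).split()
    date, time, rest = tokens[0], tokens[1], tokens[2:]
    duration = rest.pop(0) if rest and DURATION.match(rest[0]) else None
    return SmdrRecord(date, time, duration, rest, "\n".join(lines))


def duration_seconds(duration: Optional[str]) -> Optional[int]:
    if duration is None:
        return None
    h, m, s = (int(x) for x in duration.split(":"))
    return h * 3600 + m * 60 + s


def country_for(number: str) -> Optional[str]:
    """Longest-prefix match of the digits after the 00 prefix against WATCHLIST."""
    body = number[2:]
    for cc in sorted(WATCHLIST, key=len, reverse=True):
        if body.startswith(cc):
            return WATCHLIST[cc]
    return None


def analyse(rec: SmdrRecord) -> dict:
    """Extract the fraud-relevant facts from one record without relying on column positions."""
    origin = rec.tokens[0] if rec.tokens and rec.tokens[0].isdigit() else None
    intl = [(t, country_for(t)) for t in rec.tokens if INTL_NUMBER.match(t)]
    return {
        "when": f"{rec.date} {rec.time}",
        "origin": origin,                        # extension in the first slot, if it is one
        "duration_s": duration_seconds(rec.duration),
        "international": intl,                   # [(dialled digits, watchlisted country or None)]
        "acd_paths": sorted({t for t in rec.tokens if ACD_PATH.match(t)}),
        "alert": any(country for _, country in intl),
    }


def international_calls_by_origin(text: str) -> Dict[Optional[str], int]:
    """Count watchlisted calls per originating party; None covers records with no extension in that slot."""
    counts: Dict[Optional[str], int] = {}
    for lines in split_records(text):
        f = analyse(parse_record(lines))
        if f["alert"]:
            counts[f["origin"]] = counts.get(f["origin"], 0) + 1
    return counts


if __name__ == "__main__":
    for lines in split_records(SAMPLE_SMDR):
        f = analyse(parse_record(lines))
        if f["alert"]:
            dest = ", ".join(f"{n} ({c})" for n, c in f["international"])
            print(f"{f['when']} origin={f['origin'] or '-'} acd={f['acd_paths'] or '-'} "
                  f"dur={f['duration_s']}s -> {dest}")
    print(international_calls_by_origin(SAMPLE_SMDR))
```

Run against the posted records it reports three Ethiopian calls with 2449 in the origin slot and one record with no extension there but an ACD path (P403) and a dialled 00251 number, which is the record worth chasing. For a real investigation, feed it the full SMDR export and extend WATCHLIST with whatever premium-rate destinations the site has no business calling.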
 
Make sure they haven't hacked the operator mailbox as well. I've seen them change the extension associated with 0 to dial an external number.

I'm not well versed in SMDR, but the last record looks like an incoming call via an ACD path, I think.
 
You are correct, sarond. The P403 means an ACD queue with a path reporting number set to 403. Does the path by chance overflow to a RAD or mailbox? It's been a while since I have had to thrash around in SMDR records.

An apple a day keeps the doctor away. Anyone else and you need to throw it harder.
 
Thanks both. No, not the 0 MB; I did have a look at that.

Yes, ACD path 4403, path reporting number P403. This path has an interflow to Menu MB 4400. I am now thinking that an MB has been compromised and the contacts in that MB may hold the key.

I will update asap
 
Your Mitel dealer may be able to help with this.
There is a method to list all embedded mailbox settings via the console;
it also includes mailbox personal contact numbers (I just checked our system).

The method is not something that should be published on an open forum, however.

If I never did anything I'd never done before , I'd never do anything.....
 
No.
I learnt it from a Mitel tech, but as I said, it's not something that is public knowledge.

If I never did anything I'd never done before , I'd never do anything.....
 
From memory, you may also be able to check the backup in the
\vmail\temp\db\backup\vmail\0000MASTER.DAT file.

I think Notepad++ may help read it if you use a replace string to remove the NULs:

use replace \x00 with space

Not as easy as the console method, but it may help you see if there are any external numbers assigned.

Anyway, we are getting off track.
If it's the vmail, you need to set the ports to a COR that does not allow international dialling.

No reason to have it allowed that i can see.


If I never did anything I'd never done before , I'd never do anything.....
 
Why don't you just re-create the menu node with new mailbox numbers, change the password and enable mailbox lockout (depending on version), check the ARS is solid (no point having COR groups if routes are compromised), and change the COR of the vmail ports.

Then just delete the old Menu Node.

I normally bar the vmail ports from dialling out at all, then create speedcalls that override toll control for anyone who wants personal contact numbers. It's admin-intensive but secure.
 
Hi all thanks for your help

Found it: MB 2355 contacts. Have a guess what the passcode was?
 
0000 1111 2222 1234

If I never did anything I'd never done before , I'd never do anything.....
 
Customers... life would be so much easier without them :)

For some reason the boss disagrees.

If I never did anything I'd never done before , I'd never do anything.....
 
Sarond, you are correct; the passcode was 2335.

We have since changed the passcode length to 6 digits and stressed to the customer the importance of strong passcodes.
The embedded VM is now locked down with COS and COR, and users are being discouraged from using personal contacts, but for those who insist, a speed call overrides toll control.

Thanks for all the assistance
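Added example (not from the thread, and not a Mitel tool): a passcode audit that encodes the policy the thread ends up with. Given a mailbox-to-passcode map, which is assumed to have been exported by whatever means the admin has (the console listing mentioned earlier is one option), it flags the patterns that let this compromise happen: shorter than six digits, a common default such as 0000 or 1234, a single repeated digit, a straight ascending or descending run, and a passcode equal to or within one digit of the mailbox number, which is the 2355 / 2335 case from this thread. The sample map and the default list are constructed for illustration.

```python
from typing import Dict, List

# Constructed sample: mailbox number -> current passcode. 2355/2335 is the case from the thread.
SAMPLE_PASSCODES: Dict[str, str] = {
    "2355": "2335",
    "4400": "0000",
    "2301": "123456",
    "4410": "1234",
    "2449": "730592",
}

# Passcodes that appear in practically every voicemail fraud write-up (assumed list, not Mitel's).
COMMON_DEFAULTS = {"0000", "1111", "2222", "1234", "4321", "1212", "2580",
                   "000000", "111111", "123456", "654321", "121212"}


def is_repeated(pin: str) -> bool:
    """One digit repeated, e.g. 0000 or 777777."""
    return len(set(pin)) == 1


def is_sequential(pin: str) -> bool:
    """Straight runs like 1234 or 6543 (no wrap-around, so 9012 is not caught)."""
    digits = [int(c) for c in pin]
    steps = {b - a for a, b in zip(digits, digits[1:])}
    return steps in ({1}, {-1})


def near_mailbox_number(mailbox: str, pin: str) -> bool:
    """Equal to the mailbox number, its reverse, or at most one digit away from it."""
    if pin in (mailbox, mailbox[::-1]):
        return True
    if len(pin) != len(mailbox):
        return False
    return sum(a != b for a, b in zip(mailbox, pin)) <= 1


def weak_reasons(mailbox: str, pin: str, min_len: int = 6) -> List[str]:
    """Every policy rule the passcode breaks; an empty list means it passes."""
    if not pin.isdigit():
        return ["not all digits"]
    reasons: List[str] = []
    if len(pin) < min_len:
        reasons.append(f"shorter than {min_len} digits")
    if pin in COMMON_DEFAULTS:
        reasons.append("common default")
    if is_repeated(pin):
        reasons.append("repeated digit")
    if is_sequential(pin):
        reasons.append("sequential digits")
    if near_mailbox_number(mailbox, pin):
        reasons.append(f"too close to mailbox number {mailbox}")
    return reasons


def audit(passcodes: Dict[str, str], min_len: int = 6) -> Dict[str, List[str]]:
    """Mailbox -> reasons, for every mailbox that fails the policy."""
    failures: Dict[str, List[str]] = {}
    for mailbox, pin in passcodes.items():
        reasons = weak_reasons(mailbox, pin, min_len)
        if reasons:
            failures[mailbox] = reasons
    return failures


if __name__ == "__main__":
    for mailbox, reasons in audit(SAMPLE_PASSCODES).items():
        print(f"MB {mailbox}: {'; '.join(reasons)}")
```

Run on the sample, four of the five mailboxes fail and only 2449 (a six-digit passcode with no pattern) passes. Raising the minimum length on the system does nothing for mailboxes that already hold a short passcode, so an audit like this is the way to find them before the next attempt.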
 