
How to audit attempts at remote access

Status
Not open for further replies.

nwaller

IS-IT--Management
Jun 21, 2011
3
CA
I recently noticed some strange entries in our calls logs. It looks like somebody is dialing in once every minute, for about a minute. We have a Mitel ICP 3300. Extension 2200 is the operator's extension. Here's a sample of the CDR output:

@20110705@ 07/05 06:26P 0000:00:58 X9999 0017 2200 5002 X 2200
@20110705@ 07/05 06:27P 0000:00:59 X9999 0016 2200 5003 X 2200
@20110705@ 07/05 06:28P 0000:00:58 X9999 0016 2200 5004 X 2200
@20110705@ 07/05 06:29P 0000:00:58 X9999 0017 2200 5001 X 2200

I suspect that somebody is trying to brute-force our manager/admin passwords using an automated dialer. Is there any way to audit access to the administrative menu? Or is it possible to disable this access entirely?
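The minute-by-minute cadence in the CDR sample above can be checked mechanically across a whole log rather than by eye. The script below is an added example for this thread, not Mitel code or anything posted here; it assumes the column layout of the quoted lines (date stamp, MM/DD, time, duration, an origin tag such as X9999, a four-digit field, then the called extension) and flags runs of calls between the same origin tag and extension that arrive within about a minute of each other.

```python
import re
from datetime import datetime

# Constructed sample modelled on the CDR lines quoted above, plus one ordinary call.
SAMPLE_CDR = """\
@20110705@ 07/05 06:26P 0000:00:58 X9999 0017 2200 5002 X 2200
@20110705@ 07/05 06:27P 0000:00:59 X9999 0016 2200 5003 X 2200
@20110705@ 07/05 06:28P 0000:00:58 X9999 0016 2200 5004 X 2200
@20110705@ 07/05 06:29P 0000:00:58 X9999 0017 2200 5001 X 2200
@20110705@ 07/05 06:45P 0000:03:12 X9999 0012 2200 5005 X 2200
"""
# Assumed layout: @YYYYMMDD@ MM/DD HH:MM[AP] HHHH:MM:SS <origin> <4 digits> <called ext> ...
LINE_RE = re.compile(
    r"@(?P<date>\d{8})@ \S+ (?P<time>\d{2}:\d{2})(?P<ampm>[AP]) "
    r"(?P<dur>\d{4}:\d{2}:\d{2}) (?P<orig>\S+) \S+ (?P<dest>\d+) "
)
def parse_cdr(text):
    """One dict per parsable line: timestamp, duration in seconds, origin tag, called extension."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # tolerate lines that do not fit the assumed layout
        hour, minute = map(int, m["time"].split(":"))
        hour = hour % 12 + (12 if m["ampm"] == "P" else 0)  # 12-hour clock to 24-hour
        ts = datetime.strptime(m["date"], "%Y%m%d").replace(hour=hour, minute=minute)
        h, mi, s = map(int, m["dur"].split(":"))
        records.append({"ts": ts, "dur": h * 3600 + mi * 60 + s, "orig": m["orig"], "dest": m["dest"]})
    return records

def find_periodic_bursts(records, max_gap=90, min_run=3):
    """Runs of >= min_run calls between the same origin tag and extension, each within max_gap s of the last."""
    by_key = {}
    for r in records:
        by_key.setdefault((r["orig"], r["dest"]), []).append(r)
    bursts = []
    for key, calls in by_key.items():
        calls.sort(key=lambda r: r["ts"])
        run = [calls[0]]
        for prev, cur in zip(calls, calls[1:]):
            if (cur["ts"] - prev["ts"]).total_seconds() <= max_gap:
                run.append(cur)
                continue
            if len(run) >= min_run:
                bursts.append((key, run))
            run = [cur]
        if len(run) >= min_run:
            bursts.append((key, run))
    return bursts
```

Running `find_periodic_bursts(parse_cdr(SAMPLE_CDR))` on the sample returns the single four-call run from X9999 to 2200 and ignores the isolated 06:45P call.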
 
Sorry, I don't know how to answer your questions. My training is mostly with servers, not telephony.

We have three Mitel ICP 3300 gateways with an IP link between them. Each gateway is also connected to the PSTN through an ISDN PRI link.

Since our office is closed at night, I don't know whether the extension is actually ringing. However, the calls are also showing up in the Unified Communicator call log.
 
These calls originated from a different PBX.
You'll need to login to the other systems and see if you can find the original source PBX. You should also see if you can turn on Caller ID reporting in the SMDR form.

Dry Aquaman

 
To help in troubleshooting calls go to the SMDR Options form in each system and set the following options to Yes:

Network Format
ANI/DNIS/ISDN/CLASS Number Delivery Reporting

This will show much more information on calls coming into the system and between systems. Also, check the COS for the PRI trunks in each controller and make sure that SMDR External is set to Yes.
 
X9999 means it's coming across IP trunks from another 3300 somewhere. If it's trying to ring the console it's most likely ringing your company's main number, which I assume would go to the operator. Could also be some type of automated fax server trying to look for fax tone to deliver its fax spam.

The single biggest problem with communications is the illusion that it has taken place.
 
@dryaquaman:
It makes sense that the calls came from another PBX, since there were no public phone numbers in the call logs. Our SMDR logs normally include caller ID records for inbound calls.

@SXWizard:
I can't change the SMDR formatting options, because our logs are collected and interpreted by a third party software product which expects a very specific format. Currently "Network Format" is "No" and "ANI/DNIS..." is "Yes". I also noticed that "Report Internal Calls" is "No".

@LoopyLou:
Yep it's probably from another 3300, and I'm pretty sure it did ring the operator.

-------------------

I tried to check call logs on the other two PBXs from the same time period, but nothing shows up. It looks like I have insufficient logging data to get a clear understanding, and it hasn't happened again since then.

I'm just going to assume that LoopyLou was right, and it's some kind of relatively benign automated system. Thanks everybody.
 
Do you have route lists configured?

We experienced an issue the other day whereby someone hacked several mailboxes.
They were trying to dial an international number, the call failed as the required COR was in place, however as we use route lists the call went over the 2nd route which was the IP network.
Thankfully the IP routes were also restricted from dialling out.

Probably worth exporting the vm form for peace of mind and checking the operator extensions.
 