
Infected BCM, someone trying to Hack in ?


EduardoYus (IS-IT--Management), Oct 11, 2005
We had a lot of Alarm Banner entries on our BCM 200 (3.6-2.2c) for "Unsuccessful Logon Attempts". It looked like someone was trying to log in using a variety of user names and passwords, common words in alphabetical order. We could see the alarms pile up (over 1500) as it kept trying and trying different words.

After some troubleshooting it appears that the BCM contacted a site in Japan, thus opening a channel of communication (that our Firewall allowed) and that site started the brute force attack on the username and password.

DNS was set up, enabled and pointing to our internal DNS server. I disabled it, removed the IP address it was pointing to, and the alarms stopped. Now of course I'm getting a bunch of "DNS Lookup errors".

My guess is that the Windows NT part of the BCM got infected and is trying to contact a site which, thinking the BCM is a regular server or PC, is trying to log in to install a spam-sending package or something similar.

So...

Has anybody encountered anything like this ?
Any ideas how to fix it ?
Can the drive(s) of the BCM be accessed from another computer to run an anti-virus ?

Many Thanks,

Eduardo
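The pattern described in this post (a burst of failed logons whose user names march through a word list in alphabetical order) is something you can pick out of an alarm export automatically. The following is an added example, not code from the thread or from Nortel; the alarm line format and the source addresses are constructed for illustration, since the BCM's real export format is not shown here.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alarm lines in a hypothetical format:
# "<date> <time> <source-ip> Unsuccessful Logon Attempt user=<name>"
SAMPLE_ALARMS = """\
2005-10-11 09:00:01 203.0.113.7 Unsuccessful Logon Attempt user=aardvark
2005-10-11 09:00:02 203.0.113.7 Unsuccessful Logon Attempt user=abacus
2005-10-11 09:00:03 203.0.113.7 Unsuccessful Logon Attempt user=abandon
2005-10-11 09:00:04 203.0.113.7 Unsuccessful Logon Attempt user=abbey
2005-10-11 09:00:05 203.0.113.7 Unsuccessful Logon Attempt user=abbot
2005-10-11 09:00:06 203.0.113.7 Unsuccessful Logon Attempt user=abdomen
2005-10-11 09:15:00 192.0.2.10 Unsuccessful Logon Attempt user=admin
2005-10-11 09:16:30 192.0.2.10 Unsuccessful Logon Attempt user=eduardo
"""

def parse_alarms(text):
    """Return (timestamp, source, user) for each unsuccessful-logon line."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 7 or "Unsuccessful Logon" not in line or "user=" not in line:
            continue  # skip lines that are not failed-logon alarms
        ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
        events.append((ts, parts[2], line.rsplit("user=", 1)[1]))
    return events

def find_brute_force(events, window=timedelta(minutes=10), threshold=5, min_sorted=0.8):
    """Flag sources with >= threshold failures inside `window`; note whether the
    attempted user names are (mostly) in ascending order, a dictionary-attack sign."""
    by_src = defaultdict(list)
    for ts, src, user in events:
        by_src[src].append((ts, user))
    findings = {}
    for src, items in by_src.items():
        items.sort()
        start = 0
        for end in range(len(items)):           # sliding time window per source
            while items[end][0] - items[start][0] > window:
                start += 1
            run = items[start:end + 1]
            if len(run) >= threshold and len(run) > findings.get(src, {}).get("count", 0):
                users = [u for _, u in run]
                ascending = sum(1 for a, b in zip(users, users[1:]) if a <= b)
                findings[src] = {"count": len(run),
                                 "alphabetical": ascending / (len(users) - 1) >= min_sorted}
    return findings

if __name__ == "__main__":
    print(find_brute_force(parse_alarms(SAMPLE_ALARMS)))
```

On the constructed sample the single quiet source with two failures is ignored, while the six-in-six-seconds alphabetical run is reported as a likely dictionary attack; the thresholds are starting points to tune against your own alarm volume.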
 
Do you have a public IP address on your BCM? Or, do you have any firewall/NAT rules NATing an outside IP to your BCM? My guess is that someone stumbled across it and started hacking away.

The BCM wouldn't have contacted a site in Japan unless someone told it to. Most likely someone in Japan contacted your BCM.

I haven't ever seen a BCM get a virus, but it's not impossible. Load all patches related to Microsoft security advisories (that you get from Nortel's site), and turn off any NAT rules pointing to your system.

That's the number one reason I cringe whenever I read about someone putting a BCM in a DMZ or putting an external IP on the BCM without using the internal firewall.
 
I agree with you, having the BCM public is asking for trouble, for that very reason we do NOT have any public IP on it, nor do we have any NAT rules or conduits. The system is not available from the outside.

My guess is that either somebody visited a site with a drive-by download and, before the desktop's anti-virus caught it, it infected the BCM since it is on the same network, or somebody plugged in a "guest" laptop that was infected.

Our Cisco PIX firewall is set up to not allow incoming connections unless an outgoing connection was initiated from here. It looks like the BCM tries to contact a list of IP addresses and it successfully hit one of them, in this case in Japan.

All Microsoft patches are up to date.

Eduardo
 
Interesting. Definitely sounds like an infection of some type. I've never seen that type of thing happen though unless the BCM was exposed to the Internet.

Not quite sure what to advise you on at this point.
 
Do you have telnet enabled on that unit? Is it an upgraded unit? Perhaps something was loaded on it when VNC was still accessible?

We have had one BCM in our history get hit by a virus, but I'm not sure how it got there.

I would suggest perhaps that you back up your telephony and Voice Apps and have a new hard-drive imaged. That is about the only way that I can see that you will be able to conclusively get rid of the infection.
 
If the NT OS is infected, changing the hard drive won't help, as the NT OS is on the motherboard.
 
No, the NT OS is on the hard drive. The only things that live on the motherboard are memory, CPU, BIOS, and I/O (IDE) controllers. If that were the case, we'd be reprogramming our BCMs when we change base function trays.
 