IP Office DDI no incoming call route ghost calls

[JoeyIT]

Hello,

We were alerted from the phone company that we had calls trying to dial random countries so they blocked it. In the system status I am seeing errors for the following line had no incoming call route for the call and then a random DDI, the current one has 18 digits. The phone company says they aren't seeing the traffic on their end coming in yet I am getting a ton of these errors. We have checked the server the software is running on and don't see anything on it. I have also changed all the passwords to log into the ip office. Has anyone seen anything like this before and know how to stop it. Any ideas are much appreciated!

 

[icet500]

Are these attempts to dial out or in from your Phone system?
What type of line? If SIP trunk, do you have a firewall in between or the IPO has a public IP?

 

[IPEXE]

your system is tried to hack by hacker for international calls to burden huge telco bills.change sip ports,use alphanumeric and special character passwords,
if not necessary block international calls on telco lines.Ask firewall team to configure blacklist IP,deny international calls on extensions during night hours as per your country time table.If any one want international calling try to force pin dialing.

 

[budbyrd]

Google ip office security. Avaya has several version dependent guide line docs.

Dermis and feline can be divorced by manifold methods.*
*(Disclaimer for all advise given)--'Version Dependent'

 

[JoeyIT]

It appears they are dialing from the inside. It's a trunk that comes in from the IPO and is converted to a PRI in the avaya. In the sys monitor it shows as the number being dialed but then it gets shut down. I'm trying to figure out what is doing the dialing so I can shut it down.

I'll look at the guide I found in terms of security. Thanks for the responses.

 

[CarGoSki]

sysmon traces with ISDN L2 and L3 filters and short codes and some others on will tell the tale but then you need someone who can read the traces.

BTW IPO does not convert anything to PRI. Instead an IAD(Integrated Access Device) can take a SIP trunk from the provider and convert to mixed media for different uses by the premise. One thing it can convert a provider SIP line is to a PRI line which can then be connected to IPO.

 

[JoeyIT]

Yeah should of been clearer on that. The sip trunk comes off the IPO switch into an adtran device and then into the pri port on the avaya. I've changed all the passwords and have rebooted but still not sure what's going on. The unit itself doesn't have internet access. Below is what I see when a call is generated but don't have enough knowledge to know where exactly it is generating from. I'm think its time to get a phone vendor involved at this point.

22:52:51 1600570mS CMTARGET: ISDN BChannel 1: in-service check = 1
22:52:51 1600571mS CMLineRx: v=1
CMSetup
Line: type=Q931Line 1 Call: lid=1 id=7 in=1
Called[99999999999999999999] Type=Unknown (0) Reason=CMDRdirect SndComp Calling[] Type=Unknown Plan=Unknown Pres=Allowed (0)
BC: CMTC=Speech CMTM=Circuit CMTR=64 CMST=Default CMU1=ULaw
BChan: slot=0 chan=1
IE CMIESupplementaryService (3)
Interpretation APDU
rejectAnyUnrecognisedInvokePdu
CallingName.Invoke.CodePageUnknown
invokeId 1
user '' presentation Restricted
22:52:51 1600571mS PRN: Q931Trunk: Found QBChannel to match 0.1 --> 1.2
22:52:51 1600571mS CMCallEvt: 0000000000000000 0.1014.0 -1 BaseEP: NEW CMEndpoint f197573c TOTAL NOW=1 CALL_LIST=0
22:52:51 1600571mS CMTARGET: ISDN BChannel 1: in-service check = 1
22:52:51 1600572mS CMTARGET: ISDN BChannel 1: in-service check = 1
22:52:51 1600572mS CMCallEvt: CREATE CALL:7 (f19750c4)
22:52:51 1600572mS CMCallEvt: 0000000000000000 0.1015.0 -1 BaseEP: NEW CMEndpoint f19737b8 TOTAL NOW=2 CALL_LIST=0
22:52:51 1600574mS CD: CALL: 1.7.1 BState=Idle Cut=1 Music=0.0 Aend="Line 1" (1.2) Bend="" [] (0.0) CalledNum=99999999999999999999 () CallingNum= () Internal=0 Time=2 AState=Idle
22:52:51 1600574mS CD2: CALL:S 1.7.1,0.1015.0,0,0,1,0,0,0,Line 1,,,1.2,0.0,100.0,99999999999999999999,0.0,,,,100,,100,,0,16,0,1,0.0,,,,,,,0,2,0,0,0,0,,,0,,0,0,0,0,,7,0,0,,0,,3,0,0,0,0,0,0,1,618,1,,,,,,,,,,,,,,,
22:52:51 1600574mS CMCallEvt: 0a1e141e00000007 1.7.1 7 Q931 Trunk:1 CHAN=1: StateChange: END=A CMCSIdle->CMCSDialInitiated
22:52:51 1600575mS CMTARGET: 0a1e141e00000007 1.7.1 7 Q931 Trunk:1 CHAN=1: LOOKUP CALL ROUTE: GID=0 type=0 called_party=99999999999999999999 sub= calling= calling_sub= dir=in complete=1 ses=0
22:52:51 1600576mS CMLOGGING: CALL:2020/07/1422:52,00:00:00,000,,I,99999999999999999999,99999999999999999999,,,,0,,"",0,n/a
22:52:51 1600576mS CD: CALL: 1.7.1 BState=Idle Cut=0 Music=0.0 Aend="Line 1" (1.2) Bend="" [] (0.0) CalledNum=99999999999999999999 () CallingNum= () Internal=0 Time=4 AState=Dialling
22:52:51 1600577mS CD2: CALL:S 1.7.1,0.1015.0,7,0,0,0,0,0,Line 1,,,1.2,0.0,100.0,,0.0,,,,0,,100,,0,16,0,1,0.0,,,,,,,0,4,0,0,0,0,,,0,,0,0,0,0,,7,0,0,,0,,3,0,0,0,0,0,0,1,618,1,,,,,,,,,,,,,,,
22:52:51 1600577mS CD: CALL: 1.7.1 Deleted
22:52:51 1600577mS CMLineTx: v=1
CMReleaseComp
Line: type=Q931Line 1 Call: lid=1 id=7 in=1
Cause=1, Unallocated (unassigned) number
22:52:51 1600577mS CMCallEvt: 0a1e141e00000007 1.7.1 -1 Q931 Trunk:1 CHAN=1: StateChange: END=X CMCSDialInitiated->CMCSDelete
22:52:51 1600577mS CMCallEvt: 0000000000000000 0.1015.0 -1 BaseEP: DELETE CMEndpoint f19737b8 TOTAL NOW=1 CALL_LIST=0
22:52:51 1600577mS CMCallEvt: END CALL:7 (f19750c4)
22:52:51 1600578mS CMTARGET: ISDN BChannel 1: in-service check = 1
22:52:51 1600578mS CMTARGET: ISDN BChannel 1: in-service check = 1
22:52:51 1600578mS CD2: CALL 1.7.1,0.1015.0,7,,,,,,,,,,,,,,,,0,0,,0,,3,0,0,0,0,0,0,1,618,1
22:52:51 1600579mS CMTARGET: 0a1e141e00000007 1.7.1 -1 BaseEP: ~CMTargetHandler f196d5e0 ep f197573c
22:52:51 1600579mS CMCallEvt: 0a1e141e00000007 1.7.1 -1 BaseEP: DELETE CMEndpoint f197573c TOTAL NOW=0 CALL_LIST=0