School Hacked and Made International Calls 3

[DawsIsHere]

So I came into the office today with a pressing phone call from one of the high schools that we manage their IPO for. They had gotten hacked and were making international calls to Serbia, thankfully the provider caught this and stopped it before it got too out of hand. (they're also not charging the high school which is neat) We've since blocked international dialing on both the provider side and the IPO side of the house. But I'm curious on how this was done.. I was thinking they got in somehow through voice mail? Or TSPI since it was left (by default) on an unsecured port. Any ideas? I just want to know to prevent it from happening again/to other customers that have international dialing.

Thanks guys!

Anything That Can Go Wrong, Will Go Wrong-De Morgan

 

[IamaSherpa]

For my experience they use 2 ways: 1st by logging in or creating a sip user; 2nd by using tapi connected in the afterhours time to handsfree phones and generating long distance but short lasting calls

 

[sizbut]

Given its a school (high throughput of a wide variety of people every day) I wouldn't rule out simple insider maliciousness before looking for external hacking.

Stuck in a never ending cycle of file copying.

 

[Westi]

3rd option to do that is to find a mailbox password, then call the mailbox with caller ID of some ... far away country and then log back in and hit ** to call back.

That is only possible in "IP Office mode" which is why I try to convince customers that have that to change to Intuity mode instead. I don't like IP Office mode but European techs here will disagree as it seems popular in Europe.

Joe
FHandw, ACSS, ACIS

If you give more information you will get better answers. If you only give bits and pieces then you will get the same back and maybe not fitting your problem.

 

[DawsIsHere]

Thank you guys! They were able to forward calls through an Auto Attendant that allowed you to access your voicemail box remotely. The users didn't have passcodes set on their voice mail box and that's how they were able to route those calls out. It wasn't internally or a student doing something malicious. We are running traces to see what or who is trying to access the phone system after-hours. I appreciate all the responses and they were all spot on when it comes to vulnerabilities.

Anything That Can Go Wrong, Will Go Wrong-De Morgan

 

[sizbut]

...because Intuity is the opposite of intuitive. It requires you to do a lot more work to get to the number one purpose most people will access their mailbox for: listening to the message that MWI light was telling them about.

[ul]
[li]IP Office mode: Dial *17 from your phone. It announces the number of new messages and then starts playing the first one. ie. It assumes that the main function of the whole thing should also be its default function unless you select something else. [/li]
[/ul]

[ul]
[li]Intuity mode: Dial *17 from your phone, press #, enter your password and press #. It announces the number of new messages, then the number of priority messages, then you have to press 2, and then have to press 0 to skip that interminable header, and finally you get to the first message.[/li]
[/ul]

Stuck in a never ending cycle of file copying.

 

[Westi]

Hi Sizbut
[ul]
[li]accessing the voicemail IP Office mode - press the envelope button[/li]
[li]accessing voicemail Intuity mode - press the envelope button[/li]
[/ul]

HAHAHAHA

I know it may take a few button pushes more but I work with Intuity since 1999 when I actually worked with Intuity and it is so ingrained in my brain that I don't even notice it. You can also set up the Intuity so that you don't need the password which then makes it only pressing 2 and 0

Joe
FHandw, ACSS, ACIS

If you give more information you will get better answers. If you only give bits and pieces then you will get the same back and maybe not fitting your problem.

 

[DawsIsHere]

I love how forums turn into a "Blue/black is better!" "No you're wrong! black/blue is better!" When in all reality they're the same thing. I'm pretty new to IP office and I've been trained to always use Intuity since I've started

Anything That Can Go Wrong, Will Go Wrong-De Morgan

 

[Westi]

DawIsHere - here is some pink for using the right voicemail mode

Joe
FHandw, ACSS, ACIS

If you give more information you will get better answers. If you only give bits and pieces then you will get the same back and maybe not fitting your problem.

 

[DawsIsHere]

(I am also not saying that one is better than the other. I'm just saying I don't know what is better just what I've been told)

Anything That Can Go Wrong, Will Go Wrong-De Morgan

 

[sizbut]

If that visual voice you're describing then you clearly agreing with me, something had to be done to hide the ridiculous Intuity menus.

Stuck in a never ending cycle of file copying.

 

[DawsIsHere]

Guys guys... can't we just be friends? Here's something we should be able to agree on! Cisco Unified Call Manager is an awful system.

Anything That Can Go Wrong, Will Go Wrong-De Morgan

 

[Westi]

Hahaha

I love it.

DawIsHere no worries I am all good with sizbut and I think he is with me, we are here together for a long time and so far have not thrown rocks at each other but thanks for watching out for us.

Joe
FHandw, ACSS, ACIS

If you give more information you will get better answers. If you only give bits and pieces then you will get the same back and maybe not fitting your problem.

 

[sizbut]

Agree Now back to the subject of a potentially hacked system and how that might have been done.

Stuck in a never ending cycle of file copying.

 

[DawsIsHere]

We're looking into if they got in through our Intuity Voicemail but we're pretty sure they're using the old school way of phone hacking using DTMF tones to go through the system. Thoughts?

Anything That Can Go Wrong, Will Go Wrong-De Morgan

 

[Westi]

you would have to have a DISA option programmed on the system to get through the system back out. Have a look in the vmpro and see if you have that.

Check your config for some users that are forwarded, easiest is if you change the setup of the user columns and add the forwarding number as additional column

Joe
FHandw, ACSS, ACIS

If you give more information you will get better answers. If you only give bits and pieces then you will get the same back and maybe not fitting your problem.

 

[DawsIsHere]

Thank you Westi, I'll take a look a the DISA option. We did check to see if any users were setup to forward calls, they weren't.

Anything That Can Go Wrong, Will Go Wrong-De Morgan

 

[DawsIsHere]

Where would I find this DISA option, also?

Anything That Can Go Wrong, Will Go Wrong-De Morgan

 

[IPOTS]

DISA option would be found under the FNE codes.

 

[Westi]

or maybe it is programmed into the auto attendant as an option, VmPro only

Joe
FHandw, ACSS, ACIS

If you give more information you will get better answers. If you only give bits and pieces then you will get the same back and maybe not fitting your problem.