
Suspicious activity / Help Interpreting CDR


dotanak

IS-IT--Management
Oct 23, 2012
Hi,

I was notified by our phone provider that they noticed international calls on 4th of July. Looking at the CDR info on the BCM 400, I see the calls but there is no mention of an actual set that is assigned to an employee. Instead, I see different lines and DN500. The pattern of the CDR file is: Start (S), Transfer (X), and End (E) - our BCM is configured for SL-1 CLID reports.

When I do see an international number, it is prefixed with a Dial-Around (1010) number. I was not aware of the Dial Around option, but my guess is that it allows people to bypass dialing restrictions that look for 011 as the first digits. In the sample below, 1010-288 is a prefix for AT&T Long Distance followed by a Guinea(?) phone number. Also in the log is 8436515003, which seems to be listed on
S 010 00 DN500 T234000 07/04 02:19 101028801122470500004
X 011 00 T121000 T234000 07/04 02:20
E 012 00 T234000 T121000 07/04 02:20
S 013 00 DN500 T234000 07/04 02:23 101028801122470500004
X 014 00 T121000 T234000 07/04 02:23
E 015 00 T234000 T121000 07/04 02:34
S 016 00 T121241 DN500 07/04 02:23
8436515003xxxxxx
X 017 00 T121241 T234241 07/04 02:23
8436515003xxxxxx
E 018 00 T121241 T234241 07/04 02:34
8436515003xxxxxx
S 019 00 T122241 DN500 07/04 02:24
8432136945xxxxxx
X 020 00 T122241 T233241 07/04 02:24
8432136945xxxxxx
E 021 00 T122241 T233241 07/04 02:34
8432136945xxxxxx

My questions are:
- How do I identify the TXXXXXX lines from this report?
- What is Application DN500?
- How can it be hacked? Is this done via voicemail access?
- How can I block 1010 Dial Around numbers?

I can provide more info as needed in an effort to understand what is happening on the system.

Thanks,
Dotan
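An added example (not from this thread, Nortel or the BCM software) of the sort of check a defender could run over records like the ones quoted above: it parses the S/X/E lines, flags calls originated by DN500 rather than a user set, dialled digits that begin with a 1010 dial-around, 011 or 1900 prefix, and transfers that bridge two trunks, and reads each call's length off the matching E record. It assumes DN500 is the voicemail port and that a party written Txxxxxx is a trunk/line; the digits-only caller-ID continuation lines are skipped.

```python
import re
from datetime import datetime

# Constructed sample: the SL-1 CLID records quoted in the post (S=start, X=transfer, E=end).
# A digits-only line is the calling number of the record before it and is skipped here.
SAMPLE_CDR = """\
S 010 00 DN500 T234000 07/04 02:19 101028801122470500004
X 011 00 T121000 T234000 07/04 02:20
E 012 00 T234000 T121000 07/04 02:20
S 013 00 DN500 T234000 07/04 02:23 101028801122470500004
X 014 00 T121000 T234000 07/04 02:23
E 015 00 T234000 T121000 07/04 02:34
S 016 00 T121241 DN500 07/04 02:23
8436515003xxxxxx
"""
RECORD = re.compile(r"^(?P<type>[SXE]) (?P<seq>\d{3}) \d{2} (?P<orig>\S+) (?P<term>\S+) "
                    r"(?P<date>\d\d/\d\d) (?P<time>\d\d:\d\d)(?: (?P<digits>\d+))?$")
# Prefixes the thread singles out; a 1010xxx dial-around code sidesteps a filter that only watches for 011.
SUSPECT_PREFIXES = {"1010": "dial-around", "011": "international", "1900": "premium-rate"}
VOICEMAIL_DN = "DN500"  # assumption: the application DN seen in the CDR is the voicemail port

def parse_cdr(text):
    """Each record line becomes a dict; lines that are not records (caller-ID continuations) are skipped."""
    return [m.groupdict() for m in map(RECORD.match, text.splitlines()) if m]

def flag_suspicious(records):
    """Alert on an outbound call placed by the voicemail DN, a watched dialled prefix, or a transfer
    that bridges two trunks; call length comes from the first later E record on the same trunk."""
    def stamp(r):
        return datetime.strptime(r["date"] + " " + r["time"], "%m/%d %H:%M")
    alerts = []
    for i, rec in enumerate(records):
        reasons, digits = [], rec["digits"] or ""
        # assumption: a party written Txxxxxx is a trunk/line, DNxxx a set or application
        if rec["type"] == "S" and rec["orig"] == VOICEMAIL_DN and rec["term"].startswith("T"):
            reasons.append("outbound call placed by " + VOICEMAIL_DN + ", not a user set")
        reasons += [label + " prefix " + p for p, label in SUSPECT_PREFIXES.items() if digits.startswith(p)]
        if rec["type"] == "X" and rec["orig"].startswith("T") and rec["term"].startswith("T"):
            reasons.append("trunk-to-trunk transfer " + rec["orig"] + "->" + rec["term"])
        if not reasons:
            continue
        minutes = None
        for later in records[i + 1:]:
            if later["type"] == "E" and rec["term"] in (later["orig"], later["term"]):
                minutes = int((stamp(later) - stamp(rec)).total_seconds() // 60)
                break
        alerts.append({"seq": rec["seq"], "digits": digits, "minutes": minutes, "reasons": reasons})
    return alerts
```

On the sample, the two DN500-originated calls and the two trunk-to-trunk transfers are flagged, and the second call shows the 11 minutes billed to the international number.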
 
Check your voicemail.
Usually mailbox 100

In Call pilot run a directory report and it will show you any extension that have off premises notification switched on with that number programmed in it.

Usually what happens is they hack the mailbox password then set off premise notification to an external number.

Then they dial in and your system forwards the call to their premium line number.
 
Common sense precautions.

Set mailbox passwords to 4 attempts before locking
Disable off premises notification
Disable gen delivery mail if not used
In the line filter, restrict that number so it can't be dialled
 
Thank you, snowman50. I am new to Nortel (worked with Cisco and Digium in the past) and I am slowly finding my way through the system. What is off-premise notification?

The basic Directory report did not give me anything other than these fields: Subscriber, MB, Type Ext, Name Recorded, Greeting Recorded.
The Mailbox Information report reveals what I believe is a hacked mailbox (transferring to an MCI 800 Access Number). I am posting below some info from this report that shows Mailbox 100 and a few lines that are different than most others. Note that for Doe, Jane, RNEXT is to its own extension. What does P 1 mean in Outdial?
NUMERIC MAILBOX INFORMATION REPORT                  Date: 2013/07/09

                                          -Total- --New-- -Unsent- Out
MB  Type Directory Name   Ext COS Msg Min Msg Min Msg Min  dial
--- ---- ---------------- --- --- --- --- --- --- --- ---  --------
100 GDM  General Delivery XXX  1   0   0   0   0   0   0   none
XXX SUB  Smith, Jane      XXX  1   1   1   0   0   0   0   P 1
XXX SUB  Doe, John        XXX  1   5   3   0   0   0   0   P 1
         TRANSF 18004443333

123 SUB  Doe, Jane        123  1   0   0   0   0   0   0   none
         OPN/RNEXT 123

XXX SUB  Smith, John      XXX  1   1   0   0   0   0   0   none
         XFERS Screened

Thanks again for all your help.
 
How can I block 1010 Dial Around numbers

Build a Filter restricting 101 and apply it to all the lines. If they do not use Remote Notification on the Voice Mail I would also build a filter blocking all numbers and assign that to the VM extensions.
 
P1 is line pool A, used to access external lines.

Off Premises Notification is a method the Call Pilot uses to contact you if a voice mail message is left, and the user presses a digit to transfer to your external number (cell phone).
 
Thanks. I changed those mailboxes with Outdial: Pool 1 to None. How do I disable off-premise notifications for all mailboxes (system-wide) and, lastly, how do I lock mailboxes after 3-4 attempts?

 
UPDATE: I found and disabled the following in the Class of Service that most mailboxes belonged to:
Enable Off-premise Msg Notification / Remote Notification: Was checked. Now unchecked.
Enable Outbound Transfer: Was checked. Now unchecked.

This COS also has "max incorrect password attempts" set to 4 which I believe is the minimum.

I will now look at creating the filter to block 011, 1010, 1900, etc. dialing.
 
Thank you hawks and snowman50 for your help. Our phone vendor is scheduled to visit us for something else and he will implement the filter.
 