Voicemail was hacked..

DBrewsky

I was dispatched to a customer who had their BCM50 hacked. I looked at the CDR logs and found they were using the Link Transfer out of the voicemail system. I ran a Mailbox Information report but didn't find anything out of the ordinary. I searched all 11 mailboxes and only one had outbound transfer enabled, and it was to a local number.

I checked the only active CCR tree and the only option in use was to send the caller to a specific mailbox.

Got me stumped... Below is a tidbit of the CDR. You'll notice the "L" and then an international number with a duration of 25 seconds. However, the call lasted a good 15 minutes. This is because once the link transfer was initiated and transferred successfully, the trunk was dropped from the BCM.

Any ideas? Is there a new hacking method I may not know about? Been doing this work for a long time, and I normally can find where the hacking occurred.

-------- 01/14/12 15:16:24 LINE = 0064 STN = 393
BC = SPEECH
00:00:00 INCOMING CALL RINGING 0:00
00:00:14 DIGITS DIALED L
DIGITS DIALED 011xxx3734682
00:00:25 CALL RELEASED


Thanks..

--DB

 
need to check admin mailboxes "gen delivery,101,102"

6 months until ski season starts...sadly i must resign myself to the warmer weather"this will include a normal 8-5 work day, 5 days a week"
 
Yes, it was an analog line going into the system. Like I said, I pulled a report and it will show when a mailbox has external forwarding enabled and in use. When this happens we will always see which mailbox was hacked and what number they put for the dial out string.

I have seen *67 as this will always bypass the normal filters, but in a BCM you can create a filter with those digits. I have seen 011+number, 1010+carrier+number, and many others. We would create a filter and apply it to all the application DN's, then remove the ability to do outbound transfers, etc. The normal stuff.. This would normally halt the problems. But this one has me stumped. I found many mailboxes that were locked, but none with the outbound transfer programmed.

Weird...

--DB

 
Try to call the line and press flash or link key and see if you get dial tone. I ran into this at a bank a few years ago. It was a problem with the telco.
 
Link (feature 71) does work on these lines. But in order to flashhook a line, it has to be done through the voicemail.

-------- 01/14/12 15:16:24 LINE = 0064 STN = 393
BC = SPEECH
00:00:00 INCOMING CALL RINGING 0:00
00:00:14 DIGITS DIALED L
DIGITS DIALED 011xxx3734682
00:00:25 CALL RELEASED

STN = 393 is an Application DN for the voicemail.

--DB

 
Yes, they do. I'm just scratching my head as to how the hacker did it. No trace of any mailbox with outbound transfer programmed.

--DB

 
DISA, Vmail and a bad employee who forwards their phone external at night are the only ways I can think of.

i.e. STN = 393, who or what is that? is line redirect On for that user?

""gen delivery,101,102" "
You checked?


=----(((((((((()----=
curlycord
 
393 is an application DN for the voicemail.

Mailbox 100 and 102 not initialized. Remote initialization is disabled.

DISA not used.

No set has external call forward enabled.

All analog lines (061-064).

--DB

 
mailbox 101 is an admin mb and should be checked
102 checked for dialout???

6 months until ski season starts...sadly i must resign myself to the warmer weather"this will include a normal 8-5 work day, 5 days a week"
 
I'd suspect the system is being programmed temporarily and after the call has been made is removing the programming and unfortunately, any target line answer assignment and CCR tree reporting is also lost other than the CDR you see.



KE407122

"The phone was working fine before it knocked over my coffee.
 
The twenty-five seconds to Link flash the call is all the BCM sees no matter how long the call duration actually was.
Some CO's Loop Supervision is slow (or non-existent) on disconnect compared to Ground Start and would take about 25 seconds to drop the line after the link--- which then frees up the line to take another call.

KE407122

"The phone was working fine before it knocked over my coffee.
 
I thought about the logging in portion and viewed the logs and saw where a previous tech entered into programming, but nothing else until I logged in. Also the password is changed and not default, nor had it been defaulted.

The timing issue is only until the flash hook, because that's all they needed. After that it was on the local exchange carrier.



--DB
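
A way to sweep a CDR export for the pattern in the excerpt quoted in this thread: an incoming call answered by a voicemail application DN, then Link ("L"), then a dial string with one of the prefixes mentioned above. This is an added example, not from any poster in the thread or from the vendor; it assumes the CDR text follows the layout of the quoted excerpt, and the function names and the second sample record are made up.

```python
import re

# Constructed sample: first record is the CDR excerpt quoted in the thread,
# second is a made-up Link transfer to a local number for contrast.
SAMPLE_CDR = """\
-------- 01/14/12 15:16:24 LINE = 0064 STN = 393
BC = SPEECH
00:00:00 INCOMING CALL RINGING 0:00
00:00:14 DIGITS DIALED L
DIGITS DIALED 011xxx3734682
00:00:25 CALL RELEASED
-------- 01/14/12 17:30:05 LINE = 0061 STN = 393
BC = SPEECH
00:00:00 INCOMING CALL RINGING 0:00
00:00:09 DIGITS DIALED L
DIGITS DIALED 5550142
00:00:20 CALL RELEASED
"""

HEADER = re.compile(r"^-+\s+(\S+ \S+)\s+LINE = (\d+)\s+STN = (\d+)")
DIGITS = re.compile(r"DIGITS DIALED\s+(\S+)")
# Dial-string prefixes the thread names: 011+number, 1010+carrier, *67.
RISKY_PREFIXES = ("011", "1010", "*67")

def split_records(text):
    """Group CDR lines into records; a '--------' header starts each one."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            records.append({"when": m.group(1), "line": m.group(2),
                            "stn": m.group(3), "dialed": [], "incoming": False})
        elif records:
            records[-1]["incoming"] |= "INCOMING CALL" in line
            d = DIGITS.search(line)
            if d:
                records[-1]["dialed"].append(d.group(1))
    return records

def suspicious_link_transfers(text, app_dns):
    """Flag incoming calls answered by an application DN where Link ('L')
    is immediately followed by a dial string with a risky prefix."""
    hits = []
    for r in split_records(text):
        if r["incoming"] and r["stn"] in app_dns:
            pairs = zip(r["dialed"], r["dialed"][1:])
            hits += [(r["when"], r["line"], r["stn"], nxt) for tok, nxt in pairs
                     if tok == "L" and nxt.startswith(RISKY_PREFIXES)]
    return hits
```

Calling `suspicious_link_transfers(SAMPLE_CDR, {"393"})` returns only the first record; the Link transfer to the local number is not flagged.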

 