Business Phone Systems
Member (OP), joined Nov 2004, 17 posts
Can anyone tell me where I would look for open or default access passwords for my telrad digital 400 PBX? Our LD vendor called today and said we had billed over 3K in calls to Guantanamo last month. I don't believe that they are originating within the building, as they are all through the day and night.
For now I have shut down international calling, but that is not a viable option for the long term as we have offices in Europe.

I think there must be some open access that I don't know about.

The system:
Digital 400 3 t-1's about 40 pots lines, version is PCP DB6.05

VM is also telrad 6.00D USA

Any thoughts on what I have done wrong? Whatever it is I think has been wrong for a long time and someone has just found it.

thanks
ayb


welcome to mudville.

Moderator-Telrad, joined Aug 2003, 1,281 posts
Turn off forwarding calls access to I for internal. It's in Class of Services and says FWD COR. If you do that no one will be able to call out for the outside. Meaning a HACKER. Then if it's an internal problem you have to set-up toll Restriction. And for your calls to Europe offices set-up toll plans or do VOIP or a t-1 to connect the systems (you can set-up t-1 to t-1 using two different systems), it will save you money in the long run.

Member (OP), joined Nov 2004, 17 posts
Thanks,
I will check it tomorrow and report back what I find.
ayb


welcome to mudville.
Member, joined Sep 2005, 27 posts
1. Are all these calls being metered on one POTS line only? (Your vendor can tell you what phone number the metering is occurring on.)
2. Is that line actually connected to your system? (Ring the phone number and check that it rings into your system.)
3. Get the line checked to ensure there isn't a tail jointed into the cable at the Main frame (I think you call them the closet), where the cable network enters the building. Could be paralleled to another part of the building and active at another outlet. Could even be tailed off in the street to another address. Stranger things have happened.
4. If all else fails connect an SMDR (System Management Detail Recorder) at the system and it will track and record ALL calls made through the system and what numbers have been dialled from what xtn, at what time etc. Do this on the quiet so the offender doesn't become aware and ceases.
5. I don't know the system but similar problems occur here if the system has 3 way conference (1 xtn to 2 exch lines) activated, OR has external call transfer activated (call comes into system, at the cost of a local call, and is transferred to another number anywhere). May only be to another local number BUT may also be international.
You will need an SMDR to chase the xtn user doing this.

Member (OP), joined Nov 2004, 17 posts
POTS lines are being used, but these lines are picked to our LD provider for any LD calls that go out over them. Usually LD calls are routed to the T-1's via LCR so I don't understand how they are forcing them out the POTS lines.

The lines are connected to the system an AA answers when you dial them.

We own the building alone so if someone is tapping, it has to be from the outside. Of course anything is possible.

Can you explain [if it is someone remotely accessing] how they actually do it? I would like to understand the mechanics of it as well.
i.e. they dial one of these POTS and hit some sequence to get another outside line or to connect their current line to another placed call?


We do have numbers that when left a VM will dial pagers, or other numbers. Is this considered call forwarding as well? That is a functionality we really need.

We do have SMDR and I will be checking that as well.

Thanks to everyone again, I really appreciate it!
ayb


welcome to mudville.
Member, joined Sep 2005, 27 posts
If your Long Distance calls are being correctly routed via your LD Provider it most probably means that the calls are being originated from within.
I assume there is a Carrier override code programmed into your system to route calls to your long distance provider which means the code is inserted BY THE SYSTEM prior to digits being sent to line.
Check your system speed dial entries and check if the number is in speed dial store, for no other reason than to remove it. The person responsible may simply have it in their personal speed dial.
If you don't normally call Guantanamo, and have to dial an access code to ring there, bar this code in the system.
But, I feel sure, once you analyze your SMDR records you will find the culprit.

Moderator-Telrad, joined Aug 2003, 1,281 posts
Check your SMDR!!!!!!!!!!

Then beat them with a stick!!!!!!!!!!

Moderator-Telrad, joined Aug 2003, 1,281 posts
Also set-up some toll restriction

Member (OP), joined Nov 2004, 17 posts
We have tapit2000 as our smdr, it is painful to use but what we seem to see is that valid users show their name and extension when making international calls. Invalid users show a trunk number where the extension should be.

Can I get raw data in comma delimited txt format from that software?

my theory:
What I was guessing that these aholes were doing is dialing one of our 800 numbers getting to the AA then doing something[what I have no idea] that would allow them to dial out again. I figured they are not going to want to pay for the call in or out, [of course they are probably stealing that outbound line from some other person anyway. I was just hoping I could track the bastards. A pipe dream I know.]

So that would allow me to align an inbound 800 call to an outbound guantanamo call, and get the number they are calling from as all our 800 billing shows the calling number.

We changed the passwords in 2 places in the PBX configuration and 1 place in the VM system. My vendor assumes it is access via the VM system with someone adding a followme number, but I looked at each and every VM box and there are only the pagers we know about with followme's.

Again I don't understand the mechanics of how they are doing it but since we changed the passwords we have no data in smdr logs that shows calls after the time we changed them.

does that shed any light to you experts?
thanks
ayb


welcome to mudville.
RIP Admin-Founder, joined Jun 2001, 10,631 posts
Do you have DISA set up?
Which has to do with remote system access.

Question to the gurus... should he also change his system password? I don't think they can do it from voicemail, it's from the systems.

RIP Admin, joined Mar 2001, 7,350 posts
1. Do you have Disa set up?

2. Set up forced account codes. I would also check the SMDR as it will tell you what station or stations are doing it. If it is going on in the day time it sure sounds like an employee is involved. I have run into this a few times and the account codes stopped it dead in the tracks because if it is from a hacker they won't be able to do it anymore and if it is an employee they will be able to be traced.

Also change your system program password just in case.


Russ runs a local service and private tech center.

Member (OP), joined Nov 2004, 17 posts
No, we checked DISA and it is disabled.

We changed passwords on PBX and VM and the calling has stopped.

ayb


welcome to mudville.
Member, joined Mar 2004, 880 posts, 1 like
Years ago I had a customer with a similar situation. Their onsite tech had created a bunch of vm boxes in the 9XX range. Someone was calling their auto-attendant line and dialing extension 901. This would result in a trunk to trunk transfer (9 01) and the outside caller could then finish dialing an international call.

Member (OP), joined Nov 2004, 17 posts
So would any VM box in the 9xx allow this or would it have to be 901?

I am checking now to see if I have any MB in that range.

also what is a trunk to trunk transfer and how does it work?
thanks
ayb


welcome to mudville.
Member (OP), joined Nov 2004, 17 posts
just checked no VM boxes in 9xx range.

Does anyone have any experience with the call accounting package tapit 2000? According to our logs we show an Extension 845
[Which is not an extension as far as I can see, that is associated with a T-1 card]
placing a call on trunk 809
[a COL card with POTS line attached I think]
Which is making the connections to cuba and other places.

crazy


welcome to mudville.
Member, joined Mar 2004, 880 posts, 1 like
I've put in a several Tapit systems but I think you need a Telrad expert. Somehow someone is getting access to your lines via DISA or auto-attendant, etc.

Member (OP), joined Nov 2004, 17 posts
It is not DISA as it's disabled.

I am on my second telrad expert at this point, the second being better than the first but even they are saying it is not anything they have seen before. Not the simple things with VM at least.

What we have learned:
we have a toll free number[one of many] that seems to be the point of entry and is even related to the point of exit.

This toll free has a local number associated with it something like 800-123-1234 and 212-123-1234.

What the billing is telling us is that all the LD calls are being billed to the local number 212-123-1234, this is a POTS line on a COL card using labeled Trunk 809.

So we have a T-1 with toll free traffic, and an associated POTS line.

The SMDR is showing that the extension dialing the LD numbers in cuba is usually 845, this to me is not an extension, our internal extensions are 200, 300, 400, and 500 numbers. 845 is a number associated with a t-1 card in the system.

As a test I tried the following:
ran smdr report showing all outgoing calls from trunk 809, got a list of dialed numbers and called one of them in canada. So this guy Mark answers and I proceed to ask him who called him at 2:28 today? He seemed like a nice enough guy and told me his sister had called at that time. So I thanked him and mentioned she might want to find a better way to make her calls.

Anyway my experiment was to see how that call showed up in the smdr reporting so I went back to the reports and ran it for outbound from my extension 499. It showed the 3:32 call to the guy in the great white north 'eh

It also showed me how a true call should look coming from an ext 499 to a trunk 862 to Mark in Canada.

But after all this I still can't see how they are doing it. Our new Telrad vendor is going to escalate to Telrad Engineering to see if they have any ideas.

thanks
ayb


welcome to mudville.
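The distinction the thread has arrived at (a legitimate call shows a real station such as 499 going out on a trunk such as 862, while the fraudulent calls show a non-station number, 845, going out on trunk 809, often at night) can be checked mechanically once the call accounting data is exported as comma-delimited text. The script below is an added example, not code from the thread, from Tapit 2000 or from Telrad; it assumes an export with the column names shown, the station blocks (200 to 599) the poster describes, and an assumed business-hours window, and it runs over a constructed sample rather than real records.

```python
import csv
import io
from datetime import datetime, time

# Constructed sample export (not real call records), modelled on the fields the
# thread discusses: originating extension, outbound trunk, dialed digits.
SAMPLE_SMDR = """date,time,ext,trunk,dialed,duration_s
2006-08-14,15:32,499,862,14165550123,240
2006-08-14,02:28,845,809,01153555012345,1860
2006-08-14,09:10,312,862,12125550199,60
2006-08-14,23:45,845,809,01153555012345,2700
2006-08-14,11:05,417,809,14135550144,45
"""

# Assumed from the thread: internal stations live in the 200, 300, 400 and 500
# blocks; anything else in the "ext" field is a trunk or card, not a person.
STATION_RANGES = [(200, 299), (300, 399), (400, 499), (500, 599)]
BUSINESS_HOURS = (time(7, 0), time(19, 0))  # assumed; adjust to the site
INTL_PREFIX = "011"  # North American international dialing prefix


def is_station(ext: str) -> bool:
    """True if the originating number falls inside a configured station block."""
    if not ext.isdigit():
        return False
    n = int(ext)
    return any(lo <= n <= hi for lo, hi in STATION_RANGES)


def classify(row: dict) -> list:
    """Return the list of reasons a single call record looks suspicious."""
    reasons = []
    if not is_station(row["ext"]):
        reasons.append("origin is not a station (possible trunk-to-trunk call)")
    started = datetime.strptime(row["time"], "%H:%M").time()
    after_hours = not (BUSINESS_HOURS[0] <= started <= BUSINESS_HOURS[1])
    if row["dialed"].startswith(INTL_PREFIX) and after_hours:
        reasons.append("international call outside business hours")
    return reasons


def scan(csv_text: str) -> list:
    """Run every record through classify() and keep the ones with findings."""
    alerts = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = classify(row)
        if reasons:
            alerts.append({**row, "reasons": reasons})
    return alerts


def intl_minutes_by_trunk(csv_text: str) -> dict:
    """Minutes of international traffic per outbound trunk: the figure the
    carrier bill reflects, and the quickest way to spot the trunk being abused."""
    totals = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["dialed"].startswith(INTL_PREFIX):
            trunk = row["trunk"]
            totals[trunk] = totals.get(trunk, 0) + int(row["duration_s"]) / 60
    return totals


if __name__ == "__main__":
    for alert in scan(SAMPLE_SMDR):
        print(alert["time"], "ext", alert["ext"], "trunk", alert["trunk"],
              alert["dialed"], "; ".join(alert["reasons"]))
    print(intl_minutes_by_trunk(SAMPLE_SMDR))
```

Run daily against the export, the two 845/809 records are the only ones flagged, and the per-trunk total shows 809 carrying all the international minutes. Treating "origin is not a station" as a hard alert is the important part: it catches the trunk-to-trunk pattern regardless of the destination, so it still fires if the dialed country changes.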
Member (OP), joined Nov 2004, 17 posts
Forgot to mention that we took Tony's suggestion as well and set the class of service FWD COR to I for all of them.

thanks
ayb


welcome to mudville.
Member (OP), joined Nov 2004, 17 posts
Is there any value in updating our current system from PCP DB 6.05? What could we go up to without buying new hardware? I think that there is a firmware card or module that usually comes with these upgrades.

thanks again
ayb


welcome to mudville.
Member, joined Mar 2004, 880 posts, 1 like
I haven't worked on anything Telrad since the late '80s, but just a thought...

If '809' is the trunk number, is this a system code? I remember the Nitsuko DS01 had trunk numbers (801=line 1, 802=line 2, etc etc.) that if dialed would access that line directly.

In that case are there any mailboxes in the 8xx range (like 809)? Or any whose dial string could possibly access an outside line?

Member, joined Sep 2005, 27 posts
SO, it could be as simple as Call forward no answer or busy to a speed dial number which STORES 809 + external number.

During working Hours simply dial into the system from your own xtn number, via DISA, dial your own xtn number (BUSY), call is forwarded to wherever you want, INTERNAL OR EXTERNAL.

After hours, do the same, but have your xtn programmed as Call Forward All Calls or CFNA to wherever you want, INTERNAL OR EXTERNAL.

I don't know the system but if an xtn user is smart enough they can get the system to do whatever they want.

The SMDR may simply assume that you know your xtn range and expects you to realise that xtn 845 is actually a trunk

OR AM I GRASPING AT STRAWS :rofl:

Member (OP), joined Nov 2004, 17 posts
update:
we removed the POTS line [809] in the COL card, as well as the trunk group it was associated with.

we then busied the line with a jumper at the block [before the PBX] and the calling has stopped.

Of course this is a brute force method of fixing it and the question still remains how the heck it happened at all.

I still have the idea that it is somehow tied to the fact that the 809 trunk is associated with the toll free number that rings into the T-1.

thanks
ayb


welcome to mudville.
Member, joined May 2005, 56 posts
Just in case you're still curious about how this was occurring. Check the follow me numbers in voice mailboxes. Seems like it would be really easy for somebody to guess a default password to a vm box. Setup the follow me to be an int'l number and then all they have to do is dial the 800 number, dial the mbox and then the follow me does the work. Doesn't your inbound 800 have CID? Tapit should tell you where the call originated if there's any valid CID getting through. People seem to have covered all the other possibilities, but this one was left out so I had to mention it. Also, if they experiment some, the fact that you busied out the pots line won't stop them. All they would have to do is change the 809 to something else in the follow me. Hmmm, now that I think about it, I don't remember if you can direct access a trunk from a follow me in an imagen... Somebody with a testbench could tell you. Good luck busting whoever did this.

Member, joined Aug 2006, 2 posts
"Just in case you're still curious about how this was occurring. Check the follow me numbers in voice mailboxes."

Yep, I read this thread and was ready to post the same thing. If you are using the old VM ImaGen or whatever, throw it away. It's horrible. Reliable, but a joke to crack. It has no setting to limit the number of password attempts, you can't restrict users from changing follow me numbers. You can setup a toll restriction for what are valid follow me numbers though. Bottom line, punt.

Here is the scam. Some yoyo in say the Philippines sets up a kind of 900 number. An international call that is 7 to 10 bucks per minute. They hack your PBX (your password was probably set to 0000 as that would be the first number tried if they sequentially war dialed you) and they ran a follow me script to setup a number that goes to this goofy 7-10 per hour number. They just need a call to originate and connect. They don't care to make long distance calls, they just want you to generate traffic and build up your bill.

Also, if you have been hit. MAKE SURE YOU CHECK YOUR MESSAGES IN CASE THEY HAVE BEEN CHANGED TO SAY "hello? Yes, I accept the call". lol. There is also a collect call scam floating around. If they cracked your voicemail, then you need to check each and every message. Especially if DID's route right to VM ;-)


It's all good.
Member, joined Aug 2006, 2 posts
Also, don't waste your time trying to figure out where the call originated. You will most likely find it came from another compromised system.

With computers connected to the internet via dialup, you can also bet that the call could have come from a trojan dialer on 100's or thousands of compromised zombies that have modems attached. When little Johnny goes beddie bye, the trojan starts to dial out his modem and look for all the old classic systems. A simple script would tell me what kind of VM I hit and what script to run.

Also, once you are hit, you can bet you are a target now. They know you have a telrad, they know you have an imagen. Think of yourself as that girl in high school who was "accessible", all the boys will know about you, lol. You are on the list.

Some tips:

1. Setup a restriction for the trunk that manages your follow me calls.

2. Setup a dial pattern change that will take any 9011* (for example) follow me calls and erase them but instead call a number that would only get a call from this modified dial pattern. (maybe setup a DID that you don't use to call an ext that is specifically to receive these calls) if a call comes in, then you have a very good chance that your VM was compromised. You then audit your VM. It's a poor man's fraud alert.

3. Get a new VM. A Linux Box running Asterisk can be done for well under 500.00. Extremely flexible and powerful and will also provide VoIP capabilities.

4. I didn't read anyone mention about the REMOTE PROGRAMMING OPTION Via a Modem Card. Do you have one installed on your system? If so, do your home work and make sure it is secure.


It's all good.
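Tips 1 and 2 above, together with the earlier suggestions that the abuse ran through a follow-me or forwarding target stored as "809 + external number", amount to a policy over the numbers programmed into mailboxes: allow known pagers and internal stations, refuse anything that selects a trunk directly, and rewrite international follow-me targets to an unused extension that only rings when something is wrong. The script below is an added example that audits a follow-me table against such a policy; it is not code from the thread, from ImaGen or from Telrad. The dialing codes (9 for an outside line, 9011 for international, 8xx for direct trunk select), the canary extension 599, the pager allowlist and the mailbox table are all constructed assumptions.

```python
import re

# Assumed dialing plan, taken from the thread's descriptions: "9" grabs an
# outside line, "9011" reaches international trunk access, and 8xx dials a
# trunk directly (809 was the abused trunk). These codes are assumptions.
OUTSIDE_ACCESS = "9"
INTL_ACCESS = "9011"
DIRECT_TRUNK = re.compile(r"^8\d\d")

# Hypothetical unused extension that only ever rings when a rewritten
# follow-me fires: the "poor man's fraud alert" from tip 2.
CANARY_EXT = "599"

# Constructed allowlist: the pager numbers the administrator knows are legitimate.
KNOWN_PAGERS = {"912125550100", "912125550101"}

# Constructed follow-me table: mailbox -> programmed follow-me target.
FOLLOW_ME = {
    "201": "912125550100",     # known pager
    "305": "",                 # no follow-me programmed
    "412": "901153555012345",  # international target
    "420": "809 5550144",      # direct trunk select, then digits
    "433": "917185550177",     # outside number not on the allowlist
    "440": "240",              # forwards to another internal station
}


def audit_target(number: str):
    """Return (verdict, effective_target) for one programmed follow-me number."""
    digits = re.sub(r"\D", "", number)
    if not digits:
        return ("allow", "")
    if digits in KNOWN_PAGERS:
        return ("allow", digits)
    if DIRECT_TRUNK.match(digits):
        return ("block", "")             # tip 1: no direct trunk access from follow-me
    if digits.startswith(INTL_ACCESS):
        return ("redirect", CANARY_EXT)  # tip 2: rewrite 9011* to the canary
    if digits.startswith(OUTSIDE_ACCESS):
        return ("review", digits)        # outside number, needs a human look
    return ("allow", digits)             # internal extension


def audit_table(table: dict) -> dict:
    """Apply audit_target() to every mailbox."""
    return {box: audit_target(num) for box, num in table.items()}


def compromised_boxes(table: dict) -> list:
    """Mailboxes whose follow-me was blocked or redirected: audit these first."""
    return sorted(box for box, (verdict, _) in audit_table(table).items()
                  if verdict in ("block", "redirect"))


if __name__ == "__main__":
    for box, (verdict, target) in audit_table(FOLLOW_ME).items():
        print(box, verdict, target or "-")
    print("check first:", compromised_boxes(FOLLOW_ME))
```

On the constructed table, mailbox 420 is blocked for selecting trunk 809 directly and mailbox 412 is redirected to the canary, so those two are the ones to inspect for a changed password; 433 is merely queued for review because an outside number that is not a known pager may still be legitimate. Running the audit on a schedule and comparing against the previous run turns the mailbox table itself into a change log, which is what the thread's poster lacked when the first password reset happened.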