Need PBX Security Opinion

Status
Not open for further replies.

dudecrush

Hello - I'd like the opinion of some security experts out there..

I've got a Definity G3R. The week of January 6, 2013 we were getting hit by a war/auto-dialer of some kind. Lots of dead-air voice-mails and dead-air calls to only one of our toll-free numbers (never hit any other toll-free number). To cover his tracks, this person - in every call - inserted phone numbers from all over the US that were unused/expired/out-of-service or of businesses that we wouldn't work. I was under the impression that we were being hacked.

My telco carrier couldn't put a stop to it, though they agreed with my impression. This person was disguising their traffic as carrier traffic instead of retail traffic, and they told me they couldn't block the IP addresses of carriers. I attempted to file a police report, but my company blocked me. Since the report would be public record they didn't want to risk the perception that we were being "hacked" so customers wouldn't lose faith in us.

On the PBX security side, all of our VDNs have an FRL of zero, and our voice-mail is set up the same way (can't dial out). No one has a COS that allows for trunk-to-trunk transfers. Remote access has never been configured. No one has a COR that allows for international calling.

I had our maintenance vendor do another "just in case" security check, and they couldn't find any gaping security holes. Even then, I set up our CDR system to e-mail me daily international call reports and had our maintenance vendor watch our PBX for long-distance calls at odd hours or on weekends.

A week later it stopped, and nothing turned up in any reports or feedback from our vendor. A week later, I started getting onesie-twosie voice-mail hits from this person - always on a Saturday or Sunday - to the same queue and voicemail box. I've reviewed our long-distance call-detail from the last month, and I see no outcalling on weekends or unexpected hours.

So here's my worry: What gives with this yahoo? Does he know something I don't know? Why does he keep calling that one queue, despite all evidence that he's wasting his time? Am I missing something? What else should I be looking at? Can any of you out there ease (or increase) my fear?
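The daily CDR review the original poster describes (international calls, long-distance at odd hours or on weekends, and the cluster of dead-air inbound hits on one toll-free number) can be automated. The script below is an added example, not code from the thread or from Avaya; the CDR column layout, the trunk access code of 9, the 10-second dead-air threshold, and the sample records are all constructed assumptions. The staffed hours (7 am to 5 pm weekdays) come from later in the thread.

```python
"""Scan call-detail records for the patterns discussed in the thread.

Added example with a constructed CDR layout (timestamp, direction, number,
duration in seconds), not a real Definity CDR format.
"""
from collections import Counter
from datetime import datetime

BUSINESS_START, BUSINESS_END = 7, 17   # staffed 7 am to 5 pm, weekdays
TRUNK_ACCESS_CODE = "9"                # assumed ARS/trunk access digit
DEAD_AIR_MAX_SECONDS = 10              # assumed cut-off for a "dead-air" inbound call

# Constructed sample records; 2013-01-12/13 is a weekend.
SAMPLE_CDR = """\
2013-01-08 10:15:02,out,9-1-212-555-0100,95
2013-01-12 02:41:17,out,9-011-44-20-7946-0000,610
2013-01-12 22:10:05,out,9-1-702-555-0133,300
2013-01-09 14:30:00,out,9-555-0142,60
2013-01-13 03:05:44,in,800-555-0199,4
2013-01-13 03:07:10,in,800-555-0199,3
2013-01-13 03:09:52,in,800-555-0199,5
2013-01-14 09:12:00,in,800-555-0101,240
"""


def parse_cdr(text):
    """Turn the constructed CSV layout into a list of record dicts."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        stamp, direction, number, duration = line.split(",")
        records.append({
            "when": datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"),
            "direction": direction,
            "digits": number.replace("-", ""),
            "seconds": int(duration),
        })
    return records


def is_off_hours(when):
    """True on Saturday/Sunday or outside the staffed 7 am to 5 pm window."""
    return when.weekday() >= 5 or not (BUSINESS_START <= when.hour < BUSINESS_END)


def outbound_flags(rec):
    """Flag an outbound record as international and/or off-hours long distance."""
    flags = set()
    if rec["direction"] != "out":
        return flags
    dialed = rec["digits"]
    if dialed.startswith(TRUNK_ACCESS_CODE):
        dialed = dialed[len(TRUNK_ACCESS_CODE):]
    # 011 is the North American international dialing prefix
    if dialed.startswith("011"):
        flags.add("international")
    # 1 + 10 digits is a domestic long-distance number
    long_distance = dialed.startswith("1") and len(dialed) == 11
    if (long_distance or "international" in flags) and is_off_hours(rec["when"]):
        flags.add("off-hours-long-distance")
    return flags


def scan(records):
    """Return (timestamp, digits, flags) for every outbound record worth a look."""
    findings = []
    for rec in records:
        flags = outbound_flags(rec)
        if flags:
            findings.append((rec["when"].isoformat(sep=" "), rec["digits"], sorted(flags)))
    return findings


def dead_air_counts(records):
    """Count very short inbound calls per called number (the dead-air pattern)."""
    counts = Counter()
    for rec in records:
        if rec["direction"] == "in" and rec["seconds"] <= DEAD_AIR_MAX_SECONDS:
            counts[rec["digits"]] += 1
    return dict(counts)


if __name__ == "__main__":
    recs = parse_cdr(SAMPLE_CDR)
    for finding in scan(recs):
        print(finding)
    print(dead_air_counts(recs))
```

The two outbound checks are independent: a weekday international call is reported as international only, while a Saturday domestic long-distance call is reported as off-hours. Feeding the real daily export in, with the column mapping adjusted, gives a report that covers more than the international-only view the vendor was watching.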
 
I do not know what line of business you are in. But there is a chance that he is an upset customer who is just trying to cost you money in 8xx traffic.
But have you checked to make sure that a caller cannot hit 0 (or some other number) in voice mail and get dial tone? But he could be fishing for a hole that he can use.
I would also be looking at more than just international traffic.
 
DAVIDPAYNE:

Thanks for the ideas. I think you might be right - this person might be fishin' for a hole. In the Audix system, System-Parameters > Outcalling is active for 1 port only. On the System-Parameters Dial Sequence page, the Dialing Sequence is set to "N", which I thought meant "No", but I think means any number. Nothing is set for Account Code Length or for AMIS account code.

On the mailbox he's hitting, though, Outcalling is set to "No" for the mailbox's COS. I had always presumed that means that you couldn't outcall, so I thought I was safe. Am I wrong? There are only 2 COS that have Outcalling enabled, and it's not used on any of the subscriber mailboxes.

On the PBX I checked all 18 Audix ports: Each had a COR with an FRL of 0, and a COS that restricts call-forwarding off-net. The only exception was port 00, which had a COR with an FRL of 4, and a COS that allowed off-net forwarding. I changed the COS on this one to match the others. I'm hesitant about changing the COR, as I'm wondering if it was set up this way for a reason.

If I disable outcalling on the Audix, will I mess up anything else? I don't think so, but I'm afraid that something like an auto-attendant, zero-out of voice-mail or call transfers won't work.

Let me know. Thanks much!
 
It has been a few years since I used an Audix system. But going from memory, Outcalling just dials a set number to alert you there is a waiting voice mail. However, if there is an option for them to hit 0 for the operator, etc., then they might be able to get access to dial tone.
 
We're in the insurance biz, so we're only staffed from 7 to 5 pm daily. Callers can reach the operator switchboard by dialing 0, but they'd only get a voice-mail box by doing so.

This person is starting to freak me out. I'm very worried that they're doing something that I haven't considered.
 
Check to see if your remote-access number is being hit. It has a password, but that is one number that returns dial tone when called. He could try to guess at the Barrier code.

display remote-access
 
fataklata - Thanks. I did think of that. Our remote access isn't configured (but not disabled); there is no extension assigned to it.
 
There's also a couple of things you may want to check on your voicemail system.
You mentioned the caller seems to be going to the same mailbox: if a hacker discovers the password of a mailbox they could log in and listen to and delete messages; also some hackers have been known to use a mailbox as a message drop if they discover the password of the mailbox. They leave a message using your toll free number, and the person retrieving the message calls your toll free number, logs in to the mailbox and picks up the message; this usually just happens during non-business hours. You can check the activity log on this mailbox on the audix system to see if there is any unusual activity, and also ensure all staff use strong passwords that change periodically.

Also on the Audix voicemail system, you can enter the transfer code when you hear a personal greeting, or sometimes an automated attendant is set up to allow this code (not recommended). After entering the code the caller is prompted to enter the extension number they want to be transferred to - this extension could be one that is forwarded to a number off site. You can enter a command on the definity, list call-forwarding, to see all extensions that have forwarding active and the forwarding number.
Also you can check on the audix system, under system parameters I think, what type of transfer out of audix is allowed.
 
bleebrant - Thanks for the info, I hadn't thought of using the voice-mail as a drop-box. I'm stumped by that, though, since I see a mailbox as having two separate components: A "leave message" and a "listen to message" component. When you're listening to messages, you don't leave voice-mails. Since this person is leaving "dead-air" messages, how does one break out of that mode and listen to messages?

Within our voice-mail system, our transfer out of audix settings are:
Transfer type: enhanced_no_cover_0
Transfer restriction: subscribers
Covering extension: 76xx

Anyone calling can hit 0 and dial the main auto-attendant at 76xx. From there, one can transfer to the dial-by-names attendant or one vector that allows a call-forward to one specific 800# with a partner business. I did check to see if that was being abused, but the call volume on that outcalling is normal.

On the PBX, I approve all call-forwarding, and there are only 9 entries. Nothing there that I haven't approved, so I don't think that this guy is hitting anyone's extension and off-netting.
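The forwarding review bleebrant suggests and the poster performs (every entry in the call-forwarding list should be one the administrator approved, and off-net destinations deserve a second look) is easy to repeat against each new export. The script below is an added example, not from the thread or from Avaya: the one-pair-per-line layout is a constructed stand-in for the output of list call-forwarding, and the trunk access code, the four-digit extension length, the sample entries and the approved baseline are all assumptions.

```python
"""Compare active call-forwarding entries against an approved baseline.

Added example. The report layout ('extension destination' per line) is a
constructed stand-in for the Definity list call-forwarding output.
"""

TRUNK_ACCESS_CODE = "9"   # assumed ARS/trunk access digit; extensions assumed never to start with it
EXTENSION_LENGTH = 4      # assumed dial-plan extension length

# Constructed sample: each line is an extension and the number it forwards to
SAMPLE_FORWARDING = """\
7601 7650
7612 95555550123
7633 7600
7640 912125550100
"""

# Constructed baseline of the entries the administrator has approved
APPROVED = {
    "7601": "7650",
    "7612": "95555550123",
    "7633": "7600",
}


def parse_forwarding(text):
    """Return {extension: destination} from the constructed report layout."""
    entries = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2:
            entries[parts[0]] = parts[1]
    return entries


def is_off_net(destination):
    """A destination that leaves the PBX: dialed via the trunk access code or not extension-length."""
    return destination.startswith(TRUNK_ACCESS_CODE) or len(destination) != EXTENSION_LENGTH


def review(entries, approved):
    """Report entries missing from the baseline or changed, off-net destinations, and
    approved entries that have disappeared (which may also be worth knowing)."""
    unapproved = sorted(ext for ext, dest in entries.items() if approved.get(ext) != dest)
    off_net = sorted(ext for ext, dest in entries.items() if is_off_net(dest))
    missing = sorted(ext for ext in approved if ext not in entries)
    return {"unapproved": unapproved, "off_net": off_net, "missing": missing}


if __name__ == "__main__":
    print(review(parse_forwarding(SAMPLE_FORWARDING), APPROVED))
```

An approved off-net entry (7612 here, the kind of partner-number forward described above) still shows up under off_net so it is re-examined on every run; only entries absent from the baseline, or whose destination changed, land under unapproved.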
 
This could just be a telemarketer trying to sell some crap. You probably have a list of numbers that this person is sending you and you know what VDNs they are calling. Set the VDN to point to a vector that says, goto step 20 if ani in table X. Step 20 will be route to ext 1234, which is an extension on your desk. Then add vrt X to include all the numbers you think are suspect. This will send all calls from this joker to your desk. That might give you more information... Good luck.