BCM50 - Brute Force Attack

(OP)
BCM50 R6 with the latest/last patches.

We are getting about 6 attacks a second trying to log in as admin on the system with various user names, over and over again, approx. 30 different user names.

The BCM froze up: time & date stuck and cannot use buttons, PRI/CP not answering, could not log in via front or back.
I think it froze because these alarms filled up the hard drive, because this has been going on for weeks.

I replaced the BCM, but did not restore:
Data Services & Network Interface
IP Telephony

Wed Mar 20 06:00:16 EDT 2024 false 30202 minor User failed to login User=admin Host=10.10.10.59 Comp=WWW systemId=BCM;entityId=bcm50r6;entitySubId=Security
Wed Mar 20 06:00:16 EDT 2024 false 30202 minor User failed to login User=tomcat Host=10.10.10.59 Comp=WWW systemId=BCM;entityId=bcm50r6;entitySubId=Security
Wed Mar 20 06:00:16 EDT 2024 false 30202 minor User failed to login User=foo Host=10.10.10.59 Comp=WWW systemId=BCM;entityId=bcm50r6;entitySubId=Security
Wed Mar 20 06:00:16 EDT 2024 false 30202 minor User failed to login User=vagrant Host=10.10.10.59 Comp=WWW systemId=BCM;entityId=bcm50r6;entitySubId=Security
Wed Mar 20 06:00:16 EDT 2024 false 30202 minor User failed to login User=service Host=10.10.10.59 Comp=WWW systemId=BCM;entityId=bcm50r6;entitySubId=Security
Wed Mar 20 06:00:16 EDT 2024 false 30202 minor User failed to login User=postgres Host=10.10.10.59 Comp=WWW systemId=BCM;entityId=bcm50r6;entitySubId=Security
Wed Mar 20 06:00:16 EDT 2024 false 30202 minor User failed to login User=root Host=10.10.10.59 Comp=WWW systemId=BCM;entityId=bcm50r6;entitySubId=Security
Wed Mar 20 06:00:16 EDT 2024 false 30202 minor User failed to login User=root Host=10.10.10.59 Comp=WWW systemId=BCM;entityId=bcm50r6;entitySubId=Security
Wed Mar 20 06:00:15 EDT 2024 false 30202 minor User failed to login User=skyboxview Host=10.10.10.59 Comp=WWW systemId=BCM;entityId=bcm50r6;entitySubId=Security
Wed Mar 20 06:00:15 EDT 2024 false 30202 minor User failed to login User=TANDBERG Host=10.10.10.59 Comp=WWW systemId=BCM;entityId=bcm50r6;entitySubId=Security
Wed Mar 20 06:00:15 EDT 2024 false 30202 minor User failed to login User=admin Host=10.10.10.59 Comp=WWW systemId=BCM;entityId=bcm50r6;entitySubId=Security
Wed Mar 20 06:00:15 EDT 2024 false 30202 minor User failed to login User=rwa Host=10.10.10.59 Comp=WWW systemId=BCM;entityId=bcm50r6;entitySubId=Security
Wed Mar 20 06:00:15 EDT 2024 false 30202 minor User failed to login User=cisco Host=10.10.10.59 Comp=WWW systemId=BCM;entityId=bcm50r6;entitySubId=Security
Wed Mar 20 06:00:15 EDT 2024 false 30202 minor User failed to login User=IntraSwitch Host=10.10.10.59 Comp=WWW systemId=BCM;entityId=bcm50r6;entitySubId=Security
Wed Mar 20 06:00:15 EDT 2024 false 30202 minor User failed to login User=NETOP Host=10.10.10.59 Comp=WWW systemId=BCM;entityId=bcm50r6;entitySubId=Security
Wed Mar 20 06:00:14 EDT 2024 false 30202 minor User failed to login User=recovery Host=10.10.10.59 Comp=WWW systemId=BCM;entityId=bcm50r6;entitySubId=Security
Wed Mar 20 06:00:14 EDT 2024 false 30202 minor User failed to login User=superuser Host=10.10.10.59 Comp=WWW systemId=BCM;entityId=bcm50r6;entitySubId=Security
Wed Mar 20 06:00:14 EDT 2024 false 30202 minor User failed to login User=superadmin Host=10.10.10.59 Comp=WWW systemId=BCM;entityId=bcm50r6;entitySubId=Security
Wed Mar 20 06:00:14 EDT 2024 false 30202 minor User failed to login User=ADVMAIL Host=10.10.10.59 Comp=WWW systemId=BCM;entityId=bcm50r6;entitySubId=Security
Wed Mar 20 06:00:14 EDT 2024 false 30202 minor User failed to login User=dhs3mt Host=10.10.10.59 Comp=WWW systemId=BCM;entityId=bcm50r6;entitySubId=Security
Wed Mar 20 06:00:14 EDT 2024 false 30202 minor User failed to login User=3comcso Host=10.10.10.59 Comp=WWW systemId=BCM;entityId=bcm50r6;entitySubId=Security
Wed Mar 20 06:00:13 EDT 2024 false 30202 minor User failed to login User=manuf Host=10.10.10.59 Comp=WWW systemId=BCM;entityId=bcm50r6;entitySubId=Security
Wed Mar 20 06:00:13 EDT 2024 false 30202 minor User failed to login User=MGR Host=10.10.10.59 Comp=WWW systemId=BCM;entityId=bcm50r6;entitySubId=Security
Wed Mar 20 06:00:13 EDT 2024 false 30202 minor User failed to login User=OPERATOR Host=10.10.10.59 Comp=WWW systemId=BCM;entityId=bcm50r6;entitySubId=Security

It's coming from IP 10.10.10.49, this is not an IP from the clients network that I can see.
The BCM LAN IP is 192.168.143.X
The Modem dial in is 10.10.14.X
The ISDN dial in is 10.10.18.X
DHCP Server S1/2 is 192.168.143.X

I am wondering if the BCM has this IP but I cannot ping it from BCM Utilities or PC.

I tap in via their VPN which is 10.20.221.1, then I connect to the BCM at 192.168.143.X

They say they have only ports 5989 and 443 open per my past request.

So I need to know where this IP address is.




=----(((((((((()----=
www.curlycord.com
Toronto, Canada

Add me to LinkedIN
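A way to triage the alarm log above by source host rather than by eye, as an added example that is not from this thread or from the BCM product itself: it parses lines in the BCM50 alarm format quoted above and flags any Host that racks up failed logins (event 30202) faster than a threshold inside a sliding time window, listing the usernames tried and the component (WWW vs CIM) that was hit. The 192.168.143.20 host, the Comp=CIM failure, and the window/threshold values are constructed assumptions for the demonstration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample in the BCM50 alarm-log format quoted in the thread.
# Event code 30202 = "User failed to login"; the 192.168.143.x host,
# the Comp=CIM failure and the 30301 line are made up for illustration.
SAMPLE_LOG = """\
Wed Mar 20 06:00:16 EDT 2024 false 30202 minor User failed to login User=admin Host=10.10.10.59 Comp=WWW systemId=BCM;entityId=bcm50r6;entitySubId=Security
Wed Mar 20 06:00:16 EDT 2024 false 30202 minor User failed to login User=root Host=10.10.10.59 Comp=WWW systemId=BCM;entityId=bcm50r6;entitySubId=Security
Wed Mar 20 06:00:15 EDT 2024 false 30202 minor User failed to login User=cisco Host=10.10.10.59 Comp=WWW systemId=BCM;entityId=bcm50r6;entitySubId=Security
Wed Mar 20 06:00:15 EDT 2024 false 30202 minor User failed to login User=postgres Host=10.10.10.59 Comp=WWW systemId=BCM;entityId=bcm50r6;entitySubId=Security
Wed Mar 20 06:00:14 EDT 2024 false 30202 minor User failed to login User=superuser Host=10.10.10.59 Comp=WWW systemId=BCM;entityId=bcm50r6;entitySubId=Security
Wed Mar 20 06:03:02 EDT 2024 false 30202 minor User failed to login User=nnadmin Host=192.168.143.20 Comp=CIM systemId=BCM;entityId=bcm50r6;entitySubId=Security
Wed Mar 20 07:24:39 EDT 2024 false 30301 information Account updated Account nnadmin User=tpcadmin Comp=CIM systemId=BCM;entityId=bcm50r6;entitySubId=Security
"""

def parse_line(line):
    """Split one alarm line into timestamp, event code, severity and key=value fields."""
    parts = line.split()
    if len(parts) < 9:
        return None
    # "Mar 20 06:00:16 2024": weekday and zone are dropped, the log is local time
    ts = datetime.strptime(" ".join(parts[1:4] + [parts[5]]), "%b %d %H:%M:%S %Y")
    # key=value tokens only; the trailing systemId=...;entityId=... token is skipped
    fields = dict(tok.split("=", 1) for tok in parts[9:] if "=" in tok and ";" not in tok)
    return {"ts": ts, "code": parts[7], "severity": parts[8],
            "user": fields.get("User"), "host": fields.get("Host"), "comp": fields.get("Comp")}

def detect_bruteforce(log_text, window_s=10, threshold=5):
    """Flag hosts with >= threshold failed logins inside any window_s-second window."""
    by_host = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev["code"] == "30202" and ev["host"]:
            by_host[ev["host"]].append(ev)
    alerts = {}
    for host, events in by_host.items():
        events.sort(key=lambda e: e["ts"])  # the BCM lists newest first; the window needs order
        start, peak = 0, 0
        for end, ev in enumerate(events):
            while (ev["ts"] - events[start]["ts"]).total_seconds() > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[host] = {"peak_in_window": peak,
                            "distinct_users": sorted({e["user"] for e in events}),
                            "comps": sorted({e["comp"] for e in events})}
    return alerts

if __name__ == "__main__":
    for host, info in detect_bruteforce(SAMPLE_LOG).items():
        print(host, info)
```

On the sample this reports only 10.10.10.59 (five failures in two seconds, all against Comp=WWW), while the single Comp=CIM failure from the LAN host stays below the threshold.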

RE: BCM50 - Brute Force Attack

(OP)
Yes!

Here is when I log in:
Wed Mar 20 07:24:39 EDT 2024 false 30301 information Account updated Account nnadmin User=tpcadmin Comp=CIM systemId=BCM;entityId=bcm50r6;entitySubId=Security

What is CIM and/or WWW, and what are the differences?
It seems to always be CIM for me no matter what system I dial into.



=----(((((((((()----=
www.curlycord.com
Toronto, Canada

Add me to LinkedIN

RE: BCM50 - Brute Force Attack

The IP protocol has certain reserved IP address ranges.

10.10.10.x
10.10.11.x
192.168.x.x
And many others.

My thoughts are that a computer on the customer network that is either an internal one or via a VPN has been infected with a virus causing an attack on the BCM. It could be that they are attempting via SSH to gain access, hence the "CIM" reference.

The best thing is to gain access to the customers router and check the logs to see if you can match up the times and logs with the BCM.

Does the customer have their own copy of BCM Element Manager installed on a computer, and what IP address range are they using?

Does any of their IP equipment use two network cards per device like the BCM has?

Does the customer's router need a firmware update?

Firebird Scrambler

Nortel & Avaya Meridian 1 / Succession & BCM / Norstar Programmer

Website = http://somertel.net
linkedin

RE: BCM50 - Brute Force Attack

(OP)
I remember www now...
WWW is when logging into the main page via web browser
VMAIL would be CallpilotManager, maybe Mailbox Manager too.
SSH is just that, SSH

This I found out on a Linux forum:
CIM = Common Information Model
So...
CIM is Business Element Manager which makes sense.

Port 22 is closed, I cannot access it, only on demand, but now it is confirmed the brute force is via 443 (web browser or other).

They seem tight on security so I can only assume their network is up to snuff but I will ask for them to snoop anyway.
From what I can tell they (IT off site or users onsite) do not have access to the BCM.






=----(((((((((()----=
www.curlycord.com
Toronto, Canada

Add me to LinkedIN

RE: BCM50 - Brute Force Attack

2
The port 443 is used by HTTPS - so typically the GUI login on many devices. For BCM50, that would be the BCM Launcher web page if I am not mistaken.

I would tend to disagree with the assumption that they are tight on security. One of these three options must be correct:
1. The system is directly connected to the Internet and due to that can be attacked from the outside (connecting a BCM50 directly to the Internet is not a very good idea)
2. Internet access is via a router. They have a port open on this router that is forwarded to the port 443 on the BCM50 - or they have the BCM50's IP address configured as the DMZ address. This allows the BCM50 to be attacked from the outside.
3. Someone is attacking the BCM50 locally from their LAN

Unless they REALLY need the access to the BCM Launcher page remotely from the outside, they should not allow external access to the port 443 at all.

DMZ would be as bad an idea as it gets. And connecting the BCM50 directly to the internet would be really the same as DMZ. If the attack is from a device on their LAN, they should identify the device and "talk" to the user.

The proper configuration should be - nobody from the outside should be able to reach the port 443 on the BCM50. If the attack is local from their LAN, they should deal with the person doing this.

RE: BCM50 - Brute Force Attack

Yes, CIM in this case is Common Information Model, which is basically the BCM database you connect to using BEM and port 5989.

I've used a program called CIM Navigator to connect to BCM's. You use the nnadmin login and designate port 5989. It's mildly interesting to me, but most times I don't really understand what I'm looking at. CIM Navigator would be of more use to someone with knowledge of how the data is organized.

I agree with ucxguy as regards opening port 443. Most companies I connect to remotely only open the ports I need (22 and 5989) on request and close them up when I'm done. Too many bad actors lurking about.

Brian Cox
Georgia Telephone
http://Georgia-Telephone.com
http://www.linkedin.com/in/briancox1952
https://brian-cox.square.site/

RE: BCM50 - Brute Force Attack

(OP)
Well, we all agree on everything, I just wanted to make sure BCM did not use 10.10.10.X, this way the blame is on them.
I have asked them to dig deeper on their end.

Thanks for the replies, I will update when I can.




=----(((((((((()----=
www.curlycord.com
Toronto, Canada

Add me to LinkedIN

RE: BCM50 - Brute Force Attack

(OP)
Right!

Update:
The client has stated that they have that IP in use on their network and are going to investigate it.




=----(((((((((()----=
www.curlycord.com
Toronto, Canada

Add me to LinkedIN

RE: BCM50 - Brute Force Attack

That's good to know, Curlycord. I meant to ask in my previous post whether you were able to ping the 10.10.10.59 IP address from the BCM system.

I think the option is in one of the drop-down menus in the Administration area.

I've used this a number of times to get connectivity.

Firebird Scrambler

Nortel & Avaya Meridian 1 / Succession & BCM / Norstar Programmer

Website = http://somertel.net
linkedin

RE: BCM50 - Brute Force Attack

(OP)
Yes, I use it all the time when patching or doing my thing remotely so that I know it can see my server offsite before attempting to down/upload... it was the first thing I did, no replies.

Because I wasn't sure whether 10.10.10. was somewhere in the backend on the BCM50, I had briefly pondered whether it could ping part of itself, but it can.
For instance, you can ping both the OAM or the LAN ports.

Just one of those cases where you knew everything mentioned above, but you second-guess yourself.
The IT company did not tell me about this up front until I pressed.

In fact, I have a hilarious update... it was the IP of their server that is dedicated to scanning the network for threats daily.
lol





=----(((((((((()----=
www.curlycord.com
Toronto, Canada

Add me to LinkedIN

RE: BCM50 - Brute Force Attack

At least you are getting some sort of support from the customer's IT dept. That's often the hardest part.

I agree with Exmogger on why it's scanning for threats on the BCM, and what programs are they using to do this?

In the first post, I saw multiple references to different account logins such as cisco, admin, superuser etc. I was wondering if some of them related to the older BCM Enterprise Windows NT accounts and other old IP equipment, as "superuser" used to be one of the old NT ones?

Perhaps this customer had an old BCM 200/400?

Anyway, at least it's not the BCM and no longer needs your involvement. Make sure that you invoice them for all your efforts.

Firebird Scrambler

Nortel & Avaya Meridian 1 / Succession & BCM / Norstar Programmer

Website = http://somertel.net
linkedin

RE: BCM50 - Brute Force Attack

(OP)
"supervisor" (and "visor") is what you're thinking of.


I think that server (Arctic Wolf software) is infected with the Brute Force malware of sorts, I guess it does not scan itself, lol.




=----(((((((((()----=
www.curlycord.com
Toronto, Canada

Add me to LinkedIN

RE: BCM50 - Brute Force Attack

"In the first post, I saw multiple references to different account logins such as cisco, admin, superuser etc. I was wondering if some of them related to the older BCM Enterprise Windows NT accounts and other old IP equipment as "superuser" used to be one of the old NT ones?"

I had similar thoughts about the usernames it was trying. Maybe some of them are default logins built into Linux systems. They were all definitely in the brute force program hitting the BCM50. I don't have a running BCM50 at the moment, but I do remember postgres as one of the BCM50 logins.

Yes, I remember supervisor and visor as one of the default logins on the old Windows NT version BCMs.

Brian Cox
Georgia Telephone
http://Georgia-Telephone.com
http://www.linkedin.com/in/briancox1952
https://brian-cox.square.site/

RE: BCM50 - Brute Force Attack

Yep! That was it, Curlycord.
Old age is catching up with me.
I doubt if we have any of those old BCM 200/400 still in service on this side of the pond.

Firebird Scrambler

Nortel & Avaya Meridian 1 / Succession & BCM / Norstar Programmer

Website = http://somertel.net
linkedin

RE: BCM50 - Brute Force Attack

(OP)

Final update:

Today they confirmed that the Arctic Wolf software was the culprit, not the server it's on.
The software (or an option of it) is designed to periodically try a brute force on its own devices/servers on the network to keep things in check.

They added the BCM's IP to the exclusion list to avoid filling up the alarm log.

"They seem tight on security so I can only assume their network is up to snuff"
Sometimes, it feels good to be right!
Nyuk Nyuk Nyuk



=----(((((((((()----=
www.curlycord.com
Toronto, Canada

Add me to LinkedIN
