Joined: Sep 2005
Posts: 27
Member
SO- it could be as simple as Call forward no answer or busy to a speed dial number which STORES 809 + external number.

During working hours simply dial into the system from your own xtn number, via DISA, dial your own xtn number (BUSY) - call is forwarded to wherever you want - INTERNAL OR EXTERNAL.

After hours - do the same - but have your xtn programmed as Call Forward All Calls or CFNA to wherever you want - INTERNAL OR EXTERNAL.

I don't know the system but if an xtn user is smart enough they can get the system to do whatever they want.

The SMDR may simply assume that you know your xtn range and expects you to realise that xtn 845 is actually a trunk.

OR AM I GRASPING AT STRAWS :rofl:


Joined: Nov 2004
Posts: 17
Member
OP
Update:
We removed the POTS line [809] in the COL card, as well as the trunk group it was associated with.

We then busied the line with a jumper at the block [before the PBX] and the calling has stopped.

Of course this is a brute force method of fixing it and the question still remains how the heck it happened at all.

I still have the idea that it is somehow tied to the fact that the 809 trunk is associated with the toll free number that rings into the T-1.

thanks
ayb


welcome to mudville.
Joined: May 2005
Posts: 56
Member
Just in case you're still curious about how this was occurring. Check the follow me numbers in voice mailboxes. Seems like it would be really easy for somebody to guess a default password to a vm box. Set up the follow me to be an int'l number and then all they have to do is dial the 800 number, dial the mbox and then the follow me does the work. Doesn't your inbound 800 have CID? Tapit should tell you where the call originated if there's any valid CID getting through. People seem to have covered all the other possibilities, but this one was left out so I had to mention it. Also, if they experiment some, the fact that you busied out the POTS line won't stop them. All they would have to do is change the 809 to something else in the follow me. Hmmm, now that I think about it, I don't remember if you can direct access a trunk from a follow me in an ImaGen... Somebody with a testbench could tell you. Good luck busting whoever did this.

Joined: Aug 2006
Posts: 2
Member
"Just in case you're still curious about how this was occurring. Check the follow me numbers in voice mailboxes."

Yep, I read this thread and was ready to post the same thing. If you are using the old VM ImaGen or whatever, throw it away. It's horrible. Reliable, but a joke to crack. It has no setting to limit the number of password attempts, and you can't restrict users from changing follow me numbers. You can set up a toll restriction for what are valid follow me numbers though. Bottom line, punt.

Here is the scam. Some yoyo in say the Philippines sets up a kind of 900 number. An international call that is 7 to 10 bucks per minute. They hack your PBX (your password was probably set to 0000 as that would be the first number tried if they sequentially war dialed you) and they ran a follow me script to set up a number that goes to this goofy 7-10 per hour number. They just need a call to originate and connect. They don't care to make long distance calls, they just want you to generate traffic and build up your bill.

Also, if you have been hit, MAKE SURE YOU CHECK YOUR MESSAGES IN CASE THEY HAVE BEEN CHANGED TO SAY "hello? Yes, I accept the call". lol. There is also a collect call scam floating around. If they cracked your voicemail, then you need to check each and every message. Especially if DIDs route right to VM ;-)


It's all good.
Joined: Aug 2006
Posts: 2
Member
Also, don't waste your time trying to figure out where the call originated. You will most likely find it came from another compromised system.

With computers connected to the internet via dialup, you can also bet that the call could have come from a trojan dialer on hundreds or thousands of compromised zombies that have modems attached. When little Johnny goes beddie bye, the trojan starts to dial out his modem and look for all the old classic systems. A simple script would tell me what kind of VM I hit and what script to run.

Also, once you are hit, you can bet you are a target now. They know you have a Telrad, they know you have an ImaGen. Think of yourself as that girl in high school who was "accessible", all the boys will know about you, lol. You are on the list.

Some tips:

1. Set up a restriction for the trunk that manages your follow me calls.

2. Set up a dial pattern change that will take any 9011* (for example) follow me calls and erase them but instead call a number that would only get a call from this modified dial pattern (maybe set up a DID that you don't use to call an ext that is specifically to receive these calls). If a call comes in, then you have a very good chance that your VM was compromised. You then audit your VM. It's a poor man's fraud alert.

3. Get a new VM. A Linux box running Asterisk can be done for well under 500.00. Extremely flexible and powerful and will also provide VoIP capabilities.

4. I didn't read anyone mention the REMOTE PROGRAMMING OPTION via a Modem Card. Do you have one installed on your system? If so, do your homework and make sure it is secure.


It's all good.
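
The follow-me audit and the "poor man's fraud alert" suggested in the posts above, sketched as an added example (not part of any post, and not Telrad or ImaGen code). The CSV layouts, the canary extension 299, the 3-digit extension length and the "9 + 7 digits" local rule are assumptions; the sample rows are constructed.

```python
import csv
import io

# Constructed sample data. Column layouts are assumptions, not a real
# Telrad/ImaGen export or SMDR format.
MAILBOXES_CSV = """mailbox,follow_me
201,
202,95551234
203,901163212345678
204,8095551234
205,230
"""
SMDR_CSV = """time,source,dialed,duration_s
02:14,VM-port-3,299,12
09:30,214,95551234,65
02:16,VM-port-1,299,9
"""

INTL_PREFIX = "9011"      # the thread's example international pattern
TRUNK_ACCESS = ("809",)   # direct trunk access code from the thread
CANARY_EXT = "299"        # hypothetical extension reached only via the rewrite
EXT_LEN = 3               # assumed extension length


def classify(num):
    """Return a reason string if a follow-me target should be reviewed, else None."""
    if not num.isdigit():
        return "unrecognized"
    if num.startswith(INTL_PREFIX):
        return "international"
    if len(num) > EXT_LEN and num.startswith(TRUNK_ACCESS):
        return "direct-trunk"
    if len(num) == EXT_LEN or (num.startswith("9") and len(num) == 8):
        return None  # internal extension, or 9 + 7-digit local number
    return "unrecognized"


def audit_follow_me(csv_text):
    """List (mailbox, reason) for every follow-me number outside the allowed forms."""
    rows = csv.DictReader(io.StringIO(csv_text))
    checked = ((r["mailbox"], classify(r["follow_me"].strip()))
               for r in rows if r["follow_me"].strip())
    return [(mbox, why) for mbox, why in checked if why]


def canary_hits(csv_text):
    """Calls that reached the canary extension mean a mailbox needs auditing."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [(r["time"], r["source"]) for r in rows if r["dialed"] == CANARY_EXT]
```

Any row returned by `canary_hits` is the trigger for running `audit_follow_me` and resetting the affected mailbox passwords.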