web statisticsweb stats Business Phone Systems Tech Talk Forum - VOIP & Cloud Phone Help

Business Phone Systems

Previous Thread
Next Thread
Print Thread
Rate Thread
#618201 03/26/18 01:21 PM
Joined: Mar 2010
Posts: 228
Member
OP Offline
Member
Joined: Mar 2010
Posts: 228
Hello All,

Customer had their provider shut down LD services after a suspicious call and I am trying to figure out how they were able to transfer the call.

I'm not seeing any new or modified mailboxes with extensions dialing out. The only thing I noticed was a couple of mailboxes with @G(xxx) in the extension field.

I have put the VM ports in a COS with Tandem connections disabled but I still need to find out what they actually did.

Any other ideas would be appreciated.


Jason

Toshiba/Avaya/Nortel Installations and Service.

Honeywell-Paradox-Kantech-Keyscan-HIKvision Access control and CCTV
Atcom VoIP Phones
VoIP Demo

Best VoIP Phones Canada


Visit Atcom to get started with your new business VoIP phone system ASAP
Turn up is quick, painless, and can often be done same day.
Let us show you how to do VoIP right, resulting in crystal clear call quality and easy-to-use features that make everyone happy!
Proudly serving Canada from coast to coast.

Joined: Mar 2010
Posts: 228
Member
OP Offline
Member
Joined: Mar 2010
Posts: 228
Update: Apparently the customer already deleted 5 mailboxes


Jason

Toshiba/Avaya/Nortel Installations and Service.

Honeywell-Paradox-Kantech-Keyscan-HIKvision Access control and CCTV
Joined: Jun 2005
Posts: 2,702
Likes: 7
Member
Offline
Member
Joined: Jun 2005
Posts: 2,702
Likes: 7
Hopefully the customer didn't delete anything important.

I wouldn't worry about the @G(XXX) mailboxes. These will only transfer to another mailbox. Those would likely have been setup by a real Toshiba tech.

In every case I have seen the hacked mailbox will have an extension field that starts with 9. It could be 901, or something else that lets the hacker get an outside line. Sometimes they create a new mailbox, and other times they modify an existing mailbox.

Disabling Tandem CO is a good step. That should prevent them from being able to transfer offsite.

I also add Destination Restrictions to the voicemail port, and change the default admin mailbox password.

Check to see when the last time someone logged into the admin mailbox. If the customer is using the ES admin software then it is likely that the last person to log in was the hackers.



Moderated by  Carlos#1, phonemeister 

Link Copied to Clipboard
Forum Statistics
Forums84
Topics94,262
Posts638,696
Members49,757
Most Online5,661
May 23rd, 2018
Popular Topics(Views)
211,098 Shoretel
187,709 CTX100 install
186,794 1a2 system
Newest Members
BPopilek, Rich F, LewisR, TDKs79, Buttinset
49,757 Registered Users
Top Posters(30 Days)
dexman 18
Toner 12
TDKs79 8
pvj 4
Who's Online Now
1 members (Curlycord), 120 guests, and 246 robots.
Key: Admin, Global Mod, Mod
Contact Us | Sponsored by Atcom: One of the best VoIP Phone Canada Suppliers for your business telephone system!| Terms of Service

Sundance Communications is not affiliated with any of the above manufacturers. Sundance Phone System Forums - VOIP & Cloud Phone Help
©Copyright Sundance Communications 1998-2024
Powered by UBB.threads™ PHP Forum Software 7.7.5