atcomsystems.ca/forum
Posted By: Jack Damage Someone Hacked a NAM - 10/14/04 02:59 PM
This customer is a defense contractor with the Gov't. Their system keeps calling every terrorist nation in the Middle East you can think of. The FBI's even involved with this one.

Anyhoo....

I've gone over this system and (with the customer by my side) looked at every Mbox in the system and deleted any old ones, or ones that weren't current employees.

We changed passwords on everything.

We disco'd the Rad.

It's still making calls.

The only thing I found relating to this was one Mbox had msg notification turned on to an international number, of course we deleted that box (after the FBI said it was OK to do so).

My question is this: Are there any VM admin parameters available by logging into the actual mbox 102 (F981, not F983)?

I didn't change that password thinking that you'd have to be on site to access F983, but now I'm wondering if someone can log into it as a user and hack in from there.

Help, I really don't want to default the whole system!
Posted By: jwooten Re: Someone Hacked a NAM - 10/14/04 04:10 PM
Replace the hard drive and install the software! Better yet install a Call Pilot! If law enforcement is involved, contact Nortel directly. Help from them will probably be immediate. I'm surprised the unit hasn't been seized.
Posted By: Jack Damage Re: Someone Hacked a NAM - 10/18/04 05:00 PM
Actually, the customer really had to rattle some cages to even get a response from the FBI. They ended up going through an employee who had a relative in the Bureau before they even got a call back and even then, they had to push the issue before an agent came out.....our tax dollars hard at work...
Posted By: Gravelhead44 Re: Someone Hacked a NAM - 10/19/04 03:16 PM
Try restricting the voice mail ports to dial only local phone #s. Discourage users from using easy passwords. If you have Norstar Voice Mail Manager I recommend you run a numeric mailbox report to see if anyone has any more international numbers in their outdial. Also, you may want to disable external initialization if it is on.

I have had this happen to a couple of my customers, this seems to help.
Posted By: Jack Damage Re: Someone Hacked a NAM - 10/21/04 02:20 PM
Now that makes sense. I don't know why I didn't think of that before. I can disable external dial out on mboxes in 983 and I suppose I can apply a dialing filter on the VM ports themselves.

Still does anyone know if there are any admin parameters available by logging into mbox 102? I have only logged into it with F983.
Posted By: Wizziwiz Re: Someone Hacked a NAM - 10/21/04 05:04 PM
I think Gravelhead gave you the answer. It should work.
Posted By: Miltrez Re: Someone Hacked a NAM - 11/08/04 12:57 PM
AAAAARRRRGHHHHH!!!!!

This happened to me this weekend!!

I restricted ports to local calling only, changed everyone's passwords.

This morning, VP gets a call saying that ATT reported now these slimeballs are using the local pics for access (1010-etc). Geez.

How many doors gotta be closed?? I am only the network engineer here and not a phone guru, doing my best at it. Any pointers??
Posted By: jwooten Re: Someone Hacked a NAM - 11/08/04 02:59 PM
You never said what switch this NAM sits behind. You can go into your dialing filters and build restrictions and you can also initiate account codes. It sounds as if you've got a phreaker on staff! Install an SMDR unit to track the calls.

[This message has been edited by jwooten (edited November 08, 2004).]
Posted By: Jack Damage Re: Someone Hacked a NAM - 11/08/04 03:55 PM
I restricted all vm ports from dialing out period.

1.,2.,3.,4.,5.,6.,7.,8.,9., 0. in a dialing filter.

It seems to have worked because now they've got a couple of messages in a couple of mboxes that say, "The system was unable to deliver the message to the number you specified", which of course is a message notification failure report to the user.


They also set up outbound transfer with only "011" in a box as well as an 800 number to some communications company that gives an automated prompt asking for out of state number you want to connect to.

The thing I don't get is that in VM admin, all mboxes are set to outdialing = No. So even if the mboxes are set up to do it, they shouldn't be able to.

But as soon as they lifted the international restrictions from telco, they were hit again the very same day.


Why is that?


------------------
Punch down all your damn pairs!..........please.
Posted By: Jack Damage Re: Someone Hacked a NAM - 11/08/04 03:58 PM
BTW, this one is an old copper NAM on an early MICS. Probably a 1. something.
The menu on the KSU looks like the old DR5 824 style menus.
Posted By: Z-man Re: Someone Hacked a NAM - 11/08/04 05:34 PM
Are you sure it is the VM and not someone trying to dial in via DISA and then out again?
Posted By: Jack Damage Re: Someone Hacked a NAM - 11/09/04 08:25 AM
Honestly, I'm not sure about anything except that there is some vmbox hacking going on.

I didn't check for DISA. How would I go about that?

I'm DISA-challenged! Could you elaborate?

------------------
Punch down all your damn pairs!..........please.
Posted By: BillFlippen Re: Someone Hacked a NAM - 11/15/04 08:59 AM
We just got a Nortel VM hacked up here in Eugene, OR as well. They must be bored. Lotta Arabic type of talking.
Posted By: bcousins Re: Someone Hacked a NAM - 11/17/04 07:16 AM
Had this happen last year. You may also want to restrict # and *, found that they could bypass restrictions. We also set up account codes for all long distance. It is an inconvenience for the customer but sure is cheaper than paying for all those international calls. Good Luck.
B.
Posted By: DMCSALES Re: Someone Hacked a NAM - 11/17/04 02:54 PM
Well guys, just to let you know that you're not alone.
One of our customers here in NY just got hit on a NAM.
I found mbox 100 was set for outdial to some other country. I turned off outdial and changed the password. Now here's the fun part. Every day for the past week customer calls me to say her mailbox is locked. I guess this bozo is still trying to hack in.
Posted By: c333wall Re: Someone Hacked a NAM - 08/25/05 11:51 PM
Our Nortel just got phreaked, a few hundred calls out to over 20 countries ... I changed ALL the passwds and only one mbox since has "locked" and needed to be reset.

call every phone company and put blocks on international calls as well as any 10 10's

then block 00 dialing and 0 dialing ....

then monitor, monitor, monitor ....

Any pointers out there on who to report this fraud to? Any good online fraud websites would help ..

thx
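
Added example (not part of any post in this thread): a small Python check for the monitoring several posters recommend, flagging call records that originate on voice mail ports and begin with the prefixes named above (011, 1010 dial-around codes, 00, 0, and * or #). The record layout, the port labels `VM1`/`VM2` and all sample rows are constructed for illustration and are not a real Norstar SMDR format.

```python
import csv
import io

# Constructed sample records (not a real SMDR layout):
# date,time,origin_port,dialed_digits,duration_seconds
SAMPLE_RECORDS = """\
2004-11-06,02:14,VM1,01120212345678,1260
2004-11-06,02:40,VM2,1010288011442012345678,900
2004-11-06,09:05,221,5550142,95
2004-11-06,09:30,VM1,5550117,30
2004-11-06,23:51,VM2,0,15
2004-11-07,01:02,VM1,*675550100,20
2004-11-07,10:15,230,01133123456789,300
"""

# Assumption: the ports that serve voice mail are known and labelled like this.
VM_PORTS = {"VM1", "VM2"}

def classify(dialed):
    """Return why a dialed string is risky, or None if it looks local."""
    if dialed.startswith(("*", "#")):
        return "star/pound prefix"
    if dialed.startswith("1010"):
        return "dial-around carrier code"
    if dialed.startswith("011"):      # must be tested before the bare "0" rule
        return "international"
    if dialed.startswith("00"):
        return "long-distance operator"
    if dialed.startswith("0"):
        return "operator-assisted"
    return None

def flag_vm_calls(text, vm_ports=VM_PORTS):
    """Flag every risky call that originated on a voice mail port."""
    hits = []
    for date, time, port, dialed, secs in csv.reader(io.StringIO(text)):
        reason = classify(dialed)
        if port in vm_ports and reason:
            hits.append((f"{date} {time}", port, dialed, reason, int(secs)))
    return hits

if __name__ == "__main__":
    for hit in flag_vm_calls(SAMPLE_RECORDS):
        print(*hit, sep="  ")
```

Calls from ordinary extensions (such as 230 in the sample) are deliberately not flagged here; the point is that a voice mail port has no business placing any of these calls.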