UCM 6510 hacked by outside phone number


#1

So I have a 6510 with service through a PRI circuit. Over the past few days, our PBX has been getting flooded with calls from random Houston, TX numbers to different extensions in our PBX. At some point, it managed to dial my phone with a robo message somehow. The CDR shows the Houston number as the incoming caller but me as the destination. Our incoming routes only allow for calls from all numbers to go directly to our IVR. So how might I be able to resolve this and prevent it from happening again in the future?


#2

Are there abnormal incoming calls to UCM or abnormal outgoing calls from UCM?


#3

Both. A bunch of random Houston numbers are dialing in and hitting some random extensions. But they also made an outbound call to my cell which played a robo call in Chinese on my phone. I checked the CDR because it showed the business number as the caller on my caller ID. The CDR basically showed the incoming caller as the Houston number and my cell as the destination.


#4

Do they basically use UCM SIP extensions to make outgoing calls?


#5

Our phones use SIP extensions, but in this case, it didn’t show that they used an extension to make this call. The CDR shows the Houston number as the caller and my phone number as the destination. Usually if one of our extensions calls an outside number, the CDR will show the extension as the caller and the number they dialed as the destination.


#6

You put NATs on the firewall in ACL?


#7

We do, but the UCM only connects to the inside network, not outside. I have no reason to believe they actually accessed the UCM (logon activity seems normal) and no other users or random extensions have been created. They just dial the UCM and flood it with calls and at one point, managed to dial me directly somehow.


#8

What FW is UCM?
If you have made the ACLs correctly, it is impossible that they reach UCM.


#9

Latest fw, and like I said, I don’t think they have actually accessed the UCM. They flood it with calls and then somehow managed to dial out when dialing the business. Let me ask this: is there a way I can block calls from a certain area code? That would help a ton


#10

It is enough to create the outgoing rules appropriately, but I would try to understand how they managed to enter.
Maybe it’s better if you read this


#11

Yes. Make an inbound route that has that (or those) area code as its prefix and send it to a dead destination.


#12

Ok, looks like we got it figured out. We had a flood of calls from these numbers to pretty much all of our DIDs and a tech had previously set up a test route to my cell phone for tests and forgot to take it out, which is why I got the call. We removed all but our main number and faxes from the routes to try and remedy this.
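
The CDR pattern discussed in this thread (an outside number as caller and an outside number as destination, plus a burst of inbound calls from one area code) can be checked for automatically. The script below is an added example, not part of the original thread and not Grandstream code; the two-column CSV layout, the four-digit extension length and all phone numbers are assumptions constructed for illustration.

```python
import csv
import io
from collections import Counter

# Constructed sample CDR rows in a simplified two-column layout (not the UCM's
# real export format); all numbers are fictitious 555-01xx values.
SAMPLE_CDR = """caller,callee
7135550101,1003
7135550102,1017
2815550103,1003
7135550104,2125550199
1003,2125550150
7135550105,7000
3125550106,7000
"""

EXT_MAX_DIGITS = 4  # assumption: internal extensions have at most 4 digits

def _digits(number):
    return "".join(ch for ch in number if ch.isdigit())

def is_external(number):
    return len(_digits(number)) > EXT_MAX_DIGITS

def area_code(number):
    d = _digits(number)
    if len(d) == 11 and d.startswith("1"):
        d = d[1:]  # strip the NANP country code
    return d[:3] if len(d) == 10 else None

def analyze(cdr_text, flood_threshold=3):
    """Return (hairpins, floods) for calls that arrived from outside numbers."""
    hairpins, inbound = [], Counter()
    for row in csv.DictReader(io.StringIO(cdr_text)):
        caller, callee = row["caller"].strip(), row["callee"].strip()
        if not is_external(caller):
            continue  # extension-originated calls are normal outbound traffic
        ac = area_code(caller)
        if ac:
            inbound[ac] += 1
        if is_external(callee):
            # outside caller sent back out to an outside number: a route forwards it
            hairpins.append((caller, callee))
    floods = {ac: n for ac, n in inbound.items() if n >= flood_threshold}
    return hairpins, floods

if __name__ == "__main__":
    print(analyze(SAMPLE_CDR))
```

Any hairpin entry points at an inbound route or DID whose destination is an external number, which is the kind of leftover test route found in post #12.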

