Logs filling up with... created auto attendant "Auto attendant"

Nicholas Holum
Level 1

Working with MCU 4510 this morning, I noticed a new conference called "auto attendant"

| Name | Description | Owner | Registration | Participants | Start time | Time remaining |
|---|---|---|---|---|---|---|
| redacted ConferenceMe | redacted | redacted | Registered | 0 | Mar 22 2013, 12:42 | <forever> |
| Auto attendant | <auto attendant> | <none> | n/a | 1 | 10:44 | <forever> |
| Auto attendant 1 | <auto attendant> | <none> | n/a | 1 | 10:44 | <forever> |
| redactedConferenceMe | redacted | redacted | Registered | 0 | Aug 9 2013, 14:10 | <forever> |

Here is a snapshot of the logs. I do not recognize any of the external IP addresses.

219857 00:32:49.377 H.323 Info New connection accepted from 10.15.173.101
219858 00:32:49.379 CONFERENCE Info new H.323 participant 4218
219859 00:32:49.473 CONFERENCE Info created auto attendant "Auto attendant"
219860 00:33:53.729 CONFERENCE Info destroy H.323 participant 4218, "442099999999@64.34.197.18"
219861 00:33:53.731 CONFERENCE Info destroyed "Auto attendant"
219862 00:37:32.613 H.323 Info New connection accepted from 10.15.173.101
219863 00:37:32.614 CONFERENCE Info new H.323 participant 4219
219864 00:37:32.697 CONFERENCE Info created auto attendant "Auto attendant"
219865 00:38:36.738 CONFERENCE Info destroy H.323 participant 4219, "442099999999@62.109.134.26"
219866 00:38:36.740 CONFERENCE Info destroyed "Auto attendant"
219867 00:41:14.240 H.323 Info New connection accepted from 10.15.173.101
219868 00:41:14.241 CONFERENCE Info new H.323 participant 4220
219869 00:41:14.324 CONFERENCE Info created auto attendant "Auto attendant"
219870 00:42:18.575 CONFERENCE Info destroy H.323 participant 4220, "442099999999@72.9.154.150"
219871 00:42:18.577 CONFERENCE Info destroyed "Auto attendant"
219872 00:46:16.970 H.323 Info New connection accepted from 10.15.173.101
219873 00:46:16.971 CONFERENCE Info new H.323 participant 4221
219874 00:46:17.056 CONFERENCE Info created auto attendant "Auto attendant"
219875 00:46:23.341 H.323 Info New connection accepted from 10.15.173.101
219876 00:46:23.342 CONFERENCE Info new H.323 participant 4222
219877 00:46:23.427 CONFERENCE Info created auto attendant "Auto attendant 1"
219878 00:47:21.302 CONFERENCE Info destroy H.323 participant 4221, "442099999999@74.86.197.108"
219879 00:47:21.304 CONFERENCE Info destroyed "Auto attendant"
219880 00:47:27.491 CONFERENCE Info destroy H.323 participant 4222, "442099999999@188.204.140.210"
219881 00:47:27.493 CONFERENCE Info destroyed "Auto attendant 1"
219882 00:47:49.072 H.323 Info New connection accepted from 10.15.173.101
219883 00:47:49.073 CONFERENCE Info new H.323 participant 4223

Is this some kind of malicious attack?

Patrick Pettit
Cisco Employee

Hi Nicholas. To me, it seems the VCS may be sending the call towards your MCU and these calls may be originating from your Expressway perhaps?

Looks like someone is trying to send calls your way to try and gain access to an ISDN Gateway that may be on your network, but calls are routing to your MCU instead. MCU may be set up to send calls to Auto Attendant under "Incoming calls to unknown conferences or auto attendants".

If you have an ISDN Gateway on your network, look at the VCS admin guide to try and restrict these types of calls getting to your GW.

VR

Patrick

To add to PP's response, do you have your VCS set up with a fallback alias, and if so, is it your MCU?

On another note, is your MCU open to the public, and is SIP enabled? Calls could be trying to go to the MCU directly if it's open to the public.

Sent from Cisco Technical Support iPhone App

Patrick,

I checked VCS and it is not configured for fallback alias.

Also, MCU is not open to the public directly. We have VCS-E though.

I'd check the VCS that the MCU is registered to, looking at the search history going to your MCU for these calls, and make your way backward to the source, i.e. your Expressway, or a trunk to something else on your network, etc.

Sent from Cisco Technical Support iPhone App

Thanks for the response Patrick,

We do not have any ISDN Gateways on our network. However, I have informed our voice admin of the situation and he mentioned it could be a trunk doing something. He's investigating on his end.

Steve Kapinos
Cisco Employee

This is 'new age wardialing'.

People scan telephone systems and gateways looking for systems they can 'hairpin' through. Basically send a request in via a local or 'free' connection, and then get redirected out a gateway or trunk to a toll destination (like calling overseas).

You can look at the history in your VCS for how the call got directed to the MCU. Follow it backwards and inspect your call routing rules.
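
The scanning pattern described above shows up in the MCU event log from the first post as one alias presented from many unrelated hosts, each call sitting on the auto attendant for about a minute. The Python sketch below is an added example (not code from the thread or from Cisco) that flags this pattern; the sample lines are constructed in the same log layout, and the `find_scans` name and the three-host threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the MCU event-log layout shown in the first post
# (sequence, time, facility, level, message); addresses are documentation ranges.
SAMPLE_LOG = """\
100001 00:32:49.377 H.323 Info New connection accepted from 10.0.0.5
100002 00:32:49.379 CONFERENCE Info new H.323 participant 4218
100003 00:32:49.473 CONFERENCE Info created auto attendant "Auto attendant"
100004 00:33:53.729 CONFERENCE Info destroy H.323 participant 4218, "442099999999@192.0.2.18"
100005 00:37:32.614 CONFERENCE Info new H.323 participant 4219
100006 00:38:36.738 CONFERENCE Info destroy H.323 participant 4219, "442099999999@198.51.100.26"
100007 00:41:14.241 CONFERENCE Info new H.323 participant 4220
100008 00:42:18.575 CONFERENCE Info destroy H.323 participant 4220, "442099999999@203.0.113.150"
100009 00:50:00.000 CONFERENCE Info new H.323 participant 4221
100010 01:20:00.000 CONFERENCE Info destroy H.323 participant 4221, "room12@192.0.2.77"
"""

# Whitespace between columns is optional so run-together exports also parse;
# level names other than Info are an assumption.
LINE = re.compile(r'^(\d+?)\s*(\d\d:\d\d:\d\d\.\d{3})\s*([A-Z][A-Z0-9.]*?)\s*'
                  r'(Info|Warning|Error)\s*(.*)$')
NEW = re.compile(r'^new H\.323 participant (\d+)$')
DESTROY = re.compile(r'^destroy H\.323 participant (\d+), "([^"@]+)@([^"]+)"$')

def find_scans(log_text, min_hosts=3):
    """Return {alias: {hosts, calls, max_secs}} for every alias that was
    presented by at least min_hosts distinct hosts (threshold is assumed)."""
    started, by_alias = {}, defaultdict(list)
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        when = datetime.strptime(m.group(2), "%H:%M:%S.%f")
        msg = m.group(5)
        if (n := NEW.match(msg)):
            started[n.group(1)] = when           # participant id -> join time
        elif (d := DESTROY.match(msg)) and d.group(1) in started:
            secs = (when - started.pop(d.group(1))).total_seconds()
            by_alias[d.group(2)].append((d.group(3), secs % 86400))  # midnight wrap
    report = {}
    for alias, calls in by_alias.items():
        hosts = sorted({h for h, _ in calls})
        if len(hosts) >= min_hosts:
            report[alias] = {"hosts": hosts, "calls": len(calls),
                             "max_secs": max(s for _, s in calls)}
    return report

if __name__ == "__main__":
    print(find_scans(SAMPLE_LOG))
```

The hosts it reports are the ones to look up in the VCS search history when tracing how the calls reached the MCU.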

Received this from my 3rd party support...

Below is a good thread that kind of outlines the issues you’re having. Basically a new rule needs to be added over to your VCS in order to stop the spamming. You’ll go to VCS configuration

https://supportforums.cisco.com/thread/2127426

New rule for VCS.PNG
