03-07-2014 08:01 AM - edited 03-18-2019 02:42 AM
Working with MCU 4510 this morning, I noticed a new conference called "auto attendant".
Name | Description | Owner | Registration | Participants | Start time | Time remaining | |
---|---|---|---|---|---|---|---|
redacted | ConferenceMe | redacted | redacted | Registered | 0 | Mar 22 2013, 12:42 | <forever> |
Auto attendant | <auto attendant> | <none> | n/a | 1 | 10:44 | <forever> | |
Auto attendant 1 | <auto attendant> | <none> | n/a | 1 | 10:44 | <forever> | |
redacted | ConferenceMe | redacted | redacted | Registered | 0 | Aug 9 2013, 14:10 | <forever> |
Here is a snapshot of the logs. I do not recognize any of the external IP addresses.
219857 | 00:32:49.377 | H.323 | Info | New connection accepted from 10.15.173.101 |
219858 | 00:32:49.379 | CONFERENCE | Info | new H.323 participant 4218 |
219859 | 00:32:49.473 | CONFERENCE | Info | created auto attendant "Auto attendant" |
219860 | 00:33:53.729 | CONFERENCE | Info | destroy H.323 participant 4218, "442099999999@64.34.197.18" |
219861 | 00:33:53.731 | CONFERENCE | Info | destroyed "Auto attendant" |
219862 | 00:37:32.613 | H.323 | Info | New connection accepted from 10.15.173.101 |
219863 | 00:37:32.614 | CONFERENCE | Info | new H.323 participant 4219 |
219864 | 00:37:32.697 | CONFERENCE | Info | created auto attendant "Auto attendant" |
219865 | 00:38:36.738 | CONFERENCE | Info | destroy H.323 participant 4219, "442099999999@62.109.134.26" |
219866 | 00:38:36.740 | CONFERENCE | Info | destroyed "Auto attendant" |
219867 | 00:41:14.240 | H.323 | Info | New connection accepted from 10.15.173.101 |
219868 | 00:41:14.241 | CONFERENCE | Info | new H.323 participant 4220 |
219869 | 00:41:14.324 | CONFERENCE | Info | created auto attendant "Auto attendant" |
219870 | 00:42:18.575 | CONFERENCE | Info | destroy H.323 participant 4220, "442099999999@72.9.154.150" |
219871 | 00:42:18.577 | CONFERENCE | Info | destroyed "Auto attendant" |
219872 | 00:46:16.970 | H.323 | Info | New connection accepted from 10.15.173.101 |
219873 | 00:46:16.971 | CONFERENCE | Info | new H.323 participant 4221 |
219874 | 00:46:17.056 | CONFERENCE | Info | created auto attendant "Auto attendant" |
219875 | 00:46:23.341 | H.323 | Info | New connection accepted from 10.15.173.101 |
219876 | 00:46:23.342 | CONFERENCE | Info | new H.323 participant 4222 |
219877 | 00:46:23.427 | CONFERENCE | Info | created auto attendant "Auto attendant 1" |
219878 | 00:47:21.302 | CONFERENCE | Info | destroy H.323 participant 4221, "442099999999@74.86.197.108" |
219879 | 00:47:21.304 | CONFERENCE | Info | destroyed "Auto attendant" |
219880 | 00:47:27.491 | CONFERENCE | Info | destroy H.323 participant 4222, "442099999999@188.204.140.210" |
219881 | 00:47:27.493 | CONFERENCE | Info | destroyed "Auto attendant 1" |
219882 | 00:47:49.072 | H.323 | Info | New connection accepted from 10.15.173.101 |
219883 | 00:47:49.073 | CONFERENCE | Info | new H.323 participant 4223 |
Is this some kind of malicious attack?
03-07-2014 09:13 AM
Hi Nicholas. To me, it seems the VCS may be sending the call towards your MCU and these calls may be originating from your Expressway perhaps?
Looks like someone is trying to send calls your way to try and gain access to an ISDN Gateway that may be on your network, but calls are routing to your MCU instead. MCU may be set up to send calls to Auto Attendant under "Incoming calls to unknown conferences or auto attendants".
If you have an ISDN Gateway on your network, look at the VCS admin guide to try and restrict these types of calls getting to your GW.
VR
Patrick
03-07-2014 09:25 AM
To add to PP's response, do you have your VCS set up with a fallback alias, and if so, is it your MCU?
On another note, is your MCU open to the public, and is SIP enabled? Calls could be trying to go to the MCU directly if it's open to the public.
03-07-2014 09:36 AM
Patrick,
I checked VCS and it is not configured for fallback alias.
Also, MCU is not open to the public directly. We have VCS-E though.
03-07-2014 09:41 AM
I'd check the VCS that the MCU is registered to, looking at the search history going to your MCU for these calls, and make your way backward to the source, i.e. your Expressway, or a trunk to something else on your network, etc.
03-07-2014 09:29 AM
Thanks for the response Patrick,
We do not have any ISDN Gateways on our network. However, I have informed our voice admin of the situation and he mentioned it could be a trunk doing something. He's investigating on his end.
03-07-2014 10:55 AM
This is 'new age wardialing'.
People scan telephone systems and gateways looking for systems they can 'hairpin' through. Basically send a request in via a local or 'free' connection, and then get redirected out a gateway or trunk to a toll destination (like calling overseas).
You can look at the history in your VCS for how the call got directed to the MCU. Follow it backwards and inspect your call routing rules.
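A defender's check for the pattern in the log at the top of the thread, as an added example that is not part of any post here or of Cisco's tooling: it pairs each "new H.323 participant" row with its "destroy" row and lists all-digit aliases that recur with several different IP host parts on short calls. The sample log, the thresholds and the function names are assumptions made for this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the layout of the MCU event log quoted in the thread; the
# number and the addresses (documentation ranges) are made up for this example.
SAMPLE_LOG = """\
1 | 00:10:00.002 | CONFERENCE | Info | new H.323 participant 1 |
2 | 00:10:00.090 | CONFERENCE | Info | created auto attendant "Auto attendant" |
3 | 00:11:04.100 | CONFERENCE | Info | destroy H.323 participant 1, "900000000001@198.51.100.7" |
4 | 00:15:00.002 | CONFERENCE | Info | new H.323 participant 2 |
5 | 00:16:04.000 | CONFERENCE | Info | destroy H.323 participant 2, "900000000001@203.0.113.9" |
6 | 00:20:00.002 | CONFERENCE | Info | new H.323 participant 3 |
7 | 00:50:00.000 | CONFERENCE | Info | destroy H.323 participant 3, "room12@example.org" |
8 | 00:51:00.002 | CONFERENCE | Info | new H.323 participant 4 |
9 | 00:52:03.000 | CONFERENCE | Info | destroy H.323 participant 4, "900000000001@192.0.2.55" |
"""
ROW = re.compile(r"^\s*\d+\s*\|\s*([\d:.]+)\s*\|[^|]*\|[^|]*\|\s*(.*?)\s*\|?\s*$")
NEW = re.compile(r"new H\.323 participant (\d+)$")
DESTROY = re.compile(r'destroy H\.323 participant (\d+), "([^"]*)"$')
NUMERIC_AT_IP = re.compile(r"^(\d{7,15})@(\d{1,3}(?:\.\d{1,3}){3})$")

def parse_calls(log_text):
    """Pair each 'new participant' row with its 'destroy' row; one dict per call."""
    started, calls = {}, []
    for line in log_text.splitlines():
        row = ROW.match(line)
        if not row:
            continue
        ts = datetime.strptime(row.group(1), "%H:%M:%S.%f")
        new, gone = NEW.search(row.group(2)), DESTROY.search(row.group(2))
        if new:
            started[new.group(1)] = ts
        elif gone and gone.group(1) in started:
            secs = (ts - started.pop(gone.group(1))).total_seconds() % 86400  # midnight wrap
            calls.append({"id": gone.group(1), "alias": gone.group(2), "seconds": secs})
    return calls

def repeated_numeric_aliases(calls, min_hosts=3, max_seconds=120):
    """All-digit user parts seen with >= min_hosts IP host parts on short calls."""
    hosts = defaultdict(set)
    for call in calls:
        m = NUMERIC_AT_IP.match(call["alias"])
        if m and call["seconds"] <= max_seconds:
            hosts[m.group(1)].add(m.group(2))
    return {num: sorted(h) for num, h in hosts.items() if len(h) >= min_hosts}

if __name__ == "__main__":
    print(repeated_numeric_aliases(parse_calls(SAMPLE_LOG)))
```

A hit from this check is a prompt to trace the call path back through the VCS search history and review the call routing rules, as the replies in this thread suggest.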
03-07-2014 02:38 PM
Received this from my 3rd party support...
Below is a good thread that kind of outlines the issues you’re having. Basically a new rule needs to be added over to your VCS in order to stop the spamming. You’ll go to VCS configuration