[cisco-voip] has anyone seen this !

Jason Aarons (US) jason.aarons at us.didata.com
Sat Jun 7 10:49:46 EDT 2008


I would recommend running a port/security scanner on your own subnet,
you might find other unexpected results.

It wasn't clear if these are outside your firewall.

-----Original Message-----
From: cisco-voip-bounces at puck.nether.net
[mailto:cisco-voip-bounces at puck.nether.net] On Behalf Of
keli at carocomp.ro
Sent: Saturday, June 07, 2008 4:20 AM
To: James Buchanan
Cc: cisco voip
Subject: Re: [cisco-voip] has anyone seen this !

Basically I agree with you, and I think all of us who faced the  
problem have learned our lesson the hard way ... :/

But the issue here is a bit different, I'd say:
Cisco is running SIP and H.323 services by default, once CME is
configured.  Cisco CME is *routing* incoming SIP/H.323 calls
indiscriminately, also *by default*. The key thing being that your
appliance (Cisco CME router in this case) does things you've not
configured it specifically to do. Where we hit this thing, we didn't
use any SIP services, and the router was configured from blank, so I
did not expect any SIP service to be running on it.

It's funny, that on local side Cisco considers their stuff so  
"secure", that an auto-registered SCCP phone will not get tone, and  
won't be able to call anywhere, but then again a blind incoming SIP  
packet can pass through the router as they wish...

If you consider, that CME systems come integrated into routers, so  
they are very likely to be used as such in low-budget environments.  
It's very possible that the people installing it are not some  
extremely experienced telephony and/or networking experts (Cisco's  
target for CME is expected to be able to use/configure CME through the  
web interface). So while it is certainly a bad decision to deploy it  
that way, it's not by a mile such an unlikely one.

sorry for the rant. :)

regards,
   Zoltan

Quoting James Buchanan <jbuchanan at ctiusa.com>:

> I find it puzzling why anyone would put their production telephone
> system on the Internet with no apparent security measures, not even an
> access list. Cisco should restrict this I suppose, but some basic
> network security practices should also have been followed in this case
> during implementation.
>
>
>
> From: cisco-voip-bounces at puck.nether.net
> [mailto:cisco-voip-bounces at puck.nether.net] On Behalf Of Aman Chugh
> Sent: Friday, June 06, 2008 10:50 PM
> To: Kelemen Zoltan
> Cc: cisco voip
> Subject: Re: [cisco-voip] has anyone seen this !
>
>
>
> Yes, exactly, I was told the same thing and customer is facing a huge
> bill.
>
>
>
> On 6/6/08, Kelemen Zoltan <keli at carocomp.ro> wrote:
>
>
>
> 	I had bitten this bullet in January
> 	(https://puck.nether.net/pipermail/cisco-voip/2008-January/029569.html)
> 	and I'm still perplexed how can Cisco leave this as-is with SIP and
> 	H.323 wide open for public as default settings, while being well aware
> 	of the situation and its possible consequences.
>
> 	I've been discussing this issue with some other colleagues as
> 	well in the branch and I know this has happened to plenty of other
> 	people, in some cases causing very serious monetary damage.
>
> 	regards,
> 	 Zoltan
>
> 	Aman Chugh wrote:
>
> 	It was SIP, disabled SIP on the WAN port using an ACL to stop
> 	calls going out.
> 	 Aman
>
> 	 On 6/6/08, *James Edmondson* <biged7600 at gmail.com> wrote:
>
> 	   Do you happen to have custom scripts on the CME box? I had this
> 	   problem as whoever developed the script left the hole open to dial
> 	   any number from the AA.
> 	   On Thu, Jun 5, 2008 at 2:31 PM, Jorge L. Rodriguez Aguila
> 	   <jorge.rodriguez at netxar.com> wrote:
>
> 	       I would recommend that you do Two things immediately. Install
> 	       COR to limit calls and second implement Access List to Kill
> 	       H.323 coming from the internet.
>
>
> 	       Jorge
>
>
> 	       *From:* cisco-voip-bounces at puck.nether.net
> 	       [mailto:cisco-voip-bounces at puck.nether.net] *On Behalf Of* Aman Chugh
> 	       *Sent:* Thursday, June 05, 2008 2:13 PM
> 	       *To:* cisco voip
> 	       *Subject:* [cisco-voip] has anyone seen this !
>
>
>
>
> 	       I have a site with CME and CUE, the internet link is also
> 	       terminated on my CME router, apparently someone has hacked
> 	       into the router and is using the router calling numbers in
> 	       Cuba and Somalia.  This has caused a huge bill from the phone
> 	       company. We have TAC case opened for this. When we shut the
> 	       internet link this stops.
>
>
> 	       Aman
>
>
> 	       _______________________________________________
> 	       cisco-voip mailing list
> 	       cisco-voip at puck.nether.net
> <mailto:cisco-voip at puck.nether.net>
> 	       https://puck.nether.net/mailman/listinfo/cisco-voip
>
>
>
>
> 	   --    James





More information about the cisco-voip mailing list
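
A defender's check for the mitigation named in the thread (an ACL against SIP and H.323 arriving from the Internet), as an added example that is not from any poster: it reads an IOS-style configuration and reports which signalling ports an arbitrary outside source can still reach on the WAN interface. The configuration, interface name and ACL name are constructed, and only `any any` entries with no port or with `eq <port>` are evaluated.

```python
import re

# Signalling ports named in the thread: SIP (5060 udp/tcp), H.323 call setup (1720 tcp).
SIGNALLING = [("tcp", 1720), ("tcp", 5060), ("udp", 5060)]

def acl_entries(config, wan_if):
    """Ordered entries of the ACL applied inbound on wan_if, or None if there is none."""
    body = r"\n((?: .*\n)*)"                     # the indented lines under a section header
    iface = re.search(rf"^interface {re.escape(wan_if)}{body}", config, re.M)
    bound = iface and re.search(r"^ ip access-group (\S+) in$", iface.group(1), re.M)
    if not bound:
        return None
    name = re.escape(bound.group(1))
    acl = re.search(rf"^ip access-list extended {name}{body}", config, re.M)
    return [line.split() for line in acl.group(1).splitlines()] if acl else None

def exposed(config, wan_if):
    """Signalling (proto, port) pairs that an arbitrary Internet source can reach."""
    entries = acl_entries(config, wan_if)
    if entries is None:                          # no inbound filter on the WAN interface
        return list(SIGNALLING)
    out = []
    for proto, port in SIGNALLING:
        for t in entries:                        # first matching entry decides
            if (len(t) < 4 or t[0] not in ("permit", "deny")
                    or t[1] not in (proto, "ip") or t[2:4] != ["any", "any"]):
                continue                         # remark, other protocol, or one peer only
            if len(t) == 4 or t[4:6] == ["eq", str(port)]:
                if t[0] == "permit":
                    out.append((proto, port))
                break                            # no match at all falls to the implicit deny
    return out

# Constructed sample: one trusted SIP peer permitted, everyone else denied.
FILTERED = """\
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.252
 ip access-group WAN-IN in
ip access-list extended WAN-IN
 permit udp host 198.51.100.10 any eq 5060
 deny udp any any eq 5060
 deny tcp any any eq 5060
 deny tcp any any eq 1720
 permit ip any any
"""
```

An empty result for the WAN interface means none of the three signalling ports is open to arbitrary sources; a router with no inbound ACL at all reports all three.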