[cisco-voip] Fraud calls to Cuba - Please read
Aman Chugh
aman.chugh at gmail.com
Thu Jan 8 00:16:46 EST 2009
I had this happen as well to a CME router which the customer connected to
the Internet; the router also had a PRI from the local telco. The customer
had put a public IP on the router, exposing it to the Internet, as they
wanted to do an IPsec tunnel as well. After investigation it was discovered
that someone was using the SIP port on the router and running a script to call
numbers in Cuba, and all calls were one-minute calls. We put in an ACL to block
SIP and H.323 on the router to stop this. I believe someone is using the SIP
port (5060) from the Internet and making calls through your FXO line.
Aman
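The mitigation Aman and Ryan describe (an inbound ACL on the Internet-facing interface that blocks H.323 TCP/1720 and SIP UDP/5060, plus stopping the gateway's own SIP and H.323 services so it no longer listens on those ports) as an added IOS configuration example. This is not configuration posted by anyone in this thread and not taken from the Cisco wiki page Ryan links; it is written here for illustration. The interface name FastEthernet0/0, the ACL name OUTSIDE-IN and the IPsec peer address 203.0.113.10 are assumed placeholders, the IPsec entries are included only because the original poster's router also terminates a VPN tunnel, and MGCP signalling to CallManager is assumed to reach the router only inside that tunnel.

```cisco
! Added example, not from the thread or from Cisco. Names and addresses are placeholders.
!
! 1. Stop the gateway from answering SIP and H.323 calls at all.
!    Appropriate on an MGCP-only gateway like the one in the thread; a CME or
!    SIP-trunk router that needs these protocols must instead rely on the ACL
!    below and on restricting which peers may register or send INVITEs.
voice service voip
 h323
  call service stop
 sip
  call service stop
!
! 2. Inbound ACL on the Internet-facing interface: explicitly deny VoIP
!    signalling, permit only what the IPsec tunnel needs, drop the rest.
!    Return traffic for outbound NAT sessions is opened dynamically by CBAC
!    (ip inspect) when it is applied to the same interface.
ip access-list extended OUTSIDE-IN
 remark -- toll-fraud mitigation: no VoIP signalling from the Internet --
 deny   tcp any any eq 1720
 deny   udp any any eq 5060
 deny   tcp any any eq 5060
 remark -- IPsec site-to-site tunnel from the head-office peer (placeholder) --
 permit udp host 203.0.113.10 any eq isakmp
 permit udp host 203.0.113.10 any eq non500-isakmp
 permit esp host 203.0.113.10 any
 remark -- everything else from the Internet is dropped and logged --
 deny   ip any any log
!
interface FastEthernet0/0
 description Internet
 ip access-group OUTSIDE-IN in
!
! 3. Verify after the change: no listener on TCP 1720 / UDP 5060, and the
!    deny counters on the ACL increment when scanners hit the router.
! show control-plane host open-ports
! show ip sockets
! show access-lists OUTSIDE-IN
! show ip inspect sessions
```

The order matters: the signalling denies sit above the IPsec permits so that a scanner cannot reach the voice stack even from an address that happens to match the tunnel peer, and the explicit final deny with `log` gives you the evidence Ahmed was after, a timestamped record of who is probing 5060 and 1720, without having to poll show commands every few minutes.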
On Thu, Jan 8, 2009 at 10:31 AM, Ryan West <rwest at zyedge.com> wrote:
> The feature set doesn't imply that CBAC is configured correctly. Check
> your outside ACL and, since you're only using MGCP, you can use the link
> below to disable SIP processing (most likely your culprit, probably a
> calling card company that scans for open routers). You should disable
> H323 as well. To see if the router has the firewall running, issue a 'show
> ip inspect sessions'. The command I was thinking of earlier is 'show
> control-plane host open-ports', which does a netstat-type listing on the
> router.
>
> Hope that helps.
>
> -ryan
>
> *From:* Corbett Enders [mailto:cenders at homesbyavi.com]
> *Sent:* Wednesday, January 07, 2009 23:56
> *To:* Ryan West
> *Cc:* Ahmed Elnagar; VOIP Group
>
> *Subject:* Re: [cisco-voip] Fraud calls to Cuba - Please read
>
> The router is on the Internet, is configured for MGCP and has ip advanced
> services with the firewall feature enabled (for VPN and nat). Wouldn't that
> block external connections?
>
> On Jan 7, 2009, at 9:48 PM, "Ryan West" <rwest at zyedge.com> wrote:
>
> If the router is connected to the Internet, both H323 TCP/1720 and SIP
> UDP/5060 need to be blocked. I don't remember the command offhand, but on some
> versions of code it is 'show ip sockets'. Check this out to actually disable
> default SIP and H323 processing:
>
> https://supportwiki.cisco.com/ViewWiki/index.php/How_to_disable_H.323_and_Session_Initiation_Protocol_(SIP)_services_on_TCP_ports_1720_and_5060_of_a_IOS_gateway_router
>
> -ryan
>
> *From:* cisco-voip-bounces at puck.nether.net [mailto:cisco-voip-bounces at puck.nether.net]
> *On Behalf Of* Ahmed Elnagar
> *Sent:* Wednesday, January 07, 2009 23:13
> *To:* cenders at homesbyavi.com
> *Cc:* VOIP Group
> *Subject:* Re: [cisco-voip] Fraud calls to Cuba - Please read
>
> Wow...exactly the same problem I had...but with PRI...I have a site in
> Egypt; the user called us one day and informed us that he had a bill from
> the Telco for $100,000 for a period of 3 months and they never produced this
> amount of calls...all calls were to random numbers and the calls never
> exceeded 1 minute, and these random numbers happened to start with 00,
> which is the international prefix here in Egypt.
>
> After long nights of troubleshooting...I found that the gateway was
> configured to register SIP phones from the Internet and I found an IP
> address from Mexico City that was trying these random calls very frequently;
> the strange thing is that the gateway was accepting these calls and routing
> them to the H323 side, which relayed the calls to the PRI.
>
> I did the following to ensure that it will not happen again...removed SIP
> entirely from the gateway...converted the gateway to MGCP so that every call
> that passes the gateway will need signalling from CallManager and will
> leave a record in the CDR. But the strange thing is the problem continued...
>
> During troubleshooting we noticed something strange...a lot of incoming
> calls coming to the PRI from a certain local number...and it was 3 AM in the
> morning; we called this number and he told us that he knows no one at this
> site and he has a problem too, that he got high invoices from the Telco...so
> we came to this conclusion...it seems that the CO equipment has some
> problems and is generating calls on behalf of the user to random
> numbers...a strange thing, I know, but till now this company is still in
> discussions with the telco to solve this problem.
>
> I suggest you do the following...try to review the CDR files and get a detailed
> bill from your Telco and try to compare those calls with the CDR calls;
> maybe this would help you...also try to activate some debugs and show
> commands ("there are some tools that can automate a show command every 5 mins or
> so") to know exactly when these calls happen and what the source is.
>
> Good luck with this strange issue.
>
> Thanks,
> Ahmed Elnagar
>
> ------------------------------
>
> From: cenders at homesbyavi.com
> To: cisco-voip at puck.nether.net
> Date: Wed, 7 Jan 2009 20:26:56 -0700
> Subject: [cisco-voip] Fraud calls to Cuba - Please read
>
> Hello List,
>
> I've got a situation with 2 remote sites. Over the course of several days
> in late November, somehow the analog POTS line in the site (which we use for
> SRST backup) proceeded to make approx 4,940 calls to Cuba. There wasn't
> really a pattern to the calls. It started with a couple of repeated calls
> to the same number and from that point, the dialed number changed (not
> dialed in any sort of sequential pattern either). Calls varied in duration
> from 0 seconds to many minutes long. Sometimes the next call would happen
> right away and other times there would be several minutes delay between
> calls. This proceeded to occur over the course of about a day and a half
> until the POTS provider called us and we blocked the line.
>
> The analog line in the show home serves 2 purposes. It is connected to the
> SRST FXO port on the Cisco 2801 router and also connects to the analog fax
> machine.
>
> At this point, the POTS provider feels that somehow the 2801 router has
> been compromised and is being used to route calls out the FXO port. We have
> a cordless phone on an ATA, and at first they felt this was the source but I
> indicated that any calls from the cordless phone would leave through our PRI
> in the main office, through the phone line on the FXO port.
>
> Even if someone had managed to guess our admin password for the console of
> the router, I don't believe that person sitting on the Internet would be
> able to get a call to connect from their computer, through the Internet, and
> leave out our FXO port in our site.
>
> I'm wondering if anyone on the list has some thoughts as to how the system
> could have been compromised, or if it just isn't possible. The POTS line is
> actually a digital line provided by Shaw (a local cable/telco in Alberta).
> I feel that their "digital" phone terminal has been compromised, though it
> isn't connected to the Internet in any way. One other possibility is old
> school phone phreaking where someone has actually tapped into the physical
> line, but they would have been sitting outside in the cold for a very long
> time making these crazy calls.
>
> I look forward to any insight the collective brain power of this list can
> provide. The bill for these calls is over $6000.
>
> Regards,
>
> Corbett Enders.
>
> *Corbett Enders*
>
> Network Manager
> Homes by Avi - 2007 Canadian Builder of the Year.
> Tel: (403) 536-7170
> Fax: (403) 536-7171
> www.homesbyavi.com
>
> _______________________________________________
> cisco-voip mailing list
> cisco-voip at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-voip