[cisco-voip] Fraud calls to Cuba - Please read

Nicolas yogzgo at gmail.com
Thu Jan 8 04:39:34 EST 2009


Did someone open a TAC case at Cisco to talk about it?
What does Cisco say about that?

Nicolas

On Thu, Jan 8, 2009 at 6:16 AM, Aman Chugh <aman.chugh at gmail.com> wrote:

> I had this happen as well to a CME router which the customer connected to
> the Internet and the router also had a PRI from the local telco. The customer
> had put a public IP on the router, exposing it to the Internet, as they
> wanted to do an IPsec tunnel as well. After investigation it was discovered
> that someone was using the SIP port on the router and running a script to call
> numbers in Cuba, and all calls were one-minute calls. We put in an ACL to block
> SIP and H.323 on the router to stop this. I believe someone is using the SIP
> port (5060) from the Internet and making calls through your FXO line.
>
>
> Aman
>
> On Thu, Jan 8, 2009 at 10:31 AM, Ryan West <rwest at zyedge.com> wrote:
>
>> The feature set doesn't imply that CBAC is configured correctly.  Check
>> your outside ACL and, since you're only using MGCP, you can use the link
>> below to disable SIP processing (most likely your culprit, probably a
>> calling card company that scans for open routers).  You should also disable
>> H323 as well.  To see if the router has the firewall running, issue a show
>> ip inspect sessions.  The command I was thinking of earlier is 'show
>> control-plane host open-ports', which does a netstat-type listing on the
>> router.
>>
>>
>>
>> Hope that helps.
>>
>>
>>
>> -ryan
>>
>>
>>
>> *From:* Corbett Enders [mailto:cenders at homesbyavi.com]
>> *Sent:* Wednesday, January 07, 2009 23:56
>> *To:* Ryan West
>> *Cc:* Ahmed Elnagar; VOIP Group
>>
>> *Subject:* Re: [cisco-voip] Fraud calls to Cuba - Please read
>>
>>
>>
>> The router is on the Internet, is configured for MGCP and has ip advanced
>> services with the firewall feature enabled (for VPN and nat). Wouldn't that
>> block external connections?
>>
>>
>> On Jan 7, 2009, at 9:48 PM, "Ryan West" <rwest at zyedge.com> wrote:
>>
>> If the router is connected to the Internet, both H323 TCP/1720 and SIP
>> UDP/5060 need to be blocked.  I don't remember the command offhand, but on some
>> versions of code it is show ip sockets.  Check this out to actually disable
>> default SIP and H323 processing:
>>
>>
>>
>>
>> https://supportwiki.cisco.com/ViewWiki/index.php/How_to_disable_H.323_and_Session_Initiation_Protocol_(SIP)_services_on_TCP_ports_1720_and_5060_of_a_IOS_gateway_router
>>
>> -ryan
>>
>>
>>
>> *From:* cisco-voip-bounces at puck.nether.net [mailto:cisco-voip-bounces at puck.nether.net]
>> *On Behalf Of *Ahmed Elnagar
>> *Sent:* Wednesday, January 07, 2009 23:13
>> *To:* cenders at homesbyavi.com
>> *Cc:* VOIP Group
>> *Subject:* Re: [cisco-voip] Fraud calls to Cuba - Please read
>>
>>
>>
>>
>> Wow...exactly the same problem I had...but with a PRI...I have a site in
>> Egypt where the user called us one day and informed us that he had a bill from
>> the telco for $100,000 for a period of 3 months and they never produced this
>> volume of calls...all calls were to random numbers and the calls never
>> exceeded 1 minute, and these random numbers happened to start with 00,
>> which is the international prefix here in Egypt.
>>
>> After long nights of troubleshooting...I found that the gateway was
>> configured to register SIP phones from the Internet and I found an IP
>> address from Mexico City that was trying these random calls very frequently; the
>> strange thing is that the gateway was accepting these calls and routing them to the
>> H323 side, which relayed the calls to the PRI.
>>
>> I did the following to ensure that it will not happen again...removed SIP
>> entirely from the gateway...converted the gateway to MGCP so that every call
>> that passes the gateway will need signalling from CallManager and will
>> leave a record in the CDR. But the strange thing is the problem continued...
>>
>> During troubleshooting we noticed something strange...a lot of incoming
>> calls coming to the PRI from a certain local number...and it was 3 AM in the
>> morning; we called this number and he told us that he knows no one at this
>> site and he has a problem too: he got high invoices from the telco...so
>> we came up with this conclusion...it seems that the CO equipment has some
>> problem and is generating calls on behalf of the user to random
>> numbers...a strange thing, I know, but till now this company is still in
>> discussions with the telco to solve this problem.
>>
>> I suggest doing the following...try to review the CDR files and get a detailed
>> bill from your telco and try to compare these calls with the CDR calls;
>> maybe this would help you...also try to activate some debugs and show
>> commands ("there are some tools that can automate a show command every 5 minutes or
>> so") to know exactly when these calls happen and what the source of them is.
>>
>> Good luck with this strange issue.
>>
>> Thanks,
>> Ahmed Elnagar
>>
>>
>>
>>  ------------------------------
>>
>> From: cenders at homesbyavi.com
>> To: cisco-voip at puck.nether.net
>> Date: Wed, 7 Jan 2009 20:26:56 -0700
>> Subject: [cisco-voip] Fraud calls to Cuba - Please read
>>
>> Hello List,
>>
>>
>>
>> I've got a situation with 2 remote sites.  Over the course of several days
>> in late November, somehow the analog POTS line in the site (which we use for
>> SRST backup) proceeded to make approx 4,940 calls to Cuba.  There wasn't
>> really a pattern to the calls.  It started with a couple of repeated calls
>> to the same number and from that point, the dialed number changed (not
>> dialed in any sort of sequential pattern either).  Calls varied in duration
>> from 0 seconds to many minutes long.  Sometimes the next call would happen
>> right away and other times there would be several minutes delay between
>> calls.  This proceeded to occur over the course of about a day and a half
>> until the POTS provider called us and we blocked the line.
>>
>>
>>
>> The analog line in the show home serves 2 purposes.  It is connected to
>> the SRST FXO port on the Cisco 2801 router and also connects to the analog
>> fax machine.
>>
>>
>>
>> At this point, the POTS provider feels that somehow the 2801 router has
>> been compromised and is being used to route calls out the FXO port.  We have
>> a cordless phone on an ATA, and at first they felt this was the source but I
>> indicated that any calls from the cordless phone would leave through our PRI
>> in the main office, through the phone line on the FXO port.
>>
>>
>>
>> Even if someone had managed to guess our admin password for the console of
>> the router, I don't believe that person sitting on the Internet would be
>> able to get a call to connect from their computer, through the Internet, and
>> leave out our FXO port in our site.
>>
>>
>>
>> I'm wondering if anyone on the list has some thoughts as to how the system
>> could have been compromised or if it just isn't possible.  The POTS line is
>> actually a digital line provided by Shaw (a local cable/telco in Alberta).
>> I feel that their "digital" phone terminal has been compromised though it
>> isn't connected to the Internet in any way.  One other possibility is old
>> school phone phreaking where someone has actually tapped into the physical
>> line but they would have been sitting outside in the cold for a very long
>> time making these crazy calls.
>>
>>
>>
>> I look forward to any insight the collective brain power of this list can
>> provide. The bill for these calls is over $6000.
>>
>>
>>
>> Regards,
>>
>> Corbett Enders.
>>
>>
>>
>> *Corbett Enders*
>>
>> Network Manager
>> Homes by Avi - 2007 Canadian Builder of the Year.
>> Tel: (403) 536-7170
>> Fax: (403) 536-7171
>> www.homesbyavi.com
>>
>>
>>
>>
>>
>>
>> _______________________________________________
>> cisco-voip mailing list
>> cisco-voip at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-voip
>>
>>
>
>
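Added example, not code from anyone in this thread: a small Python triage script that does the two things the replies above recommend. It reconciles the telco's itemised bill against the CallManager CDR export, as Ahmed suggests (a billed call with no CDR record never passed through CallManager, so it was either placed directly on the gateway, for instance by an Internet-side SIP INVITE hairpinned out the FXO or PRI, or originated on the telco side of the demarc), and it flags the burst pattern Aman and Corbett describe: many short calls to one destination country, clustered in time and typically overnight. The record layout, the sample lines, the gateway name `SRST-GW-2801` and the Cuba prefix list are constructed assumptions for the example; real bill and CDR exports will need their own column mapping.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample data for this example (not real bill or CDR records).
# Telco bill export: date, time, called number, duration in seconds.
TELCO_BILL = """\
2008-11-24,02:14:03,01153712345678,0
2008-11-24,02:14:41,01153712345678,12
2008-11-24,02:16:05,01153798765432,58
2008-11-24,02:19:30,01153755512345,61
2008-11-24,09:31:10,14035551234,340
2008-11-25,03:02:17,01153711223344,45
"""

# CallManager CDR export for the same site: same fields plus the gateway name
# (hypothetical device name; only the 09:31 business call went via CallManager).
CUCM_CDR = """\
2008-11-24,09:31:10,14035551234,340,SRST-GW-2801
"""

# Cuba is country code 53; 011 is the NANP international prefix, 00 the ITU one.
CUBA_PREFIXES = ("01153", "0053", "+53")


def parse_records(text):
    """Parse comma-separated bill or CDR lines into dicts with a datetime start."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(",")
        records.append({
            "start": datetime.strptime(f"{fields[0]} {fields[1]}", "%Y-%m-%d %H:%M:%S"),
            "called": fields[2].strip(),
            "duration": int(fields[3]),
            "gateway": fields[4].strip() if len(fields) > 4 else None,
        })
    return records


def unmatched_bill_calls(bill, cdr, tolerance=timedelta(seconds=10)):
    """Bill entries with no CDR record for the same number starting within tolerance.

    A billed call absent from the CDR never went through CallManager: it was
    placed directly on the gateway (for example an Internet SIP INVITE hairpinned
    out the FXO or PRI port) or generated on the telco side of the demarc.
    """
    return [b for b in bill
            if not any(c["called"] == b["called"]
                       and abs(c["start"] - b["start"]) <= tolerance
                       for c in cdr)]


def suspicious_bursts(records, prefixes=CUBA_PREFIXES, min_calls=3, max_duration=120):
    """Map each clock hour with >= min_calls short calls to the prefixes -> call count.

    This is the pattern in the thread: many calls, mostly under a minute or two,
    to varying numbers in one destination country, clustered in time.
    """
    per_hour = Counter(
        r["start"].replace(minute=0, second=0, microsecond=0)
        for r in records
        if r["called"].startswith(prefixes) and r["duration"] <= max_duration
    )
    return {hour: n for hour, n in per_hour.items() if n >= min_calls}


def off_hours(records, start_hour=22, end_hour=6):
    """Calls that start overnight, between start_hour and end_hour local time."""
    return [r for r in records
            if r["start"].hour >= start_hour or r["start"].hour < end_hour]


def triage(bill_text, cdr_text):
    """Run all three checks and return a summary dict."""
    bill = parse_records(bill_text)
    cdr = parse_records(cdr_text)
    unmatched = unmatched_bill_calls(bill, cdr)
    return {
        "billed_calls": len(bill),
        "unmatched": unmatched,
        "unmatched_numbers": sorted({r["called"] for r in unmatched}),
        "bursts": {h.isoformat(sep=" "): n for h, n in suspicious_bursts(bill).items()},
        "off_hours": len(off_hours(unmatched)),
    }


if __name__ == "__main__":
    report = triage(TELCO_BILL, CUCM_CDR)
    print(f"{report['billed_calls']} billed calls, {len(report['unmatched'])} with no CDR match")
    for r in report["unmatched"]:
        print(f"  {r['start']}  {r['called']:>16}  {r['duration']:>4}s")
    print("burst hours:", report["bursts"])
```

With the constructed data, five of the six billed calls have no CDR match, all to 01153 numbers, all overnight, and four of them fall in a single hour. On a real site the unmatched list is what to hand the telco: if the calls are absent from the CDR and the gateway's own call history, the telco side is in scope, as in Ahmed's case; if they show up on the gateway but not in CallManager, the gateway itself is taking calls from the Internet and the SIP and H.323 listeners need to be disabled or filtered as the earlier replies describe.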