[cisco-voip] Fraud calls to Cuba - Please read

Stefan Baltus stefan at iunxi.nl
Thu Jan 8 04:47:42 EST 2009


I was planning to send Cisco a letter complaining about the fact that these
'features' are enabled by default on an ISR which is positioned as the 
platform that does everything (in this case being a voip gateway and 
internet router). I would like to hear other thoughts about this as well.

In my view, opening a TAC case would be of lesser use. Better send a letter
to John Chambers or the like of him.

Stefan

On Thu, Jan 08, 2009 at 10:39:34AM +0100, Nicolas wrote:
> Did anyone open a TAC case at Cisco to talk about it?
> What does Cisco say about that?
> 
> Nicolas
> 
> On Thu, Jan 8, 2009 at 6:16 AM, Aman Chugh <aman.chugh at gmail.com> wrote:
> 
> > I had this happen as well to a CME router which the customer connected to
> > the Internet; the router also had a PRI from the local telco. The customer
> > had put a public IP on the router, exposing it to the Internet, as they
> > wanted to do an IPsec tunnel as well. After investigation it was discovered
> > that someone was using the SIP port on the router and running a script to call
> > numbers in Cuba, and all calls were one-minute calls. We put in an ACL to block
> > SIP and H.323 on the router to stop this. I believe someone is using the SIP
> > port (5060) from the Internet and making calls through your FXO line.
> >
> >
> > Aman
> >
> > On Thu, Jan 8, 2009 at 10:31 AM, Ryan West <rwest at zyedge.com> wrote:
> >
> >> The feature set doesn't imply that CBAC is configured correctly. Check
> >> your outside ACL, and since you're only using MGCP, you can use the link
> >> below to disable SIP processing (most likely your culprit, probably a
> >> calling card company that scans for open routers). You should disable
> >> H.323 as well. To see if the router has the firewall running, issue a 'show
> >> ip inspect sessions'. The command I was thinking of earlier is 'show
> >> control-plane host open-ports', which does a netstat-type listing on the
> >> router.
> >>
> >>
> >>
> >> Hope that helps.
> >>
> >>
> >>
> >> -ryan
> >>
> >>
> >>
> >> *From:* Corbett Enders [mailto:cenders at homesbyavi.com]
> >> *Sent:* Wednesday, January 07, 2009 23:56
> >> *To:* Ryan West
> >> *Cc:* Ahmed Elnagar; VOIP Group
> >>
> >> *Subject:* Re: [cisco-voip] Fraud calls to Cuba - Please read
> >>
> >>
> >>
> >> The router is on the Internet, is configured for MGCP and has ip advanced
> >> services with the firewall feature enabled (for VPN and nat). Wouldn't that
> >> block external connections?
> >>
> >>
> >> On Jan 7, 2009, at 9:48 PM, "Ryan West" <rwest at zyedge.com> wrote:
> >>
> >> If the router is connected to the Internet, both H.323 TCP/1720 and SIP
> >> UDP/5060 need to be blocked. I don't remember the command offhand, but on some
> >> versions of code it is 'show ip sockets'. Check this out to actually disable
> >> default SIP and H.323 processing:
> >>
> >>
> >>
> >>
> >> https://supportwiki.cisco.com/ViewWiki/index.php/How_to_disable_H.323_and_Session_Initiation_Protocol_(SIP)_services_on_TCP_ports_1720_and_5060_of_a_IOS_gateway_router
> >>
> >> -ryan
> >>
> >>
> >>
> >> *From:* cisco-voip-bounces at puck.nether.net
> >> *On Behalf Of *Ahmed Elnagar
> >> *Sent:* Wednesday, January 07, 2009 23:13
> >> *To:* cenders at homesbyavi.com
> >> *Cc:* VOIP Group
> >> *Subject:* Re: [cisco-voip] Fraud calls to Cuba - Please read
> >>
> >>
> >>
> >>
> >> Wow... exactly the same problem I had, but with a PRI. I have a site in
> >> Egypt where the user called us one day and informed us that he had a bill from
> >> the telco for $100,000 for a period of 3 months, and they never produced this
> >> amount of calls. All calls were to random numbers and the calls never
> >> exceeded 1 minute, and these random numbers happened to start with 00,
> >> which is the international prefix here in Egypt.
> >>
> >> After long nights of troubleshooting, I found that the gateway was
> >> configured to register SIP phones from the Internet, and I found an IP
> >> address in Mexico City that was trying these random calls very frequently. The
> >> strange thing is that the gateway was accepting these calls and routing them to
> >> the H.323 side, which relayed the calls to the PRI.
> >>
> >> I did the following to ensure that it will not happen again: removed SIP
> >> from the gateway entirely and converted the gateway to MGCP, so that every call
> >> that passes the gateway will need signalling from CallManager and will
> >> leave a record in the CDR. But the strange thing is that the problem continued...
> >>
> >> During troubleshooting we noticed something strange: a lot of incoming
> >> calls coming in on the PRI from a certain local number. It was 3 AM in the
> >> morning; we called this number and he told us that he knew no one at this
> >> site and that he had a problem with high invoices from the telco too. So
> >> we came to this conclusion: it seems that the CO equipment has some
> >> problems and is generating calls on behalf of the user to random
> >> numbers. A strange thing, I know, but till now this company is still in
> >> discussions with the telco to solve this problem.
> >>
> >> I suggest doing the following: try to review the CDR files and get a detailed
> >> bill from your telco, and try to compare these calls with the CDR calls;
> >> maybe this would help you. Also try to activate some debugs and show
> >> commands (there are some tools that can automate a show command every 5 minutes or
> >> so) to know exactly when these calls happen and what the source of them is.
> >>
> >> Good luck with this strange issue.
> >>
> >> Thanks,
> >> Ahmed Elnagar
> >>
> >>
> >>
> >>  ------------------------------
> >>
> >> From: cenders at homesbyavi.com
> >> To: cisco-voip at puck.nether.net
> >> Date: Wed, 7 Jan 2009 20:26:56 -0700
> >> Subject: [cisco-voip] Fraud calls to Cuba - Please read
> >>
> >> Hello List,
> >>
> >>
> >>
> >> I've got a situation with 2 remote sites.  Over the course of several days
> >> in late November, somehow the analog POTS line in the site (which we use for
> >> SRST backup) proceeded to make approx 4,940 calls to Cuba.  There wasn't
> >> really a pattern to the calls.  It started with a couple of repeated calls
> >> to the same number and from that point, the dialed number changed (not
> >> dialed in any sort of sequential pattern either).  Calls varied in duration
> >> from 0 seconds to many minutes long.  Sometimes the next call would happen
> >> right away and other times there would be several minutes delay between
> >> calls.  This proceeded to occur over the course of about a day and a half
> >> until the POTS provider called us and we blocked the line.
> >>
> >>
> >>
> >> The analog line in the show home serves 2 purposes.  It is connected to
> >> the SRST FXO port on the Cisco 2801 router and also connects to the analog
> >> fax machine.
> >>
> >>
> >>
> >> At this point, the POTS provider feels that somehow the 2801 router has
> >> been compromised and is being used to route calls out the FXO port.  We have
> >> a cordless phone on an ATA, and at first they felt this was the source but I
> >> indicated that any calls from the cordless phone would leave through our PRI
> >> in the main office, through the phone line on the FXO port.
> >>
> >>
> >>
> >> Even if someone had managed to guess our admin password for the console of
> >> the router, I don't believe that person sitting on the Internet would be
> >> able to get a call to connect from their computer, through the Internet, and
> >> leave out our FXO port in our site.
> >>
> >>
> >>
> >> I'm wondering if anyone on the list has some thoughts as to how the system
> >> could have been compromised, or if it just isn't possible. The POTS line is
> >> actually a digital line provided by Shaw (a local cable/telco in Alberta).
> >> I feel that their "digital" phone terminal has been compromised, though it
> >> isn't connected to the Internet in any way. One other possibility is old
> >> school phone phreaking where someone has actually tapped into the physical
> >> line, but they would have been sitting outside in the cold for a very long
> >> time making these crazy calls.
> >>
> >>
> >>
> >> I look forward to any insight the collective brain power of this list can
> >> provide. The bill for these calls is over $6000.
> >>
> >>
> >>
> >> Regards,
> >>
> >> Corbett Enders.
> >>
> >>
> >>
> >> *Corbett Enders*
> >>
> >> Network Manager
> >> Homes by Avi - 2007 Canadian Builder of the Year.
> >> Tel: (403) 536-7170
> >> Fax: (403) 536-7171
> >> www.homesbyavi.com
> >>
> >>
> >>
> >>
> >>  ------------------------------
> >>
> >>
> >>
> >> _______________________________________________
> >> cisco-voip mailing list
> >> cisco-voip at puck.nether.net
> >> https://puck.nether.net/mailman/listinfo/cisco-voip
> >>
> >>
> >



-- 
E: stefan at iunxi.nl                      iunxi BV
M: +31 (0)6 18844094                    Postbus 1315
T: +31 (0)88 5400500                    1300 BH   ALMERE
F: +31 (0)88 5400501
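A hardening fragment for the situation the thread describes (an ISR doing MGCP to CallManager while sitting on the Internet with a PRI or FXO behind it), written as an added example; it is not taken from the thread, from the linked supportwiki page, or from Cisco documentation. It assumes FastEthernet0/0 is the Internet-facing interface, 203.0.113.10 is its public address, and the only inbound traffic the site needs from the Internet is the IPsec tunnel to head office; the ACL name OUTSIDE-IN and those addresses are placeholders. The `call service stop` commands under `voice service voip` are assumed to be available on the running IOS release (they are not on older 12.4 mainline images); if the CLI rejects them, use the procedure Ryan linked and rely on the ACL, which is the part every release supports.

```cisco
! Added example, not the thread's or Cisco's own configuration.
! Placeholders: FastEthernet0/0 (outside), 203.0.113.10 (public IP), OUTSIDE-IN.
!
! 1. Stop the gateway answering SIP and H.323 call setups at all.
!    Assumption: 'call service stop' exists on this IOS release. 'forced'
!    tears down calls already in progress, which is what you want while
!    fraud calls are running. An MGCP-only gateway needs neither service.
voice service voip
 sip
  call service stop forced
 h323
  call service stop forced
!
! 2. Belt and braces: drop the signalling ports at the edge so that a
!    listener re-enabled by a later config change is still unreachable.
!    Deny rules are listed before the permits so they win regardless of
!    what the VPN/NAT rules below allow.
ip access-list extended OUTSIDE-IN
 remark -- VoIP signalling must never be reachable from the Internet --
 remark H.323 call setup (Q.931) on TCP/1720
 deny   tcp any any eq 1720 log
 remark SIP on UDP/5060 and TCP/5060
 deny   udp any any eq 5060 log
 deny   tcp any any eq 5060 log
 remark -- only the IPsec tunnel to head office may come in --
 permit udp any host 203.0.113.10 eq isakmp
 permit udp any host 203.0.113.10 eq non500-isakmp
 permit esp any host 203.0.113.10
 remark -- CBAC opens return traffic for inside-initiated sessions --
 deny   ip any any log
!
interface FastEthernet0/0
 ip access-group OUTSIDE-IN in
!
! 3. Verify: 1720 and 5060 should no longer show as LISTEN, the deny
!    counters should start climbing if a scanner is still probing, and
!    MGCP registration to CallManager must still be up.
! show control-plane host open-ports
! show ip sockets
! show access-lists OUTSIDE-IN
! show ip inspect sessions
! show ccm-manager
```

Run the `show` commands once before the change so there is a baseline of what the router was listening on; the `log` keyword on the deny entries gives a syslog trail of which Internet addresses were hammering the SIP port, which is the evidence to hand to the POTS provider alongside the CDR comparison Ahmed suggests. One caveat worth checking on the specific release: on some IOS versions, packets decrypted from the IPsec tunnel are evaluated against the inbound ACL on the physical interface as well, so confirm with `show ccm-manager` that the MGCP session to CallManager survives the change before leaving the site.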

