[cisco-voip] Fraud calls to Cuba - Please read

Kelemen Zoltan keli at carocomp.ro
Thu Jan 8 06:50:31 EST 2009


Cisco just blames you for not putting up a firewall (or ACLs) in the 
first place. 

However I couldn't agree with you more ... been there, burnt myself too, 
and have heard of several others too. Just search this list ... 
http://markmail.org/search/?q=list%3Anet.nether.puck.cisco-voip+sip+port+open

and this has been going on for years now. I think the keyword here is 
ignorance.

Even if, as an afterthought, I do agree with Cisco (that ACLs, firewalls 
should be put in place etc.), I still cannot accept that this is a sane 
default.

Anyway. You'll see a bunch of angry rants every time someone pops up 
this question, then nothing.

regards,
  Zoltan Kelemen

Nicolas wrote:
> Did someone open a TAC case at Cisco to talk about it?
> What does Cisco say about that?
>
> Nicolas
>
> On Thu, Jan 8, 2009 at 6:16 AM, Aman Chugh <aman.chugh at gmail.com 
> <mailto:aman.chugh at gmail.com>> wrote:
>
>     I had this happen as well to a CME router which the customer
>     connected to the Internet and the router also had a PRI from the
>     local telco. Customer had put in a public IP on the router
>     exposing it to the Internet as they wanted to do an IPSEC tunnel
>     as well. After investigation it was discovered that someone was
>     using the SIP port on the router and running a script to call numbers
>     in Cuba and all calls were one-minute calls. We put in an ACL to
>     block SIP and H.323 on the router to stop this. I believe someone
>     is using the SIP port (5060) from the Internet and making calls
>     through your FXO line.
>      
>      
>     Aman
>
>     On Thu, Jan 8, 2009 at 10:31 AM, Ryan West <rwest at zyedge.com
>     <mailto:rwest at zyedge.com>> wrote:
>
>         The feature set doesn't imply that CBAC is configured
>         correctly.  Check your outside ACL and since you're only using
>         MGCP, you can use the link below to disable SIP processing
>         (most likely your culprit, probably a calling card company
>         that scans for open routers).  You should also disable H323 as
>         well.  To see if the router has the firewall running, issue a
>         show ip inspect sessions.  The command I was thinking of
>         earlier is 'show control-plane host open-ports', which does a
>         netstat-type listing on the router.
>
>          
>
>         Hope that helps.
>
>          
>
>         -ryan
>
>          
>
>         *From:* Corbett Enders [mailto:cenders at homesbyavi.com
>         <mailto:cenders at homesbyavi.com>]
>         *Sent:* Wednesday, January 07, 2009 23:56
>         *To:* Ryan West
>         *Cc:* Ahmed Elnagar; VOIP Group
>
>         *Subject:* Re: [cisco-voip] Fraud calls to Cuba - Please read
>
>          
>
>         The router is on the Internet, is configured for MGCP and has
>         ip advanced services with the firewall feature enabled (for
>         VPN and nat). Wouldn't that block external connections?
>
>
>         On Jan 7, 2009, at 9:48 PM, "Ryan West" <rwest at zyedge.com
>         <mailto:rwest at zyedge.com>> wrote:
>
>             If the router is connected to the Internet, both H323
>             TCP/1720 and SIP UDP/5060 need to be blocked.  I don't
>             remember the command offhand, but on some versions of code
>             it is show ip sockets.  Check this out to actually disable
>             default SIP and H323 processing:
>
>              
>
>             https://supportwiki.cisco.com/ViewWiki/index.php/How_to_disable_H.323_and_Session_Initiation_Protocol_(SIP)_services_on_TCP_ports_1720_and_5060_of_a_IOS_gateway_router
>
>             -ryan
>
>              
>
>             *From:* cisco-voip-bounces at puck.nether.net
>             <mailto:cisco-voip-bounces at puck.nether.net>
>             [mailto:cisco-voip-bounces at puck.nether.net] *On Behalf Of
>             *Ahmed Elnagar
>             *Sent:* Wednesday, January 07, 2009 23:13
>             *To:* cenders at homesbyavi.com <mailto:cenders at homesbyavi.com>
>             *Cc:* VOIP Group
>             *Subject:* Re: [cisco-voip] Fraud calls to Cuba - Please read
>
>              
>
>
>             Wow...exactly the same problem I had...but with PRI...I
>             have a site in Egypt where the user called us one day and
>             informed us that he has a bill from the telco for $100,000
>             for a period of 3 months and they never produced this
>             amount of calls...all calls were to random numbers and
>             the calls never exceeded 1 minute and these random numbers
>             happen to start with 00 which is the international
>             prefix here in Egypt.
>              
>             After long nights of troubleshooting...I found that the
>             gateway was configured to register SIP phones from the
>             Internet and I found an IP address from Mexico City that
>             was trying these random calls so frequently; the strange thing
>             is that the gateway was accepting these calls and routing them
>             to the H323 side which relayed the call to the PRI.
>              
>             I did the following to ensure that it will not happen
>             again...removed SIP entirely from the gateway...converted
>             the gateway to MGCP so that every call that passes the
>             gateway will need signalling from CallManager and will
>             leave a record in the CDR. But the strange thing is the
>             problem continued...
>              
>             During troubleshooting we noticed something strange...a lot
>             of incoming calls coming to the PRI from a certain local
>             number...and it was 3 AM in the morning; we called this
>             number and he told us that he knows no one in this site and
>             he has a problem that he got high invoices from the telco
>             too...so we came up with this conclusion...it seems that the
>             CO's equipment has some problems and it is generating
>             calls on behalf of the user to random numbers...a strange
>             thing I know but till now this company is still going through
>             discussions with the telco to solve this problem.
>              
>             I suggest doing the following...try to review the CDR files and
>             get a detailed bill from your telco and try to compare
>             these calls with the CDR calls; maybe this would help
>             you...also try to activate some debugs and show commands
>             "there are some tools that can automate a show command every
>             5 mins or so" to know exactly when these calls happen and
>             what the source of them is.
>              
>             Good luck with this strange issue.
>
>             Thanks,
>             Ahmed Elnagar
>
>
>
>             ------------------------------------------------------------------------
>
>             From: cenders at homesbyavi.com <mailto:cenders at homesbyavi.com>
>             To: cisco-voip at puck.nether.net
>             <mailto:cisco-voip at puck.nether.net>
>             Date: Wed, 7 Jan 2009 20:26:56 -0700
>             Subject: [cisco-voip] Fraud calls to Cuba - Please read
>
>             Hello List,
>
>              
>
>             I've got a situation with 2 remote sites.  Over the course
>             of several days in late November, somehow the analog POTS
>             line in the site (which we use for SRST backup) proceeded
>             to make approx 4,940 calls to Cuba.  There wasn't really a
>             pattern to the calls.  It started with a couple of
>             repeated calls to the same number and from that point, the
>             dialed number changed (not dialed in any sort of
>             sequential pattern either).  Calls varied in duration from
>             0 seconds to many minutes long.  Sometimes the next call
>             would happen right away and other times there would be
>             several minutes delay between calls.  This proceeded to
>             occur over the course of about a day and a half until the
>             POTS provider called us and we blocked the line.
>
>              
>
>             The analog line in the show home serves 2 purposes.  It is
>             connected to the SRST FXO port on the Cisco 2801 router
>             and also connects to the analog fax machine.
>
>              
>
>             At this point, the POTS provider feels that somehow the
>             2801 router has been compromised and is being used to
>             route calls out the FXO port.  We have a cordless phone on
>             an ATA, and at first they felt this was the source but I
>             indicated that any calls from the cordless phone would
>             leave through our PRI in the main office, through the
>             phone line on the FXO port.
>
>              
>
>             Even if someone had managed to guess our admin password
>             for the console of the router, I don't believe that person
>             sitting on the Internet would be able to get a call to
>             connect from their computer, through the Internet, and
>             leave out our FXO port in our site.
>
>              
>
>             I'm wondering if anyone on the list has some thoughts as
>             to how the system could have been compromised or if it just
>             isn't possible.  The POTS line is actually a digital line
>             provided by Shaw (a local cable/telco in Alberta).  I feel
>             that their "digital" phone terminal has been compromised
>             though it isn't connected to the Internet in any way.  One
>             other possibility is old school phone phreaking where
>             someone has actually tapped into the physical line but
>             they would have been sitting outside in the cold for a
>             very long time making these crazy calls.
>
>              
>
>             I look forward to any insight the collective brain power
>             of this list can provide. The bill for these calls is over
>             $6000.
>
>              
>
>             Regards,
>
>             Corbett Enders.
>
>              
>
>             *Corbett Enders*
>
>             Network Manager
>             Homes by Avi - 2007 Canadian Builder of the Year.
>             Tel: (403) 536-7170
>             Fax: (403) 536-7171
>             www.homesbyavi.com <http://www.homesbyavi.com/>
>
>              
>
>              
>
>
>
>         _______________________________________________
>         cisco-voip mailing list
>
>         cisco-voip at puck.nether.net <mailto:cisco-voip at puck.nether.net>
>         https://puck.nether.net/mailman/listinfo/cisco-voip
>
>
>
>
>
>   
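Ahmed's advice to compare the telco's detailed bill against the CallManager CDRs is the one check in this thread that finds calls bypassing CallManager (anything that hit the gateway's own SIP/H.323 listener, as in Aman's and Ahmed's cases, leaves no CUCM CDR), and Corbett's description (thousands of short calls to Cuba, clustered in time) is the pattern to look for in the bill itself. The script below is an added example, not code from the thread or from Cisco; the bill and CDR layouts, the timestamps, the numbers and the Mountain-time assumption are all constructed for illustration. The CDR columns follow the CUCM convention where dateTimeOrigination is epoch seconds in UTC.

```python
"""Reconcile an itemised telco bill against CallManager CDR exports.

Two checks the thread describes informally:
  1. billed calls with no matching CDR record (CallManager never signalled
     them, so they reached the PSTN another way, e.g. through the gateway's
     own SIP/H.323 listener, or did not originate from the PBX at all);
  2. bursts of short international calls to one destination country.
Record layouts and all sample data below are constructed for this example.
"""
from datetime import datetime, timedelta, timezone

# Assumption: the bill is itemised in local Mountain Standard Time (UTC-7).
BILL_TZ = timezone(timedelta(hours=-7))

# Constructed itemised bill: local timestamp, dialled digits, billed seconds.
# 011 is the North American international prefix; 53 is Cuba's country code.
BILL_TEXT = """\
2008-11-24 09:12:05,4035550100,184
2008-11-24 15:40:11,4035550177,322
2008-11-25 03:01:44,0115371234567,12
2008-11-25 03:02:31,0115371234567,45
2008-11-25 03:06:02,0115352211987,0
2008-11-25 03:11:19,0115378800123,59
"""

# Constructed CDR export trimmed to four CUCM-style columns:
# dateTimeOrigination (epoch seconds, UTC), callingPartyNumber,
# finalCalledPartyNumber, duration (seconds). Only the daytime calls exist.
CDR_TEXT = """\
1227543131,2001,4035550100,184
1227566411,2007,4035550177,322
"""


def parse_bill(text, tz=BILL_TZ):
    """Parse bill lines into dicts carrying a timezone-aware datetime."""
    calls = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, number, secs = line.split(",")
        when = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=tz)
        calls.append({"when": when, "number": number, "seconds": int(secs)})
    return calls


def parse_cdr(text):
    """Parse CDR lines; epoch seconds become aware UTC datetimes."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        epoch, calling, called, secs = line.split(",")
        records.append({"when": datetime.fromtimestamp(int(epoch), tz=timezone.utc),
                        "calling": calling, "called": called, "seconds": int(secs)})
    return records


def unmatched_bill_calls(bill, cdr, window=timedelta(seconds=120)):
    """Return billed calls with no CDR record to the same digits within `window`.

    `window` absorbs clock skew between the telco switch and CallManager;
    the dialled digits must match exactly."""
    unmatched = []
    for call in bill:
        matched = any(rec["called"] == call["number"]
                      and abs(rec["when"] - call["when"]) <= window
                      for rec in cdr)
        if not matched:
            unmatched.append(call)
    return unmatched


def short_international_bursts(bill, intl_prefix="011", cc_len=2,
                               max_seconds=60, min_calls=3, span=timedelta(hours=1)):
    """Map destination prefix (international prefix + country code) to the most
    calls of at most `max_seconds` that fall inside any `span`-long window.
    Only destinations reaching `min_calls` are returned.

    cc_len=2 is a simplification: real country codes are one to three digits."""
    by_dest = {}
    for call in bill:
        digits = call["number"]
        if digits.startswith(intl_prefix) and call["seconds"] <= max_seconds:
            by_dest.setdefault(digits[:len(intl_prefix) + cc_len], []).append(call["when"])
    bursts = {}
    for dest, times in by_dest.items():
        times.sort()
        best = start = 0
        for end in range(len(times)):      # sliding window over sorted timestamps
            while times[end] - times[start] > span:
                start += 1
            best = max(best, end - start + 1)
        if best >= min_calls:
            bursts[dest] = best
    return bursts


if __name__ == "__main__":
    bill, cdr = parse_bill(BILL_TEXT), parse_cdr(CDR_TEXT)
    for call in unmatched_bill_calls(bill, cdr):
        print("not in CDR:", call["when"].isoformat(), call["number"], f"{call['seconds']}s")
    for dest, n in short_international_bursts(bill).items():
        print(f"burst: {n} short calls to prefix {dest} within one hour")
```

On the constructed data the four 3 AM calls to 01153 appear on the bill but never in the CDR, which is exactly the signature of calls placed straight at the gateway rather than through CallManager; the two daytime calls reconcile. Real bills and CDR exports differ in column order and digit formatting (the CDR may carry the access code or a normalised E.164 form), so the number comparison is the first thing to adapt.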


