[cisco-voip] Fraud calls to Cuba - Please read
Ryan West
rwest at zyedge.com
Thu Jan 8 07:27:36 EST 2009
Dial-peer 0 should be disabled. You should have to be explicit about what you accept and from whom; the router isn't supposed to be a SIP proxy...
-----Original Message-----
From: cisco-voip-bounces at puck.nether.net [mailto:cisco-voip-bounces at puck.nether.net] On Behalf Of Kelemen Zoltan
Sent: Thursday, January 08, 2009 06:51
To: Nicolas
Cc: Corbett Enders; cisco-voip at puck.nether.net
Subject: Re: [cisco-voip] Fraud calls to Cuba - Please read
Cisco just blames you for not putting up a firewall (or ACLs) in the
first place.
However I couldn't agree with you more ... been there, burnt myself too,
and have heard of several others too. Just search this list ...
http://markmail.org/search/?q=list%3Anet.nether.puck.cisco-voip+sip+port+open
and this has been going on for years now. I think the keyword here is
ignorance.
Even as an afterthought I do agree with Cisco (that ACLs, firewalls
should be put in place etc.), I still cannot accept that this is a sane
default.
Anyway. You'll see a bunch of angry rants every time someone pops up
this question, then nothing.
regards,
Zoltan Kelemen
Nicolas wrote:
> Does someone open a TAC at Cisco to talk about it?
> What does Cisco say about that?
>
> Nicolas
>
> On Thu, Jan 8, 2009 at 6:16 AM, Aman Chugh <aman.chugh at gmail.com
> <mailto:aman.chugh at gmail.com>> wrote:
>
> I had this happen as well to a CME router which the customer
> connected to the Internet and the router also had a PRI from the
> local telco. The customer had put a public IP on the router,
> exposing it to the Internet, as they wanted to do an IPSEC tunnel
> as well. After investigation it was discovered that someone was
> using the SIP port on the router and running a script to call numbers
> in Cuba, and all calls were one-minute calls. We put in an ACL to
> block SIP and H.323 on the router to stop this. I believe someone
> is using the SIP port (5060) from the Internet and making calls
> through your FXO line.
>
>
> Aman
>
> On Thu, Jan 8, 2009 at 10:31 AM, Ryan West <rwest at zyedge.com
> <mailto:rwest at zyedge.com>> wrote:
>
> The feature set doesn't imply that CBAC is configured
> correctly. Check your outside ACL, and since you're only using
> MGCP, you can use the link below to disable SIP processing
> (most likely your culprit, probably a calling card company
> that scans for open routers). You should also disable H323 as
> well. To see if the router has the firewall running, issue a
> show ip inspect sessions. The command I was thinking of
> earlier is 'show control-plane host open-ports', which does a
> netstat-type listing on the router.
>
> Hope that helps.
>
> -ryan
>
> *From:* Corbett Enders [mailto:cenders at homesbyavi.com
> <mailto:cenders at homesbyavi.com>]
> *Sent:* Wednesday, January 07, 2009 23:56
> *To:* Ryan West
> *Cc:* Ahmed Elnagar; VOIP Group
>
> *Subject:* Re: [cisco-voip] Fraud calls to Cuba - Please read
>
>
>
> The router is on the Internet, is configured for MGCP and has
> ip advanced services with the firewall feature enabled (for
> VPN and nat). Wouldn't that block external connections?
>
>
> On Jan 7, 2009, at 9:48 PM, "Ryan West" <rwest at zyedge.com
> <mailto:rwest at zyedge.com>> wrote:
>
> If the router is connected to the Internet, both H323
> TCP/1720 and SIP UDP/5060 need to be blocked. I don't
> remember the command offhand, but on some versions of code
> it is show ip sockets. Check this out to actually disable
> default SIP and H323 processing:
>
> https://supportwiki.cisco.com/ViewWiki/index.php/How_to_disable_H.323_and_Session_Initiation_Protocol_(SIP)_services_on_TCP_ports_1720_and_5060_of_a_IOS_gateway_router
>
> -ryan
>
>
>
> *From:* cisco-voip-bounces at puck.nether.net
> <mailto:cisco-voip-bounces at puck.nether.net>
> [mailto:cisco-voip-bounces at puck.nether.net] *On Behalf Of
> *Ahmed Elnagar
> *Sent:* Wednesday, January 07, 2009 23:13
> *To:* cenders at homesbyavi.com <mailto:cenders at homesbyavi.com>
> *Cc:* VOIP Group
> *Subject:* Re: [cisco-voip] Fraud calls to Cuba - Please read
>
> Wow...exactly the same problem I had...but with PRI...I
> have a site in Egypt where the user called us one day and
> informed us that he had a bill from the Telco for $100,000
> for a period of 3 months and they never produced this
> amount of calls...all calls were to random numbers and
> the calls never exceeded 1 minute, and these random numbers
> happened to start with 00, which is the international
> prefix here in Egypt.
>
> After long nights of troubleshooting...I found that the
> gateway was configured to register SIP phones from the
> Internet, and I found an IP address from Mexico City that
> was trying these random calls very frequently; the strange thing
> is that the gateway was accepting these calls and routing them
> to the H323 side, which relayed the calls to the PRI.
>
> I did the following to ensure that it will not happen
> again...removed SIP entirely from the gateway...converted
> the gateway to MGCP so that every call that passes the
> gateway will need signalling from CallManager and will
> leave a record in the CDR. But the strange thing is the
> problem continued...
>
> During troubleshooting we noticed something strange...a lot
> of incoming calls coming to the PRI from a certain local
> number...it was 3 AM in the morning; we called this
> number and he told us that he knew no one in this site and
> that he had a problem too: he got high invoices from the Telco...
> so we came up with this conclusion...it seems that the
> CO equipment has some problems and is generating
> calls on behalf of the user to random numbers...a strange
> thing, I know, but till now this company is still in
> discussions with the Telco to solve this problem.
>
> I suggest doing the following...try to review the CDR files and
> get a detailed bill from your Telco and try to compare
> these calls with the CDR calls; maybe this would help
> you...also try to activate some debugs and show commands
> ("there are some tools that can automate a show command every
> 5 mins or so") to know exactly when these calls happen and
> what the source of them is.
>
> Good luck with this strange issue.
>
> Thanks,
> Ahmed Elnagar
>
>
>
> ------------------------------------------------------------------------
>
> From: cenders at homesbyavi.com <mailto:cenders at homesbyavi.com>
> To: cisco-voip at puck.nether.net
> <mailto:cisco-voip at puck.nether.net>
> Date: Wed, 7 Jan 2009 20:26:56 -0700
> Subject: [cisco-voip] Fraud calls to Cuba - Please read
>
> Hello List,
>
>
>
> I've got a situation with 2 remote sites. Over the course
> of several days in late November, somehow the analog POTS
> line in the site (which we use for SRST backup) proceeded
> to make approx 4,940 calls to Cuba. There wasn't really a
> pattern to the calls. It started with a couple of
> repeated calls to the same number and from that point, the
> dialed number changed (not dialed in any sort of
> sequential pattern either). Calls varied in duration from
> 0 seconds to many minutes long. Sometimes the next call
> would happen right away and other times there would be
> several minutes delay between calls. This proceeded to
> occur over the course of about a day and a half until the
> POTS provider called us and we blocked the line.
>
>
>
> The analog line in the show home serves 2 purposes. It is
> connected to the SRST FXO port on the Cisco 2801 router
> and also connects to the analog fax machine.
>
>
>
> At this point, the POTS provider feels that somehow the
> 2801 router has been compromised and is being used to
> route calls out the FXO port. We have a cordless phone on
> an ATA, and at first they felt this was the source but I
> indicated that any calls from the cordless phone would
> leave through our PRI in the main office, through the
> phone line on the FXO port.
>
>
>
> Even if someone had managed to guess our admin password
> for the console of the router, I don't believe that person
> sitting on the Internet would be able to get a call to
> connect from their computer, through the Internet, and
> leave out our FXO port in our site.
>
>
>
> I'm wondering if anyone on the list has some thoughts as
> to how the system could have been compromised or if it just
> isn't possible. The POTS line is actually a digital line
> provided by Shaw (a local cable/telco in Alberta). I feel
> that their "digital" phone terminal has been compromised
> though it isn't connected to the Internet in any way. One
> other possibility is old school phone phreaking where
> someone has actually tapped into the physical line but
> they would have been sitting outside in the cold for a
> very long time making these crazy calls.
>
>
>
> I look forward to any insight the collective brain power
> of this list can provide. The bill for these calls is over
> $6000.
>
>
>
> Regards,
>
> Corbett Enders.
>
>
>
> *Corbett Enders*
>
> Network Manager
> Homes by Avi - 2007 Canadian Builder of the Year.
> Tel: (403) 536-7170
> Fax: (403) 536-7171
> www.homesbyavi.com <http://www.homesbyavi.com/>
>
_______________________________________________
cisco-voip mailing list
cisco-voip at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip
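The mitigation the thread converges on (stop the gateway's own SIP and H.323 listeners, and filter TCP/1720 and UDP/TCP 5060 on the Internet-facing interface, leaving MGCP to CallManager) written out as an added IOS configuration example. This is not from the thread or from the Cisco wiki page it links; the interface name, the addresses and the ACL name are placeholders to be replaced with your own.

```cisco
! Added example (not from the thread): harden an Internet-facing IOS
! voice gateway that only needs MGCP to CallManager plus an IPsec tunnel.
! Placeholders: OUTSIDE-IN (ACL name), FastEthernet0/0 (WAN interface),
! 198.51.100.10 (router WAN address), 203.0.113.5 (IPsec peer).
!
! 1. Stop the gateway from answering H.323 and SIP at all.
!    MGCP call control from CallManager is unaffected.
voice service voip
 h323
  call service stop
 sip
  call service stop
!
! 2. Defence in depth: drop the signalling ports on the outside
!    interface even if the services are re-enabled later. Only the
!    known VPN peer may bring up IKE/ESP; everything else is denied
!    and logged so scanning attempts show up in the log.
ip access-list extended OUTSIDE-IN
 remark Block VoIP signalling from the Internet (H.323 / SIP)
 deny   tcp any any eq 1720 log
 deny   udp any any eq 5060 log
 deny   tcp any any eq 5060 log
 remark Placeholder VPN policy: replace with the site's real IPsec peer(s)
 permit udp host 203.0.113.5 host 198.51.100.10 eq isakmp
 permit udp host 203.0.113.5 host 198.51.100.10 eq non500-isakmp
 permit esp host 203.0.113.5 host 198.51.100.10
 deny   ip any any log
!
interface FastEthernet0/0
 description WAN (placeholder)
 ip address 198.51.100.10 255.255.255.252
 ip access-group OUTSIDE-IN in
!
! 3. Verify with the commands mentioned in the thread: 1720 and 5060
!    should no longer appear as listening ports, and no inspect
!    sessions from unknown sources should be present.
! show control-plane host open-ports
! show ip sockets
! show ip inspect sessions
```

The `call service stop` lines are the in-box way of doing what the support-wiki link in the thread describes; the ACL is there so that a later change to the voice service does not silently re-expose the ports. If the site relies on CBAC (`ip inspect`) for return traffic, keep the inspect rules on the same interface; the final `deny ip any any log` only affects unsolicited inbound connections.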