[cisco-voip] E1 call Fraud + h.323 Gw

Nick Matthews matthnick at gmail.com
Sun Jan 16 04:19:10 EST 2011


I have not seen a case of this that was not caused by having an internet
reachable router with port 5060 TCP or UDP open.  I have these shut down on
my home router and I consistently see scans.  You should always shut down
ports TCP/UDP 5060 and TCP 1720 on your router for outside interfaces.
Maybe your NAT is not a PAT also, and it forwards all ports through.  NAT is
not inherently a security device, and should not be assumed so.

This has been addressed in 15.1(2)T through some more specific restrictions
as well.

-nick

On Sat, Jan 15, 2011 at 11:50 PM, Jawad A Hai <ahjawad at hotmail.com> wrote:

>  Hello Jason,
>
> The CME has internet accessibility, but with a NATed IP.
> It's behind a firewall.
> I think we were hacked by those pay phone gangs,
> they have somehow scanned the system for the CLID manipulation, once they
> found the matching four digit DID, they have started sending calls using
> that DID.
> I traced the calls, they were going to "dial to win " hold your call as
> long as to win prizes, blah blah.
> I don’t have any call pattern.
> But what amazes with the sophistication of those gangs, it was done
> deliberately during weekend.
> I see SIP call legs in call logs, I don’t have SIP configured in the CME,
> but I don’t have in " h.323 to sip and sip to h.323 " conversion in voice
> service voip.
>
> Still not sure how was it done, with CLID manipulation.
> Please share any ideas.
>
>
>  *From:* Jason Aarons (US) <jason.aarons at us.didata.com>
> *Sent:* Sunday, January 16, 2011 6:35 AM
> *To:* Jawad A Hai <ahjawad at hotmail.com> ; cisco-voip at puck.nether.net
> *Subject:* RE: [cisco-voip] E1 call Fraud + h.323 Gw
>
> Hopefully the CME doesn’t have any Internet accessibility? It’s behind a
> firewall, right?
>
>
>
> *From:* cisco-voip-bounces at puck.nether.net [mailto:
> cisco-voip-bounces at puck.nether.net] *On Behalf Of *Jawad A Hai
> *Sent:* Saturday, January 15, 2011 1:21 PM
> *To:* cisco-voip at puck.nether.net
> *Subject:* [cisco-voip] E1 call Fraud + h.323 Gw
>
>
>
> Hello Group,
>
>
>
> Recently I faced a problem with one of my clients, who has got E1 R2,
> DID/DOD.
>
> He has Cisco CME and Cisco Voice Gateway.
>
> Suddenly all 30 ports got busy with international calls. All the calls are
> being generated by ONE IP Phone which has got local extension 2000.
>
> This extension was translated to DID number, so that any call goes out via
> this number takes the DID and any call comes on this DID will land on this
> Phone.
>
> The CME was configured to access via outside with live IP. ie Live IP to
> Local IP (NAT).
>
> Now the thing here is all the calls which were generated are international
> calls. We rebooted the GW, we rebooted the CME, it stayed the same. Once it
> reboots, all 30 ports get busy with international calls.
>
> Calls going to African countries/Russian countries (dial codes belong to
> these countries).
>
> When I changed the international dial peer on the CME they stopped.
>
> But the catch here is they have received more than a 100 k USD bill from the TELCO.
> DEAD DEAD Bang Bang.
>
> What are the chances of toll Fraud or any other way of hacking ?
>
> OR could it be TELCO side issue?
>
> Cuz I see mostly calls are being generated by single DID number ??
>
>
>
> Aali
>
>
>
>
>
>
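Nick's advice above (close 5060 and 1720 on the outside interface, do not treat a 1:1 NAT as a firewall, and use the 15.1(2)T call restrictions), written out as an added IOS configuration example that is not part of the original thread. The interface name, the 10.10.10.0/24 phone subnet and the 203.0.113.10 / 198.51.100.0 addresses are placeholders I chose, and the trusted-list syntax is from memory rather than from the thread.

```cisco
! --- Weak: 1:1 static NAT forwards every port of the CME to the Internet,
! --- including SIP (5060) and H.323 (1720). Addresses are RFC 5737 placeholders.
ip nat inside source static 10.10.10.5 203.0.113.10

! --- Better: no inbound mapping for the CME at all. Inside hosts use PAT
! --- (overload), which creates no Internet-reachable listener.
no ip nat inside source static 10.10.10.5 203.0.113.10
ip access-list standard NAT-INSIDE
 permit 10.10.10.0 0.0.0.255
ip nat inside source list NAT-INSIDE interface GigabitEthernet0/0 overload

! --- Drop VoIP signaling from the outside regardless of NAT. Put these
! --- deny lines at the top of whatever inbound policy the site already has;
! --- the final permit only stands in for that existing policy. The "log"
! --- keyword gives you a record of the scans Nick mentions.
ip access-list extended OUTSIDE-IN
 remark Block SIP (TCP/UDP 5060) and H.323 (TCP 1720) from the Internet
 deny   udp any any eq 5060 log
 deny   tcp any any eq 5060 log
 deny   tcp any any eq 1720 log
 remark Existing inbound policy follows (placeholder)
 permit ip any any

interface GigabitEthernet0/0
 description Outside (Internet)
 ip nat outside
 ip access-group OUTSIDE-IN in

! --- IOS 15.1(2)T toll-fraud prevention: only accept VoIP call setup from
! --- listed signaling peers (here the phone subnet and a hypothetical ITSP).
! --- Assumed syntax; check the voice command reference for your release.
voice service voip
 ip address trusted list
  ipv4 10.10.10.0 255.255.255.0
  ipv4 198.51.100.0 255.255.255.0
 ip address trusted authenticate
```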

