[cisco-voip] E1 call Fraud + h.323 Gw

Ki Wi kiwi.voice at gmail.com
Sun Jan 16 05:41:01 EST 2011


I had this problem recently as well with one of my customers whose router is connected to the Internet directly. Luckily the telco informed them about it.

When I remoted in, it was still happening. They were actually using SIP 5060 to make outgoing calls. What I did was use an ACL to block 5060, both TCP and UDP. I blocked SCCP and H.323 as well. I set all of them to log, but it only seems to be hitting 5060.

Sent from my iPhone
Pls pardon my fat fingers.
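The inbound ACL described above, as an added example that is not configuration posted by anyone in this thread: it drops and logs unsolicited SIP (5060), H.323 (1720) and SCCP (2000) signalling on the Internet-facing interface. The interface name and the provider's signalling host 203.0.113.10 are assumed placeholders; if the site has no SIP trunk arriving from the Internet, drop the two permit lines.

```cisco
! Added example, not from the thread. Inbound policy for the outside interface.
! Assumed: the only legitimate SIP peer on the Internet is the ITSP signalling
! host 203.0.113.10 (placeholder); everything else aimed at VoIP signalling is
! dropped and logged so the scanning shows up in 'show logging'.
ip access-list extended OUTSIDE-IN
 remark --- trusted SIP trunk only (remove if there is no Internet SIP trunk) ---
 permit udp host 203.0.113.10 any eq 5060
 permit tcp host 203.0.113.10 any eq 5060
 remark --- drop and log unsolicited VoIP signalling from anywhere else ---
 deny   udp any any eq 5060 log
 deny   tcp any any eq 5060 log
 deny   tcp any any eq 1720 log
 deny   tcp any any eq 2000 log
 remark --- the rest of the existing outside policy follows ---
 permit tcp any any established
 permit udp any eq domain any
 deny   ip any any log
!
interface GigabitEthernet0/0
 description Internet-facing interface (assumed name)
 ip access-group OUTSIDE-IN in
!
! Check which entries are actually being hit; the counters tell you whether
! the scans are only on 5060 or also on 1720/2000:
!   show ip access-lists OUTSIDE-IN
!   show logging | include IPACCESSLOGP
```

Put the deny lines ahead of any existing permit that is broader than them, since the ACL is evaluated top down and the first match wins.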

On Jan 16, 2011, at 5:19 PM, Nick Matthews <matthnick at gmail.com> wrote:

> I have not seen a case of this that was not caused by having an internet reachable router with port 5060 TCP or UDP open.  I have these shut down on my home router and I consistently see scans.  You should always shut down ports TCP/UDP 5060 and TCP 1720 on your router for outside interfaces.  Maybe your NAT is not a PAT also, and it forwards all ports through.  NAT is not inherently a security device, and should not be assumed so.
> 
> This has been addressed in 15.1(2)T through some more specific restrictions as well.
> 
> -nick
> 
> On Sat, Jan 15, 2011 at 11:50 PM, Jawad A Hai <ahjawad at hotmail.com> wrote:
> Hello Jason,
>  
> The CME has internet accessibility, but with a NATted IP.
> It's behind a firewall.
> I think we were hacked by those pay phone gangs;
> they have somehow scanned the system for the CLID manipulation. Once they found the matching four-digit DID, they started sending calls using that DID.
> I traced the calls: they were going to "dial to win", hold your call as long as possible to win prizes, blah blah.
> I don’t have any call pattern.
> But what amazes me is the sophistication of those gangs; it was done deliberately during the weekend.
> I see SIP call legs in the call logs. I don’t have SIP configured in the CME, but I don’t have the "h.323 to sip and sip to h.323" conversion in voice service voip.
> 
> Still not sure how it was done, with CLID manipulation.
> Please share any ideas.
>  
> 
> From: Jason Aarons (US)
> Sent: Sunday, January 16, 2011 6:35 AM
> To: Jawad A Hai ; cisco-voip at puck.nether.net
> Subject: RE: [cisco-voip] E1 call Fraud + h.323 Gw
> 
> Hopefully the CME doesn’t have any Internet accessibility? It’s behind a firewall, right?
> 
>  
> 
> From: cisco-voip-bounces at puck.nether.net [mailto:cisco-voip-bounces at puck.nether.net] On Behalf Of Jawad A Hai
> Sent: Saturday, January 15, 2011 1:21 PM
> To: cisco-voip at puck.nether.net
> Subject: [cisco-voip] E1 call Fraud + h.323 Gw
> 
>  
> 
> Hello Group,
> 
>  
> 
> Recently I faced a problem with one of my clients, who has got E1r2, DID/DOD.
> 
> He has Cisco CME and a Cisco Voice Gateway.
> 
> Suddenly all 30 ports got busy with international calls. All the calls were being generated by ONE IP Phone, which has got local extension 2000.
> 
> This extension was translated to a DID number, so that any call going out via this extension takes the DID, and any call coming in on this DID will land on this phone.
> 
> The CME was configured to be accessed from outside via a live IP, i.e. live IP to local IP (NAT).
> 
> Now the thing here is that all the calls which were generated were international calls. We rebooted the GW, we rebooted the CME, and it stayed the same: once it rebooted, all 30 ports got busy with international calls.
> 
> Calls were going to African countries/Russian countries (the dial codes belong to these countries).
> 
> When I changed the international dial peer on the CME, they stopped.
> 
> But the catch here is they have received a bill of more than 100k USD from the TELCO.  DEAD DEAD Bang Bang.
> 
> What are the chances of toll fraud or any other way of hacking?
> 
> OR could it be a TELCO side issue?
> 
> Because I see that mostly the calls are being generated by a single DID number??
> 
>  
> 
> Aali
> 
>  
> 
> 
> 
> _______________________________________________
> cisco-voip mailing list
> cisco-voip at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-voip