[cisco-voip] E1 call Fraud + h.323 Gw
Dennis Heim
Dennis.Heim at cdw.com
Mon Jan 17 08:49:48 EST 2011
If you have a SIP provider, you should deny all SIP traffic to/from the CME except the traffic originating from your provider's proxy/registrar servers. If you are not running to a SIP provider, your firewall should be configured to block all SIP (5060-5063 TCP and UDP) to your CME. After you do that, do an internet port scan for those ports to verify that they are indeed blocked.
Dennis Heim
Network Voice Engineer
CDW Advanced Technology Services
11711 N. Meridian Street, Suite 225
Carmel, IN 46032
317.569.4255 Single Number Reach
317.569.4201 Fax
dennis.heim at cdw.com
http://www.cdw.com/content/solutions/unified-communications/
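Added example, not posted by anyone in this thread and not taken from Cisco documentation: an IOS extended ACL that implements the advice above (SIP only from the provider, everything else logged and dropped), applied inbound on the outside interface, followed by the 15.1(2)T toll-fraud "trusted list" that Nick mentions further down. Addresses and interface names are assumptions: 203.0.113.10 stands for the provider's proxy/registrar (RFC 5737 documentation range) and GigabitEthernet0/0 for the internet-facing interface.

```text
! Added example; 203.0.113.10 and GigabitEthernet0/0 are placeholders, adjust to your site.
ip access-list extended OUTSIDE-IN
 remark SIP signalling allowed only from the provider's proxy/registrar
 permit udp host 203.0.113.10 any range 5060 5061
 permit tcp host 203.0.113.10 any range 5060 5061
 remark any other VoIP signalling from the internet is logged and dropped
 deny   udp any any range 5060 5063 log
 deny   tcp any any range 5060 5063 log
 remark H.323 call signalling (H.225) and SCCP
 deny   tcp any any eq 1720 log
 deny   tcp any any eq 2000 log
 remark the rest of your existing inbound policy (return traffic, VPN, ...) goes here;
 remark the ACL ends with an implicit deny, so do not apply it with nothing after this line
!
interface GigabitEthernet0/0
 description Internet
 ip access-group OUTSIDE-IN in
!
! Site with no SIP provider: remove the two permit lines so every SIP packet is dropped.
!
! IOS 15.1(2)T and later: the toll-fraud prevention feature rejects VoIP call setups from
! any source address not on this list ("ip address trusted authenticate" is on by default).
voice service voip
 ip address trusted list
  ipv4 203.0.113.10 255.255.255.255
!
! Verify: hit counters on the deny lines show the scanners reaching the box, and the
! "log" keyword writes their source addresses to syslog.
show ip access-lists OUTSIDE-IN
```

Apply the ACL before exposing the interface, then repeat the external port scan Dennis recommends; the deny counters should climb while the CME sees no unsolicited SIP.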
From: cisco-voip-bounces at puck.nether.net [mailto:cisco-voip-bounces at puck.nether.net] On Behalf Of Ahmed Elnagar
Sent: Sunday, January 16, 2011 2:47 PM
To: Jawad A Hai
Cc: cisco-voip at puck.nether.net
Subject: Re: [cisco-voip] E1 call Fraud + h.323 Gw
My customer's CEO is a friend of the telco CEO and they had a deal to pay only a part of the bill ☺
I don't know what the case is in yours, but a trial will not hurt.
Best Regards,
Ahmed Elnagar | CCIE#24697 Voice
From: Jawad A Hai [mailto:ahjawad at hotmail.com]
Sent: Sunday, January 16, 2011 9:41 PM
To: Ahmed Elnagar; Ki Wi; Nick Matthews
Cc: cisco-voip at puck.nether.net
Subject: Re: [cisco-voip] E1 call Fraud + h.323 Gw
Ahmed
One Q.
How did you solve this billing issue with your telco?
Did you pay it all?
Or did any negotiations work?
Aali
From: Ahmed Elnagar <ahmed_elnagar at rayacorp.com>
Sent: Sunday, January 16, 2011 10:24 PM
To: Ki Wi <kiwi.voice at gmail.com>; Nick Matthews <matthnick at gmail.com>
Cc: cisco-voip at puck.nether.net
Subject: Re: [cisco-voip] E1 call Fraud + h.323 Gw
I had a similar problem with a 100K USD bill over 3 months, and it is the same problem: never give a voice gateway internet access. Also, you may consider some access lists, CORs, etc. to prevent this hacking.
Best Regards,
Ahmed Elnagar | CCIE#24697 Voice
From: cisco-voip-bounces at puck.nether.net [mailto:cisco-voip-bounces at puck.nether.net] On Behalf Of Ki Wi
Sent: Sunday, January 16, 2011 12:41 PM
To: Nick Matthews
Cc: cisco-voip at puck.nether.net
Subject: Re: [cisco-voip] E1 call Fraud + h.323 Gw
I had this problem recently also with one of the customers whose router is connected to the Internet directly. Luckily the telco informed them about it.
When I remoted in, it was still happening. They are actually using SIP 5060 to make outgoing calls. What I did was use an ACL to block 5060, both TCP and UDP. I blocked SCCP and H.323 as well. All of them I set to log, but it seems like it's only hitting 5060.
Sent from my iPhone
Pls pardon my fat fingers.
On Jan 16, 2011, at 5:19 PM, Nick Matthews <matthnick at gmail.com> wrote:
I have not seen a case of this that was not caused by having an internet-reachable router with port 5060 TCP or UDP open. I have these shut down on my home router and I consistently see scans. You should always shut down ports TCP/UDP 5060 and TCP 1720 on your router for outside interfaces. Maybe your NAT is not a PAT also, and it forwards all ports through. NAT is not inherently a security device, and should not be assumed so.
This has been addressed in 15.1(2)T through some more specific restrictions as well.
-nick
On Sat, Jan 15, 2011 at 11:50 PM, Jawad A Hai <ahjawad at hotmail.com> wrote:
Hello Jason,
The CME has internet accessibility, but with a NATed IP.
It's behind a firewall.
I think we were hacked by those pay-phone gangs;
they have somehow scanned the system for the CLID manipulation, and once they found the matching four-digit DID, they started sending calls using that DID.
I traced the calls; they were going to "dial to win", hold your call as long as you can to win prizes, blah blah.
I don't have any call pattern.
But what amazes me is the sophistication of those gangs; it was done deliberately during the weekend.
I see SIP call legs in the call logs. I don't have SIP configured in the CME, but I don't have the "h.323 to sip and sip to h.323" conversion in voice service voip.
Still not sure how it was done, with CLID manipulation.
Please share any ideas.
From: Jason Aarons (US) <jason.aarons at us.didata.com>
Sent: Sunday, January 16, 2011 6:35 AM
To: Jawad A Hai <ahjawad at hotmail.com>; cisco-voip at puck.nether.net
Subject: RE: [cisco-voip] E1 call Fraud + h.323 Gw
Hopefully the CME doesn't have any Internet accessibility? It's behind a firewall, right?
From: cisco-voip-bounces at puck.nether.net [mailto:cisco-voip-bounces at puck.nether.net] On Behalf Of Jawad A Hai
Sent: Saturday, January 15, 2011 1:21 PM
To: cisco-voip at puck.nether.net
Subject: [cisco-voip] E1 call Fraud + h.323 Gw
Hello Group,
Recently I faced a problem with one of my clients, who has got E1 R2, DID/DOD.
He has a Cisco CME and a Cisco voice gateway.
Suddenly all 30 ports got busy with international calls. All the calls were being generated by ONE IP phone, which has got local extension 2000.
This extension was translated to a DID number, so that any call that goes out via this phone takes the DID, and any call that comes in on this DID lands on this phone.
The CME was configured to be accessed from outside with a live IP, i.e. live IP to local IP (NAT).
Now the thing here is all the calls which were generated are international calls. We rebooted the GW, we rebooted the CME; it stayed the same. As soon as it reboots, all 30 ports get busy with international calls.
Calls going to African countries/Russian countries (the dial codes belong to these countries).
When I changed the international dial peer on the CME, they stopped.
But the catch here is they have received a bill of more than 100K USD from the telco. DEAD DEAD Bang Bang.
What are the chances of toll fraud or any other way of hacking?
Or could it be a telco-side issue?
Because I see most calls are being generated by a single DID number??
Aali
________________________________
Disclaimer: This e-mail communication and any attachments may contain confidential and privileged information and is for use by the designated addressee(s) named above only. If you are not the intended addressee, you are hereby notified that you have received this communication in error and that any use or reproduction of this email or its contents is strictly prohibited and may be unlawful. If you have received this communication in error, please notify us immediately by replying to this message and deleting it from your computer. Thank you.
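The symptoms in the original post (one extension, every E1 channel suddenly busy with international calls, over a weekend) are exactly the pattern a CDR watch should alarm on, and it would have fired long before a 100K bill. Added example, not code from anyone in this thread: a Python sketch that reads call detail records and flags (a) a burst of international calls from one extension inside a short window and (b) any international call placed out of hours. The CDR layout (timestamp, calling extension, called number, seconds), the "00" international access prefix, the thresholds and the business-hours window are all assumptions, and the records themselves are constructed sample data.

```python
"""Toll-fraud spotting over call detail records (added example, constructed data).

Flags the pattern from the thread: one extension suddenly originating a
burst of international calls, typically out of hours.
"""
from collections import defaultdict, deque
from datetime import datetime

# Constructed CDR lines; assumed layout: ISO timestamp, calling ext, called number, seconds.
# 2011-01-14 is a Friday, 2011-01-16 a Sunday, 2011-01-17 a Monday.
SAMPLE_CDR = """\
2011-01-14 09:12:03,2001,4255551212,44
2011-01-14 11:40:19,2002,00442071234567,301
2011-01-16 02:03:11,2000,00234801234567,1798
2011-01-16 02:03:15,2000,00234801234568,1799
2011-01-16 02:03:20,2000,0079261234567,1800
2011-01-16 02:03:24,2000,00234801234569,1797
2011-01-16 02:03:31,2000,0079261234568,1800
2011-01-16 02:03:33,2000,00234801234570,1801
2011-01-17 10:15:00,2003,4255551213,12
"""

INTL_PREFIX = "00"             # assumed international access code; adjust per site
BURST_THRESHOLD = 5            # this many international calls from one extension ...
BURST_WINDOW_S = 300           # ... inside this many seconds raises an alert
BUSINESS_HOURS = range(8, 18)  # local time, Mon-Fri; anything else counts as off-hours


def parse_cdr(text):
    """Parse CDR lines into dicts; blank or malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 4:
            continue
        ts, src, dst, secs = parts
        records.append({
            "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "src": src,
            "dst": dst,
            "seconds": int(secs),
        })
    return records


def is_international(number):
    return number.startswith(INTL_PREFIX)


def is_off_hours(when):
    return when.weekday() >= 5 or when.hour not in BUSINESS_HOURS


def detect_bursts(records, threshold=BURST_THRESHOLD, window=BURST_WINDOW_S):
    """Sliding window per calling extension: one alert per extension as soon as
    the number of international calls inside `window` seconds reaches `threshold`."""
    alerts = []
    recent = defaultdict(deque)   # extension -> timestamps of recent international calls
    alerted = set()
    for r in sorted(records, key=lambda x: x["time"]):
        if not is_international(r["dst"]):
            continue
        q = recent[r["src"]]
        q.append(r["time"])
        while (r["time"] - q[0]).total_seconds() > window:
            q.popleft()
        if len(q) >= threshold and r["src"] not in alerted:
            alerted.add(r["src"])
            alerts.append({
                "kind": "intl_burst",
                "src": r["src"],
                "count": len(q),
                "first": q[0],
                "last": r["time"],
                "off_hours": is_off_hours(r["time"]),
            })
    return alerts


def detect_off_hours_international(records):
    """Every international call placed outside business hours, bursty or not."""
    return [r for r in records if is_international(r["dst"]) and is_off_hours(r["time"])]


def summarize(text):
    records = parse_cdr(text)
    return {
        "bursts": detect_bursts(records),
        "off_hours_intl": detect_off_hours_international(records),
    }


if __name__ == "__main__":
    result = summarize(SAMPLE_CDR)
    for a in result["bursts"]:
        print(f"ALERT {a['kind']}: ext {a['src']} placed {a['count']} international "
              f"calls between {a['first']} and {a['last']} (off-hours={a['off_hours']})")
    for r in result["off_hours_intl"]:
        print(f"off-hours international call: {r['time']} ext {r['src']} -> {r['dst']}")
```

On the sample data the burst detector fires once, for extension 2000 at the fifth call of its Sunday 02:03 run, and the off-hours rule lists all six of that extension's calls while ignoring the Friday daytime call to the UK. In practice the thresholds are the tuning knobs: a sales desk that legitimately dials abroad needs a higher burst threshold, but almost nobody needs thirty simultaneous international calls from one phone at two in the morning.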
_______________________________________________
cisco-voip mailing list
cisco-voip at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip
Disclaimer: NOTICE The information contained in this message is confidential and is intended for the addressee(s) only. If you have received this message in error or there are any problems please notify the originator immediately. The unauthorized use, disclosure, copying or alteration of this message is strictly forbidden. Raya will not be liable for direct, special, indirect or consequential damages arising from alteration of the contents of this message by a third party or as a result of any malicious code or virus being passed on. Views expressed in this communication are not necessarily those of Raya.If you have received this message in error, please notify the sender immediately by email, facsimile or telephone and return and/or destroy the original message.