<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:x="urn:schemas-microsoft-com:office:excel" xmlns:p="urn:schemas-microsoft-com:office:powerpoint" xmlns:a="urn:schemas-microsoft-com:office:access" xmlns:dt="uuid:C2F41010-65B3-11d1-A29F-00AA00C14882" xmlns:s="uuid:BDC6E3F0-6DA3-11d1-A2A3-00AA00C14882" xmlns:rs="urn:schemas-microsoft-com:rowset" xmlns:z="#RowsetSchema" xmlns:b="urn:schemas-microsoft-com:office:publisher" xmlns:ss="urn:schemas-microsoft-com:office:spreadsheet" xmlns:c="urn:schemas-microsoft-com:office:component:spreadsheet" xmlns:odc="urn:schemas-microsoft-com:office:odc" xmlns:oa="urn:schemas-microsoft-com:office:activation" xmlns:html="http://www.w3.org/TR/REC-html40" xmlns:q="http://schemas.xmlsoap.org/soap/envelope/" xmlns:D="DAV:" xmlns:x2="http://schemas.microsoft.com/office/excel/2003/xml" xmlns:ois="http://schemas.microsoft.com/sharepoint/soap/ois/" xmlns:dir="http://schemas.microsoft.com/sharepoint/soap/directory/" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:dsp="http://schemas.microsoft.com/sharepoint/dsp" xmlns:udc="http://schemas.microsoft.com/data/udc" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:sub="http://schemas.microsoft.com/sharepoint/soap/2002/1/alerts/" xmlns:ec="http://www.w3.org/2001/04/xmlenc#" xmlns:sp="http://schemas.microsoft.com/sharepoint/" xmlns:sps="http://schemas.microsoft.com/sharepoint/soap/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:udcs="http://schemas.microsoft.com/data/udc/soap" xmlns:udcxf="http://schemas.microsoft.com/data/udc/xmlfile" xmlns:udcp2p="http://schemas.microsoft.com/data/udc/parttopart" xmlns:wf="http://schemas.microsoft.com/sharepoint/soap/workflow/" xmlns:dsss="http://schemas.microsoft.com/office/2006/digsig-setup" xmlns:dssi="http://schemas.microsoft.com/office/2006/digsig" xmlns:mdssi="http://schemas.openxmlformats.org/package/2006/digital-signature" 
xmlns:mver="http://schemas.openxmlformats.org/markup-compatibility/2006" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns:mrels="http://schemas.openxmlformats.org/package/2006/relationships" xmlns:spwp="http://microsoft.com/sharepoint/webpartpages" xmlns:ex12t="http://schemas.microsoft.com/exchange/services/2006/types" xmlns:ex12m="http://schemas.microsoft.com/exchange/services/2006/messages" xmlns:pptsl="http://schemas.microsoft.com/sharepoint/soap/SlideLibrary/" xmlns:spsl="http://microsoft.com/webservices/SharePointPortalServer/PublishedLinksService" xmlns:Z="urn:schemas-microsoft-com:" xmlns:st="" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=Content-Type content="text/html; charset=utf-8">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<!--[if !mso]>
<style>
v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style>
<![endif]-->
<style>
<!--
/* Font Definitions */
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
        {font-family:Verdana;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
p
        {mso-style-priority:99;
        mso-margin-top-alt:auto;
        margin-right:0in;
        mso-margin-bottom-alt:auto;
        margin-left:0in;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
span.EmailStyle18
        {mso-style-type:personal-reply;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-size:10.0pt;}
@page Section1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.Section1
        {page:Section1;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body bgcolor=white lang=EN-US link=blue vlink=purple>
<div class=Section1>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>The feature set doesn’t imply that CBAC is configured
correctly. Check your outside ACL, and since you’re only using MGCP, you can use
the link below to disable SIP processing (most likely your culprit, probably a
calling card company that scans for open routers). You should disable
H323 as well. To see if the router has the firewall running, issue a show ip
inspect sessions. The command I was thinking of earlier is ‘show control-plane host
open-ports’, which does a netstat-type listing on the router.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Hope that helps.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>-ryan<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<div>
<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>
<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span
style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> Corbett Enders
[mailto:cenders@homesbyavi.com] <br>
<b>Sent:</b> Wednesday, January 07, 2009 23:56<br>
<b>To:</b> Ryan West<br>
<b>Cc:</b> Ahmed Elnagar; VOIP Group<br>
<b>Subject:</b> Re: [cisco-voip] Fraud calls to Cuba - Please read<o:p></o:p></span></p>
</div>
</div>
<p class=MsoNormal><o:p> </o:p></p>
<div>
<p class=MsoNormal>The router is on the Internet, is configured for MGCP and
has IP advanced services with the firewall feature enabled (for VPN and NAT).
Wouldn't that block external connections?<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal style='margin-bottom:12.0pt'><br>
On Jan 7, 2009, at 9:48 PM, "Ryan West" <<a
href="mailto:rwest@zyedge.com">rwest@zyedge.com</a>> wrote:<o:p></o:p></p>
</div>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'>
<div>
<div>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>If
the router is connected to the Internet, both H323 TCP/1720 and SIP UDP/5060
need to be blocked. I don’t remember the command offhand, but on some versions
of code it is show ip sockets. Check this out to actually disable default
SIP and H323 processing:</span><o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><a
href="https://supportwiki.cisco.com/ViewWiki/index.php/How_to_disable_H.323_and_Session_Initiation_Protocol_(SIP)_services_on_TCP_ports_1720_and_5060_of_a_IOS_gateway_router">https://supportwiki.cisco.com/ViewWiki/index.php/How_to_disable_H.323_and_Session_Initiation_Protocol_(SIP)_services_on_TCP_ports_1720_and_5060_of_a_IOS_gateway_router</a></span><o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>-ryan</span><o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p>
<div>
<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><span
style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span
style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> <a
href="mailto:cisco-voip-bounces@puck.nether.net">cisco-voip-bounces@puck.nether.net</a>
[<a href="mailto:cisco-voip-bounces@puck.nether.net">mailto:cisco-voip-bounces@puck.nether.net</a>]
<b>On Behalf Of </b>Ahmed Elnagar<br>
<b>Sent:</b> Wednesday, January 07, 2009 23:13<br>
<b>To:</b> <a href="mailto:cenders@homesbyavi.com">cenders@homesbyavi.com</a><br>
<b>Cc:</b> VOIP Group<br>
<b>Subject:</b> Re: [cisco-voip] Fraud calls to Cuba - Please read</span><o:p></o:p></p>
</div>
</div>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;margin-bottom:12.0pt'><span
style='font-size:10.0pt;font-family:"Verdana","sans-serif"'><br>
Wow...exactly the same problem I had...but with PRI...I have a site in Egypt where
the user called us one day and informed us that he had a bill from the telco for
$100,000 for a period of 3 months and they never produced this amount of
calls...all calls were to random numbers and no call ever exceeded 1 minute,
and these random numbers happened to start with 00, which is the
international prefix here in Egypt.<br>
<br>
After long nights of troubleshooting...I found that the gateway was configured
to register SIP phones from the Internet, and I found an IP address from Mexico
City that was trying these random calls very frequently; the strange thing is that
the gateway was accepting these calls and routing them to the H323 side, which relayed the
call to the PRI.<br>
<br>
I did the following to ensure that it will not happen again...removed SIP
entirely from the gateway...converted the gateway to MGCP so that every call that
passes the gateway will need signalling from CallManager and will leave a
record in the CDR. But the strange thing is the problem continued...<br>
<br>
During troubleshooting we noticed something strange...a lot of incoming calls
coming to the PRI from a certain local number...and it was 3 AM in the morning.
We called this number and he told us that he knew no one in this site and he
had a problem that he got high invoices from the telco too...so we came up
with this conclusion...it seems that the CO equipment has some problems and it
is generating calls on behalf of the user to random numbers...a strange thing, I
know, but till now this company is still going through discussions with the telco to
solve this problem.<br>
<br>
I suggest doing the following...try to review CDR files and get a detailed bill
from your telco and try to compare these calls with the CDR calls; maybe this
would help you...also try to activate some debugs and show commands "there
are some tools that can automate a show command every 5 mins or so" to know
exactly when these calls happen and what the source of them is.<br>
<br>
Good luck with this strange issue.</span><o:p></o:p></p>
<div>
<p class=MsoNormal style='mso-margin-top-alt:auto;margin-bottom:12.0pt'><span
style='font-size:10.0pt;font-family:"Verdana","sans-serif";color:black'>Thanks,</span><span
style='font-size:10.0pt;font-family:"Verdana","sans-serif"'><br>
<span style='color:black'>Ahmed Elnagar</span><br>
<br>
<br>
<br>
</span><o:p></o:p></p>
<div class=MsoNormal align=center style='text-align:center'><span
style='font-size:10.0pt;font-family:"Verdana","sans-serif"'>
<hr size=2 width="100%" align=center>
</span></div>
<p class=MsoNormal style='mso-margin-top-alt:auto;margin-bottom:12.0pt'><span
style='font-size:10.0pt;font-family:"Verdana","sans-serif"'>From: <a
href="mailto:cenders@homesbyavi.com">cenders@homesbyavi.com</a><br>
To: <a href="mailto:cisco-voip@puck.nether.net">cisco-voip@puck.nether.net</a><br>
Date: Wed, 7 Jan 2009 20:26:56 -0700<br>
Subject: [cisco-voip] Fraud calls to Cuba - Please read</span><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-size:10.0pt;font-family:"Verdana","sans-serif"'>Hello List,</span><o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-size:10.0pt;font-family:"Verdana","sans-serif"'> </span><o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-size:10.0pt;font-family:"Verdana","sans-serif";color:#1F497D'>I’ve
got a situation with 2 remote sites. Over the course of several days in
late November, somehow the analog POTS line in the site (which we use for SRST
backup) proceeded to make approx 4,940 calls to Cuba. There wasn’t really
a pattern to the calls. It started with a couple of repeated calls to the
same number and from that point, the dialed number changed (not dialed in any
sort of sequential pattern either). Calls varied in duration from 0
seconds to many minutes long. Sometimes the next call would happen right
away and other times there would be several minutes delay between calls.
This proceeded to occur over the course of about a day and a half until the
POTS provider called us and we blocked the line.</span><o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-size:10.0pt;font-family:"Verdana","sans-serif";color:#1F497D'> </span><o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-size:10.0pt;font-family:"Verdana","sans-serif";color:#1F497D'>The
analog line in the show home serves 2 purposes. It is connected to the
SRST FXO port on the Cisco 2801 router and also connects to the analog fax
machine.</span><o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-size:10.0pt;font-family:"Verdana","sans-serif";color:#1F497D'> </span><o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-size:10.0pt;font-family:"Verdana","sans-serif";color:#1F497D'>At
this point, the POTS provider feels that somehow the 2801 router has been
compromised and is being used to route calls out the FXO port. We have a
cordless phone on an ATA, and at first they felt this was the source but I
indicated that any calls from the cordless phone would leave through our PRI in
the main office, through the phone line on the FXO port.</span><o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-size:10.0pt;font-family:"Verdana","sans-serif";color:#1F497D'> </span><o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-size:10.0pt;font-family:"Verdana","sans-serif";color:#1F497D'>Even
if someone had managed to guess our admin password for the console of the
router, I don’t believe that person sitting on the Internet would be able to
get a call to connect from their computer, through the Internet, and leave out
our FXO port in our site.</span><o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-size:10.0pt;font-family:"Verdana","sans-serif";color:#1F497D'> </span><o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-size:10.0pt;font-family:"Verdana","sans-serif";color:#1F497D'>I’m
wondering if anyone on the list has some thoughts as to how the system could
have been compromised or if it just isn’t possible. The POTS line is
actually a digital line provided by Shaw (a local cable/telco in
Alberta). I feel that their “digital” phone terminal has been compromised
though it isn’t connected to the Internet in any way. One other
possibility is old school phone phreaking where someone has actually tapped
into the physical line, but they would have been sitting outside in the cold for
a very long time making these crazy calls.</span><o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-size:10.0pt;font-family:"Verdana","sans-serif";color:#1F497D'> </span><o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-size:10.0pt;font-family:"Verdana","sans-serif";color:#1F497D'>I
look forward to any insight the collective brain power of this list can
provide. The bill for these calls is over $6000.</span><o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-size:10.0pt;font-family:"Verdana","sans-serif";color:#1F497D'> </span><o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-size:10.0pt;font-family:"Verdana","sans-serif";color:#1F497D'>Regards,</span><o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-size:10.0pt;font-family:"Verdana","sans-serif";color:#1F497D'>Corbett
Enders.</span><o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-size:10.0pt;font-family:"Verdana","sans-serif";color:#1F497D'> </span><o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><span
style='font-family:"Arial","sans-serif"'>Corbett Enders</span></b><o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Network Manager<br>
Homes by Avi - 2007 Canadian Builder of the Year.<br>
Tel: (403) 536-7170<br>
Fax: (403) 536-7171<br>
</span><span style='font-size:10.0pt;font-family:"Verdana","sans-serif"'><a
href="http://www.homesbyavi.com/"><span style='font-family:"Arial","sans-serif"'>www.homesbyavi.com</span></a></span><span
style='font-size:10.0pt;font-family:"Arial","sans-serif"'> </span><o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-size:10.0pt;font-family:"Verdana","sans-serif"'> </span><o:p></o:p></p>
</div>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-size:10.0pt;font-family:"Verdana","sans-serif"'> </span><o:p></o:p></p>
</div>
</div>
</blockquote>
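<p class=MsoNormal>An added example, not code from any poster in this thread: a small Python triage script in the spirit of Ahmed's advice to compare the telco's detailed bill against the CUCM CDRs, and of the after-hours international calling pattern Corbett describes. The CDR and bill column names, the quiet-hours window and every record are constructed; a real CDR export or carrier invoice will need its own column mapping.</p>

```python
"""Toll-fraud triage: compare a carrier bill against CUCM CDRs.
Added example for this thread, not any poster's code; column names, quiet
window and every record are constructed."""
import csv
from datetime import datetime
from io import StringIO

INTL_PREFIXES = ("011", "00")  # NANP and ITU-style international access codes

# Constructed CDR export: only calls CallManager actually signalled appear here.
CDR_CSV = """dateTimeOrigination,callingPartyNumber,finalCalledPartyNumber,duration,destDeviceName
2008-11-25 09:12:04,4035367170,4035551234,95,PRI-MAIN
2008-11-25 02:14:31,4035367180,01153712345678,40,FXO-SHOWHOME
2008-11-25 02:15:02,4035367180,01153798765432,0,FXO-SHOWHOME
"""

# Constructed carrier bill for the same POTS line over the same day.
BILL_CSV = """date,time,called,seconds
2008-11-25,02:14:31,01153712345678,40
2008-11-25,02:15:02,01153798765432,0
2008-11-25,02:21:47,01153755512121,12
2008-11-25,03:02:09,01153755598765,61
2008-11-25,09:12:04,4035551234,95
"""

def load_rows(text):
    """Parse a CSV export into a list of dicts keyed by header."""
    return list(csv.DictReader(StringIO(text)))

def is_international(number):
    return number.startswith(INTL_PREFIXES)

def after_hours_international(cdr_rows, quiet_start=22, quiet_end=6):
    """CDR calls that are international and placed in the quiet window."""
    hits = []
    for row in cdr_rows:
        ts = datetime.strptime(row["dateTimeOrigination"], "%Y-%m-%d %H:%M:%S")
        quiet = ts.hour >= quiet_start or ts.hour < quiet_end
        if quiet and is_international(row["finalCalledPartyNumber"]):
            hits.append(row)
    return hits

def billed_without_cdr(bill_rows, cdr_rows):
    """Billed calls with no matching CDR: they never passed through
    CallManager, so they came from a path the CDRs cannot see (a gateway
    dial-peer, another device on the line, or the CO itself)."""
    seen = {(r["dateTimeOrigination"], r["finalCalledPartyNumber"]) for r in cdr_rows}
    return [b for b in bill_rows
            if (f'{b["date"]} {b["time"]}', b["called"]) not in seen]

if __name__ == "__main__":
    cdr, bill = load_rows(CDR_CSV), load_rows(BILL_CSV)
    print(len(after_hours_international(cdr)), "after-hours international calls in CDR")
    for b in billed_without_cdr(bill, cdr):
        print("billed but not in CDR:", b["date"], b["time"], b["called"])
```

The two billed-but-unrecorded calls are the interesting ones: anything the carrier charged for that CallManager never saw did not go through the MGCP path and points at the gateway itself, a device on the line, or the carrier's own equipment.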
</div>
</body>
</html>