<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML xmlns="http://www.w3.org/TR/REC-html40" xmlns:v =
"urn:schemas-microsoft-com:vml" xmlns:o =
"urn:schemas-microsoft-com:office:office" xmlns:w =
"urn:schemas-microsoft-com:office:word" xmlns:x =
"urn:schemas-microsoft-com:office:excel" xmlns:p =
"urn:schemas-microsoft-com:office:powerpoint" xmlns:a =
"urn:schemas-microsoft-com:office:access" xmlns:dt =
"uuid:C2F41010-65B3-11d1-A29F-00AA00C14882" xmlns:s =
"uuid:BDC6E3F0-6DA3-11d1-A2A3-00AA00C14882" xmlns:rs =
"urn:schemas-microsoft-com:rowset" xmlns:z = "#RowsetSchema" xmlns:b =
"urn:schemas-microsoft-com:office:publisher" xmlns:ss =
"urn:schemas-microsoft-com:office:spreadsheet" xmlns:c =
"urn:schemas-microsoft-com:office:component:spreadsheet" xmlns:odc =
"urn:schemas-microsoft-com:office:odc" xmlns:oa =
"urn:schemas-microsoft-com:office:activation" xmlns:html =
"http://www.w3.org/TR/REC-html40" xmlns:q =
"http://schemas.xmlsoap.org/soap/envelope/" XMLNS:D = "DAV:" xmlns:x2 =
"http://schemas.microsoft.com/office/excel/2003/xml" xmlns:ois =
"http://schemas.microsoft.com/sharepoint/soap/ois/" xmlns:dir =
"http://schemas.microsoft.com/sharepoint/soap/directory/" xmlns:ds =
"http://www.w3.org/2000/09/xmldsig#" xmlns:dsp =
"http://schemas.microsoft.com/sharepoint/dsp" xmlns:udc =
"http://schemas.microsoft.com/data/udc" xmlns:xsd =
"http://www.w3.org/2001/XMLSchema" xmlns:sub =
"http://schemas.microsoft.com/sharepoint/soap/2002/1/alerts/" xmlns:ec =
"http://www.w3.org/2001/04/xmlenc#" xmlns:sp =
"http://schemas.microsoft.com/sharepoint/" xmlns:sps =
"http://schemas.microsoft.com/sharepoint/soap/" xmlns:xsi =
"http://www.w3.org/2001/XMLSchema-instance" xmlns:udcs =
"http://schemas.microsoft.com/data/udc/soap" xmlns:udcxf =
"http://schemas.microsoft.com/data/udc/xmlfile" xmlns:udcp2p =
"http://schemas.microsoft.com/data/udc/parttopart" xmlns:wf =
"http://schemas.microsoft.com/sharepoint/soap/workflow/" xmlns:dsss =
"http://schemas.microsoft.com/office/2006/digsig-setup" xmlns:dssi =
"http://schemas.microsoft.com/office/2006/digsig" xmlns:mdssi =
"http://schemas.openxmlformats.org/package/2006/digital-signature" xmlns:mver =
"http://schemas.openxmlformats.org/markup-compatibility/2006" xmlns:m =
"http://schemas.microsoft.com/office/2004/12/omml" xmlns:mrels =
"http://schemas.openxmlformats.org/package/2006/relationships" xmlns:spwp =
"http://microsoft.com/sharepoint/webpartpages" xmlns:ex12t =
"http://schemas.microsoft.com/exchange/services/2006/types" xmlns:ex12m =
"http://schemas.microsoft.com/exchange/services/2006/messages" xmlns:pptsl =
"http://schemas.microsoft.com/sharepoint/soap/SlideLibrary/" xmlns:spsl =
"http://microsoft.com/webservices/SharePointPortalServer/PublishedLinksService"
XMLNS:Z = "urn:schemas-microsoft-com:" xmlns:st = ""><HEAD>
<META http-equiv=Content-Type content="text/html; charset=us-ascii">
<META content="MSHTML 6.00.2900.5726" name=GENERATOR><!--[if !mso]>
<STYLE>v\:* {
        BEHAVIOR: url(#default#VML)
}
o\:* {
        BEHAVIOR: url(#default#VML)
}
w\:* {
        BEHAVIOR: url(#default#VML)
}
.shape {
        BEHAVIOR: url(#default#VML)
}
</STYLE>
<![endif]-->
<STYLE>@font-face {
        font-family: Cambria Math;
}
@font-face {
        font-family: Calibri;
}
@font-face {
        font-family: Tahoma;
}
@font-face {
        font-family: Verdana;
}
@page Section1 {size: 8.5in 11.0in; margin: 1.0in 1.0in 1.0in 1.0in; }
P.MsoNormal {
        FONT-SIZE: 12pt; MARGIN: 0in 0in 0pt; FONT-FAMILY: "Times New Roman","serif"
}
LI.MsoNormal {
        FONT-SIZE: 12pt; MARGIN: 0in 0in 0pt; FONT-FAMILY: "Times New Roman","serif"
}
DIV.MsoNormal {
        FONT-SIZE: 12pt; MARGIN: 0in 0in 0pt; FONT-FAMILY: "Times New Roman","serif"
}
A:link {
        COLOR: blue; TEXT-DECORATION: underline; mso-style-priority: 99
}
SPAN.MsoHyperlink {
        COLOR: blue; TEXT-DECORATION: underline; mso-style-priority: 99
}
A:visited {
        COLOR: purple; TEXT-DECORATION: underline; mso-style-priority: 99
}
SPAN.MsoHyperlinkFollowed {
        COLOR: purple; TEXT-DECORATION: underline; mso-style-priority: 99
}
P {
        FONT-SIZE: 12pt; MARGIN-LEFT: 0in; MARGIN-RIGHT: 0in; FONT-FAMILY: "Times New Roman","serif"; mso-style-priority: 99; mso-margin-top-alt: auto; mso-margin-bottom-alt: auto
}
P.ecmsonormal {
        FONT-SIZE: 12pt; MARGIN-LEFT: 0in; MARGIN-RIGHT: 0in; FONT-FAMILY: "Times New Roman","serif"; mso-style-priority: 99; mso-margin-top-alt: auto; mso-margin-bottom-alt: auto; mso-style-name: ec_msonormal
}
LI.ecmsonormal {
        FONT-SIZE: 12pt; MARGIN-LEFT: 0in; MARGIN-RIGHT: 0in; FONT-FAMILY: "Times New Roman","serif"; mso-style-priority: 99; mso-margin-top-alt: auto; mso-margin-bottom-alt: auto; mso-style-name: ec_msonormal
}
DIV.ecmsonormal {
        FONT-SIZE: 12pt; MARGIN-LEFT: 0in; MARGIN-RIGHT: 0in; FONT-FAMILY: "Times New Roman","serif"; mso-style-priority: 99; mso-margin-top-alt: auto; mso-margin-bottom-alt: auto; mso-style-name: ec_msonormal
}
P.ecmsonormal1 {
        FONT-SIZE: 11pt; MARGIN-BOTTOM: 0pt; MARGIN-LEFT: 0in; MARGIN-RIGHT: 0in; FONT-FAMILY: "Calibri","sans-serif"; mso-style-priority: 99; mso-margin-top-alt: auto; mso-style-name: ec_msonormal1
}
LI.ecmsonormal1 {
        FONT-SIZE: 11pt; MARGIN-BOTTOM: 0pt; MARGIN-LEFT: 0in; MARGIN-RIGHT: 0in; FONT-FAMILY: "Calibri","sans-serif"; mso-style-priority: 99; mso-margin-top-alt: auto; mso-style-name: ec_msonormal1
}
DIV.ecmsonormal1 {
        FONT-SIZE: 11pt; MARGIN-BOTTOM: 0pt; MARGIN-LEFT: 0in; MARGIN-RIGHT: 0in; FONT-FAMILY: "Calibri","sans-serif"; mso-style-priority: 99; mso-margin-top-alt: auto; mso-style-name: ec_msonormal1
}
SPAN.ecmsohyperlink {
        mso-style-name: ec_msohyperlink
}
SPAN.ecmsohyperlinkfollowed {
        mso-style-name: ec_msohyperlinkfollowed
}
SPAN.ecemailstyle17 {
        mso-style-name: ec_emailstyle17
}
SPAN.ecmsohyperlink1 {
        COLOR: blue; TEXT-DECORATION: underline; mso-style-name: ec_msohyperlink1
}
SPAN.ecmsohyperlinkfollowed1 {
        COLOR: purple; TEXT-DECORATION: underline; mso-style-name: ec_msohyperlinkfollowed1
}
SPAN.ecemailstyle171 {
        COLOR: windowtext; FONT-FAMILY: "Calibri","sans-serif"; mso-style-name: ec_emailstyle171
}
SPAN.EmailStyle26 {
        COLOR: #1f497d; FONT-FAMILY: "Calibri","sans-serif"; mso-style-type: personal
}
SPAN.EmailStyle27 {
        COLOR: #1f497d; FONT-FAMILY: "Calibri","sans-serif"; mso-style-type: personal
}
SPAN.EmailStyle28 {
        COLOR: #1f497d; FONT-FAMILY: "Calibri","sans-serif"; mso-style-type: personal
}
SPAN.EmailStyle29 {
        COLOR: #1f497d; FONT-FAMILY: "Calibri","sans-serif"; mso-style-type: personal
}
SPAN.EmailStyle30 {
        COLOR: #1f497d; FONT-FAMILY: "Calibri","sans-serif"; mso-style-type: personal-reply
}
.MsoChpDefault {
        FONT-SIZE: 10pt; mso-style-type: export-only
}
DIV.Section1 {
        page: Section1
}
</STYLE>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></HEAD>
<BODY lang=EN-US vLink=purple link=blue>
<DIV dir=ltr align=left><SPAN class=121435418-09012009><FONT face=Arial
color=#0000ff size=2>Not to beat a dead horse, but I thought you might find this
interesting. A new customer was just turned up on my network and there were some
install problems, so my team was involved in trying to find the root cause.
While we were running the "debug ccsip messages", we noticed some unexpected
traffic. This is on a router that has not even been on the internet for more
than a day or so. It is absolutely amazing to see how fast something like this
can happen. Someone doing "voip wardialing" international numbers on a brand new
customer install.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=121435418-09012009><FONT face=Arial
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=121435418-09012009><FONT face=Arial
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=121435418-09012009><FONT face=Arial
color=#0000ff><FONT face="Courier New" color=#000000 size=2>Jan 9
18:40:41.629 GMT: //-1/xxxxxxxxxxxx/SIP/Msg/ccsipDisplayMsg:<BR>Received:
<BR>INVITE sip:011380442010102@64.206.168.14 SIP/2.0<BR>Via: SIP/2.0/UDP
66.197.138.69:5060;branch=z9hG4bK7d8c5757;rport<BR>Max-Forwards: 70<BR>From:
"BenQ Telecom" &lt;sip:BenQ Telecom@66.197.138.69&gt;;tag=as700507be</FONT><BR><FONT
face="Courier New" color=#000000 size=2>To:
&lt;sip:011380442010102@64.206.168.14&gt;<BR>Contact: &lt;sip:BenQ Telecom@66.197.138.69&gt;<BR>Call-ID:
59f021193ae6eb9506735ee36691969b@66.197.138.69</FONT><BR><FONT
face="Courier New" color=#000000 size=2>CSeq: 102 INVITE<BR>User-Agent: BenQ
Telecom<BR>Date: Sat, 10 Jan 2009 02:41:29 GMT<BR>Allow: INVITE, ACK, CANCEL,
OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY<BR>Supported: replaces,
timer<BR>Content-Type: application/sdp<BR>Content-Length: 266</FONT>
<DIV> </DIV>
<DIV><FONT face="Courier New" color=#000000 size=2>v=0<BR>o=root 1121455329
1121455329 IN IP4 66.197.138.69<BR>s=Asterisk PBX 1.6.0.3-rc1<BR>c=IN IP4
66.197.138.69<BR>t=0 0<BR>m=audio 12860 RTP/AVP 8 0 101<BR>a=rtpmap:8
PCMA/8000<BR>a=rtpmap:0 PCMU/8000<BR>a=rtpmap:101
telephone-event/8000<BR>a=fmtp:101
0-16<BR>a=ptime:20<BR>a=sendrecv</FONT></DIV></FONT></SPAN></DIV><BR>
<DIV class=OutlookMessageHeader lang=en-us dir=ltr align=left>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B> cisco-voip-bounces@puck.nether.net
[mailto:cisco-voip-bounces@puck.nether.net] <B>On Behalf Of </B>Corbett
Enders<BR><B>Sent:</B> Thursday, January 08, 2009 3:31 PM<BR><B>To:</B> 'VOIP
Group'<BR><B>Subject:</B> Re: [cisco-voip] Fraud calls to Cuba - Please
read<BR></FONT><BR></DIV>
<DIV></DIV>
<DIV class=Section1>
<P class=MsoNormal><SPAN
style="FONT-SIZE: 11pt; COLOR: #1f497d; FONT-FAMILY: 'Calibri','sans-serif'">Well
List, thank you for the assistance. I have run the following commands to
all of my routers to block SIP:<o:p></o:p></SPAN></P>
<P class=MsoNormal><SPAN
style="FONT-SIZE: 11pt; COLOR: #1f497d; FONT-FAMILY: 'Calibri','sans-serif'"><o:p> </o:p></SPAN></P>
<P class=MsoNormal>voip-gateway(config)#sip-ua
<BR>voip-gateway(config-sip-ua)#no transport
udp<BR>voip-gateway(config-sip-ua)#no transport tcp<o:p></o:p></P>
<P class=MsoNormal><SPAN
style="FONT-SIZE: 11pt; COLOR: #1f497d; FONT-FAMILY: 'Calibri','sans-serif'"><o:p> </o:p></SPAN></P>
<P class=MsoNormal><SPAN
style="FONT-SIZE: 11pt; COLOR: #1f497d; FONT-FAMILY: 'Calibri','sans-serif'">I
have not acted on H.323 as it doesn’t appear to be listening on that
port.<o:p></o:p></SPAN></P>
<P class=MsoNormal><SPAN
style="FONT-SIZE: 11pt; COLOR: #1f497d; FONT-FAMILY: 'Calibri','sans-serif'"><o:p> </o:p></SPAN></P>
<P class=MsoNormal><SPAN
style="FONT-SIZE: 11pt; COLOR: #1f497d; FONT-FAMILY: 'Calibri','sans-serif'"><o:p> </o:p></SPAN></P>
<DIV>
<DIV
style="BORDER-RIGHT: medium none; PADDING-RIGHT: 0in; BORDER-TOP: #b5c4df 1pt solid; PADDING-LEFT: 0in; PADDING-BOTTOM: 0in; BORDER-LEFT: medium none; PADDING-TOP: 3pt; BORDER-BOTTOM: medium none">
<P class=MsoNormal><B><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Tahoma','sans-serif'">From:</SPAN></B><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Tahoma','sans-serif'"> Pender, James
[mailto:James.Pender@PAETEC.com] <BR><B>Sent:</B> Thursday, January 08, 2009
12:35 PM<BR><B>To:</B> Ryan West; Mark Holloway; Corbett Enders; 'Ahmed
Elnagar'<BR><B>Cc:</B> 'VOIP Group'<BR><B>Subject:</B> RE: [cisco-voip] Fraud
calls to Cuba - Please read<o:p></o:p></SPAN></P></DIV></DIV>
<P class=MsoNormal><o:p> </o:p></P>
<P class=MsoNormal><SPAN
style="FONT-SIZE: 10pt; COLOR: blue; FONT-FAMILY: 'Arial','sans-serif'">Don't
forget TCP/5060. I assist my company's fraud team from time to time in VoIP
fraud, and when we find an open CME/CUBE or the like and we ask for it to be
secured, most people forget that SIP can run on both UDP and TCP and they leave
themselves vulnerable.</SPAN><o:p></o:p></P>
<P class=MsoNormal><o:p> </o:p></P>
<DIV class=MsoNormal style="TEXT-ALIGN: center" align=center>
<HR align=center width="100%" SIZE=2>
</DIV>
<P class=MsoNormal style="MARGIN-BOTTOM: 12pt"><B><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Tahoma','sans-serif'">From:</SPAN></B><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Tahoma','sans-serif'">
cisco-voip-bounces@puck.nether.net [mailto:cisco-voip-bounces@puck.nether.net]
<B>On Behalf Of </B>Ryan West<BR><B>Sent:</B> Thursday, January 08, 2009 2:11
PM<BR><B>To:</B> Mark Holloway; 'Corbett Enders'; 'Ahmed Elnagar'<BR><B>Cc:</B>
'VOIP Group'<BR><B>Subject:</B> Re: [cisco-voip] Fraud calls to Cuba - Please
read</SPAN><o:p></o:p></P>
<P class=MsoNormal><SPAN
style="FONT-SIZE: 11pt; COLOR: #1f497d; FONT-FAMILY: 'Calibri','sans-serif'">Yeah,
just allow UDP/5060 to the proxy, deny all other SIP traffic and allow the UDP
ranges above 1024. Most SIP providers do not use the 16384 – 32767 range
for RTP streams.<o:p></o:p></SPAN></P>
<P class=MsoNormal><SPAN
style="FONT-SIZE: 11pt; COLOR: #1f497d; FONT-FAMILY: 'Calibri','sans-serif'"><o:p> </o:p></SPAN></P>
<P class=MsoNormal><SPAN
style="FONT-SIZE: 11pt; COLOR: #1f497d; FONT-FAMILY: 'Calibri','sans-serif'">-ryan<o:p></o:p></SPAN></P>
<P class=MsoNormal><SPAN
style="FONT-SIZE: 11pt; COLOR: #1f497d; FONT-FAMILY: 'Calibri','sans-serif'"><o:p> </o:p></SPAN></P>
<DIV>
<DIV
style="BORDER-RIGHT: medium none; PADDING-RIGHT: 0in; BORDER-TOP: #b5c4df 1pt solid; PADDING-LEFT: 0in; PADDING-BOTTOM: 0in; BORDER-LEFT: medium none; PADDING-TOP: 3pt; BORDER-BOTTOM: medium none">
<P class=MsoNormal><B><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Tahoma','sans-serif'">From:</SPAN></B><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Tahoma','sans-serif'"> Mark Holloway
[mailto:mh@markholloway.com] <BR><B>Sent:</B> Thursday, January 08, 2009
14:07<BR><B>To:</B> 'Corbett Enders'; Ryan West; 'Ahmed Elnagar'<BR><B>Cc:</B>
'VOIP Group'<BR><B>Subject:</B> RE: [cisco-voip] Fraud calls to Cuba - Please
read<o:p></o:p></SPAN></P></DIV></DIV>
<P class=MsoNormal><o:p> </o:p></P>
<P class=MsoNormal><SPAN
style="FONT-SIZE: 11pt; COLOR: #1f497d; FONT-FAMILY: 'Calibri','sans-serif'">What
is the proposed solution if CME is using a SIP Trunk to an ITSP? I
assume an ACL would be the best way to secure the router.<o:p></o:p></SPAN></P>
<P class=MsoNormal><SPAN
style="FONT-SIZE: 11pt; COLOR: #1f497d; FONT-FAMILY: 'Calibri','sans-serif'"><o:p> </o:p></SPAN></P>
<P class=MsoNormal><SPAN
style="FONT-SIZE: 11pt; COLOR: #1f497d; FONT-FAMILY: 'Calibri','sans-serif'"><o:p> </o:p></SPAN></P>
<DIV>
<DIV
style="BORDER-RIGHT: medium none; PADDING-RIGHT: 0in; BORDER-TOP: #b5c4df 1pt solid; PADDING-LEFT: 0in; PADDING-BOTTOM: 0in; BORDER-LEFT: medium none; PADDING-TOP: 3pt; BORDER-BOTTOM: medium none">
<P class=MsoNormal><B><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Tahoma','sans-serif'">From:</SPAN></B><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Tahoma','sans-serif'">
cisco-voip-bounces@puck.nether.net [mailto:cisco-voip-bounces@puck.nether.net]
<B>On Behalf Of </B>Corbett Enders<BR><B>Sent:</B> Thursday, January 08, 2009
10:37 AM<BR><B>To:</B> Ryan West; Ahmed Elnagar<BR><B>Cc:</B> VOIP
Group<BR><B>Subject:</B> Re: [cisco-voip] Fraud calls to Cuba - Please
read<o:p></o:p></SPAN></P></DIV></DIV>
<P class=MsoNormal><o:p> </o:p></P>
<P class=MsoNormal><SPAN
style="FONT-SIZE: 11pt; COLOR: #1f497d; FONT-FAMILY: 'Calibri','sans-serif'">So
it turns out SIP 5060 is open, after running show ip
sockets.<o:p></o:p></SPAN></P>
<P class=MsoNormal><SPAN
style="FONT-SIZE: 11pt; COLOR: #1f497d; FONT-FAMILY: 'Calibri','sans-serif'"><o:p> </o:p></SPAN></P>
<P class=MsoNormal><SPAN
style="FONT-SIZE: 11pt; COLOR: #1f497d; FONT-FAMILY: 'Calibri','sans-serif'">Interestingly
enough, the hacker is connected to me right now (though we’ve blocked
international calls at the telco level).<o:p></o:p></SPAN></P>
<P class=MsoNormal><SPAN
style="FONT-SIZE: 11pt; COLOR: #1f497d; FONT-FAMILY: 'Calibri','sans-serif'"><o:p> </o:p></SPAN></P>
<P class=MsoNormal><SPAN
style="FONT-SIZE: 11pt; COLOR: #1f497d; FONT-FAMILY: 'Calibri','sans-serif'">His
IP is 124.217.250.240.<o:p></o:p></SPAN></P>
<P class=MsoNormal><SPAN
style="FONT-SIZE: 11pt; COLOR: #1f497d; FONT-FAMILY: 'Calibri','sans-serif'"><o:p> </o:p></SPAN></P>
<P class=MsoNormal><SPAN
style="FONT-SIZE: 11pt; COLOR: #1f497d; FONT-FAMILY: 'Calibri','sans-serif'">If
you read this article, <A
href="http://www.honeynor.no/">http://www.honeynor.no/</A>, it describes the
attack in detail. I found the article by searching the phone number initially
dialed, 52555169000.<o:p></o:p></SPAN></P>
<P class=MsoNormal><SPAN
style="FONT-SIZE: 11pt; COLOR: #1f497d; FONT-FAMILY: 'Calibri','sans-serif'"><o:p> </o:p></SPAN></P>
<P class=MsoNormal><SPAN
style="FONT-SIZE: 11pt; COLOR: #1f497d; FONT-FAMILY: 'Calibri','sans-serif'"><o:p> </o:p></SPAN></P>
<DIV>
<DIV
style="BORDER-RIGHT: medium none; PADDING-RIGHT: 0in; BORDER-TOP: #b5c4df 1pt solid; PADDING-LEFT: 0in; PADDING-BOTTOM: 0in; BORDER-LEFT: medium none; PADDING-TOP: 3pt; BORDER-BOTTOM: medium none">
<P class=MsoNormal><B><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Tahoma','sans-serif'">From:</SPAN></B><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Tahoma','sans-serif'"> Ryan West
[mailto:rwest@zyedge.com] <BR><B>Sent:</B> Wednesday, January 07, 2009 9:50
PM<BR><B>To:</B> Ahmed Elnagar; Corbett Enders<BR><B>Cc:</B> VOIP
Group<BR><B>Subject:</B> RE: [cisco-voip] Fraud calls to Cuba - Please
read<o:p></o:p></SPAN></P></DIV></DIV>
<P class=MsoNormal><o:p> </o:p></P>
<P class=MsoNormal><SPAN
style="FONT-SIZE: 11pt; COLOR: #1f497d; FONT-FAMILY: 'Calibri','sans-serif'">If
the router is connected to the Internet, both H323 TCP/1720 and SIP UDP/5060
need to be blocked. I don’t remember the command offhand, but on some
versions of code it is show ip sockets. Check this out to actually disable
default SIP and H323 processing:<o:p></o:p></SPAN></P>
<P class=MsoNormal><SPAN
style="FONT-SIZE: 11pt; COLOR: #1f497d; FONT-FAMILY: 'Calibri','sans-serif'"><o:p> </o:p></SPAN></P>
<P class=MsoNormal><SPAN
style="FONT-SIZE: 11pt; COLOR: #1f497d; FONT-FAMILY: 'Calibri','sans-serif'"><A
href="https://supportwiki.cisco.com/ViewWiki/index.php/How_to_disable_H.323_and_Session_Initiation_Protocol_(SIP)_services_on_TCP_ports_1720_and_5060_of_a_IOS_gateway_router">https://supportwiki.cisco.com/ViewWiki/index.php/How_to_disable_H.323_and_Session_Initiation_Protocol_(SIP)_services_on_TCP_ports_1720_and_5060_of_a_IOS_gateway_router</A><o:p></o:p></SPAN></P>
<P class=MsoNormal><SPAN
style="FONT-SIZE: 11pt; COLOR: #1f497d; FONT-FAMILY: 'Calibri','sans-serif'">-ryan<o:p></o:p></SPAN></P>
<P class=MsoNormal><SPAN
style="FONT-SIZE: 11pt; COLOR: #1f497d; FONT-FAMILY: 'Calibri','sans-serif'"><o:p> </o:p></SPAN></P>
<DIV>
<DIV
style="BORDER-RIGHT: medium none; PADDING-RIGHT: 0in; BORDER-TOP: #b5c4df 1pt solid; PADDING-LEFT: 0in; PADDING-BOTTOM: 0in; BORDER-LEFT: medium none; PADDING-TOP: 3pt; BORDER-BOTTOM: medium none">
<P class=MsoNormal><B><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Tahoma','sans-serif'">From:</SPAN></B><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Tahoma','sans-serif'">
cisco-voip-bounces@puck.nether.net [mailto:cisco-voip-bounces@puck.nether.net]
<B>On Behalf Of </B>Ahmed Elnagar<BR><B>Sent:</B> Wednesday, January 07, 2009
23:13<BR><B>To:</B> cenders@homesbyavi.com<BR><B>Cc:</B> VOIP
Group<BR><B>Subject:</B> Re: [cisco-voip] Fraud calls to Cuba - Please
read<o:p></o:p></SPAN></P></DIV></DIV>
<P class=MsoNormal><o:p> </o:p></P>
<P class=MsoNormal style="MARGIN-BOTTOM: 12pt"><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Verdana','sans-serif'"><BR>Wow...exactly
the same problem I had...but with PRI...I have a site in Egypt where the user
called us one day and informed us that he had a bill from the telco for $100,000
for a period of 3 months, and they never produced this volume of calls...all calls
were to random numbers, no call ever exceeded 1 minute, and these random
numbers happened to start with 00, which is the international prefix here in
Egypt.<BR> <BR>After long nights of troubleshooting...I found that the
gateway was configured to register SIP phones from the Internet, and I found an
IP address from Mexico City that was attempting these random calls very frequently; the
strange thing is that the gateway was accepting these calls and routing them to the H323
side, which relayed the call to the PRI.<BR> <BR>I did the following to ensure
that it will not happen again...removed SIP entirely from the gateway...converted
the gateway to MGCP so that every call passing through the gateway needs
signalling from CallManager and leaves a record in the CDR. But strangely
the problem continued...<BR> <BR>During troubleshooting we noticed
something strange...a lot of incoming calls coming to the PRI from a certain
local number...and at 3 AM we called this number, and he told
us that he knows no one at this site and that he too has a problem with high
invoices from the telco...so we came to this conclusion...it seems that
the CO equipment has some problems and is generating calls on behalf of the
user to random numbers...a strange thing, I know, but to this day this company is still
in discussions with the telco to solve this problem.<BR> <BR>I
suggest doing the following...review the CDR files, get a detailed bill
from your telco, and compare those calls with the CDR calls; maybe this
will help you...also try to activate some debugs and show commands (there are
some tools that can automate a show command every 5 minutes or so) to know exactly
when these calls happen and what their source is.<BR> <BR>Good luck
with this strange issue.<o:p></o:p></SPAN></P>
<DIV>
<P class=MsoNormal style="MARGIN-BOTTOM: 12pt"><SPAN
style="FONT-SIZE: 10pt; COLOR: black; FONT-FAMILY: 'Verdana','sans-serif'">Thanks,</SPAN><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Verdana','sans-serif'"><BR><SPAN
style="COLOR: black">Ahmed Elnagar</SPAN><o:p></o:p></SPAN></P>
<DIV class=MsoNormal style="TEXT-ALIGN: center" align=center><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Verdana','sans-serif'">
<HR align=center width="100%" SIZE=2>
</SPAN></DIV>
<P class=MsoNormal style="MARGIN-BOTTOM: 12pt"><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Verdana','sans-serif'">From:
cenders@homesbyavi.com<BR>To: cisco-voip@puck.nether.net<BR>Date: Wed, 7 Jan
2009 20:26:56 -0700<BR>Subject: [cisco-voip] Fraud calls to Cuba - Please
read<o:p></o:p></SPAN></P></DIV>
<DIV>
<P class=MsoNormal><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Verdana','sans-serif'">Hello
List,<o:p></o:p></SPAN></P>
<P class=MsoNormal><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Verdana','sans-serif'"> <o:p></o:p></SPAN></P>
<P class=MsoNormal><SPAN
style="FONT-SIZE: 10pt; COLOR: #1f497d; FONT-FAMILY: 'Verdana','sans-serif'">I’ve
got a situation with 2 remote sites. Over the course of several days in
late November, somehow the analog POTS line in the site (which we use for SRST
backup) proceeded to make approx 4,940 calls to Cuba. There wasn’t really
a pattern to the calls. It started with a couple of repeated calls to the
same number and from that point, the dialed number changed (not dialed in any
sort of sequential pattern either). Calls varied in duration from 0
seconds to many minutes long. Sometimes the next call would happen right
away and other times there would be several minutes delay between calls.
This proceeded to occur over the course of about a day and a half until the POTS
provider called us and we blocked the line.</SPAN><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Verdana','sans-serif'"><o:p></o:p></SPAN></P>
<P class=MsoNormal><SPAN
style="FONT-SIZE: 10pt; COLOR: #1f497d; FONT-FAMILY: 'Verdana','sans-serif'"> </SPAN><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Verdana','sans-serif'"><o:p></o:p></SPAN></P>
<P class=MsoNormal><SPAN
style="FONT-SIZE: 10pt; COLOR: #1f497d; FONT-FAMILY: 'Verdana','sans-serif'">The
analog line in the show home serves 2 purposes. It is connected to the
SRST FXO port on the Cisco 2801 router and also connects to the analog fax
machine.</SPAN><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Verdana','sans-serif'"><o:p></o:p></SPAN></P>
<P class=MsoNormal><SPAN
style="FONT-SIZE: 10pt; COLOR: #1f497d; FONT-FAMILY: 'Verdana','sans-serif'"> </SPAN><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Verdana','sans-serif'"><o:p></o:p></SPAN></P>
<P class=MsoNormal><SPAN
style="FONT-SIZE: 10pt; COLOR: #1f497d; FONT-FAMILY: 'Verdana','sans-serif'">At
this point, the POTS provider feels that somehow the 2801 router has been
compromised and is being used to route calls out the FXO port. We have a
cordless phone on an ATA, and at first they felt this was the source but I
indicated that any calls from the cordless phone would leave through our PRI in
the main office, through the phone line on the FXO port.</SPAN><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Verdana','sans-serif'"><o:p></o:p></SPAN></P>
<P class=MsoNormal><SPAN
style="FONT-SIZE: 10pt; COLOR: #1f497d; FONT-FAMILY: 'Verdana','sans-serif'"> </SPAN><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Verdana','sans-serif'"><o:p></o:p></SPAN></P>
<P class=MsoNormal><SPAN
style="FONT-SIZE: 10pt; COLOR: #1f497d; FONT-FAMILY: 'Verdana','sans-serif'">Even
if someone had managed to guess our admin password for the console of the
router, I don’t believe that person sitting on the Internet would be able to get
a call to connect from their computer, through the Internet, and leave out our
FXO port in our site.</SPAN><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Verdana','sans-serif'"><o:p></o:p></SPAN></P>
<P class=MsoNormal><SPAN
style="FONT-SIZE: 10pt; COLOR: #1f497d; FONT-FAMILY: 'Verdana','sans-serif'"> </SPAN><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Verdana','sans-serif'"><o:p></o:p></SPAN></P>
<P class=MsoNormal><SPAN
style="FONT-SIZE: 10pt; COLOR: #1f497d; FONT-FAMILY: 'Verdana','sans-serif'">I’m
wondering if anyone on the list has some thoughts as to how the system could
have been compromised or if it just isn’t possible. The POTS line is
actually a digital line provided by Shaw (a local cable/telco in Alberta).
I feel that their “digital” phone terminal has been compromised though it isn’t
connected to the Internet in any way. One other possibility is old school
phone phreaking where someone has actually tapped into the physical line but
they would have been sitting outside in the cold for a very long time making
these crazy calls.</SPAN><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Verdana','sans-serif'"><o:p></o:p></SPAN></P>
<P class=MsoNormal><SPAN
style="FONT-SIZE: 10pt; COLOR: #1f497d; FONT-FAMILY: 'Verdana','sans-serif'"> </SPAN><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Verdana','sans-serif'"><o:p></o:p></SPAN></P>
<P class=MsoNormal><SPAN
style="FONT-SIZE: 10pt; COLOR: #1f497d; FONT-FAMILY: 'Verdana','sans-serif'">I
look forward to any insight the collective brain power of this list can provide.
The bill for these calls is over $6000.</SPAN><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Verdana','sans-serif'"><o:p></o:p></SPAN></P>
<P class=MsoNormal><SPAN
style="FONT-SIZE: 10pt; COLOR: #1f497d; FONT-FAMILY: 'Verdana','sans-serif'"> </SPAN><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Verdana','sans-serif'"><o:p></o:p></SPAN></P>
<P class=MsoNormal><SPAN
style="FONT-SIZE: 10pt; COLOR: #1f497d; FONT-FAMILY: 'Verdana','sans-serif'">Regards,</SPAN><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Verdana','sans-serif'"><o:p></o:p></SPAN></P>
<P class=MsoNormal><SPAN
style="FONT-SIZE: 10pt; COLOR: #1f497d; FONT-FAMILY: 'Verdana','sans-serif'">Corbett
Enders.</SPAN><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Verdana','sans-serif'"><o:p></o:p></SPAN></P>
<P class=MsoNormal><SPAN
style="FONT-SIZE: 10pt; COLOR: #1f497d; FONT-FAMILY: 'Verdana','sans-serif'"> </SPAN><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Verdana','sans-serif'"><o:p></o:p></SPAN></P>
<P class=MsoNormal><B><SPAN style="FONT-FAMILY: 'Arial','sans-serif'">Corbett
Enders</SPAN></B><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Verdana','sans-serif'"><o:p></o:p></SPAN></P>
<P class=MsoNormal><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Arial','sans-serif'">Network
Manager<BR>Homes by Avi - 2007 Canadian Builder of the Year.<BR>Tel: (403)
536-7170<BR>Fax: (403) 536-7171<BR></SPAN><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Verdana','sans-serif'"><A
href="http://www.homesbyavi.com/"><SPAN
style="FONT-FAMILY: 'Arial','sans-serif'">www.homesbyavi.com</SPAN></A></SPAN><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Arial','sans-serif'"> </SPAN><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Verdana','sans-serif'"><o:p></o:p></SPAN></P>
<P class=MsoNormal><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Verdana','sans-serif'"> <o:p></o:p></SPAN></P></DIV>
<P class=MsoNormal><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Verdana','sans-serif'"><o:p> </o:p></SPAN></P>
<DIV class=MsoNormal style="TEXT-ALIGN: center" align=center><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Verdana','sans-serif'">
<HR align=center width="100%" SIZE=2>
</SPAN></DIV>
<P><SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: 'Arial','sans-serif'">No virus
found in this incoming message.<BR>Checked by AVG -
http://www.avg.com<BR>Version: 8.0.176 / Virus Database: 270.10.4/1880 - Release
Date: 1/7/2009 8:49 AM</SPAN><o:p></o:p></P></DIV></BODY></HTML>