I have not seen a case of this that was not caused by having an internet-reachable router with port 5060 TCP or UDP open. I have these shut down on my home router and I consistently see scans. You should always shut down ports TCP/UDP 5060 and TCP 1720 on your router for outside interfaces. Maybe your NAT is not a PAT also, and it forwards all ports through. NAT is not inherently a security device, and should not be assumed so.<br>
<br>This has been addressed in 15.1(2)T through some more specific restrictions as well.<br><br>-nick<br><br><div class="gmail_quote">On Sat, Jan 15, 2011 at 11:50 PM, Jawad A Hai <span dir="ltr"><<a href="mailto:ahjawad@hotmail.com">ahjawad@hotmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<div style="padding-left: 10px; padding-right: 10px; padding-top: 15px;" link="blue" vlink="purple" name="Compose message area" lang="EN-US">
<div><font color="#000080" face="Tahoma">Hello Jason,</font></div>
<div><font color="#000080" face="Tahoma"></font> </div>
<div><font color="#000080" face="Tahoma">The CME has internet accessibility, but
with a NATted IP.</font></div>
<div><font color="#000080" face="Tahoma">It’s behind a firewall.</font></div>
<div><font color="#000080" face="Tahoma">I think we were hacked by those pay phone
gangs,</font></div>
<div><font color="#000080" face="Tahoma">they have somehow scanned the system for
the CLID manipulation; once they found the matching four-digit DID, they
started sending calls using that DID.</font></div>
<div><font color="#000080" face="Tahoma">I traced the calls; they were going to
"dial to win" (hold your call as long as possible to win prizes, blah blah).</font></div>
<div><font color="#000080" face="Tahoma">I don’t have any call pattern.</font></div>
<div><font color="#000080" face="Tahoma">But what amazes me is the sophistication of
those gangs; it was done deliberately during the weekend.</font></div>
<div><font color="#000080" face="Tahoma">I see SIP call legs in the call logs. I don’t
have SIP configured in the CME, but I don’t have "h.323 to sip and sip to
h.323" conversion in voice service voip.</font></div>
<div><font color="#000080" face="Tahoma"></font> </div>
<div><font color="#000080" face="Tahoma">Still not sure how it was done, with CLID
manipulation.</font></div>
<div><font color="#000080" face="Tahoma">Please share any ideas.</font></div>
<div> </div>
<div style="font: 10pt Tahoma;">
<div><font color="#000080" size="3"></font><br></div>
<div style="background: none repeat scroll 0% 0% rgb(245, 245, 245);">
<div><b>From:</b> <a title="jason.aarons@us.didata.com" href="mailto:jason.aarons@us.didata.com" target="_blank">Jason Aarons (US)</a> </div>
<div><b>Sent:</b> Sunday, January 16, 2011 6:35 AM</div>
<div><b>To:</b> <a title="ahjawad@hotmail.com" href="mailto:ahjawad@hotmail.com" target="_blank">Jawad A Hai</a> ; <a href="mailto:cisco-voip@puck.nether.net" target="_blank">cisco-voip@puck.nether.net</a> </div>
<div><b>Subject:</b> RE: [cisco-voip] E1 call Fraud + h.323 Gw</div></div></div><div><div></div><div class="h5">
<div><br></div>
<div>
<p class="MsoNormal"><span style="color: rgb(31, 73, 125); font-size: 11pt;">Hopefully
the CME doesn’t have any Internet accessibility? It’s behind a firewall,
right?</span></p>
<p class="MsoNormal"><span style="color: rgb(31, 73, 125); font-size: 11pt;"> </span></p>
<div>
<div style="border-width: 1pt medium medium; border-style: solid none none; border-color: rgb(181, 196, 223) -moz-use-text-color -moz-use-text-color; padding: 3pt 0in 0in;">
<p class="MsoNormal"><b><span style="font-size: 10pt;">From:</span></b><span style="font-size: 10pt;"> <a href="mailto:cisco-voip-bounces@puck.nether.net" target="_blank">cisco-voip-bounces@puck.nether.net</a>
[mailto:<a href="mailto:cisco-voip-bounces@puck.nether.net" target="_blank">cisco-voip-bounces@puck.nether.net</a>] <b>On Behalf Of </b>Jawad A
Hai<br><b>Sent:</b> Saturday, January 15, 2011 1:21 PM<br><b>To:</b> <a href="mailto:cisco-voip@puck.nether.net" target="_blank">cisco-voip@puck.nether.net</a><br><b>Subject:</b>
[cisco-voip] E1 call Fraud + h.323 Gw</span></p></div></div>
<p class="MsoNormal"> </p>
<div>
<p class="MsoNormal"><span style="color: navy;">Hello
Group,</span></p></div>
<div>
<p class="MsoNormal"> </p></div>
<div>
<p class="MsoNormal"><span style="color: navy;">Recently I faced a
problem with one of my clients, who has got E1r2,
DID/DOD.</span></p></div>
<div>
<p class="MsoNormal"><span style="color: navy;">He has Cisco CME and
Cisco Voice Gateway.</span></p></div>
<div>
<p class="MsoNormal"><span style="color: navy;">Suddenly all 30 ports
got busy with international calls. All the calls are being generated by ONE IP
Phone which has got local extension 2000.</span></p></div>
<div>
<p class="MsoNormal"><span style="color: navy;">This extension was
translated to a DID number, so that any call going out via this extension takes the
DID, and any call coming in on this DID lands on this
phone.</span></p></div>
<div>
<p class="MsoNormal"><span style="color: navy;">The CME was configured
for access from outside via a live IP, i.e. live IP to local IP
(NAT).</span></p></div>
<div>
<p class="MsoNormal"><span style="color: navy;">Now the thing here is
that all the calls which were generated are international calls. We rebooted the GW,
we rebooted the CME; it stayed the same. Once it reboots, all 30 ports get busy with
international calls.</span></p></div>
<div>
<p class="MsoNormal"><span style="color: navy;">Calls going to African
countries/Russian countries (dial codes belong to these
countries).</span></p></div>
<div>
<p class="MsoNormal"><span style="color: navy;">When I changed the
international dial peer on the CME they stopped.</span></p></div>
<div>
<p class="MsoNormal"><span style="color: navy;">But the catch here is they
have received a bill of more than 100k USD from the TELCO. DEAD DEAD Bang
Bang.</span></p></div>
<div>
<p class="MsoNormal"><span style="color: navy;">What are the chances of
toll fraud or any other way of hacking?</span></p></div>
<div>
<p class="MsoNormal"><span style="color: navy;">OR could it be TELCO
side issue?</span></p></div>
<div>
<p class="MsoNormal"><span style="color: navy;">Cuz I see mostly calls
are being generated by a single DID number??</span></p></div>
<div>
<p class="MsoNormal"> </p></div>
<div>
<p class="MsoNormal"><span style="color: navy;">Aali</span></p></div>
<div>
<p class="MsoNormal"> </p></div></div>
</div></div></div>
<br>_______________________________________________<br>
cisco-voip mailing list<br>
<a href="mailto:cisco-voip@puck.nether.net">cisco-voip@puck.nether.net</a><br>
<a href="https://puck.nether.net/mailman/listinfo/cisco-voip" target="_blank">https://puck.nether.net/mailman/listinfo/cisco-voip</a><br>
<br></blockquote></div><br>
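The pattern described in this thread (one extension suddenly originating a flood of international calls, on a weekend, until every trunk port is busy) is easy to catch from call records before the telco bill arrives. The following script is an added example, not code from any message in the thread or from Cisco; it runs a sliding-window burst check, an off-hours check and a destination allowlist over constructed CDR lines. The four-field CSV format, the "00" international access code, the allowlist of expected country codes and the business-hours range are all assumptions to be replaced with whatever the gateway actually exports and the site actually dials.

```python
"""Toll-fraud detector over gateway call records.

Added example, not code from any message in this thread. The CDR format
below (timestamp, calling extension, called number, duration in seconds)
is an assumption; map whatever your gateway or CME actually exports into
the same four fields.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records, loosely modelled on the thread: one extension
# (2000) suddenly originating a burst of international calls on a Saturday.
SAMPLE_CDR = """\
2011-01-14 10:15:00,2105,0044207946000,120
2011-01-14 11:30:00,2105,0014155550100,300
2011-01-15 13:02:11,2000,0070951234567,612
2011-01-15 13:02:14,2000,0070951234568,598
2011-01-15 13:02:20,2000,0023412345678,601
2011-01-15 13:02:25,2000,0023412345679,590
2011-01-15 13:02:31,2000,0070951234569,605
2011-01-15 13:02:40,2000,0070951234570,600
2011-01-15 13:03:00,2105,2001,30
"""

INTL_PREFIX = "00"                    # assumed international access code
EXPECTED_COUNTRY_CODES = {"44", "1"}  # constructed allowlist of destinations this site calls
BUSINESS_HOURS = range(8, 18)         # assumed local office hours, weekdays only


def parse_cdr(text):
    """Parse CSV-style records into dicts; skips blank and malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 4:
            continue
        ts, ext, called, dur = parts
        records.append({
            "ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "ext": ext,
            "called": called,
            "duration": int(dur),
        })
    return records


def is_international(number):
    return number.startswith(INTL_PREFIX)


def is_expected_destination(number):
    """True if the dialled country code is one the site normally calls."""
    rest = number[len(INTL_PREFIX):]
    return any(rest.startswith(cc) for cc in EXPECTED_COUNTRY_CODES)


def is_off_hours(ts):
    return ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS


def detect(records, window=timedelta(minutes=5), burst=5):
    """Return one alert per suspicious international call.

    Reasons: destination outside the allowlist, call placed off-hours, or
    the originating extension reaching `burst` international calls within
    `window` (a sliding window per extension, cheap enough to run on a
    live record feed).
    """
    alerts = []
    recent = defaultdict(deque)
    for r in sorted(records, key=lambda r: r["ts"]):
        if not is_international(r["called"]):
            continue
        reasons = []
        if not is_expected_destination(r["called"]):
            reasons.append("unexpected destination")
        if is_off_hours(r["ts"]):
            reasons.append("off-hours")
        q = recent[r["ext"]]
        q.append(r["ts"])
        while r["ts"] - q[0] > window:   # drop timestamps older than the window
            q.popleft()
        if len(q) >= burst:
            reasons.append(f"burst: {len(q)} international calls in {window}")
        if reasons:
            alerts.append({"ext": r["ext"], "called": r["called"],
                           "ts": r["ts"], "reasons": reasons})
    return alerts


def alerts_by_extension(alerts):
    counts = defaultdict(int)
    for a in alerts:
        counts[a["ext"]] += 1
    return dict(counts)


def run_sample():
    return detect(parse_cdr(SAMPLE_CDR))


if __name__ == "__main__":
    for a in run_sample():
        print(a["ts"], a["ext"], "->", a["called"], "; ".join(a["reasons"]))
    print(alerts_by_extension(run_sample()))
```

On the constructed input the two weekday calls from 2105 to allowlisted countries produce nothing, the internal call is ignored, and all six Saturday calls from 2000 are flagged, the last two additionally for the burst. A check like this complements Nick's advice above rather than replacing it: closing 5060/1720 on the outside interface removes the entry point, while the record check limits how long an abuse can run once something else is misconfigured, which is the part that turns into a 100k bill.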