<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 12 (filtered medium)"><!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body bgcolor=white lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>I had a similar problem with a 100K USD bill over 3 months and it is the same problem…never give a voice gateway internet access, also you may consider some access lists, CORs,…etc to prevent this hacking.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Arial","sans-serif";color:#1F497D'>Best Regards,<o:p></o:p></span></p><p class=MsoNormal style='background:white'><span style='font-size:11.0pt;font-family:"Arial","sans-serif";color:#1F497D'>Ahmed Elnagar | CCIE#24697 Voice</span><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p></o:p></span></p></div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> cisco-voip-bounces@puck.nether.net [mailto:cisco-voip-bounces@puck.nether.net] <b>On Behalf Of </b>Ki Wi<br><b>Sent:</b> Sunday, January 16, 2011 12:41 PM<br><b>To:</b> Nick Matthews<br><b>Cc:</b> cisco-voip@puck.nether.net<br><b>Subject:</b> Re: [cisco-voip] E1 call Fraud + h.323 Gw<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal>I have this problem recently also with one of the customer who's router is connected to Internet directly. Luckily the telco inform them about it.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>When I remote in, it is still happening. They are actually using sip 5060 to make outgoing call. What I did was using acl to block 5060 both tcp and udp. I blocked sccp and h323 as well. All of them I set to log but only seems like it's hitting 5060 only<br><br>Sent from my iPhone<o:p></o:p></p><div><p class=MsoNormal>Pls pardon my fat fingers.<o:p></o:p></p></div></div><div><p class=MsoNormal style='margin-bottom:12.0pt'><br>On Jan 16, 2011, at 5:19 PM, Nick Matthews <<a href="mailto:matthnick@gmail.com">matthnick@gmail.com</a>> wrote:<o:p></o:p></p></div><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><div><p class=MsoNormal style='margin-bottom:12.0pt'>I have not seen a case of this that was not caused by having an internet reachable router with port 5060 TCP or UDP open. I have these shut down on my home router and I consistently see scans. You should always shut down ports TCP/UCP 5060 and TCP 1720 on your router for outside interfaces. Maybe your NAT is not a PAT also, and it forwards all ports through. NAT is not inherently a security device, and should not be assumed so.<br><br>This has been addressed in 15.1(2)T through some more specific restrictions as well.<br><br>-nick<o:p></o:p></p><div><p class=MsoNormal>On Sat, Jan 15, 2011 at 11:50 PM, Jawad A Hai <<a href="mailto:ahjawad@hotmail.com">ahjawad@hotmail.com</a>> wrote:<o:p></o:p></p><div name="Compose message area"><div><p class=MsoNormal><span style='font-family:"Tahoma","sans-serif";color:navy'>Hello Jason,</span><o:p></o:p></p></div><div><p class=MsoNormal> <o:p></o:p></p></div><div><p class=MsoNormal><span style='font-family:"Tahoma","sans-serif";color:navy'>The CME has intenret accessibility, but with Natted IP.</span><o:p></o:p></p></div><div><p class=MsoNormal><span style='font-family:"Tahoma","sans-serif";color:navy'>Its behind firewall, </span><o:p></o:p></p></div><div><p class=MsoNormal><span style='font-family:"Tahoma","sans-serif";color:navy'>I think we were hacked by those pay phone gangs,</span><o:p></o:p></p></div><div><p class=MsoNormal><span style='font-family:"Tahoma","sans-serif";color:navy'>they have some how scanned the system for the CLID manipulation, once they found the matching four digit DID, they have started sending calls using that DID.</span><o:p></o:p></p></div><div><p class=MsoNormal><span style='font-family:"Tahoma","sans-serif";color:navy'>I traced the calls, they were going to "dial to win " hold your call as long as to win prizes, blah blah.</span><o:p></o:p></p></div><div><p class=MsoNormal><span style='font-family:"Tahoma","sans-serif";color:navy'>I don’t have any call pattern.</span><o:p></o:p></p></div><div><p class=MsoNormal><span style='font-family:"Tahoma","sans-serif";color:navy'>But what amazes with the sophistication of those gangs, it was done deliberately during weekend.</span><o:p></o:p></p></div><div><p class=MsoNormal><span style='font-family:"Tahoma","sans-serif";color:navy'>I see SIP call legs in call logs, I don’t have SIP configured in the CME, but I don’t have in " h.323 to sip and sip to h.323 " conversion in voice service voip.</span><o:p></o:p></p></div><div><p class=MsoNormal> <o:p></o:p></p></div><div><p class=MsoNormal><span style='font-family:"Tahoma","sans-serif";color:navy'>Still not sure how was it done, with CLID manipulation.</span><o:p></o:p></p></div><div><p class=MsoNormal><span style='font-family:"Tahoma","sans-serif";color:navy'>Please share any ideas.</span><o:p></o:p></p></div><div><p class=MsoNormal> <o:p></o:p></p></div><div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'><o:p> </o:p></span></p></div><div><div><p class=MsoNormal style='background:whitesmoke'><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> <a href="mailto:jason.aarons@us.didata.com" target="_blank" title="jason.aarons@us.didata.com">Jason Aarons (US)</a> <o:p></o:p></span></p></div><div><p class=MsoNormal style='background:whitesmoke'><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>Sent:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> Sunday, January 16, 2011 6:35 AM<o:p></o:p></span></p></div><div><p class=MsoNormal style='background:whitesmoke'><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>To:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> <a href="mailto:ahjawad@hotmail.com" target="_blank" title="ahjawad@hotmail.com">Jawad A Hai</a> ; <a href="mailto:cisco-voip@puck.nether.net">cisco-voip@puck.nether.net</a> <o:p></o:p></span></p></div><div><p class=MsoNormal style='background:whitesmoke'><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>Subject:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> RE: [cisco-voip] E1 call Fraud + h.323 Gw<o:p></o:p></span></p></div></div></div><div><div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;color:#1F497D'>Hopefully the CME doesn’t have any Internet accessability? It’s behind a firewall right?</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;color:#1F497D'> </span><o:p></o:p></p><div><div style='border:none;border-top:solid windowtext 1.0pt;padding:3.0pt 0in 0in 0in;border-color:-moz-use-text-color -moz-use-text-color'><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><span style='font-size:10.0pt'>From:</span></b><span style='font-size:10.0pt'> <a href="mailto:cisco-voip-bounces@puck.nether.net">cisco-voip-bounces@puck.nether.net</a> [mailto:<a href="mailto:cisco-voip-bounces@puck.nether.net">cisco-voip-bounces@puck.nether.net</a>] <b>On Behalf Of </b>Jawad A Hai<br><b>Sent:</b> Saturday, January 15, 2011 1:21 PM<br><b>To:</b> <a href="mailto:cisco-voip@puck.nether.net">cisco-voip@puck.nether.net</a><br><b>Subject:</b> [cisco-voip] E1 call Fraud + h.323 Gw</span><o:p></o:p></p></div></div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='color:navy'>Hello Group,</span><o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='color:navy'>Recently I faced a problem with one of my client, who has got E1r2, DID/DOD.</span><o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='color:navy'>He has Cisco CME and Cisco Voice Gateway.</span><o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='color:navy'>Suddenly all 30 ports got busy with international calls. All the calls are being generated by ONE IP Phone which has got local extension 2000.</span><o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='color:navy'>This extension was translated to DID number, so that any call goes out via this number takes the DID and any call comes on this DID will land on this Phone.</span><o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='color:navy'>The CME was configured to access via outside with live IP. ie Live IP to Local IP (NAT).</span><o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='color:navy'>Now the thing here is all the calls which were generated are international calls, we rebooted the gw, we rebooted the CME it stayed same..once it reboots all 30 ports got busy with international calls.</span><o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='color:navy'>calls going to african countries/russian countries( dial codes belongs to these countries).</span><o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='color:navy'>When I changed the international dial peer on the CME they stopped.</span><o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='color:navy'>But catch here is they have received more than 100 k USD bill from TELCO. DEAD DEAD Bang Bang.</span><o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='color:navy'>What are the chances of toll Fraud or any other way of hacking ?</span><o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='color:navy'>OR could it be TELCO side issue?</span><o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='color:navy'>Cuz I see mostly calls are being generated by single DID number ??</span><o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='color:navy'>Aali</span><o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div></div><div class=MsoNormal align=center style='text-align:center'><hr size=1 width="100%" align=center></div><p><b>Disclaimer: This e-mail communication and any attachments may contain confidential and privileged information and is for use by the designated addressee(s) named above only. If you are not the intended addressee, you are hereby notified that you have received this communication in error and that any use or reproduction of this email or its contents is strictly prohibited and may be unlawful. If you have received this communication in error, please notify us immediately by replying to this message and deleting it from your computer. Thank you. </b><o:p></o:p></p></div></div></div><p class=MsoNormal style='margin-bottom:12.0pt'><br>_______________________________________________<br>cisco-voip mailing list<br><a href="mailto:cisco-voip@puck.nether.net">cisco-voip@puck.nether.net</a><br><a href="https://puck.nether.net/mailman/listinfo/cisco-voip">https://puck.nether.net/mailman/listinfo/cisco-voip</a><o:p></o:p></p></div><p class=MsoNormal><o:p> </o:p></p></div></blockquote><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><div><p class=MsoNormal>_______________________________________________<br>cisco-voip mailing list<br><a href="mailto:cisco-voip@puck.nether.net">cisco-voip@puck.nether.net</a><br><a href="https://puck.nether.net/mailman/listinfo/cisco-voip">https://puck.nether.net/mailman/listinfo/cisco-voip</a><o:p></o:p></p></div></blockquote></div><DIV> </DIV>Disclaimer: NOTICE The information contained in this message is confidential and is intended for the addressee(s) only. If you have received this message in error or there are any problems please notify the originator immediately. The unauthorized use, disclosure, copying or alteration of this message is strictly forbidden. Raya will not be liable for direct, special, indirect or consequential damages arising from alteration of the contents of this message by a third party or as a result of any malicious code or virus being passed on. Views expressed in this communication are not necessarily those of Raya.If you have received this message in error, please notify the sender immediately by email, facsimile or telephone and return and/or destroy the original message. </body></html>