<div dir="ltr"><div><div><div><div>Hey Ryan,<br><br></div>The telco said these POTS lines (four of them) were being used to dial Jamaica. The router has 4 FXO ports. For some reason, they were leaving the fourth line alone, though the telco felt that wouldn't last long.<br></div>The router only has an internal non-routable IP addy.<br></div>Only processes H.323 (but does allow telnet and SNMP)<br></div>I don't know what PSTN egress means. Sorry!<br></div><div class="gmail_extra"><br><div class="gmail_quote">On Sun, Sep 11, 2016 at 11:49 AM, Ryan Huff <span dir="ltr"><<a href="mailto:ryanhuff@outlook.com" target="_blank">ryanhuff@outlook.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">
<div style="font-size:12pt;color:#000000;background-color:#ffffff;font-family:Calibri,Arial,Helvetica,sans-serif">
<p>Hi David,</p>
<p><br>
</p>
<ul>
<li>Did the telco say that the calls were originated from your POTS trunks or were they responding to customer complaints that one of your numbers had been reported to them for fraud ... etc?</li><li>Does this router have a public Internet facing interface?</li><li>Does this router process any other signaling protocols besides H.323?</li><li>You mentioned having Unity / Unity Connections ... are you allowing PSTN egress from Unity Connections / have you verified the restriction tables are correct?</li></ul>
<p>There are a number of things you could do on either side (UCM / Gateway). To cover the gap for the interim, I would at least deal with the specific called numbers that the telco gave you. In UCM, you could create specific route patterns in the egress path
that do not route the match. On the gateway, you could use voice translation rules to try and reject the call attempt or translate the number to something the carrier won't route. You could also create specific dial-peers for the called numbers that do not
route to anything.</p>
<p><br>
</p>
<p>This reminds me of a time I had this issue (and I was a bit less mature); I created dial-peers on the CUBE that matched the 'bad' called numbers and I routed them back into CCM->CTIRp->CUC and had a small sample of Rick Astley's, "Never Gonna Give You Up"
playing as the opening greeting to a System Call Handler .... ahhh the younger days ....<br>
</p>
<p><br>
</p>
<p>ANYWAYS ....</p>
<p><br>
</p>
<p>I would say, in my experience, this sort of thing typically comes from the outside in. In cases where CUBE has a public Internet facing interface, usually someone finds something open on CUBE, sends some signaling that matches a dial-peer and off it goes.
In this case you'd want to look at some outside ACLs or putting a firewall between the public Internet and the CUBE. If your CUBE does not face the Internet or is on a private network like MPLS ... that is much less likely to be the case and you want to start
looking elsewhere on the network.</p>
<p><br>
</p>
<p>I have seen bot dialers/Probers like '<a href="http://blog.sipvicious.org/" target="_blank">SIPVicious</a>' (<a href="https://tools.cisco.com/security/center/viewAlert.x?alertId=33141" target="_blank">Cisco even has an advisory about it</a>) be able to access CUBE from the inside while
installed on an infected PC. Granted, this tool is for SIP, but similar tools exist for h.323. <br>
</p>
<p><br>
</p>
Thanks,<br>
<br>
Ryan<br>
<p></p>
<div style="color:rgb(0,0,0)">
<hr style="display:inline-block;width:98%">
<div dir="ltr"><font style="font-size:11pt" face="Calibri, sans-serif" color="#000000"><b>From:</b> cisco-voip <<a href="mailto:cisco-voip-bounces@puck.nether.net" target="_blank">cisco-voip-bounces@puck.<wbr>nether.net</a>> on behalf of David Zhars <<a href="mailto:dzhars@gmail.com" target="_blank">dzhars@gmail.com</a>><br>
<b>Sent:</b> Sunday, September 11, 2016 9:37 AM<br>
<b>To:</b> <a href="mailto:cisco-voip@puck.nether.net" target="_blank">cisco-voip@puck.nether.net</a><br>
<b>Subject:</b> [cisco-voip] Phone Fraud H.323</font>
<div> </div>
</div><div><div class="h5">
<div>
<div dir="ltr">So yesterday I was alerted by our landline company that some of our phone numbers that come in POTS on an H323 router, we being used for phone fraud. I am wondering how this happens with an H323 router (I am familiar with someone hacking Unity
and setting up actions to route to Jamaica once someone leaves a voicemail or similar).
<div><br>
</div>
<div>The odd part is that these numbers are almost NEVER used for calling out, unless the user presses a 7 for an outbound line (versus an 8 which puts the call out on ISDN).</div>
<div><br>
</div>
<div>I found a link on how to disable OffNet calling in UCM, but should I instead look at securing the H323 router? Or does the call blocking rule need to be done in UCM?</div>
<div><br>
</div>
<div>Thanks for any enlightenment you can provide.</div>
<div><br>
</div>
<div>PS- Client is in USA, call fraud to Jamaica which does not require a country code, so harder to block.</div>
</div>
</div>
</div></div></div>
</div>
</div>
</blockquote></div><br></div>