[VoiceOps] looking for advice on international fraud that took place via an Edgemarc 200EW with FXO line installed
Matt Yaklin
myaklin at g4.net
Fri Nov 1 17:30:39 EDT 2013
List,
The problem was I was missing a check box labeled:
"Limit Inbound to listed Proxies / SIP Servers"
Under the SIP settings page.
This was my first Edgemarc that had the survivability license with
it so it took some playing around to get everything to work. I must
have unchecked it while trying to fix an issue during setup and never
came back to it.
No problem found. Operator error that probably cost G4 $300 bucks
easy on toll charges.
Thank you all for responding. Now I just need a way to get revenge
on the hacker. Anyone have any contacts in the Gaza Strip? :-(
I know this has been discussed here before but why in the world
would a Palestinian be calling Grenada? How does one make money off
that situation? Sigh...
matt at g4.net
On Fri, 1 Nov 2013, Matt Yaklin wrote:
>
> I think you are on the right track.
>
> I was reading the manual just now trying to figure out how
> or where 1001 comes from. Perhaps that does not even matter.
> You could make up anything.
>
> I am just not seeing how I tell this edgemarc box to stop
> allowing it yet short of using a firewall feature that this
> box does not have like the newest 13.x firmware does. Maybe
> it is hidden or people used the pass through rule set.
>
> matt
>
> On Fri, 1 Nov 2013, Paul Timmins wrote:
>
>> Have you tried tossing an unauthenticated call at the edgemarc from outside
>> using a from address of 1001 at edgemarcip? Looks like that's what this guy is
>> doing.
>> You're ignoring his registers but you may be allowing invites from an
>> unregistered device.
>>
>> On Fri, 11/01/2013 03:33 PM, Matt Yaklin <myaklin at g4.net> wrote:
>> They are not overlapping.
>>
>> The attacker finally bit just a bit ago. I only was running
>> tcpdump on port 5060 on the edgemarc but I captured the SIP
>> traffic for what the attacker is doing. I wish I had set up
>> more.
>>
>>
>> I blocked international via an auth code right now...
>>
>> x.x.139.225 = WAN ethernet port of the Edgemarc.
>>
>> I am going through this now and if anyone can help I would
>> greatly appreciate it. I need to find out why this is happening.
>>
>>
>>
>> -----------------------
>> -----------------------
>> -----------------------
>> Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE,
>> SUBSCRIBE, INFO
>> User-Agent: eyeBeam release 3007n stamp 17816
>> Cont
>> <<<<<<<<<<<<<<<sip header stop<<<<<<<<<<<<<<<<<<<<
>>
>> 19:18:48.788559 176.58.68.20.10181 > x.x.139.225.5060:
>> >>>>>>>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>>
>> REGISTER sip:x.x.139.225 SIP/2.0
>> To: <sip:1001 at x.x.139.225>
>> From: <sip:1001 at x.x.139.225>;tag=e26e273f
>> Via: SIP/2.0/UDP
>> 176.58.68.20:10181;branch=z9hG4bK-d87543-161690352-1--d87543-;rport
>> Call-ID: b161d8122d506908
>> CSeq: 1 REGISTER
>> Contact: <sip:1001 at 176.58.68.20:10181>
>> Expires: 3600
>> Max-Forwards: 70
>> Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE,
>> SUBSCRIBE, INFO
>> User-Agent: eyeBeam release 3007n stamp 17816
>> Cont
>> <<<<<<<<<<<<<<<sip header stop<<<<<<<<<<<<<<<<<<<<
>>
>> 19:18:52.786472 176.58.68.20.10181 > x.x.139.225.5060:
>> >>>>>>>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>>
>> REGISTER sip:x.x.139.225 SIP/2.0
>> To: <sip:1001 at x.x.139.225>
>> From: <sip:1001 at x.x.139.225>;tag=e26e273f
>> Via: SIP/2.0/UDP
>> 176.58.68.20:10181;branch=z9hG4bK-d87543-161690352-1--d87543-;rport
>> Call-ID: b161d8122d506908
>> CSeq: 1 REGISTER
>> Contact: <sip:1001 at 176.58.68.20:10181>
>> Expires: 3600
>> Max-Forwards: 70
>> Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE,
>> SUBSCRIBE, INFO
>> User-Agent: eyeBeam release 3007n stamp 17816
>> Cont
>> <<<<<<<<<<<<<<<sip header stop<<<<<<<<<<<<<<<<<<<<
>>
>> 19:18:56.794955 176.58.68.20.10181 > x.x.139.225.5060:
>> >>>>>>>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>>
>> REGISTER sip:x.x.139.225 SIP/2.0
>> To: <sip:1001 at x.x.139.225>
>> From: <sip:1001 at x.x.139.225>;tag=e26e273f
>> Via: SIP/2.0/UDP
>> 176.58.68.20:10181;branch=z9hG4bK-d87543-161690352-1--d87543-;rport
>> Call-ID: b161d8122d506908
>> CSeq: 1 REGISTER
>> Contact: <sip:1001 at 176.58.68.20:10181>
>> Expires: 3600
>> Max-Forwards: 70
>> Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE,
>> SUBSCRIBE, INFO
>> User-Agent: eyeBeam release 3007n stamp 17816
>> Cont
>> <<<<<<<<<<<<<<<sip header stop<<<<<<<<<<<<<<<<<<<<
>>
>> 19:19:00.899198 176.58.68.20.10181 > x.x.139.225.5060:
>> >>>>>>>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>>
>> REGISTER sip:x.x.139.225 SIP/2.0
>> To: <sip:1001 at x.x.139.225>
>> From: <sip:1001 at x.x.139.225>;tag=e26e273f
>> Via: SIP/2.0/UDP
>> 176.58.68.20:10181;branch=z9hG4bK-d87543-161690352-1--d87543-;rport
>> Call-ID: b161d8122d506908
>> CSeq: 1 REGISTER
>> Contact: <sip:1001 at 176.58.68.20:10181>
>> Expires: 3600
>> Max-Forwards: 70
>> Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE,
>> SUBSCRIBE, INFO
>> User-Agent: eyeBeam release 3007n stamp 17816
>> Cont
>> <<<<<<<<<<<<<<<sip header stop<<<<<<<<<<<<<<<<<<<<
>>
>> 19:19:04.809371 176.58.68.20.10181 > x.x.139.225.5060:
>> >>>>>>>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>>
>> REGISTER sip:x.x.139.225 SIP/2.0
>> To: <sip:1001 at x.x.139.225>
>> From: <sip:1001 at x.x.139.225>;tag=e26e273f
>> Via: SIP/2.0/UDP
>> 176.58.68.20:10181;branch=z9hG4bK-d87543-161690352-1--d87543-;rport
>> Call-ID: b161d8122d506908
>> CSeq: 1 REGISTER
>> Contact: <sip:1001 at 176.58.68.20:10181>
>> Expires: 3600
>> Max-Forwards: 70
>> Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE,
>> SUBSCRIBE, INFO
>> User-Agent: eyeBeam release 3007n stamp 17816
>> Cont
>> <<<<<<<<<<<<<<<sip header stop<<<<<<<<<<<<<<<<<<<<
>>
>> 19:19:08.831073 176.58.68.20.10181 > x.x.139.225.5060:
>> >>>>>>>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>>
>> REGISTER sip:x.x.139.225 SIP/2.0
>> To: <sip:1001 at x.x.139.225>
>> From: <sip:1001 at x.x.139.225>;tag=e26e273f
>> Via: SIP/2.0/UDP
>> 176.58.68.20:10181;branch=z9hG4bK-d87543-161690352-1--d87543-;rport
>> Call-ID: b161d8122d506908
>> CSeq: 1 REGISTER
>> Contact: <sip:1001 at 176.58.68.20:10181>
>> Expires: 3600
>> Max-Forwards: 70
>> Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE,
>> SUBSCRIBE, INFO
>> User-Agent: eyeBeam release 3007n stamp 17816
>> Cont
>> <<<<<<<<<<<<<<<sip header stop<<<<<<<<<<<<<<<<<<<<
>>
>> 19:19:12.827515 176.58.68.20.10181 > x.x.139.225.5060:
>> >>>>>>>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>>
>> REGISTER sip:x.x.139.225 SIP/2.0
>> To: <sip:1001 at x.x.139.225>
>> From: <sip:1001 at x.x.139.225>;tag=e26e273f
>> Via: SIP/2.0/UDP
>> 176.58.68.20:10181;branch=z9hG4bK-d87543-161690352-1--d87543-;rport
>> Call-ID: b161d8122d506908
>> CSeq: 1 REGISTER
>> Contact: <sip:1001 at 176.58.68.20:10181>
>> Expires: 3600
>> Max-Forwards: 70
>> Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE,
>> SUBSCRIBE, INFO
>> User-Agent: eyeBeam release 3007n stamp 17816
>> Cont
>> <<<<<<<<<<<<<<<sip header stop<<<<<<<<<<<<<<<<<<<<
>>
>> 19:19:16.827669 176.58.68.20.10181 > x.x.139.225.5060:
>> >>>>>>>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>>
>> REGISTER sip:x.x.139.225 SIP/2.0
>> To: <sip:1001 at x.x.139.225>
>> From: <sip:1001 at x.x.139.225>;tag=e26e273f
>> Via: SIP/2.0/UDP
>> 176.58.68.20:10181;branch=z9hG4bK-d87543-161690352-1--d87543-;rport
>> Call-ID: b161d8122d506908
>> CSeq: 1 REGISTER
>> Contact: <sip:1001 at 176.58.68.20:10181>
>> Expires: 3600
>> Max-Forwards: 70
>> Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE,
>> SUBSCRIBE, INFO
>> User-Agent: eyeBeam release 3007n stamp 17816
>> Cont
>> <<<<<<<<<<<<<<<sip header stop<<<<<<<<<<<<<<<<<<<<
>>
>> 19:23:19.307756 176.58.68.20.10189 > x.x.139.225.5060:
>> >>>>>>>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>>
>> BYE sip:14734050085 at x.x.139.225:5060 SIP/2.0
>> To: <sip:14734050085 at x.x.139.225>;tag=6516fea2
>> From: <sip:1001 at x.x.139.225>;tag=214bbc47
>> Via: SIP/2.0/UDP
>> 176.58.68.20:10189;branch=z9hG4bK-d87543-1012476641-1--d87543-;rport
>> Call-ID: 346c8a3823657575
>> CSeq: 2 BYE
>> Route: <sip:14734050085 at x.x.139.225;lr>
>> Contact: <sip:1001 at 176.58.68.20:10189>
>> Max-Forwards: 70
>> Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE,
>> SUBSCRIBE,
>> <<<<<<<<<<<<<<<sip header stop<<<<<<<<<<<<<<<<<<<<
>>
>> 19:23:19.370269 x.x.139.225.5060 > 176.58.68.20.10189:
>> >>>>>>>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>>
>> SIP/2.0 200 OK
>> Via: SIP/2.0/UDP
>> 176.58.68.20:10189;branch=z9hG4bK-d87543-1012476641-1--d87543-;rport=5060
>> Record-Route: <sip:14734050085 at x.x.139.225;lr>
>> From: <sip:1001 at x.x.139.225>;tag=214bbc47
>> To: <sip:14734050085 at x.x.139.225>;tag=6516fea2
>> Call-ID: 346c8a3823657575
>> CSeq: 2 BYE
>> Contact: <sip:14734050085 at x.x.139.225:5060>
>> User-agent: fxo/1.0
>> Content-Length: 0
>>
>>
>> <<<<<<<<<<<<<<<sip header stop<<<<<<<<<<<<<<<<<<<<
>> [tos 0xb8]
>> 19:23:31.365141 176.58.68.20.10189 > x.x.139.225.5060:
>> >>>>>>>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>>
>> INVITE sip:14734050088 at x.x.139.225 SIP/2.0
>> To: <sip:14734050088 at x.x.139.225>
>> From: <sip:1001 at x.x.139.225>;tag=d909f80a
>> Via: SIP/2.0/UDP
>> 176.58.68.20:10189;branch=z9hG4bK-d87543-292959825-1--d87543-;rport
>> Call-ID: 2b6a574f323db602
>> CSeq: 1 INVITE
>> Contact: <sip:1001 at 176.58.68.20:10189>
>> Max-Forwards: 70
>> Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE,
>> SUBSCRIBE, INFO
>> Content-Type: application/sdp
>> User-Agent: eyeBeam
>> <<<<<<<<<<<<<<<sip header stop<<<<<<<<<<<<<<<<<<<<
>>
>> 19:23:31.417251 x.x.139.225.5060 > 176.58.68.20.10189:
>> >>>>>>>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>>
>> SIP/2.0 100 Trying
>> Via: SIP/2.0/UDP
>> 176.58.68.20:10189;branch=z9hG4bK-d87543-292959825-1--d87543-;rport=5060
>> From: <sip:1001 at x.x.139.225>;tag=d909f80a
>> To: <sip:14734050088 at x.x.139.225>;tag=51a346d4
>> Call-ID: 2b6a574f323db602
>> CSeq: 1 INVITE
>> User-agent: fxo/1.0
>> Content-Length: 0
>>
>>
>> <<<<<<<<<<<<<<<sip header stop<<<<<<<<<<<<<<<<<<<<
>> [tos 0xb8]
>> 19:23:36.793012 x.x.139.225.5060 > 176.58.68.20.10189:
>> >>>>>>>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>>
>> SIP/2.0 180 Ringing
>> Via: SIP/2.0/UDP
>> 176.58.68.20:10189;branch=z9hG4bK-d87543-292959825-1--d87543-;rport=5060
>> Record-Route: <sip:14734050088 at x.x.139.225;lr>
>> From: <sip:1001 at x.x.139.225>;tag=d909f80a
>> To: <sip:14734050088 at x.x.139.225>;tag=51a346d4
>> Call-ID: 2b6a574f323db602
>> CSeq: 1 INVITE
>> Contact: <sip:14734050088 at x.x.139.225:5060>
>> User-agent: fxo/1.0
>> Content-Length: 0
>>
>>
>> <<<<<<<<<<<<<<<sip header stop<<<<<<<<<<<<<<<<<<<<
>> [tos 0xb8]
>> 19:23:36.833967 x.x.139.225.5060 > 176.58.68.20.10189:
>> >>>>>>>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>>
>> SIP/2.0 200 OK
>> Via: SIP/2.0/UDP
>> 176.58.68.20:10189;branch=z9hG4bK-d87543-292959825-1--d87543-;rport=5060
>> Record-Route: <sip:14734050088 at x.x.139.225;lr>
>> From: <sip:1001 at x.x.139.225>;tag=d909f80a
>> To: <sip:14734050088 at x.x.139.225>;tag=51a346d4
>> Call-ID: 2b6a574f323db602
>> CSeq: 1 INVITE
>> Contact: <sip:14734050088 at x.x.139.225:5060>
>> User-agent: fxo/1.0
>> Allow: INVITE, ACK, CANCEL, OPTIONS, BYE
>> Content-Type: application/sdp
>> Content-Leng
>> <<<<<<<<<<<<<<<sip header stop<<<<<<<<<<<<<<<<<<<<
>> [tos 0xb8]
>> 19:23:37.060875 176.58.68.20.10189 > x.x.139.225.5060:
>> >>>>>>>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>>
>> ACK sip:14734050088 at x.x.139.225:5060 SIP/2.0
>> To: <sip:14734050088 at x.x.139.225>;tag=51a346d4
>> From: <sip:1001 at x.x.139.225>;tag=d909f80a
>> Via: SIP/2.0/UDP
>> 176.58.68.20:10189;branch=z9hG4bK-d87543-154025872-1--d87543-;rport
>> Call-ID: 2b6a574f323db602
>> CSeq: 1 ACK
>> Route: <sip:14734050088 at x.x.139.225;lr>
>> Contact: <sip:1001 at 176.58.68.20:10189>
>> Max-Forwards: 70
>> User-Agent: eyeBeam release 3007n stamp 17816
>> Content-Length: 0
>>
>>
>> <<<<<<<<<<<<<<<sip header stop<<<<<<<<<<<<<<<<<<<<
>>
>>
>> ---------------
>> --------------
>> ------------
>>
>> On Fri, 1 Nov 2013, Jay Hennigan wrote:
>>
>> > On 11/1/13 12:04 PM, Matt Yaklin wrote:
>> >>
>> >> Approx 60-70 calls.
>> >
>> > If more than one overlapping you can rule out the physical FXO
>> port.
>> >
>> > --
>> > Jay Hennigan - CCIE #7880 - Network Engineering - jay at impulse.net
>> > Impulse Internet Service - http://www.impulse.net/
>> > Your local telephone and internet company - 805 884-6323 - WB6RDV
>> > _______________________________________________
>> > VoiceOps mailing list
>> > VoiceOps at voiceops.org
>> > https://puck.nether.net/mailman/listinfo/voiceops
>> >
>>
>>
>
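Added example, not code from the thread or from the Edgemarc product: a small Python detector that reads a tcpdump-style SIP trace in the layout quoted above and flags INVITEs that reach the gateway from a source address that never completed a REGISTER (no 200 OK), which is the condition Paul describes and the "Limit Inbound to listed Proxies / SIP Servers" setting is meant to close. The embedded sample trace, the gateway address 192.0.2.225 and every other address and number in it are constructed placeholders, not values from the real capture.

```python
import re

# Packet line as tcpdump prints it: "19:23:31.365141 a.b.c.d.port > w.x.y.z.5060:"
PKT_RE = re.compile(r"^(\S+) (\S+)\.\d+ > (\S+)\.\d+:$")

def parse_trace(text):
    """Yield (ts, src_ip, dst_ip, start_line, headers) per packet of a tcpdump-style SIP trace."""
    cur, lines = None, []
    for line in text.splitlines():
        m = PKT_RE.match(line.strip())
        if m:                                   # new packet: remember ts/src/dst, drop ports
            cur, lines = m.groups(), []
        elif "sip header stop" in line:         # end of the SIP block for this packet
            if cur and lines:
                yield cur + (lines[0], lines[1:])
            cur = None                          # ignores trailing "[tos 0xb8]" lines
        elif cur and "sip header start" not in line and line.strip():
            lines.append(line.strip())

def header(headers, name):
    """Value of the first header named `name` (case-insensitive), or ''."""
    return next((h.split(":", 1)[1].strip() for h in headers if h.lower().startswith(name.lower() + ":")), "")

def find_unregistered_invites(text, gateway_ip):
    """List (ts, src_ip, from_user, request_uri) for INVITEs whose source never registered."""
    registered, flagged = set(), []
    for ts, src, dst, start, hdrs in parse_trace(text):
        cseq = header(hdrs, "CSeq")
        if src == gateway_ip and start.startswith("SIP/2.0 200") and cseq.endswith("REGISTER"):
            registered.add(dst)                 # gateway accepted this endpoint's registration
        elif dst == gateway_ip and start.startswith("INVITE") and src not in registered:
            user = re.search(r"sip:([^@>]+)@", header(hdrs, "From"))
            flagged.append((ts, src, user.group(1) if user else "?", start.split()[1]))
    return flagged

def _pkt(ts, src, dst, *hdrs):                  # builds one packet in the trace layout above
    return "\n".join((f"{ts} {src} > {dst}:", ">>> sip header start >>>", *hdrs, "<<< sip header stop <<<")) + "\n"

GW = "192.0.2.225"                              # constructed sample; placeholder addresses only
SAMPLE_TRACE = (
    _pkt("19:18:48.788559", "198.51.100.20.10181", GW + ".5060", "REGISTER sip:192.0.2.225 SIP/2.0",
         "From: <sip:1001@192.0.2.225>;tag=e26e273f", "CSeq: 1 REGISTER")            # never answered
    + _pkt("19:19:00.100000", "203.0.113.5.5060", GW + ".5060", "REGISTER sip:192.0.2.225 SIP/2.0",
           "From: <sip:2002@192.0.2.225>;tag=aa", "CSeq: 1 REGISTER")
    + _pkt("19:19:00.150000", GW + ".5060", "203.0.113.5.5060", "SIP/2.0 200 OK", "CSeq: 1 REGISTER")
    + _pkt("19:23:31.365141", "198.51.100.20.10189", GW + ".5060", "INVITE sip:14735550188@192.0.2.225 SIP/2.0",
           "From: <sip:1001@192.0.2.225>;tag=d909f80a", "CSeq: 1 INVITE")            # should be flagged
    + _pkt("19:25:00.000000", "203.0.113.5.5060", GW + ".5060", "INVITE sip:18005550100@192.0.2.225 SIP/2.0",
           "From: <sip:2002@192.0.2.225>;tag=bb", "CSeq: 1 INVITE")                  # registered phone, ignored
)
```

Feeding the real capture through `find_unregistered_invites(text, "<gateway WAN IP>")` would list the 19:23:31 INVITE from 176.58.68.20, since its REGISTERs were never answered; a hit is the cue to check the inbound proxy restriction and the CDRs for that Call-ID.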