cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
560
Views
0
Helpful
8
Replies

Cisco 2901 CME makes calls by itself

janos.baros1
Level 1
Level 1

We have a Cisco 2901 with CME  (Version 15.6(2)T, CME 11.0) and are testing SIP-Trunking now.
It is all fine, if we use the codec g729r8, but if we use the codec g711ulaw/alaw, the Router makes ominous things!
It makes calls by itself! The phones, which make the calls, they are not existent!
The number which will be called, are expensive foreign Number!
We do not know, is it a virus?
Did you hear this Problem yet?
Can you help us? If you need, we can send the configuration.
Thanks in advance!

8 Replies 8

Deepak Rawat
Cisco Employee
Cisco Employee

It looks like that someone is hacking into your CME and sending the calls over to it that then goes out to Telco through your CME. Please refer to below document and add a 'Trusted list' in this CME, therefore any IP Address that attempts to establish a call to the CME will be rejected if it is not assigned under the trusted list.

http://www.cisco.com/c/en/us/support/docs/voice/call-routing-dial-plans/112083-tollfraud-ios.html

Regards

Deepak

Thanks for your fast answer.
I knew the side above. There is a little problem with the configuration, if I configure “ip address trusted list”:
If the ip address of the SIP Provider will be changed, we will be not able to take a call from extern.
You can configure under “sip-ua” the sip-server as dns address, but you cannot configure dns address under “ip address trusted list”
Is there a solution too?
Many Thanks

I am sure the SIP Provider will definitely tell you that before changing it. You can simply do it then, it only takes IP Address there in the syntax.

Regards

Deepak

There is a new event!
It is indeed incredible, but I have new calls, despite I have in the ip address trusted list only one address of my SIP Provider.
Now I am really baffled!
I would like to say once more, it is happening, only I have the codec g711!

If it it still happening even after you have added the required IP Addresses in the Trusted List, then I think you should check with TAC for further t/s on this.

Regards

Deepak

Is it possible, that the virus is inside of the router?
I cannot understand, why it happens, if I am using g711 and it does not happen, if I am using g729?

It seems, there was an overlap, because the system works without suspect calls by now since over 17 hours. I hope it will stay forever so.
Many Thanks for your help!

Just to add couple of more things if this is potential threat to your phone system being hacked by someone. first of all do you have any CDR records how longs the bogus user making call to that foregin number? calling and called party numbeR??

Secondly you can apply ACL to your router and other than have lpcor/cor apply to the phone system so that everyone has some sort pin number before they make any calls or International call.

Br,
Nadeem Ahmed

Br, Nadeem Please rate all useful post.