Fraudulent VoIP calls : how to track, control, and/or disable them

walter baziuk
Level 5

We have a mid-size office environment with fewer than 100 users.

In the last few weeks, we have noticed a growing number of fraudulent calls to overseas countries. None of the employees indicated that they called any of the numbers, and none of the numbers has ever been called before. Before this period,

  • we never saw any fraudulent outgoing calls,
  • there were no new employees,
  • the rtr config had not changed,
  • the ASA config had not changed.

We suspect that there is an infected machine/process somewhere that is able to access the local network and initiate outbound calls. We are worried that it may also try to send out some files without our knowledge.

We have disconnected the rtr from the phone lines to prevent any further LAN-initiated calls. Users now use POTS sets.

We have a 2821 rtr running ADV IP Services 12.4(24)T8, with CME for the VoIP users.

We have both VIC2-2FXO and VIC2-2FXS cards.

In front of that is an ASA 5505 in transparent mode running IOS 9.12-k9.

We do not actually know if this is a user, a process, or some Trojan horse that has woken up.

I am looking for a solution for how to track, control, and/or disable these unwanted calls:

  • How can we best find out when the calls are made and who/what initiated them?
  • What information can be gathered if we know when the call was made?
  • Are there additional syslog files that can be enabled to record call information?
  • Can a few specific debug commands be left on without killing the rtr CPU?
  • Are there ACLs that disable specific calling patterns?

My Cisco SE is asking around about this issue. So far, he told me to try this:

"You can have CDR (call detailed record) on the router itself, but you are limited by 100 records or so. Alternatively, you can offload to an external server for logging."

http://www.cisco.com/en/US/docs/ios/voice/cdr/developer/guide/cdrcsv.html

Any help would be useful.

thank you

walter

2 Accepted Solutions


paolo bevilacqua
Hall of Fame

You are being exploited from the Internet, as is very normal for installations done without taking advantage of the experience of a reputable consultant.

Check: http://www.cisco.com/en/US/products/sw/voicesw/ps4625/products_tech_note09186a00809dc487.shtml


4 Replies

walter baziuk
Level 5

Listed below is a sample from the CME CDR log.

It appears that there is a rogue app somewhere on the network attempting to make outbound calls to Israel (cc=972, see below).

It is emulating ephone 1001, which is not a valid ephone number in the rtr config.

I am looking for some s/w that can better decode the UCME/CME CDR format. So far all I see are ones that support UCM/CM CDR formats.

I understand that these two formats are quite different.

Any suggestions for a UCME/CME app to decode the CDR logs?

 

1370984963,11454,0,2,"EBADA50A D21111E2 9BF39CD4 3FA3E5CA","","","16:08:38.492 NewYork Tue Jun 11 2013","","16:08:42.162 NewYork Tue Jun 11 2013","16:09:23.892 NewYork Tue Jun 11 2013","","","answer",0,"",1740,278400,8,1280,"1001","1001","972598769442","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","",42,"","","25","","","","","","","","","","","","","","","","","","","","","","","ton:0,npi:0,#:972598769442","ton:0,npi:0,pi:0,si:0,#:1001","","","","","","","","","","count:1","","Unknown","","","sipv2","","","TWC","06/11/2013 16:08:38.491","1001","972598769442",0,11392,EBADA50A D21111E2 9BF39CD4 3FA3E5CA,2CBE,"","","","","",""

1370984963,11455,0,1,"EBADA50A D21111E2 9BF39CD4 3FA3E5CA","","","16:08:38.514 NewYork Tue Jun 11 2013","","16:08:42.154 NewYork Tue Jun 11 2013","16:09:23.944 NewYork Tue Jun 11 2013","","","originate",0,"",1740,278400,8,1344,"1001","1001","972598769442","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","",42,"Tariff:Unknown","","0","","","","","","","","","","","","","0/5:1","","","","","","","","","","ton:0,npi:0,#:972598769442","ton:0,npi:0,pi:0,si:0,#:1001","","","","ton:0,npi:0,#:2598769442","ton:0,npi:0,pi:0,si:0,#:1001","","","","","","","Unknown","","Vonage-VoIP","","","","TWC","06/11/2013 16:08:38.507","1001","972598769442",0,11393,EBADA50A D21111E2 9BF39CD4 3FA3E5CA,2CBF,"","","","","",""

  

1370984976,11457,0,2,"9345B99 D21211E2 9BFA9CD4 3FA3E5CA","","","16:09:28.028 NewYork Tue Jun 11 2013","","16:09:31.888 NewYork Tue Jun 11 2013","16:09:36.378 NewYork Tue Jun 11 2013","","","answer",0,"",148,23680,6,960,"1001","1001","912462562918","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","",4,"","","0","","","","","","","","","","","","","","","","","","","","","","","ton:0,npi:0,#:912462562918","ton:0,npi:0,pi:0,si:0,#:1001","","","","","","","","","","count:1","","Unknown","","","sipv2","","","TWC","06/11/2013 16:09:28.032","1001","912462562918",0,11394,9345B99 D21211E2 9BFA9CD4 3FA3E5CA,2CC1,"","","","","",""

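The three records above (and the SE's suggestion in the original post to collect CDRs) can be triaged with a short script rather than a GUI decoder. This is an added example and is not code from the thread or from Cisco: it reads CME file-accounting CSV records with Python's csv module, using the column positions that can be read directly off the records posted above (call origin at column 13, calling number at 20, called number at 22, connect and disconnect timestamps at 9 and 10, and the per-call ID at column 4, which both legs of one call share), and flags any leg whose calling number is not a configured ephone-dn or whose called number falls outside an allowed dialling prefix. The sample input is the first 23 columns of the three posted records plus one constructed legitimate call for contrast; the extension list KNOWN_EXTENSIONS and the prefix list ALLOWED_PREFIXES are assumptions to be replaced with the site's own.

```python
import csv
import io
from datetime import datetime

# Column positions, read off the records posted in this thread (0-based).
F_SEQ, F_LEG, F_CONF = 1, 3, 4
F_SETUP, F_CONNECT, F_DISCONNECT = 7, 9, 10
F_ORIGIN, F_CALLING, F_CALLED = 13, 20, 22

# Assumptions for this site: the ephone-dns actually configured on the CME, and
# the only dialled-number prefix expected (NANP numbers dialled with a leading 1).
KNOWN_EXTENSIONS = {"2001", "2002", "2003"}
ALLOWED_PREFIXES = ("1",)

# Constructed sample: the first 23 columns of the three records posted above
# (unused trailing columns omitted) plus one made-up legitimate call for contrast.
SAMPLE_CDR = """\
1370984963,11454,0,2,"EBADA50A D21111E2 9BF39CD4 3FA3E5CA","","","16:08:38.492 NewYork Tue Jun 11 2013","","16:08:42.162 NewYork Tue Jun 11 2013","16:09:23.892 NewYork Tue Jun 11 2013","","","answer",0,"",1740,278400,8,1280,"1001","1001","972598769442"
1370984963,11455,0,1,"EBADA50A D21111E2 9BF39CD4 3FA3E5CA","","","16:08:38.514 NewYork Tue Jun 11 2013","","16:08:42.154 NewYork Tue Jun 11 2013","16:09:23.944 NewYork Tue Jun 11 2013","","","originate",0,"",1740,278400,8,1344,"1001","1001","972598769442"
1370984976,11457,0,2,"9345B99 D21211E2 9BFA9CD4 3FA3E5CA","","","16:09:28.028 NewYork Tue Jun 11 2013","","16:09:31.888 NewYork Tue Jun 11 2013","16:09:36.378 NewYork Tue Jun 11 2013","","","answer",0,"",148,23680,6,960,"1001","1001","912462562918"
1370985100,11460,0,1,"CONSTRUCTED-LEGIT-CALL","","","16:11:40.000 NewYork Tue Jun 11 2013","","16:11:45.000 NewYork Tue Jun 11 2013","16:12:45.000 NewYork Tue Jun 11 2013","","","originate",0,"",3000,480000,8,1344,"2001","2001","12125551212"
"""


def parse_cme_time(text):
    """Parse '16:08:42.162 NewYork Tue Jun 11 2013'; the zone name and weekday are ignored."""
    if not text:
        return None
    t = text.split()
    return datetime.strptime(f"{t[0]} {t[3]} {t[4]} {t[5]}", "%H:%M:%S.%f %b %d %Y")


def suspicious(rec):
    """Reasons a single leg record looks like toll fraud (empty list if none)."""
    reasons = []
    calling, called = rec[F_CALLING], rec[F_CALLED]
    if calling not in KNOWN_EXTENSIONS:
        reasons.append(f"calling number {calling} is not a configured ephone-dn")
    if not called.startswith(ALLOWED_PREFIXES):
        reasons.append(f"called number {called} is outside the allowed prefixes")
    return reasons


def analyze(cdr_text):
    """Group flagged legs by the call ID in column 4 and return one summary per call."""
    calls = {}
    for rec in csv.reader(io.StringIO(cdr_text)):
        if len(rec) <= F_CALLED:
            continue                        # blank or truncated line
        reasons = suspicious(rec)
        if not reasons:
            continue
        call = calls.setdefault(rec[F_CONF], {
            "calling": rec[F_CALLING], "called": rec[F_CALLED],
            "setup": rec[F_SETUP], "duration_s": 0.0, "legs": [], "reasons": set(),
        })
        call["legs"].append(rec[F_ORIGIN])
        call["reasons"].update(reasons)
        connect, disconnect = parse_cme_time(rec[F_CONNECT]), parse_cme_time(rec[F_DISCONNECT])
        if connect and disconnect:          # unanswered legs have no connect time
            call["duration_s"] = max(call["duration_s"], (disconnect - connect).total_seconds())
    return calls


if __name__ == "__main__":
    for conf_id, call in analyze(SAMPLE_CDR).items():
        print(f"{call['setup']}  {call['calling']} -> {call['called']}  "
              f"{call['duration_s']:.1f}s  legs={call['legs']}  id={conf_id}")
        for reason in sorted(call["reasons"]):
            print(f"    {reason}")
```

Run against a full CDR file (for example one collected by the external accounting server the SE mentioned), the script reports the two rogue calls above, each with both its answer and originate legs, and ignores the constructed 2001 call. Because the calling number 1001 is not in the configured extension list, the flag fires even for calls to prefixes that would otherwise be allowed, which is the signal walter describes: a device that is not a registered ephone is placing calls through the CME.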


Hello Paolo,

Thank you for the document. I think it will work for me!!

I have added this to the top of my incoming ACL.

As I don't need any other SIP unit to call my CME, I want to drop all incoming SIP calls or anything that could use my CME.

remark ============ *** Toll Fraud prevention
deny udp any eq 5060 any
deny udp any any eq 5060
deny udp any any range 16384 32767

Is there anything else that I should do to stop incoming calls?

So far, this is what my new ACL is dropping:

Extended IP access list incoming-traffic
    10 deny udp any eq 5060 any
    20 deny udp any any eq 5060
    30 deny udp any any range 16384 32767 (2121 matches)   <- after 2 hours

walter

You are welcome, please remember to rate useful posts clicking on the stars below.
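To see exactly what the ACL posted above admits and drops, here is an added example that is not from the thread or from Cisco: a minimal first-match evaluator for the subset of IOS extended-ACL syntax used in those three lines, run over a handful of constructed packets. The fourth line, 40 permit ip any any, is an assumption standing in for whatever the rest of walter's existing incoming ACL permits; 198.51.100.10 (the CME's outside address), the 203.0.113.x scanner and the 192.0.2.5 provider proxy are constructed RFC 5737 documentation addresses; and treating the Vonage-VoIP dial-peer visible in the CDR as a SIP trunk that signals on UDP 5060 is an assumption.

```python
import ipaddress

# The three lines walter added, copied from the post above, plus an assumed
# "permit ip any any" standing in for the rest of his existing incoming ACL.
ACL = """
10 deny udp any eq 5060 any
20 deny udp any any eq 5060
30 deny udp any any range 16384 32767
40 permit ip any any
"""

# Constructed traffic (RFC 5737 documentation addresses): 198.51.100.10 stands
# for the CME's outside address. Treating the "Vonage-VoIP" dial-peer seen in
# the CDR as a SIP trunk that signals on UDP 5060 is an assumption.
SAMPLES = [
    ("unsolicited INVITE from an internet scanner",       "udp", "203.0.113.7",  5060,  "198.51.100.10", 5060),
    ("INVITE from a scanner on an ephemeral source port", "udp", "203.0.113.7",  41234, "198.51.100.10", 5060),
    ("RTP pushed at the CME media port range",            "udp", "203.0.113.7",  40000, "198.51.100.10", 16400),
    ("SIP reply from the provider's proxy (assumed)",     "udp", "192.0.2.5",    5060,  "198.51.100.10", 5060),
    ("TCP reply to a web session on a port in that range","tcp", "203.0.113.50", 443,   "198.51.100.10", 20000),
]


def _parse_endpoint(tokens, i):
    """Consume 'any' | 'host A' | 'A WILDCARD' and an optional 'eq P' / 'range A B'."""
    if tokens[i] == "any":
        net, i = ipaddress.ip_network("0.0.0.0/0"), i + 1
    elif tokens[i] == "host":
        net, i = ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    else:                                   # address followed by a wildcard (host) mask
        net, i = ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2
    ports = None
    if i < len(tokens) and tokens[i] == "eq":
        ports, i = (int(tokens[i + 1]),) * 2, i + 2
    elif i < len(tokens) and tokens[i] == "range":
        ports, i = (int(tokens[i + 1]), int(tokens[i + 2])), i + 3
    return net, ports, i


def parse_acl(text):
    """Parse numbered 'seq action proto src [ports] dst [ports]' lines; remarks are skipped."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t or "remark" in t[:2]:
            continue
        seq, action, proto = int(t[0]), t[1], t[2]
        src, sports, i = _parse_endpoint(t, 3)
        dst, dports, _ = _parse_endpoint(t, i)
        rules.append((seq, action, proto, src, sports, dst, dports))
    return rules


def evaluate(rules, proto, src, sport, dst, dport):
    """First matching line wins, as in IOS; no match means the implicit deny (seq None)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for seq, action, rproto, rsrc, rsports, rdst, rdports in rules:
        if rproto not in ("ip", proto):
            continue
        if s not in rsrc or d not in rdst:
            continue
        if rsports and not rsports[0] <= sport <= rsports[1]:
            continue
        if rdports and not rdports[0] <= dport <= rdports[1]:
            continue
        return action, seq
    return "deny", None


def check_samples(acl_text=ACL):
    """Map each sample packet's label to the (action, line) the ACL applies to it."""
    rules = parse_acl(acl_text)
    return {label: evaluate(rules, *pkt) for label, *pkt in SAMPLES}


if __name__ == "__main__":
    for label, (action, seq) in check_samples().items():
        print(f"{action:6} line {seq}: {label}")
```

The run shows the two behaviours worth checking before leaving this ACL in place. The scanner traffic and inbound RTP are dropped on lines 10, 20 and 30, which is the intent. Line 10, however, matches any UDP packet sourced from port 5060 regardless of its origin, so if the Vonage-VoIP trunk is ever put back into service its SIP responses would be dropped by the same line; a permit for the provider's signalling addresses would have to sit above line 10. The TCP sample also shows that line 30 is UDP-only, so it does not disturb TCP sessions that happen to land in the 16384-32767 port range.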