08-03-2007 08:30 AM - edited 03-14-2019 10:55 PM
Hi folks,
I don't know if you have been going through this problem.
Many clients that have access to the Internet through ADSL service are having their phone/voice lines busy because an external user on the Internet takes their lines to make worldwide phone calls, charging the cost to the ADSL user.
The fraud is related to the way the hacker takes the gateway that belongs to another user in another country and provides phone services.
Please let me know if you have heard about this. Is there any vulnerability?
Thanks in advance.
Orlando
08-03-2007 09:30 AM
You need to get in touch with the IXC or whoever is providing the SIP telephony service. They will have a CDR of all calls and the IP address that the call originated from. The reason that these fraudsters are able to make these calls is because there is basically no real authentication at the IXC SIP peer. It should require a username, password, and a hardcoded static IP address (in other words, not just any host should be able to connect to the SIP proxy and generate calls, only hosts from a specific static IP address.) If you can't do that, there will pretty much always be fraud use. Change to a telephony provider that has some security.
HTH - don't forget to rate posts!
-Shikamaru
08-03-2007 10:26 AM
Hi.
Thanks for your reply.
The thing is that behind the ADSL modem we have a PIX and a router with CCME in the LAN that is the local PBX (with SCCP phones; there are no H323/SIP trunks). So the attack was made from the Internet and they reached the LAN to make phone calls (toll fraud) using the IP PBX in the LAN through the COs connected to that router. Do you know about any bug or vulnerability?
Thanks once again!
Regards,
Orlando
08-03-2007 10:30 AM
I'm pasting some info collected about it.
And take a look at the following IP address:
203.121.71.211.
The following phone calls are made from somewhere on the Internet, taking advantage of some vulnerability.
Regards,
Orlando.
*************
WGIRtr01#sho voice call active voice compact
Total call-legs: 8
513 ANS T6 g729r8 VOIP P10101010101 203.121.71.211:18188
514 ORG T6 g729r8 TELE P9001095367356257
515 ANS T6 g729r8 VOIP P10101010101 203.121.71.211:18196
516 ORG T6 g729r8 TELE P90010951534883
517 ANS T4 g729r8 VOIP P10101010101 203.121.71.211:18204
518 ORG T4 g729r8 TELE P9001021260860325
519 ANS T5 g729r8 VOIP P10101010101 203.121.71.211:18212
520 ORG T5 g729r8 TELE P9001095015569
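
A check an administrator could run over captures like the one posted above, as an added example that is not part of the original post: it flags inbound VoIP call legs from addresses outside a trusted list that are bridged to an outbound PSTN leg. The function names, the `trusted_nets` parameter and the pairing rule (adjacent lines with consecutive call-leg IDs belong to one call) are assumptions made for this example.

```python
import ipaddress
import re

# Lines copied from the "show voice call active voice compact" output in the post.
SAMPLE = """\
Total call-legs: 8
513 ANS T6 g729r8 VOIP P10101010101 203.121.71.211:18188
514 ORG T6 g729r8 TELE P9001095367356257
515 ANS T6 g729r8 VOIP P10101010101 203.121.71.211:18196
516 ORG T6 g729r8 TELE P90010951534883
517 ANS T4 g729r8 VOIP P10101010101 203.121.71.211:18204
518 ORG T4 g729r8 TELE P9001021260860325
519 ANS T5 g729r8 VOIP P10101010101 203.121.71.211:18212
520 ORG T5 g729r8 TELE P9001095015569
"""

# id, direction, duration, codec, leg type, peer address, optional remote ip:port
LEG = re.compile(
    r"^\s*(?P<id>\d+)\s+(?P<dir>ANS|ORG)\s+T(?P<secs>\d+)\s+(?P<codec>\S+)\s+"
    r"(?P<type>VOIP|TELE)\s+P(?P<peer>\S*)(?:\s+(?P<ip>[\d.]+):(?P<port>\d+))?\s*$"
)

def parse_legs(text):
    """Return one dict per call-leg line; header and unknown lines are skipped."""
    legs = []
    for line in text.splitlines():
        m = LEG.match(line)
        if m:
            leg = m.groupdict()
            leg["id"] = int(leg["id"])
            legs.append(leg)
    return legs

def find_hairpins(text, trusted_nets=()):
    """Return (remote_ip, pstn_number) for untrusted VoIP-in to PSTN-out calls."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    legs = parse_legs(text)
    findings = []
    for a, b in zip(legs, legs[1:]):
        inbound_voip = a["type"] == "VOIP" and a["dir"] == "ANS" and a["ip"]
        # Assumed pairing rule: the next line with the next leg ID is the far side.
        outbound_pstn = b["type"] == "TELE" and b["dir"] == "ORG" and b["id"] == a["id"] + 1
        if not (inbound_voip and outbound_pstn):
            continue
        if any(ipaddress.ip_address(a["ip"]) in n for n in nets):
            continue  # call came from a peer the administrator trusts
        findings.append((a["ip"], b["peer"]))
    return findings
```

With an empty `trusted_nets`, every VoIP-to-PSTN pair in the capture is reported; a site with no IP trunks, as described in this thread, would expect no findings at all.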
08-03-2007 11:33 AM
If 203.121.71.211 is not your own address, then it has nothing to do with your inside network or with a bug or exploit. Like I said before, if your SIP peer on the Internet is not secure, anyone could connect to it and make calls. It wouldn't matter where the connection came from. That's why I said that if your IXC can't lock it down properly, find another one.
Please rate this post if it helps
-Shikamaru
08-03-2007 11:46 AM
The thing is that we do not use any SIP connection through the Internet. It's just the CCME in the LAN that has been accessed from the Internet... somehow. That CCME does not have any voice/data traffic from/to the Internet, and even so, it happened.
The CCME only has dial-peers to connect to the local PSTN. We don't have dial-peers to any other system/PBX.
Regards,
Orlando
08-03-2007 12:35 PM
You didn't provide which version of Call Manager you are using.
08-03-2007 12:44 PM
The CCME version is 3.3.
IOS 12.3.14T3
Thanks.
08-03-2007 01:05 PM
One vulnerability I know about is (even when not using SIP):
http://www.cisco.com/en/US/products/products_security_advisory09186a00801ea156.shtml
but this shouldn't affect you. Having in mind the facts you detected, you may have to dig deeper for some configuration problems.
08-03-2007 01:13 PM
OK, thanks.
Let me take a look at the link.
Regards,
Orlando
08-17-2007 05:30 AM
Hi Orlando. I have the same problem as you. You must stop udp:5060 and tcp:5060 with an ACL or:
Router(config)#sip-ua
Router(config-sip-ua)#no transport udp
Router(config-sip-ua)#no transport tcp
Router(config-sip-ua)#end
For more info: http://www.cisco.com/warp/public/707/cisco-sa-20070131-sip.shtml
08-28-2007 10:18 AM
Hi,
Thanks a lot for your reply.
I was out of the office, and now I'm back on this case.
I'll try, and let you know if it works for me.
Have a nice day.
Orlando