04-25-2014 04:37 AM - edited 03-16-2019 10:34 PM
Service provider telephone bill shows INTL calls made to a single international number several times from different internal extensions, though those extensions have no INTL access. Checked CDR for those dates and times and nothing was found. Checked system logs and security logs, but nothing was found.
Is this possible, and if so, how to find out what's going wrong?
SP says the CUCM security is compromised. I don't know on what basis SP says this, though the customer has asked for an explanation. There is no direct internet connection terminated on the voice gateway. A single PRI line is used for 300 DIDs. Voice gateways are added as H323 gateways.
04-25-2014 05:03 AM
Please check the link below, as it has a lot of ways to block toll fraud.
http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucme/admin/configuration/guide/cmeadm/cmetoll.html
In the meantime, you can collect the CDR data from the call manager and also collect detailed call manager traces to see whether those calls even reached call manager or not, because this can also happen at the router level.
Post the CDR data and the detailed call manager traces here with the extensions that were involved in this.
04-25-2014 08:51 AM
In addition to the points suggested by Manpreet, H323 gateways running a version prior to 15.x have no security. Someone with a VoIP softclient can point the softclient at the H323 gateway and make calls all day long, and it won't show up on CDRs. You could add an ACL to the H323 interface to only allow H323 signaling (port 1720) from CUCM, or upgrade to a 15.x train. If you are on a 15.x train, make sure you don't have the following set: http://www.cisco.com/c/en/us/support/docs/voice/call-routing-dial-plans/112083-tollfraud-ios.html
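The two replies above come down to one check: which billed calls have no matching CUCM CDR row, since those never passed through call manager and point at the gateway. The following is an added example, not part of any post in this thread; the bill layout, all numbers, the UTC assumption and the 120-second tolerance are constructed, and only the CDR column names follow the CUCM CDR export.

```python
import re
from datetime import datetime, timezone

def to_epoch(ts):
    """Parse 'YYYY-MM-DD HH:MM:SS' (assumed UTC) into epoch seconds."""
    dt = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
    return int(dt.replace(tzinfo=timezone.utc).timestamp())

def digits(number):
    """Keep digits only so '+999...' and '9011999...' can be compared."""
    return re.sub(r"\D", "", number)

# Constructed provider bill lines: (call start in UTC, dialed number).
BILL = [
    ("2014-04-20 02:14:05", "+99955501234"),
    ("2014-04-20 02:31:40", "+99955501234"),
    ("2014-04-21 09:02:10", "+99955509876"),
]

# Constructed CDR rows; dateTimeOrigination is epoch seconds in a CDR export.
CDR = [
    {"dateTimeOrigination": to_epoch("2014-04-21 09:02:02"),
     "callingPartyNumber": "2041",
     "finalCalledPartyNumber": "901199955509876"},
    {"dateTimeOrigination": to_epoch("2014-04-20 02:15:00"),
     "callingPartyNumber": "2050",
     "finalCalledPartyNumber": "2041"},
]

def calls_missing_from_cdr(bill, cdr, tolerance_s=120):
    """Return billed calls with no CDR row near the same time to the same number."""
    unused = list(cdr)          # each CDR row may explain only one billed call
    missing = []
    for start, dialed in bill:
        t, want = to_epoch(start), digits(dialed)
        hit = next((row for row in unused
                    if abs(int(row["dateTimeOrigination"]) - t) <= tolerance_s
                    # CDR digits may carry an access or international prefix
                    and digits(row["finalCalledPartyNumber"]).endswith(want)),
                   None)
        if hit is None:
            missing.append((start, dialed))
        else:
            unused.remove(hit)
    return missing

if __name__ == "__main__":
    for start, dialed in calls_missing_from_cdr(BILL, CDR):
        print(f"{start} -> {dialed}: billed, but absent from CUCM CDR")
```

Billed calls that this returns are the ones to trace on the gateway itself rather than in CUCM.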
04-26-2014 08:58 PM
There is neither CME nor CUBE configured on the router. Can this still be the case? Please reply.
I have already checked CDR, so how will collecting CDR data help? I did not understand this. Please help. Secondly, which CUCM traces should be collected?
I have gone through the link which you posted; it is specifically for CME, and I don't have CME.
If I add the IP address list, I also need to add those internal extensions from which the calls were executed, as those extensions also need outside dialing. Then how will I know it's a fraud call?
05-11-2014 04:05 PM
Do you have a voicemail system? Unity or third-party. Check also the system Out calling / transfer rules, and restriction tables, default PINs.
These systems can often be compromised if the defaults have been left.