11-04-2010 11:12 PM - edited 03-21-2019 03:14 AM
Hi!
The last days I see fraud calls on our 540. I have no idea where they come from! SIP is not accessible from external WAN Conn.
Call duration is always unknown (for normal calls I have one).
Help! How can I find the origin... is it internal or external?
139 | 22:00:25 CET Thu Nov 4 2010 | 1 | 00972599216069 | <Unknown> |
140 | 22:00:28 CET Thu Nov 4 2010 | 1 | 0972599216069 | <Unknown> |
141 | 22:00:31 CET Thu Nov 4 2010 | 1 | 2972599216069 | <Unknown> |
142 | 22:00:34 CET Thu Nov 4 2010 | 1 | 1972599216069 | <Unknown> |
143 | 22:00:38 CET Thu Nov 4 2010 | 1 | 972599216069 | <Unknown> |
144 | 22:00:40 CET Thu Nov 4 2010 | 1 | 0011972599216069 | <Unknown> |
145 | 22:01:10 CET Thu Nov 4 2010 | 1 | 0043820894307 | <Unknown> |
146 | 22:01:21 CET Thu Nov 4 2010 | 1 | 0043820894307 | <Unknown> |
147 | 22:01:21 CET Thu Nov 4 2010 | 1 | 0043820894307 | <Unknown> |
148 | 22:01:22 CET Thu Nov 4 2010 | 1 | 0043820894307 | <Unknown> |
149 | 22:01:22 CET Thu Nov 4 2010 | 1 | 0043820894307 | <Unknown> |
150 | 22:01:23 CET Thu Nov 4 2010 | 1 | 0043820894307 | <Unknown> |
151 | 22:01:23 CET Thu Nov 4 2010 | 1 | 0043820894307 | <Unknown> |
152 | 22:02:06 CET Thu Nov 4 2010 | 1 | 0043820894307 | <Unknown> |
153 | 22:02:03 CET Thu Nov 4 2010 | 1 | 0043820894307 | <Unknown> |
154 | 22:02:05 CET Thu Nov 4 2010 | 1 | 0043820894307 | <Unknown> |
155 | 22:02:05 CET Thu Nov 4 2010 | 1 | 0043820894307 | <Unknown> |
156 | 22:02:06 CET Thu Nov 4 2010 | 1 | 0043820894307 | <Unknown> |
157 | 22:02:06 CET Thu Nov 4 2010 | 1 | 0043820894307 | <Unknown> |
158 | 22:02:48 CET Thu Nov 4 2010 | 1 | 2972599216069 | <Unknown> |
159 | 22:02:49 CET Thu Nov 4 2010 | 1 | 011972599216069 | <Unknown> |
160 | 22:03:47 CET Thu Nov 4 2010 | 888001 | 00972599216069 | <Unknown> |
161 | 22:03:30 CET Thu Nov 4 2010 | 888001 | 00972599216069 | <Unknown> |
162 | 22:23:39 CET Thu Nov 4 2010 | 1 | 00972599216069 | <Unknown> |
163 | 22:23:59 CET Thu Nov 4 2010 | 1 | 0972599216069 | <Unknown> |
164 | 22:23:59 CET Thu Nov 4 2010 | 1 | 2972599216069 | <Unknown> |
165 | 22:24:00 CET Thu Nov 4 2010 | 1 | 1972599216069 | <Unknown> |
166 | 22:24:00 CET Thu Nov 4 2010 | 1 | 972599216069 | <Unknown> |
167 | 22:24:01 CET Thu Nov 4 2010 | 1 | 0011972599216069 | <Unknown> |
168 | 22:24:37 CET Thu Nov 4 2010 | 1 | 11972599216069 | <Unknown> |
169 | 05:40:09 CET Fri Nov 5 2010 | 1 | 0087204210218 | <Unknown> |
170 | 05:40:17 CET Fri Nov 5 2010 | 1 | 00972599016720 | <Unknown> |
11-05-2010 10:24 AM
CDR records should show what the calling number was for the calls. Do you have any of that information?
11-05-2010 12:01 PM
Hmm, I enabled all the logging stuff. How can I find those details?
thanks!
11-05-2010 03:24 PM
Hmm, I upgraded to the latest 8.0.4 but I see the "call history" item in CME is gone?!?!?! Now I can't see if this fraud is still happening anymore..ahhhhh
11-08-2010 04:56 AM
You should call your ISP and tell them you are noticing fraud calls. They will block them temporarily. Then I would make sure you have the firewall and access-lists on your device actually enabled.
11-08-2010 04:58 AM
Also to mention, I have seen fraud calls before... They weren't to the same number; it looks like you have all the calls to the same two or three numbers... like it is someone inside dialing overseas or to the same numbers. The fraud calls I saw were thousands of calls to all different numbers.
11-08-2010 08:26 AM
Dear Sir;
Can you provide some information on:
- CME version used
- Whether you used CCA to configure the system (please specify version if so).
Please take a look below, comments and instructions to secure your UC500 for toll fraud.
https://supportforums.cisco.com/message/3163226#3163226
http://www.cisco.com/en/US/products/sw/voicesw/ps4625/products_tech_note09186a00809dc487.shtml
Regards
Alberto
11-08-2010 10:31 AM
If you run 'debug voip ccapi inout' you can verify how the toll fraud is occurring. 'debug ccsip mess' and 'debug h225 asn' if you're concerned with what protocol it is actually coming in as. It's likely either an inbound SIP or H323 call to the box that is causing it, though.
To take measures to secure your box, read these threads:
https://supportforums.cisco.com/message/3211319#3211319
https://supportforums.cisco.com/message/3163228#3163228
https://supportforums.cisco.com/message/3180799#3180799
https://supportforums.cisco.com/docs/DOC-12228
12-13-2010 01:54 AM
Hi!
Well, the calls occurred again. I block H323 and SIP of course (from external).
Cisco IOS Software, UC500 Software (UC500-ADVIPSERVICESK9-M), Version 15.0(1)XA3a, SBTG Special
Small Business Support: http://www.cisco.com/go/smallbizhelp
004950: Dec 10 23:35:17.358: %ISDN-6-CONNECT: Interface Serial0/2/0:4 is now connected to 00972599016720 N/A
004951: Dec 10 23:37:03.497: %ISDN-6-CONNECT: Interface Serial0/2/0:7 is now connected to 00972598703838 N/A
004955: Dec 11 00:03:36.720: %ISDN-6-DISCONNECT: Interface Serial0/2/0:7 disconnected from 00972598703838 , call lasted 1593 seconds
004956: Dec 11 00:03:36.724: %ISDN-6-DISCONNECT: Interface Serial0/2/0:4 disconnected from 00972599016720 , call lasted 1699 seconds
004966: Dec 11 02:19:06.215: %ISDN-6-CONNECT: Interface Serial0/2/0:20 is now connected to 0025230221004 N/A
004967: Dec 11 02:19:09.640: %ISDN-6-DISCONNECT: Interface Serial0/2/0:20 disconnected from 0025230221004 , call lasted 3 seconds
004968: Dec 11 02:19:21.116: %ISDN-6-CONNECT: Interface Serial0/2/0:19 is now connected to 0025230221045 N/A
004969: Dec 11 02:19:24.524: %ISDN-6-DISCONNECT: Interface Serial0/2/0:19 disconnected from 0025230221045 , call lasted 3 seconds
004970: Dec 11 02:21:37.920: %ISDN-6-CONNECT: Interface Serial0/2/0:8 is now connected to 002525237513223 N/A
004971: Dec 11 02:21:41.380: %ISDN-6-DISCONNECT: Interface Serial0/2/0:8 disconnected from 002525237513223 , call lasted 3 seconds
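An added example, not part of any post in this thread: a small Python parser for the `%ISDN-6-CONNECT` / `%ISDN-6-DISCONNECT` syslog lines shown above that pairs them per B-channel and lists international calls placed off-hours. The `00` international prefix and the 22:00-06:00 quiet window are assumptions; adjust them to your dial plan.

```python
import re
from collections import defaultdict

# Log lines copied from the post above (Cisco IOS syslog, ISDN PRI B-channels).
SAMPLE = """\
004950: Dec 10 23:35:17.358: %ISDN-6-CONNECT: Interface Serial0/2/0:4 is now connected to 00972599016720 N/A
004951: Dec 10 23:37:03.497: %ISDN-6-CONNECT: Interface Serial0/2/0:7 is now connected to 00972598703838 N/A
004955: Dec 11 00:03:36.720: %ISDN-6-DISCONNECT: Interface Serial0/2/0:7 disconnected from 00972598703838 , call lasted 1593 seconds
004956: Dec 11 00:03:36.724: %ISDN-6-DISCONNECT: Interface Serial0/2/0:4 disconnected from 00972599016720 , call lasted 1699 seconds
004966: Dec 11 02:19:06.215: %ISDN-6-CONNECT: Interface Serial0/2/0:20 is now connected to 0025230221004 N/A
004967: Dec 11 02:19:09.640: %ISDN-6-DISCONNECT: Interface Serial0/2/0:20 disconnected from 0025230221004 , call lasted 3 seconds
"""

CONNECT = re.compile(r"(\w{3} +\d+ [\d:.]+): %ISDN-6-CONNECT: Interface (\S+) is now connected to (\d+)")
DISCONNECT = re.compile(r"%ISDN-6-DISCONNECT: Interface (\S+) disconnected from (\d+) ?, call lasted (\d+) seconds")

def parse_calls(log_text):
    """Pair each CONNECT with the DISCONNECT on the same B-channel."""
    open_calls, calls = {}, []
    for line in log_text.splitlines():
        m = CONNECT.search(line)
        if m:
            start, channel, number = m.groups()
            open_calls[channel] = (start, number)
            continue
        m = DISCONNECT.search(line)
        if m:
            channel, number, secs = m.groups()
            # start stays None if the CONNECT was rotated out of the log
            start, _ = open_calls.pop(channel, (None, number))
            calls.append({"start": start, "channel": channel, "number": number, "seconds": int(secs)})
    # Calls still up when the log ends: duration unknown (None)
    for channel, (start, number) in open_calls.items():
        calls.append({"start": start, "channel": channel, "number": number, "seconds": None})
    return calls

def suspicious(calls, intl_prefix="00", quiet=(22, 6)):
    """International calls started inside the quiet window (assumed policy)."""
    hits = []
    for c in calls:
        if c["start"] and c["number"].startswith(intl_prefix):
            hour = int(c["start"].split()[2][:2])
            if hour >= quiet[0] or hour < quiet[1]:
                hits.append(c)
    return hits

def seconds_by_destination(calls):
    totals = defaultdict(int)
    for c in calls:
        totals[c["number"]] += c["seconds"] or 0
    return dict(totals)
```

The per-destination totals give the figures to hand to the carrier, and the channel and start time of each hit tell you which window of `debug voip ccapi inout` output to search for the matching dial-peer.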
12-13-2010 06:25 AM
You need more than that output to diagnose where the toll fraud calls are coming from.
Run:
debug voip ccapi inout
debug ccsip mess
debug h225 asn1
Then when an issue occurs, pull the log, and see where the INVITE or SETUP is coming from and what dial-peer it is matching.
12-14-2010 06:41 PM
If you can track down the dial-peer mentioned above that could really help you.. otherwise I've seen this when a dial-peer doesn't match a DID and it dumps it back to a dial-tone.
You may want to try dialing each DID until you find one that returns a dial tone; if you don't find one then it's almost certainly via SIP.
It's only the beginning for you; now that they know you have an open system they could start racking up a few thousand dollars in calls in just one evening, a bill which in most cases you're forced to pay.