
UC540 Fraud Calls - Help

kmmehl
Level 1

Hi!

Over the last days I have been seeing fraud calls on our 540. I have no idea where they come from! SIP is not accessible from the external WAN connection.

Call duration is always unknown (for normal calls I have one).

Help! How can I find the origin? Is it internal or external?





139 | 22:00:25 CET Thu Nov 4 2010 | 1 | 00972599216069 | <Unknown>
140 | 22:00:28 CET Thu Nov 4 2010 | 1 | 0972599216069 | <Unknown>
141 | 22:00:31 CET Thu Nov 4 2010 | 1 | 2972599216069 | <Unknown>
142 | 22:00:34 CET Thu Nov 4 2010 | 1 | 1972599216069 | <Unknown>
143 | 22:00:38 CET Thu Nov 4 2010 | 1 | 972599216069 | <Unknown>
144 | 22:00:40 CET Thu Nov 4 2010 | 1 | 0011972599216069 | <Unknown>
145 | 22:01:10 CET Thu Nov 4 2010 | 1 | 0043820894307 | <Unknown>
146 | 22:01:21 CET Thu Nov 4 2010 | 1 | 0043820894307 | <Unknown>
147 | 22:01:21 CET Thu Nov 4 2010 | 1 | 0043820894307 | <Unknown>
148 | 22:01:22 CET Thu Nov 4 2010 | 1 | 0043820894307 | <Unknown>
149 | 22:01:22 CET Thu Nov 4 2010 | 1 | 0043820894307 | <Unknown>
150 | 22:01:23 CET Thu Nov 4 2010 | 1 | 0043820894307 | <Unknown>
151 | 22:01:23 CET Thu Nov 4 2010 | 1 | 0043820894307 | <Unknown>
152 | 22:02:06 CET Thu Nov 4 2010 | 1 | 0043820894307 | <Unknown>
153 | 22:02:03 CET Thu Nov 4 2010 | 1 | 0043820894307 | <Unknown>
154 | 22:02:05 CET Thu Nov 4 2010 | 1 | 0043820894307 | <Unknown>
155 | 22:02:05 CET Thu Nov 4 2010 | 1 | 0043820894307 | <Unknown>
156 | 22:02:06 CET Thu Nov 4 2010 | 1 | 0043820894307 | <Unknown>
157 | 22:02:06 CET Thu Nov 4 2010 | 1 | 0043820894307 | <Unknown>
158 | 22:02:48 CET Thu Nov 4 2010 | 1 | 2972599216069 | <Unknown>
159 | 22:02:49 CET Thu Nov 4 2010 | 1 | 011972599216069 | <Unknown>
160 | 22:03:47 CET Thu Nov 4 2010 | 888001 | 00972599216069 | <Unknown>
161 | 22:03:30 CET Thu Nov 4 2010 | 888001 | 00972599216069 | <Unknown>
162 | 22:23:39 CET Thu Nov 4 2010 | 1 | 00972599216069 | <Unknown>
163 | 22:23:59 CET Thu Nov 4 2010 | 1 | 0972599216069 | <Unknown>
164 | 22:23:59 CET Thu Nov 4 2010 | 1 | 2972599216069 | <Unknown>
165 | 22:24:00 CET Thu Nov 4 2010 | 1 | 1972599216069 | <Unknown>
166 | 22:24:00 CET Thu Nov 4 2010 | 1 | 972599216069 | <Unknown>
167 | 22:24:01 CET Thu Nov 4 2010 | 1 | 0011972599216069 | <Unknown>
168 | 22:24:37 CET Thu Nov 4 2010 | 1 | 11972599216069 | <Unknown>
169 | 05:40:09 CET Fri Nov 5 2010 | 1 | 0087204210218 | <Unknown>
170 | 05:40:17 CET Fri Nov 5 2010 | 1 | 00972599016720 | <Unknown>

10 Replies

Nathan Compton
Level 4

CDR records should show what the calling number was for the calls.  Do you have any of that information? 

Hmm, I enabled all the logging stuff. How can I find those details?

Thanks!

Hmm, I upgraded to the latest 8.0.4, but I see the "call history" item in CME is gone?! Now I can't see if this fraud is still happening anymore... ahhhhh

You should call your ISP and tell them you are noticing fraud calls. They will block them temporarily. Then I would make sure you have the firewall and access-lists on your device actually enabled.

Also to mention, I have seen fraud calls before... They weren't to the same number; it looks like you have all the calls to the same two or three numbers... like it is someone inside dialing overseas or to the same numbers. The fraud calls I saw were thousands of calls to all different numbers.
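Added example (not part of any post in this thread): in the call history in the first post, the same trailing digits are dialed with several different leading digit strings only seconds apart. The Python below flags that pattern from a subset of those rows; the 9-digit suffix length, the 60-second window and the threshold of 3 prefixes are assumptions, and `prefix_sweeps` is a hypothetical helper name.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Subset of rows copied from the call history in the first post:
# (timestamp, called number). Weekday and time zone are dropped for parsing.
ROWS = [
    ("22:00:25 Nov 4 2010", "00972599216069"),
    ("22:00:28 Nov 4 2010", "0972599216069"),
    ("22:00:31 Nov 4 2010", "2972599216069"),
    ("22:00:34 Nov 4 2010", "1972599216069"),
    ("22:00:38 Nov 4 2010", "972599216069"),
    ("22:00:40 Nov 4 2010", "0011972599216069"),
    ("22:01:10 Nov 4 2010", "0043820894307"),
    ("22:01:21 Nov 4 2010", "0043820894307"),
    ("22:01:23 Nov 4 2010", "0043820894307"),
]

def prefix_sweeps(rows, suffix_len=9, window=timedelta(seconds=60), min_prefixes=3):
    """Return {suffix: sorted prefixes} for numbers whose last `suffix_len`
    digits were dialed with at least `min_prefixes` different leading digit
    strings inside one `window` (all three values are assumed defaults)."""
    by_suffix = defaultdict(list)
    for stamp, number in rows:
        when = datetime.strptime(stamp, "%H:%M:%S %b %d %Y")
        by_suffix[number[-suffix_len:]].append((when, number[:-suffix_len]))
    flagged = {}
    for suffix, attempts in by_suffix.items():
        attempts.sort()
        # Slide the window start over every attempt for this suffix.
        for i, (start, _) in enumerate(attempts):
            seen = {p for t, p in attempts[i:] if t - start <= window}
            if len(seen) >= min_prefixes:
                flagged[suffix] = sorted(seen)
                break
    return flagged

if __name__ == "__main__":
    for suffix, prefixes in prefix_sweeps(ROWS).items():
        print(f"...{suffix}: {len(prefixes)} prefixes in one window: {prefixes}")
```

Repeated calls to one number with one prefix, like the `0043820894307` rows, are not flagged by this check.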

Dear Sir;

Can you provide some information on:

- CME version used

- Whether you used CCA to configure the system (please specify version if so).

Please take a look below for comments and instructions to secure your UC500 against toll fraud.

https://supportforums.cisco.com/message/3163226#3163226

http://www.cisco.com/en/US/products/sw/voicesw/ps4625/products_tech_note09186a00809dc487.shtml

Regards
Alberto

Steven Holl
Cisco Employee

If you run 'debug voip ccapi inout' you can verify how the toll fraud is occurring.  'debug ccsip mess' and 'debug h225 asn' if you're concerned with what protocol it is actually coming in as.  It's likely either an inbound SIP or H323 call to the box that is causing it, though.

To take measures to secure your box, read these threads:

https://supportforums.cisco.com/message/3211319#3211319
https://supportforums.cisco.com/message/3163228#3163228
https://supportforums.cisco.com/message/3180799#3180799
https://supportforums.cisco.com/docs/DOC-12228

Hi!

Well, the calls occurred again. I block H323 and SIP of course (from external).

Cisco IOS Software, UC500 Software (UC500-ADVIPSERVICESK9-M), Version 15.0(1)XA3a, SBTG Special

Small Business Support: http://www.cisco.com/go/smallbizhelp

004950: Dec 10 23:35:17.358: %ISDN-6-CONNECT: Interface Serial0/2/0:4 is now connected to 00972599016720 N/A

004951: Dec 10 23:37:03.497: %ISDN-6-CONNECT: Interface Serial0/2/0:7 is now connected to 00972598703838 N/A

004955: Dec 11 00:03:36.720: %ISDN-6-DISCONNECT: Interface Serial0/2/0:7  disconnected from 00972598703838 , call lasted 1593 seconds

004956: Dec 11 00:03:36.724: %ISDN-6-DISCONNECT: Interface Serial0/2/0:4  disconnected from 00972599016720 , call lasted 1699 seconds

004966: Dec 11 02:19:06.215: %ISDN-6-CONNECT: Interface Serial0/2/0:20 is now connected to 0025230221004 N/A

004967: Dec 11 02:19:09.640: %ISDN-6-DISCONNECT: Interface Serial0/2/0:20  disconnected from 0025230221004 , call lasted 3 seconds

004968: Dec 11 02:19:21.116: %ISDN-6-CONNECT: Interface Serial0/2/0:19 is now connected to 0025230221045 N/A

004969: Dec 11 02:19:24.524: %ISDN-6-DISCONNECT: Interface Serial0/2/0:19  disconnected from 0025230221045 , call lasted 3 seconds

004970: Dec 11 02:21:37.920: %ISDN-6-CONNECT: Interface Serial0/2/0:8 is now connected to 002525237513223 N/A

004971: Dec 11 02:21:41.380: %ISDN-6-DISCONNECT: Interface Serial0/2/0:8  disconnected from 002525237513223 , call lasted 3 seconds

You need more than that output to diagnose where the toll fraud calls are coming from.

Run:

debug voip ccapi inout

debug ccsip mess

debug h225 asn1

Then when an issue occurs, pull the log, and see where the INVITE or SETUP is coming from and what dial-peer it is matching.
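Added example (not from any poster in this thread or from Cisco): the `%ISDN-6` lines posted above show only the outbound PSTN leg, but they can still be sorted into long calls, very short calls and calls that are still connected, which shows which channels to watch while the debugs are running. The `00` international prefix and the 5-second and 600-second thresholds are assumptions, and `triage` is a hypothetical helper name.

```python
import re

# Copied from the ISDN syslog lines posted in the thread.
LOG = """\
004950: Dec 10 23:35:17.358: %ISDN-6-CONNECT: Interface Serial0/2/0:4 is now connected to 00972599016720 N/A
004951: Dec 10 23:37:03.497: %ISDN-6-CONNECT: Interface Serial0/2/0:7 is now connected to 00972598703838 N/A
004955: Dec 11 00:03:36.720: %ISDN-6-DISCONNECT: Interface Serial0/2/0:7  disconnected from 00972598703838 , call lasted 1593 seconds
004956: Dec 11 00:03:36.724: %ISDN-6-DISCONNECT: Interface Serial0/2/0:4  disconnected from 00972599016720 , call lasted 1699 seconds
004966: Dec 11 02:19:06.215: %ISDN-6-CONNECT: Interface Serial0/2/0:20 is now connected to 0025230221004 N/A
004967: Dec 11 02:19:09.640: %ISDN-6-DISCONNECT: Interface Serial0/2/0:20  disconnected from 0025230221004 , call lasted 3 seconds
004968: Dec 11 02:19:21.116: %ISDN-6-CONNECT: Interface Serial0/2/0:19 is now connected to 0025230221045 N/A
004969: Dec 11 02:19:24.524: %ISDN-6-DISCONNECT: Interface Serial0/2/0:19  disconnected from 0025230221045 , call lasted 3 seconds
004970: Dec 11 02:21:37.920: %ISDN-6-CONNECT: Interface Serial0/2/0:8 is now connected to 002525237513223 N/A
004971: Dec 11 02:21:41.380: %ISDN-6-DISCONNECT: Interface Serial0/2/0:8  disconnected from 002525237513223 , call lasted 3 seconds
"""

EVENT = re.compile(
    r"%ISDN-6-(?P<kind>CONNECT|DISCONNECT): Interface (?P<chan>\S+)\s+"
    r"(?:is now connected to|disconnected from) (?P<number>\d+)"
    r"(?: , call lasted (?P<secs>\d+) seconds)?")

def triage(log, intl_prefix="00", probe_max=5, long_min=600):
    """Sort international calls into short calls, long calls, and calls that
    connected but have no DISCONNECT yet (still up when the log ends).
    Prefix and thresholds are assumed defaults, not values from the thread."""
    open_calls, probes, long_calls = {}, [], []
    for line in log.splitlines():
        m = EVENT.search(line)
        if not m or not m["number"].startswith(intl_prefix):
            continue
        if m["kind"] == "CONNECT":
            open_calls[m["chan"]] = m["number"]  # B-channel now carries a call
            continue
        open_calls.pop(m["chan"], None)  # DISCONNECT frees the channel
        secs = int(m["secs"] or 0)
        if secs <= probe_max:
            probes.append((m["number"], secs))
        elif secs >= long_min:
            long_calls.append((m["number"], secs))
    return {"open": open_calls, "probes": probes, "long": long_calls}

if __name__ == "__main__":
    for label, calls in triage(LOG).items():
        print(label, calls)
```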

Marcus Olson
Level 1

If you can track down the dial-peer mentioned above, that could really help you. Otherwise, I've seen this when a dial-peer doesn't match a DID and it dumps it back to a dial tone.

You may want to try dialing each DID until you find one that returns a dial tone; if you don't find one, then it's almost certainly via SIP.

It's only the beginning for you: now that they know you have an open system, they could start racking up a few thousand dollars in calls in just one evening, a bill which in most cases you're forced to pay.
