Mailing List Archive

Fraud calls to Cuba - Please read
Hello List,

I've got a situation with 2 remote sites. Over the course of several days in late November, somehow the analog POTS line in the site (which we use for SRST backup) proceeded to make approx 4,940 calls to Cuba. There wasn't really a pattern to the calls. It started with a couple of repeated calls to the same number and from that point, the dialed number changed (not dialed in any sort of sequential pattern either). Calls varied in duration from 0 seconds to many minutes long. Sometimes the next call would happen right away and other times there would be several minutes delay between calls. This proceeded to occur over the course of about a day and a half until the POTS provider called us and we blocked the line.

The analog line in the show home serves 2 purposes. It is connected to the SRST FXO port on the Cisco 2801 router and also connects to the analog fax machine.

At this point, the POTS provider feels that somehow the 2801 router has been compromised and is being used to route calls out the FXO port. We have a cordless phone on an ATA, and at first they felt this was the source but I indicated that any calls from the cordless phone would leave through our PRI in the main office, through the phone line on the FXO port.

Even if someone had managed to guess our admin password for the console of the router, I don't believe that person sitting on the Internet would be able to get a call to connect from their computer, through the Internet, and leave out our FXO port in our site.

I'm wondering if anyone on the list has some thoughts as to how the system could have been compromise or if it just isn't possible. The POTS line is actually a digital line provided by Shaw (a local cable/telco in Alberta). I feel that their "digital" phone terminal has been compromised though it isn't connected to the Internet in any way. One other possibility is old school phone phreaking where someone has actually tapped into the physical line but they would have been sitting outside in the cold for a very long time making these crazy calls.

I look forward to any insight the collective brain power of this list can provide. The bill for these calls is over $6000.

Regards,
Corbett Enders.

Corbett Enders
Network Manager
Homes by Avi - 2007 Canadian Builder of the Year.
Tel: (403) 536-7170
Fax: (403) 536-7171
www.homesbyavi.com<http://www.homesbyavi.com>
Re: Fraud calls to Cuba - Please read [ In reply to ]
Wow...exaclty the same problem I had...but with PRI...I have a site in Egypt that the user called us one day and informed that he has a bill from the Teleco for 100,000$ for a period of 3 months and they never produce this amount of calls...all calls were for random numbers and the call never exceeded 1 minute and these random numbers happen to be starting with 00 which is the internationl prefix here in Egypt.

After long nights of troubleshootting...I found that the gateway was configured to register SIP phones from the internet and I found an IP address from Mexico city that is trying this random calls so frequent, the strange thing is that the gateway was accepting these calls and route it to H323 side which relay the call to the PRI.

I did the following to ensure that it will not happen again...removed SIP at all from the gateway...converted the gateway to MGCP so that every call that will pass the gateway will need signalling from Callmanager and will leave a record in the CDR. But the strange thing the problem contiuned...

During troubleshooting we noticed something strange...alot of incoming calls coming to the PRI from a certain local number...and it was 3 AM in the morning we called this number and he told us that he know no one in this site and he has a problem that he got high invoices from the Teleco too...so we come up with this conculsion...seems that the CO. equipments has some problems and it is generating calls on behalf of the user to random numbers...a strange thing I know but till now this company still going to discussions with the teleco to solve this problem.

I suggest to do the followin...try to review CDR files and have a detailed bill from your Teleco and try to compare these calls with the CDR calls maybe this would help you...also try to activate some debugs and show commands "there is some tools that can automate show command every 5 mins or so" to know exactly when these calls happen and what is the source of it.

Good luck with this strange issue.
Thanks,Ahmed Elnagar

From: cenders@homesbyavi.comTo: cisco-voip@puck.nether.netDate: Wed, 7 Jan 2009 20:26:56 -0700Subject: [cisco-voip] Fraud calls to Cuba - Please read



Hello List,

I’ve got a situation with 2 remote sites. Over the course of several days in late November, somehow the analog POTS line in the site (which we use for SRST backup) proceeded to make approx 4,940 calls to Cuba. There wasn’t really a pattern to the calls. It started with a couple of repeated calls to the same number and from that point, the dialed number changed (not dialed in any sort of sequential pattern either). Calls varied in duration from 0 seconds to many minutes long. Sometimes the next call would happen right away and other times there would be several minutes delay between calls. This proceeded to occur over the course of about a day and a half until the POTS provider called us and we blocked the line.

The analog line in the show home serves 2 purposes. It is connected to the SRST FXO port on the Cisco 2801 router and also connects to the analog fax machine.

At this point, the POTS provider feels that somehow the 2801 router has been compromised and is being used to route calls out the FXO port. We have a cordless phone on an ATA, and at first they felt this was the source but I indicated that any calls from the cordless phone would leave through our PRI in the main office, through the phone line on the FXO port.

Even if someone had managed to guess our admin password for the console of the router, I don’t believe that person sitting on the Internet would be able to get a call to connect from their computer, through the Internet, and leave out our FXO port in our site.

I’m wondering if anyone on the list has some thoughts as to how the system could have been compromise or if it just isn’t possible. The POTS line is actually a digital line provided by Shaw (a local cable/telco in Alberta). I feel that their “digital” phone terminal has been compromised though it isn’t connected to the Internet in any way. One other possibility is old school phone phreaking where someone has actually tapped into the physical line but they would have been sitting outside in the cold for a very long time making these crazy calls.

I look forward to any insight the collective brain power of this list can provide. The bill for these calls is over $6000.

Regards,
Corbett Enders.

Corbett Enders
Network ManagerHomes by Avi - 2007 Canadian Builder of the Year.Tel: (403) 536-7170Fax: (403) 536-7171www.homesbyavi.com

_________________________________________________________________
More than messages–check out the rest of the Windows Live™.
http://www.microsoft.com/windows/windowslive/
Re: Fraud calls to Cuba - Please read [ In reply to ]
If the router is connected to the Internet, both H323 TCP/1720 and SIP UDP/5060 need to blocked. I don't remember the command offhand, but on some versions of code it is show ip sockets. Check this out to actually disable default SIP and H323 processing:

https://supportwiki.cisco.com/ViewWiki/index.php/How_to_disable_H.323_and_Session_Initiation_Protocol_(SIP)_services_on_TCP_ports_1720_and_5060_of_a_IOS_gateway_router
-ryan

From: cisco-voip-bounces@puck.nether.net [mailto:cisco-voip-bounces@puck.nether.net] On Behalf Of Ahmed Elnagar
Sent: Wednesday, January 07, 2009 23:13
To: cenders@homesbyavi.com
Cc: VOIP Group
Subject: Re: [cisco-voip] Fraud calls to Cuba - Please read


Wow...exaclty the same problem I had...but with PRI...I have a site in Egypt that the user called us one day and informed that he has a bill from the Teleco for 100,000$ for a period of 3 months and they never produce this amount of calls...all calls were for random numbers and the call never exceeded 1 minute and these random numbers happen to be starting with 00 which is the internationl prefix here in Egypt.

After long nights of troubleshootting...I found that the gateway was configured to register SIP phones from the internet and I found an IP address from Mexico city that is trying this random calls so frequent, the strange thing is that the gateway was accepting these calls and route it to H323 side which relay the call to the PRI.

I did the following to ensure that it will not happen again...removed SIP at all from the gateway...converted the gateway to MGCP so that every call that will pass the gateway will need signalling from Callmanager and will leave a record in the CDR. But the strange thing the problem contiuned...

During troubleshooting we noticed something strange...alot of incoming calls coming to the PRI from a certain local number...and it was 3 AM in the morning we called this number and he told us that he know no one in this site and he has a problem that he got high invoices from the Teleco too...so we come up with this conculsion...seems that the CO. equipments has some problems and it is generating calls on behalf of the user to random numbers...a strange thing I know but till now this company still going to discussions with the teleco to solve this problem.

I suggest to do the followin...try to review CDR files and have a detailed bill from your Teleco and try to compare these calls with the CDR calls maybe this would help you...also try to activate some debugs and show commands "there is some tools that can automate show command every 5 mins or so" to know exactly when these calls happen and what is the source of it.

Good luck with this strange issue.
Thanks,
Ahmed Elnagar


________________________________
From: cenders@homesbyavi.com
To: cisco-voip@puck.nether.net
Date: Wed, 7 Jan 2009 20:26:56 -0700
Subject: [cisco-voip] Fraud calls to Cuba - Please read
Hello List,

I've got a situation with 2 remote sites. Over the course of several days in late November, somehow the analog POTS line in the site (which we use for SRST backup) proceeded to make approx 4,940 calls to Cuba. There wasn't really a pattern to the calls. It started with a couple of repeated calls to the same number and from that point, the dialed number changed (not dialed in any sort of sequential pattern either). Calls varied in duration from 0 seconds to many minutes long. Sometimes the next call would happen right away and other times there would be several minutes delay between calls. This proceeded to occur over the course of about a day and a half until the POTS provider called us and we blocked the line.

The analog line in the show home serves 2 purposes. It is connected to the SRST FXO port on the Cisco 2801 router and also connects to the analog fax machine.

At this point, the POTS provider feels that somehow the 2801 router has been compromised and is being used to route calls out the FXO port. We have a cordless phone on an ATA, and at first they felt this was the source but I indicated that any calls from the cordless phone would leave through our PRI in the main office, through the phone line on the FXO port.

Even if someone had managed to guess our admin password for the console of the router, I don't believe that person sitting on the Internet would be able to get a call to connect from their computer, through the Internet, and leave out our FXO port in our site.

I'm wondering if anyone on the list has some thoughts as to how the system could have been compromise or if it just isn't possible. The POTS line is actually a digital line provided by Shaw (a local cable/telco in Alberta). I feel that their "digital" phone terminal has been compromised though it isn't connected to the Internet in any way. One other possibility is old school phone phreaking where someone has actually tapped into the physical line but they would have been sitting outside in the cold for a very long time making these crazy calls.

I look forward to any insight the collective brain power of this list can provide. The bill for these calls is over $6000.

Regards,
Corbett Enders.

Corbett Enders
Network Manager
Homes by Avi - 2007 Canadian Builder of the Year.
Tel: (403) 536-7170
Fax: (403) 536-7171
www.homesbyavi.com<http://www.homesbyavi.com/>


________________________________
check out the rest of the Windows Live(tm). More than mail-Windows Live(tm) goes way beyond your inbox. More than messages<http://www.microsoft.com/windows/windowslive/>

No virus found in this incoming message.
Checked by AVG - http://www.avg.com
Version: 8.0.176 / Virus Database: 270.10.4/1880 - Release Date: 1/7/2009 8:49 AM
Re: Fraud calls to Cuba - Please read [ In reply to ]
The router is on the Internet, is configured for MGCP and has ip advanced services with the firewall feature enabled (for VPN and nat). Wouldn't that block external connections?

On Jan 7, 2009, at 9:48 PM, "Ryan West" <rwest@zyedge.com<mailto:rwest@zyedge.com>> wrote:

If the router is connected to the Internet, both H323 TCP/1720 and SIP UDP/5060 need to blocked. I don’t remember the command offhand, but on some versions of code it is show ip sockets. Check this out to actually disable default SIP and H323 processing:

<https://supportwiki.cisco.com/ViewWiki/index.php/How_to_disable_H.323_and_Session_Initiation_Protocol_(SIP)_services_on_TCP_ports_1720_and_5060_of_a_IOS_gateway_router>https://supportwiki.cisco.com/ViewWiki/index.php/How_to_disable_H.323_and_Session_Initiation_Protocol_(SIP)_services_on_TCP_ports_1720_and_5060_of_a_IOS_gateway_router
-ryan

From: cisco-voip-bounces@puck.nether.net<mailto:cisco-voip-bounces@puck.nether.net> [mailto:cisco-voip-bounces@puck.nether.net] On Behalf Of Ahmed Elnagar
Sent: Wednesday, January 07, 2009 23:13
To: <mailto:cenders@homesbyavi.com> cenders@homesbyavi.com<mailto:cenders@homesbyavi.com>
Cc: VOIP Group
Subject: Re: [cisco-voip] Fraud calls to Cuba - Please read


Wow...exaclty the same problem I had...but with PRI...I have a site in Egypt that the user called us one day and informed that he has a bill from the Teleco for 100,000$ for a period of 3 months and they never produce this amount of calls...all calls were for random numbers and the call never exceeded 1 minute and these random numbers happen to be starting with 00 which is the internationl prefix here in Egypt.

After long nights of troubleshootting...I found that the gateway was configured to register SIP phones from the internet and I found an IP address from Mexico city that is trying this random calls so frequent, the strange thing is that the gateway was accepting these calls and route it to H323 side which relay the call to the PRI.

I did the following to ensure that it will not happen again...removed SIP at all from the gateway...converted the gateway to MGCP so that every call that will pass the gateway will need signalling from Callmanager and will leave a record in the CDR. But the strange thing the problem contiuned...

During troubleshooting we noticed something strange...alot of incoming calls coming to the PRI from a certain local number...and it was 3 AM in the morning we called this number and he told us that he know no one in this site and he has a problem that he got high invoices from the Teleco too...so we come up with this conculsion...seems that the CO. equipments has some problems and it is generating calls on behalf of the user to random numbers...a strange thing I know but till now this company still going to discussions with the teleco to solve this problem.

I suggest to do the followin...try to review CDR files and have a detailed bill from your Teleco and try to compare these calls with the CDR calls maybe this would help you...also try to activate some debugs and show commands "there is some tools that can automate show command every 5 mins or so" to know exactly when these calls happen and what is the source of it.

Good luck with this strange issue.
Thanks,
Ahmed Elnagar


________________________________
From: <mailto:cenders@homesbyavi.com> cenders@homesbyavi.com<mailto:cenders@homesbyavi.com>
To: <mailto:cisco-voip@puck.nether.net> cisco-voip@puck.nether.net<mailto:cisco-voip@puck.nether.net>
Date: Wed, 7 Jan 2009 20:26:56 -0700
Subject: [cisco-voip] Fraud calls to Cuba - Please read
Hello List,

I’ve got a situation with 2 remote sites. Over the course of several days in late November, somehow the analog POTS line in the site (which we use for SRST backup) proceeded to make approx 4,940 calls to Cuba. There wasn’t really a pattern to the calls. It started with a couple of repeated calls to the same number and from that point, the dialed number changed (not dialed in any sort of sequential pattern either). Calls varied in duration from 0 seconds to many minutes long. Sometimes the next call would happen right away and other times there would be several minutes delay between calls. This proceeded to occur over the course of about a day and a half until the POTS provider called us and we blocked the line.

The analog line in the show home serves 2 purposes. It is connected to the SRST FXO port on the Cisco 2801 router and also connects to the analog fax machine.

At this point, the POTS provider feels that somehow the 2801 router has been compromised and is being used to route calls out the FXO port. We have a cordless phone on an ATA, and at first they felt this was the source but I indicated that any calls from the cordless phone would leave through our PRI in the main office, through the phone line on the FXO port.

Even if someone had managed to guess our admin password for the console of the router, I don’t believe that person sitting on the Internet would be able to get a call to connect from their computer, through the Internet, and leave out our FXO port in our site.

I’m wondering if anyone on the list has some thoughts as to how the system could have been compromise or if it just isn’t possible. The POTS line is actually a digital line provided by Shaw (a local cable/telco in Alberta). I feel that their “digital” phone terminal has been compromised though it isn’t connected to the Internet in any way. One other possibility is old school phone phreaking where someone has actually tapped into the physical line but they would have been sitting outside in the cold for a very long time making these crazy calls.

I look forward to any insight the collective brain power of this list can provide. The bill for these calls is over $6000.

Regards,
Corbett Enders.

Corbett Enders
Network Manager
Homes by Avi - 2007 Canadian Builder of the Year.
Tel: (403) 536-7170
Fax: (403) 536-7171
www.homesbyavi.com<http://www.homesbyavi.com/>


________________________________
check out the rest of the Windows Live™. More than mail–Windows Live™ goes way beyond your inbox. More than messages<http://www.microsoft.com/windows/windowslive/>

No virus found in this incoming message.
Checked by AVG - <http://www.avg.com> http://www.avg.com
Version: 8.0.176 / Virus Database: 270.10.4/1880 - Release Date: 1/7/2009 8:49 AM
Re: Fraud calls to Cuba - Please read [ In reply to ]
The feature set doesn’t imply that CBAC is configured correctly. Check your outside ACL and since you’re only using MGCP, you can use the link below to disable SIP processing (most likely your culprit, probably a calling card company that scans for open routers). You should also disable H323 as well. To see if the router has the firewall running, issue a show ip inspect sessions. The command I was thinking of earlier is ‘show control-plan host open-ports’, which do a netstat type listing on the router.

Hope that helps.

-ryan

From: Corbett Enders [mailto:cenders@homesbyavi.com]
Sent: Wednesday, January 07, 2009 23:56
To: Ryan West
Cc: Ahmed Elnagar; VOIP Group
Subject: Re: [cisco-voip] Fraud calls to Cuba - Please read

The router is on the Internet, is configured for MGCP and has ip advanced services with the firewall feature enabled (for VPN and nat). Wouldn't that block external connections?

On Jan 7, 2009, at 9:48 PM, "Ryan West" <rwest@zyedge.com<mailto:rwest@zyedge.com>> wrote:
If the router is connected to the Internet, both H323 TCP/1720 and SIP UDP/5060 need to blocked. I don’t remember the command offhand, but on some versions of code it is show ip sockets. Check this out to actually disable default SIP and H323 processing:

https://supportwiki.cisco.com/ViewWiki/index.php/How_to_disable_H.323_and_Session_Initiation_Protocol_(SIP)_services_on_TCP_ports_1720_and_5060_of_a_IOS_gateway_router
-ryan

From: cisco-voip-bounces@puck.nether.net<mailto:cisco-voip-bounces@puck.nether.net> [mailto:cisco-voip-bounces@puck.nether.net] On Behalf Of Ahmed Elnagar
Sent: Wednesday, January 07, 2009 23:13
To: cenders@homesbyavi.com<mailto:cenders@homesbyavi.com>
Cc: VOIP Group
Subject: Re: [cisco-voip] Fraud calls to Cuba - Please read


Wow...exaclty the same problem I had...but with PRI...I have a site in Egypt that the user called us one day and informed that he has a bill from the Teleco for 100,000$ for a period of 3 months and they never produce this amount of calls...all calls were for random numbers and the call never exceeded 1 minute and these random numbers happen to be starting with 00 which is the internationl prefix here in Egypt.

After long nights of troubleshootting...I found that the gateway was configured to register SIP phones from the internet and I found an IP address from Mexico city that is trying this random calls so frequent, the strange thing is that the gateway was accepting these calls and route it to H323 side which relay the call to the PRI.

I did the following to ensure that it will not happen again...removed SIP at all from the gateway...converted the gateway to MGCP so that every call that will pass the gateway will need signalling from Callmanager and will leave a record in the CDR. But the strange thing the problem contiuned...

During troubleshooting we noticed something strange...alot of incoming calls coming to the PRI from a certain local number...and it was 3 AM in the morning we called this number and he told us that he know no one in this site and he has a problem that he got high invoices from the Teleco too...so we come up with this conculsion...seems that the CO. equipments has some problems and it is generating calls on behalf of the user to random numbers...a strange thing I know but till now this company still going to discussions with the teleco to solve this problem.

I suggest to do the followin...try to review CDR files and have a detailed bill from your Teleco and try to compare these calls with the CDR calls maybe this would help you...also try to activate some debugs and show commands "there is some tools that can automate show command every 5 mins or so" to know exactly when these calls happen and what is the source of it.

Good luck with this strange issue.
Thanks,
Ahmed Elnagar



________________________________
From: cenders@homesbyavi.com<mailto:cenders@homesbyavi.com>
To: cisco-voip@puck.nether.net<mailto:cisco-voip@puck.nether.net>
Date: Wed, 7 Jan 2009 20:26:56 -0700
Subject: [cisco-voip] Fraud calls to Cuba - Please read
Hello List,

I’ve got a situation with 2 remote sites. Over the course of several days in late November, somehow the analog POTS line in the site (which we use for SRST backup) proceeded to make approx 4,940 calls to Cuba. There wasn’t really a pattern to the calls. It started with a couple of repeated calls to the same number and from that point, the dialed number changed (not dialed in any sort of sequential pattern either). Calls varied in duration from 0 seconds to many minutes long. Sometimes the next call would happen right away and other times there would be several minutes delay between calls. This proceeded to occur over the course of about a day and a half until the POTS provider called us and we blocked the line.

The analog line in the show home serves 2 purposes. It is connected to the SRST FXO port on the Cisco 2801 router and also connects to the analog fax machine.

At this point, the POTS provider feels that somehow the 2801 router has been compromised and is being used to route calls out the FXO port. We have a cordless phone on an ATA, and at first they felt this was the source but I indicated that any calls from the cordless phone would leave through our PRI in the main office, through the phone line on the FXO port.

Even if someone had managed to guess our admin password for the console of the router, I don’t believe that person sitting on the Internet would be able to get a call to connect from their computer, through the Internet, and leave out our FXO port in our site.

I’m wondering if anyone on the list has some thoughts as to how the system could have been compromise or if it just isn’t possible. The POTS line is actually a digital line provided by Shaw (a local cable/telco in Alberta). I feel that their “digital” phone terminal has been compromised though it isn’t connected to the Internet in any way. One other possibility is old school phone phreaking where someone has actually tapped into the physical line but they would have been sitting outside in the cold for a very long time making these crazy calls.

I look forward to any insight the collective brain power of this list can provide. The bill for these calls is over $6000.

Regards,
Corbett Enders.

Corbett Enders
Network Manager
Homes by Avi - 2007 Canadian Builder of the Year.
Tel: (403) 536-7170
Fax: (403) 536-7171
www.homesbyavi.com<http://www.homesbyavi.com/>


________________________________
check out the rest of the Windows Live™. More than mail–Windows Live™ goes way beyond your inbox. More than messages<http://www.microsoft.com/windows/windowslive/>

No virus found in this incoming message.
Checked by AVG - http://www.avg.com
Version: 8.0.176 / Virus Database: 270.10.4/1880 - Release Date: 1/7/2009 8:49 AM
Re: Fraud calls to Cuba - Please read [ In reply to ]
I had this happen as well to a CME router which the customer connected to
the Internet and the router also had a PRI from the local telco. Customer
had put in a public ip on the router exposing it to the Internet as they
wanted to do an IPSEC tunnel as well. After investigation it was discovered
that some one was using SIP port on the router and running a script to call
numbers in CUBA and all calls were a minute call. We put in an ACL to block
SIP and H.323 on the router to stop this. I believe someone is using SIP
port (5060) from the Internet and making calls through your FXO line.


Aman

On Thu, Jan 8, 2009 at 10:31 AM, Ryan West <rwest@zyedge.com> wrote:

> The feature set doesn't imply that CBAC is configured correctly. Check
> your outside ACL and since you're only using MGCP, you can use the link
> below to disable SIP processing (most likely your culprit, probably a
> calling card company that scans for open routers). You should also disable
> H323 as well. To see if the router has the firewall running, issue a show
> ip inspect sessions. The command I was thinking of earlier is 'show
> control-plan host open-ports', which do a netstat type listing on the
> router.
>
>
>
> Hope that helps.
>
>
>
> -ryan
>
>
>
> *From:* Corbett Enders [mailto:cenders@homesbyavi.com]
> *Sent:* Wednesday, January 07, 2009 23:56
> *To:* Ryan West
> *Cc:* Ahmed Elnagar; VOIP Group
>
> *Subject:* Re: [cisco-voip] Fraud calls to Cuba - Please read
>
>
>
> The router is on the Internet, is configured for MGCP and has ip advanced
> services with the firewall feature enabled (for VPN and nat). Wouldn't that
> block external connections?
>
>
> On Jan 7, 2009, at 9:48 PM, "Ryan West" <rwest@zyedge.com> wrote:
>
> If the router is connected to the Internet, both H323 TCP/1720 and SIP
> UDP/5060 need to blocked. I don't remember the command offhand, but on some
> versions of code it is show ip sockets. Check this out to actually disable
> default SIP and H323 processing:
>
>
>
>
> https://supportwiki.cisco.com/ViewWiki/index.php/How_to_disable_H.323_and_Session_Initiation_Protocol_(SIP)_services_on_TCP_ports_1720_and_5060_of_a_IOS_gateway_router
>
> -ryan
>
>
>
> *From:* cisco-voip-bounces@puck.nether.net [
> mailto:cisco-voip-bounces@puck.nether.net<cisco-voip-bounces@puck.nether.net>]
> *On Behalf Of *Ahmed Elnagar
> *Sent:* Wednesday, January 07, 2009 23:13
> *To:* cenders@homesbyavi.com
> *Cc:* VOIP Group
> *Subject:* Re: [cisco-voip] Fraud calls to Cuba - Please read
>
>
>
>
> Wow...exaclty the same problem I had...but with PRI...I have a site in
> Egypt that the user called us one day and informed that he has a bill from
> the Teleco for 100,000$ for a period of 3 months and they never produce this
> amount of calls...all calls were for random numbers and the call never
> exceeded 1 minute and these random numbers happen to be starting with 00
> which is the internationl prefix here in Egypt.
>
> After long nights of troubleshootting...I found that the gateway was
> configured to register SIP phones from the internet and I found an IP
> address from Mexico city that is trying this random calls so frequent, the
> strange thing is that the gateway was accepting these calls and route it to
> H323 side which relay the call to the PRI.
>
> I did the following to ensure that it will not happen again...removed SIP
> at all from the gateway...converted the gateway to MGCP so that every call
> that will pass the gateway will need signalling from Callmanager and will
> leave a record in the CDR. But the strange thing the problem contiuned...
>
> During troubleshooting we noticed something strange...alot of incoming
> calls coming to the PRI from a certain local number...and it was 3 AM in the
> morning we called this number and he told us that he know no one in this
> site and he has a problem that he got high invoices from the Teleco too...so
> we come up with this conculsion...seems that the CO. equipments has some
> problems and it is generating calls on behalf of the user to random
> numbers...a strange thing I know but till now this company still going to
> discussions with the teleco to solve this problem.
>
> I suggest to do the followin...try to review CDR files and have a detailed
> bill from your Teleco and try to compare these calls with the CDR calls
> maybe this would help you...also try to activate some debugs and show
> commands "there is some tools that can automate show command every 5 mins or
> so" to know exactly when these calls happen and what is the source of it.
>
> Good luck with this strange issue.
>
> Thanks,
> Ahmed Elnagar
>
>
>
> ------------------------------
>
> From: cenders@homesbyavi.com
> To: cisco-voip@puck.nether.net
> Date: Wed, 7 Jan 2009 20:26:56 -0700
> Subject: [cisco-voip] Fraud calls to Cuba - Please read
>
> Hello List,
>
>
>
> I've got a situation with 2 remote sites. Over the course of several days
> in late November, somehow the analog POTS line in the site (which we use for
> SRST backup) proceeded to make approx 4,940 calls to Cuba. There wasn't
> really a pattern to the calls. It started with a couple of repeated calls
> to the same number and from that point, the dialed number changed (not
> dialed in any sort of sequential pattern either). Calls varied in duration
> from 0 seconds to many minutes long. Sometimes the next call would happen
> right away and other times there would be several minutes delay between
> calls. This proceeded to occur over the course of about a day and a half
> until the POTS provider called us and we blocked the line.
>
>
>
> The analog line in the show home serves 2 purposes. It is connected to the
> SRST FXO port on the Cisco 2801 router and also connects to the analog fax
> machine.
>
>
>
> At this point, the POTS provider feels that somehow the 2801 router has
> been compromised and is being used to route calls out the FXO port. We have
> a cordless phone on an ATA, and at first they felt this was the source but I
> indicated that any calls from the cordless phone would leave through our PRI
> in the main office, through the phone line on the FXO port.
>
>
>
> Even if someone had managed to guess our admin password for the console of
> the router, I don't believe that person sitting on the Internet would be
> able to get a call to connect from their computer, through the Internet, and
> leave out our FXO port in our site.
>
>
>
> I'm wondering if anyone on the list has some thoughts as to how the system
> could have been compromise or if it just isn't possible. The POTS line is
> actually a digital line provided by Shaw (a local cable/telco in Alberta).
> I feel that their "digital" phone terminal has been compromised though it
> isn't connected to the Internet in any way. One other possibility is old
> school phone phreaking where someone has actually tapped into the physical
> line but they would have been sitting outside in the cold for a very long
> time making these crazy calls.
>
>
>
> I look forward to any insight the collective brain power of this list can
> provide. The bill for these calls is over $6000.
>
>
>
> Regards,
>
> Corbett Enders.
>
>
>
> *Corbett Enders*
>
> Network Manager
> Homes by Avi - 2007 Canadian Builder of the Year.
> Tel: (403) 536-7170
> Fax: (403) 536-7171
> www.homesbyavi.com
>
>
>
>
> ------------------------------
>
> check out the rest of the Windows Live™. More than mail–Windows Live™ goes
> way beyond your inbox. More than messages<http://www.microsoft.com/windows/windowslive/>
>
> No virus found in this incoming message.
> Checked by AVG - http://www.avg.com
> Version: 8.0.176 / Virus Database: 270.10.4/1880 - Release Date: 1/7/2009
> 8:49 AM
>
>
> _______________________________________________
> cisco-voip mailing list
> cisco-voip@puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-voip
>
>
Re: Fraud calls to Cuba - Please read [ In reply to ]
Does someone open a TAC at Cisco to talk aout it ?
What Cisco say about that ?

Nicolas

On Thu, Jan 8, 2009 at 6:16 AM, Aman Chugh <aman.chugh@gmail.com> wrote:

> I had this happen as well to a CME router which the customer connected to
> the Internet and the router also had a PRI from the local telco. Customer
> had put in a public ip on the router exposing it to the Internet as they
> wanted to do an IPSEC tunnel as well. After investigation it was discovered
> that some one was using SIP port on the router and running a script to call
> numbers in CUBA and all calls were a minute call. We put in an ACL to block
> SIP and H.323 on the router to stop this. I believe someone is using SIP
> port (5060) from the Internet and making calls through your FXO line.
>
>
> Aman
>
> On Thu, Jan 8, 2009 at 10:31 AM, Ryan West <rwest@zyedge.com> wrote:
>
>> The feature set doesn't imply that CBAC is configured correctly. Check
>> your outside ACL and since you're only using MGCP, you can use the link
>> below to disable SIP processing (most likely your culprit, probably a
>> calling card company that scans for open routers). You should also disable
>> H323 as well. To see if the router has the firewall running, issue a show
>> ip inspect sessions. The command I was thinking of earlier is 'show
>> control-plan host open-ports', which do a netstat type listing on the
>> router.
>>
>>
>>
>> Hope that helps.
>>
>>
>>
>> -ryan
>>
>>
>>
>> *From:* Corbett Enders [mailto:cenders@homesbyavi.com]
>> *Sent:* Wednesday, January 07, 2009 23:56
>> *To:* Ryan West
>> *Cc:* Ahmed Elnagar; VOIP Group
>>
>> *Subject:* Re: [cisco-voip] Fraud calls to Cuba - Please read
>>
>>
>>
>> The router is on the Internet, is configured for MGCP and has ip advanced
>> services with the firewall feature enabled (for VPN and nat). Wouldn't that
>> block external connections?
>>
>>
>> On Jan 7, 2009, at 9:48 PM, "Ryan West" <rwest@zyedge.com> wrote:
>>
>> If the router is connected to the Internet, both H323 TCP/1720 and SIP
>> UDP/5060 need to blocked. I don't remember the command offhand, but on some
>> versions of code it is show ip sockets. Check this out to actually disable
>> default SIP and H323 processing:
>>
>>
>>
>>
>> https://supportwiki.cisco.com/ViewWiki/index.php/How_to_disable_H.323_and_Session_Initiation_Protocol_(SIP)_services_on_TCP_ports_1720_and_5060_of_a_IOS_gateway_router<https://supportwiki.cisco.com/ViewWiki/index.php/How_to_disable_H.323_and_Session_Initiation_Protocol_%28SIP%29_services_on_TCP_ports_1720_and_5060_of_a_IOS_gateway_router>
>>
>> -ryan
>>
>>
>>
>> *From:* cisco-voip-bounces@puck.nether.net [
>> mailto:cisco-voip-bounces@puck.nether.net<cisco-voip-bounces@puck.nether.net>]
>> *On Behalf Of *Ahmed Elnagar
>> *Sent:* Wednesday, January 07, 2009 23:13
>> *To:* cenders@homesbyavi.com
>> *Cc:* VOIP Group
>> *Subject:* Re: [cisco-voip] Fraud calls to Cuba - Please read
>>
>>
>>
>>
>> Wow...exaclty the same problem I had...but with PRI...I have a site in
>> Egypt that the user called us one day and informed that he has a bill from
>> the Teleco for 100,000$ for a period of 3 months and they never produce this
>> amount of calls...all calls were for random numbers and the call never
>> exceeded 1 minute and these random numbers happen to be starting with 00
>> which is the internationl prefix here in Egypt.
>>
>> After long nights of troubleshootting...I found that the gateway was
>> configured to register SIP phones from the internet and I found an IP
>> address from Mexico city that is trying this random calls so frequent, the
>> strange thing is that the gateway was accepting these calls and route it to
>> H323 side which relay the call to the PRI.
>>
>> I did the following to ensure that it will not happen again...removed SIP
>> at all from the gateway...converted the gateway to MGCP so that every call
>> that will pass the gateway will need signalling from Callmanager and will
>> leave a record in the CDR. But the strange thing the problem contiuned...
>>
>> During troubleshooting we noticed something strange...alot of incoming
>> calls coming to the PRI from a certain local number...and it was 3 AM in the
>> morning we called this number and he told us that he know no one in this
>> site and he has a problem that he got high invoices from the Teleco too...so
>> we come up with this conculsion...seems that the CO. equipments has some
>> problems and it is generating calls on behalf of the user to random
>> numbers...a strange thing I know but till now this company still going to
>> discussions with the teleco to solve this problem.
>>
>> I suggest to do the followin...try to review CDR files and have a detailed
>> bill from your Teleco and try to compare these calls with the CDR calls
>> maybe this would help you...also try to activate some debugs and show
>> commands "there is some tools that can automate show command every 5 mins or
>> so" to know exactly when these calls happen and what is the source of it.
>>
>> Good luck with this strange issue.
>>
>> Thanks,
>> Ahmed Elnagar
>>
>>
>>
>> ------------------------------
>>
>> From: cenders@homesbyavi.com
>> To: cisco-voip@puck.nether.net
>> Date: Wed, 7 Jan 2009 20:26:56 -0700
>> Subject: [cisco-voip] Fraud calls to Cuba - Please read
>>
>> Hello List,
>>
>>
>>
>> I've got a situation with 2 remote sites. Over the course of several days
>> in late November, somehow the analog POTS line in the site (which we use for
>> SRST backup) proceeded to make approx 4,940 calls to Cuba. There wasn't
>> really a pattern to the calls. It started with a couple of repeated calls
>> to the same number and from that point, the dialed number changed (not
>> dialed in any sort of sequential pattern either). Calls varied in duration
>> from 0 seconds to many minutes long. Sometimes the next call would happen
>> right away and other times there would be several minutes delay between
>> calls. This proceeded to occur over the course of about a day and a half
>> until the POTS provider called us and we blocked the line.
>>
>>
>>
>> The analog line in the show home serves 2 purposes. It is connected to
>> the SRST FXO port on the Cisco 2801 router and also connects to the analog
>> fax machine.
>>
>>
>>
>> At this point, the POTS provider feels that somehow the 2801 router has
>> been compromised and is being used to route calls out the FXO port. We have
>> a cordless phone on an ATA, and at first they felt this was the source but I
>> indicated that any calls from the cordless phone would leave through our PRI
>> in the main office, through the phone line on the FXO port.
>>
>>
>>
>> Even if someone had managed to guess our admin password for the console of
>> the router, I don't believe that person sitting on the Internet would be
>> able to get a call to connect from their computer, through the Internet, and
>> leave out our FXO port in our site.
>>
>>
>>
>> I'm wondering if anyone on the list has some thoughts as to how the system
>> could have been compromise or if it just isn't possible. The POTS line is
>> actually a digital line provided by Shaw (a local cable/telco in Alberta).
>> I feel that their "digital" phone terminal has been compromised though it
>> isn't connected to the Internet in any way. One other possibility is old
>> school phone phreaking where someone has actually tapped into the physical
>> line but they would have been sitting outside in the cold for a very long
>> time making these crazy calls.
>>
>>
>>
>> I look forward to any insight the collective brain power of this list can
>> provide. The bill for these calls is over $6000.
>>
>>
>>
>> Regards,
>>
>> Corbett Enders.
>>
>>
>>
>> *Corbett Enders*
>>
>> Network Manager
>> Homes by Avi - 2007 Canadian Builder of the Year.
>> Tel: (403) 536-7170
>> Fax: (403) 536-7171
>> www.homesbyavi.com
>>
>>
>>
>>
>> ------------------------------
>>
>> check out the rest of the Windows Live™. More than mail–Windows Live™ goes
>> way beyond your inbox. More than messages<http://www.microsoft.com/windows/windowslive/>
>>
>> No virus found in this incoming message.
>> Checked by AVG - http://www.avg.com
>> Version: 8.0.176 / Virus Database: 270.10.4/1880 - Release Date: 1/7/2009
>> 8:49 AM
>>
>>
>> _______________________________________________
>> cisco-voip mailing list
>> cisco-voip@puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-voip
>>
>>
>
> _______________________________________________
> cisco-voip mailing list
> cisco-voip@puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-voip
>
>
Re: Fraud calls to Cuba - Please read [ In reply to ]
I was planning to send Cisco a letter complaining about the fact that these
'features' are enabled by default on an ISR which is positioned as the
platform that does everything (in this case being a voip gateway and
internet router). I would like to hear other thoughts about this as well.

In my view, opening a TAC case would be of lesser use. Better send a letter
to John Chambers or the like of him.

Stefan

On Thu, Jan 08, 2009 at 10:39:34AM +0100, Nicolas wrote:
> Does someone open a TAC at Cisco to talk aout it ?
> What Cisco say about that ?
>
> Nicolas
>
> On Thu, Jan 8, 2009 at 6:16 AM, Aman Chugh <aman.chugh@gmail.com> wrote:
>
> > I had this happen as well to a CME router which the customer connected to
> > the Internet and the router also had a PRI from the local telco. Customer
> > had put in a public ip on the router exposing it to the Internet as they
> > wanted to do an IPSEC tunnel as well. After investigation it was discovered
> > that some one was using SIP port on the router and running a script to call
> > numbers in CUBA and all calls were a minute call. We put in an ACL to block
> > SIP and H.323 on the router to stop this. I believe someone is using SIP
> > port (5060) from the Internet and making calls through your FXO line.
> >
> >
> > Aman
> >
> > On Thu, Jan 8, 2009 at 10:31 AM, Ryan West <rwest@zyedge.com> wrote:
> >
> >> The feature set doesn't imply that CBAC is configured correctly. Check
> >> your outside ACL and since you're only using MGCP, you can use the link
> >> below to disable SIP processing (most likely your culprit, probably a
> >> calling card company that scans for open routers). You should also disable
> >> H323 as well. To see if the router has the firewall running, issue a show
> >> ip inspect sessions. The command I was thinking of earlier is 'show
> >> control-plan host open-ports', which do a netstat type listing on the
> >> router.
> >>
> >>
> >>
> >> Hope that helps.
> >>
> >>
> >>
> >> -ryan
> >>
> >>
> >>
> >> *From:* Corbett Enders [mailto:cenders@homesbyavi.com]
> >> *Sent:* Wednesday, January 07, 2009 23:56
> >> *To:* Ryan West
> >> *Cc:* Ahmed Elnagar; VOIP Group
> >>
> >> *Subject:* Re: [cisco-voip] Fraud calls to Cuba - Please read
> >>
> >>
> >>
> >> The router is on the Internet, is configured for MGCP and has ip advanced
> >> services with the firewall feature enabled (for VPN and nat). Wouldn't that
> >> block external connections?
> >>
> >>
> >> On Jan 7, 2009, at 9:48 PM, "Ryan West" <rwest@zyedge.com> wrote:
> >>
> >> If the router is connected to the Internet, both H323 TCP/1720 and SIP
> >> UDP/5060 need to blocked. I don't remember the command offhand, but on some
> >> versions of code it is show ip sockets. Check this out to actually disable
> >> default SIP and H323 processing:
> >>
> >>
> >>
> >>
> >> https://supportwiki.cisco.com/ViewWiki/index.php/How_to_disable_H.323_and_Session_Initiation_Protocol_(SIP)_services_on_TCP_ports_1720_and_5060_of_a_IOS_gateway_router<https://supportwiki.cisco.com/ViewWiki/index.php/How_to_disable_H.323_and_Session_Initiation_Protocol_%28SIP%29_services_on_TCP_ports_1720_and_5060_of_a_IOS_gateway_router>
> >>
> >> -ryan
> >>
> >>
> >>
> >> *From:* cisco-voip-bounces@puck.nether.net [
> >> mailto:cisco-voip-bounces@puck.nether.net<cisco-voip-bounces@puck.nether.net>]
> >> *On Behalf Of *Ahmed Elnagar
> >> *Sent:* Wednesday, January 07, 2009 23:13
> >> *To:* cenders@homesbyavi.com
> >> *Cc:* VOIP Group
> >> *Subject:* Re: [cisco-voip] Fraud calls to Cuba - Please read
> >>
> >>
> >>
> >>
> >> Wow...exaclty the same problem I had...but with PRI...I have a site in
> >> Egypt that the user called us one day and informed that he has a bill from
> >> the Teleco for 100,000$ for a period of 3 months and they never produce this
> >> amount of calls...all calls were for random numbers and the call never
> >> exceeded 1 minute and these random numbers happen to be starting with 00
> >> which is the internationl prefix here in Egypt.
> >>
> >> After long nights of troubleshootting...I found that the gateway was
> >> configured to register SIP phones from the internet and I found an IP
> >> address from Mexico city that is trying this random calls so frequent, the
> >> strange thing is that the gateway was accepting these calls and route it to
> >> H323 side which relay the call to the PRI.
> >>
> >> I did the following to ensure that it will not happen again...removed SIP
> >> at all from the gateway...converted the gateway to MGCP so that every call
> >> that will pass the gateway will need signalling from Callmanager and will
> >> leave a record in the CDR. But the strange thing the problem contiuned...
> >>
> >> During troubleshooting we noticed something strange...alot of incoming
> >> calls coming to the PRI from a certain local number...and it was 3 AM in the
> >> morning we called this number and he told us that he know no one in this
> >> site and he has a problem that he got high invoices from the Teleco too...so
> >> we come up with this conculsion...seems that the CO. equipments has some
> >> problems and it is generating calls on behalf of the user to random
> >> numbers...a strange thing I know but till now this company still going to
> >> discussions with the teleco to solve this problem.
> >>
> >> I suggest to do the followin...try to review CDR files and have a detailed
> >> bill from your Teleco and try to compare these calls with the CDR calls
> >> maybe this would help you...also try to activate some debugs and show
> >> commands "there is some tools that can automate show command every 5 mins or
> >> so" to know exactly when these calls happen and what is the source of it.
> >>
> >> Good luck with this strange issue.
> >>
> >> Thanks,
> >> Ahmed Elnagar
> >>
> >>
> >>
> >> ------------------------------
> >>
> >> From: cenders@homesbyavi.com
> >> To: cisco-voip@puck.nether.net
> >> Date: Wed, 7 Jan 2009 20:26:56 -0700
> >> Subject: [cisco-voip] Fraud calls to Cuba - Please read
> >>
> >> Hello List,
> >>
> >>
> >>
> >> I've got a situation with 2 remote sites. Over the course of several days
> >> in late November, somehow the analog POTS line in the site (which we use for
> >> SRST backup) proceeded to make approx 4,940 calls to Cuba. There wasn't
> >> really a pattern to the calls. It started with a couple of repeated calls
> >> to the same number and from that point, the dialed number changed (not
> >> dialed in any sort of sequential pattern either). Calls varied in duration
> >> from 0 seconds to many minutes long. Sometimes the next call would happen
> >> right away and other times there would be several minutes delay between
> >> calls. This proceeded to occur over the course of about a day and a half
> >> until the POTS provider called us and we blocked the line.
> >>
> >>
> >>
> >> The analog line in the show home serves 2 purposes. It is connected to
> >> the SRST FXO port on the Cisco 2801 router and also connects to the analog
> >> fax machine.
> >>
> >>
> >>
> >> At this point, the POTS provider feels that somehow the 2801 router has
> >> been compromised and is being used to route calls out the FXO port. We have
> >> a cordless phone on an ATA, and at first they felt this was the source but I
> >> indicated that any calls from the cordless phone would leave through our PRI
> >> in the main office, through the phone line on the FXO port.
> >>
> >>
> >>
> >> Even if someone had managed to guess our admin password for the console of
> >> the router, I don't believe that person sitting on the Internet would be
> >> able to get a call to connect from their computer, through the Internet, and
> >> leave out our FXO port in our site.
> >>
> >>
> >>
> >> I'm wondering if anyone on the list has some thoughts as to how the system
> >> could have been compromise or if it just isn't possible. The POTS line is
> >> actually a digital line provided by Shaw (a local cable/telco in Alberta).
> >> I feel that their "digital" phone terminal has been compromised though it
> >> isn't connected to the Internet in any way. One other possibility is old
> >> school phone phreaking where someone has actually tapped into the physical
> >> line but they would have been sitting outside in the cold for a very long
> >> time making these crazy calls.
> >>
> >>
> >>
> >> I look forward to any insight the collective brain power of this list can
> >> provide. The bill for these calls is over $6000.
> >>
> >>
> >>
> >> Regards,
> >>
> >> Corbett Enders.
> >>
> >>
> >>
> >> *Corbett Enders*
> >>
> >> Network Manager
> >> Homes by Avi - 2007 Canadian Builder of the Year.
> >> Tel: (403) 536-7170
> >> Fax: (403) 536-7171
> >> www.homesbyavi.com
> >>
> >>
> >>
> >>
> >> ------------------------------
> >>
> >> check out the rest of the Windows Live?. More than mail?Windows Live? goes
> >> way beyond your inbox. More than messages<http://www.microsoft.com/windows/windowslive/>
> >>
> >> No virus found in this incoming message.
> >> Checked by AVG - http://www.avg.com
> >> Version: 8.0.176 / Virus Database: 270.10.4/1880 - Release Date: 1/7/2009
> >> 8:49 AM
> >>
> >>
> >> _______________________________________________
> >> cisco-voip mailing list
> >> cisco-voip@puck.nether.net
> >> https://puck.nether.net/mailman/listinfo/cisco-voip
> >>
> >>
> >
> > _______________________________________________
> > cisco-voip mailing list
> > cisco-voip@puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-voip
> >
> >

> _______________________________________________
> cisco-voip mailing list
> cisco-voip@puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-voip


--
E: stefan@iunxi.nl iunxi BV
M: +31 (0)6 18844094 Postbus 1315
T: +31 (0)88 5400500 1300 BH ALMERE
F: +31 (0)88 5400501
_______________________________________________
cisco-voip mailing list
cisco-voip@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip
Re: Fraud calls to Cuba - Please read [ In reply to ]
Cisco just blames you for not putting up a firewall (or ACLs) in the
first place.

However I couldn't agree with you more ... been there, burnt myself too,
and have heard of several others too. Just search this list ...
http://markmail.org/search/?q=list%3Anet.nether.puck.cisco-voip+sip+port+open

and this has been going on for years now. I think the keyword here is
ignorance.

Even as as an afterthought I do agree with Cisco (that ACLs, firewalls
should be put in place etc.) I still cannot accept, that this is a sane
default.

Anyway. You'll see a bunch of angry rants every time someone pops up
this question, then nothing.

regards,
Zoltan Kelemen

Nicolas wrote:
> Does someone open a TAC at Cisco to talk aout it ?
> What Cisco say about that ?
>
> Nicolas
>
> On Thu, Jan 8, 2009 at 6:16 AM, Aman Chugh <aman.chugh@gmail.com
> <mailto:aman.chugh@gmail.com>> wrote:
>
> I had this happen as well to a CME router which the customer
> connected to the Internet and the router also had a PRI from the
> local telco. Customer had put in a public ip on the router
> exposing it to the Internet as they wanted to do an IPSEC tunnel
> as well. After investigation it was discovered that some one was
> using SIP port on the router and running a script to call numbers
> in CUBA and all calls were a minute call. We put in an ACL to
> block SIP and H.323 on the router to stop this. I believe someone
> is using SIP port (5060) from the Internet and making calls
> through your FXO line.
>
>
> Aman
>
> On Thu, Jan 8, 2009 at 10:31 AM, Ryan West <rwest@zyedge.com
> <mailto:rwest@zyedge.com>> wrote:
>
> The feature set doesn't imply that CBAC is configured
> correctly. Check your outside ACL and since you're only using
> MGCP, you can use the link below to disable SIP processing
> (most likely your culprit, probably a calling card company
> that scans for open routers). You should also disable H323 as
> well. To see if the router has the firewall running, issue a
> show ip inspect sessions. The command I was thinking of
> earlier is 'show control-plan host open-ports', which do a
> netstat type listing on the router.
>
>
>
> Hope that helps.
>
>
>
> -ryan
>
>
>
> *From:* Corbett Enders [mailto:cenders@homesbyavi.com
> <mailto:cenders@homesbyavi.com>]
> *Sent:* Wednesday, January 07, 2009 23:56
> *To:* Ryan West
> *Cc:* Ahmed Elnagar; VOIP Group
>
> *Subject:* Re: [cisco-voip] Fraud calls to Cuba - Please read
>
>
>
> The router is on the Internet, is configured for MGCP and has
> ip advanced services with the firewall feature enabled (for
> VPN and nat). Wouldn't that block external connections?
>
>
> On Jan 7, 2009, at 9:48 PM, "Ryan West" <rwest@zyedge.com
> <mailto:rwest@zyedge.com>> wrote:
>
> If the router is connected to the Internet, both H323
> TCP/1720 and SIP UDP/5060 need to blocked. I don't
> remember the command offhand, but on some versions of code
> it is show ip sockets. Check this out to actually disable
> default SIP and H323 processing:
>
>
>
> https://supportwiki.cisco.com/ViewWiki/index.php/How_to_disable_H.323_and_Session_Initiation_Protocol_(SIP)_services_on_TCP_ports_1720_and_5060_of_a_IOS_gateway_router
> <https://supportwiki.cisco.com/ViewWiki/index.php/How_to_disable_H.323_and_Session_Initiation_Protocol_%28SIP%29_services_on_TCP_ports_1720_and_5060_of_a_IOS_gateway_router>
>
> -ryan
>
>
>
> *From:* cisco-voip-bounces@puck.nether.net
> <mailto:cisco-voip-bounces@puck.nether.net>
> [mailto:cisco-voip-bounces@puck.nether.net] *On Behalf Of
> *Ahmed Elnagar
> *Sent:* Wednesday, January 07, 2009 23:13
> *To:* cenders@homesbyavi.com <mailto:cenders@homesbyavi.com>
> *Cc:* VOIP Group
> *Subject:* Re: [cisco-voip] Fraud calls to Cuba - Please read
>
>
>
>
> Wow...exaclty the same problem I had...but with PRI...I
> have a site in Egypt that the user called us one day and
> informed that he has a bill from the Teleco for 100,000$
> for a period of 3 months and they never produce this
> amount of calls...all calls were for random numbers and
> the call never exceeded 1 minute and these random numbers
> happen to be starting with 00 which is the internationl
> prefix here in Egypt.
>
> After long nights of troubleshootting...I found that the
> gateway was configured to register SIP phones from the
> internet and I found an IP address from Mexico city that
> is trying this random calls so frequent, the strange thing
> is that the gateway was accepting these calls and route it
> to H323 side which relay the call to the PRI.
>
> I did the following to ensure that it will not happen
> again...removed SIP at all from the gateway...converted
> the gateway to MGCP so that every call that will pass the
> gateway will need signalling from Callmanager and will
> leave a record in the CDR. But the strange thing the
> problem contiuned...
>
> During troubleshooting we noticed something strange...alot
> of incoming calls coming to the PRI from a certain local
> number...and it was 3 AM in the morning we called this
> number and he told us that he know no one in this site and
> he has a problem that he got high invoices from the Teleco
> too...so we come up with this conculsion...seems that the
> CO. equipments has some problems and it is generating
> calls on behalf of the user to random numbers...a strange
> thing I know but till now this company still going to
> discussions with the teleco to solve this problem.
>
> I suggest to do the followin...try to review CDR files and
> have a detailed bill from your Teleco and try to compare
> these calls with the CDR calls maybe this would help
> you...also try to activate some debugs and show commands
> "there is some tools that can automate show command every
> 5 mins or so" to know exactly when these calls happen and
> what is the source of it.
>
> Good luck with this strange issue.
>
> Thanks,
> Ahmed Elnagar
>
>
>
> ------------------------------------------------------------------------
>
> From: cenders@homesbyavi.com <mailto:cenders@homesbyavi.com>
> To: cisco-voip@puck.nether.net
> <mailto:cisco-voip@puck.nether.net>
> Date: Wed, 7 Jan 2009 20:26:56 -0700
> Subject: [cisco-voip] Fraud calls to Cuba - Please read
>
> Hello List,
>
>
>
> I've got a situation with 2 remote sites. Over the course
> of several days in late November, somehow the analog POTS
> line in the site (which we use for SRST backup) proceeded
> to make approx 4,940 calls to Cuba. There wasn't really a
> pattern to the calls. It started with a couple of
> repeated calls to the same number and from that point, the
> dialed number changed (not dialed in any sort of
> sequential pattern either). Calls varied in duration from
> 0 seconds to many minutes long. Sometimes the next call
> would happen right away and other times there would be
> several minutes delay between calls. This proceeded to
> occur over the course of about a day and a half until the
> POTS provider called us and we blocked the line.
>
>
>
> The analog line in the show home serves 2 purposes. It is
> connected to the SRST FXO port on the Cisco 2801 router
> and also connects to the analog fax machine.
>
>
>
> At this point, the POTS provider feels that somehow the
> 2801 router has been compromised and is being used to
> route calls out the FXO port. We have a cordless phone on
> an ATA, and at first they felt this was the source but I
> indicated that any calls from the cordless phone would
> leave through our PRI in the main office, through the
> phone line on the FXO port.
>
>
>
> Even if someone had managed to guess our admin password
> for the console of the router, I don't believe that person
> sitting on the Internet would be able to get a call to
> connect from their computer, through the Internet, and
> leave out our FXO port in our site.
>
>
>
> I'm wondering if anyone on the list has some thoughts as
> to how the system could have been compromise or if it just
> isn't possible. The POTS line is actually a digital line
> provided by Shaw (a local cable/telco in Alberta). I feel
> that their "digital" phone terminal has been compromised
> though it isn't connected to the Internet in any way. One
> other possibility is old school phone phreaking where
> someone has actually tapped into the physical line but
> they would have been sitting outside in the cold for a
> very long time making these crazy calls.
>
>
>
> I look forward to any insight the collective brain power
> of this list can provide. The bill for these calls is over
> $6000.
>
>
>
> Regards,
>
> Corbett Enders.
>
>
>
> *Corbett Enders*
>
> Network Manager
> Homes by Avi - 2007 Canadian Builder of the Year.
> Tel: (403) 536-7170
> Fax: (403) 536-7171
> www.homesbyavi.com <http://www.homesbyavi.com/>
>
>
>
>
>
> ------------------------------------------------------------------------
>
> check out the rest of the Windows Liveâ„¢. More than
> mail–Windows Live™ goes way beyond your inbox. More than
> messages <http://www.microsoft.com/windows/windowslive/>
>
> No virus found in this incoming message.
> Checked by AVG - http://www.avg.com <http://www.avg.com/>
> Version: 8.0.176 / Virus Database: 270.10.4/1880 - Release
> Date: 1/7/2009 8:49 AM
>
>
> _______________________________________________
> cisco-voip mailing list
>
> cisco-voip@puck.nether.net <mailto:cisco-voip@puck.nether.net>
> https://puck.nether.net/mailman/listinfo/cisco-voip
>
>
>
> _______________________________________________
> cisco-voip mailing list
> cisco-voip@puck.nether.net <mailto:cisco-voip@puck.nether.net>
> https://puck.nether.net/mailman/listinfo/cisco-voip
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> cisco-voip mailing list
> cisco-voip@puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-voip
>

_______________________________________________
cisco-voip mailing list
cisco-voip@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip
Re: Fraud calls to Cuba - Please read [ In reply to ]
Dial-peer 0 should be disabled. You should have to explicit about what you accept and from who, the router isn't supposed to be a SIP proxy...

-----Original Message-----
From: cisco-voip-bounces@puck.nether.net [mailto:cisco-voip-bounces@puck.nether.net] On Behalf Of Kelemen Zoltan
Sent: Thursday, January 08, 2009 06:51
To: Nicolas
Cc: Corbett Enders; cisco-voip@puck.nether.net
Subject: Re: [cisco-voip] Fraud calls to Cuba - Please read

Cisco just blames you for not putting up a firewall (or ACLs) in the
first place.

However I couldn't agree with you more ... been there, burnt myself too,
and have heard of several others too. Just search this list ...
http://markmail.org/search/?q=list%3Anet.nether.puck.cisco-voip+sip+port+open

and this has been going on for years now. I think the keyword here is
ignorance.

Even as as an afterthought I do agree with Cisco (that ACLs, firewalls
should be put in place etc.) I still cannot accept, that this is a sane
default.

Anyway. You'll see a bunch of angry rants every time someone pops up
this question, then nothing.

regards,
Zoltan Kelemen

Nicolas wrote:
> Does someone open a TAC at Cisco to talk aout it ?
> What Cisco say about that ?
>
> Nicolas
>
> On Thu, Jan 8, 2009 at 6:16 AM, Aman Chugh <aman.chugh@gmail.com
> <mailto:aman.chugh@gmail.com>> wrote:
>
> I had this happen as well to a CME router which the customer
> connected to the Internet and the router also had a PRI from the
> local telco. Customer had put in a public ip on the router
> exposing it to the Internet as they wanted to do an IPSEC tunnel
> as well. After investigation it was discovered that some one was
> using SIP port on the router and running a script to call numbers
> in CUBA and all calls were a minute call. We put in an ACL to
> block SIP and H.323 on the router to stop this. I believe someone
> is using SIP port (5060) from the Internet and making calls
> through your FXO line.
>
>
> Aman
>
> On Thu, Jan 8, 2009 at 10:31 AM, Ryan West <rwest@zyedge.com
> <mailto:rwest@zyedge.com>> wrote:
>
> The feature set doesn't imply that CBAC is configured
> correctly. Check your outside ACL and since you're only using
> MGCP, you can use the link below to disable SIP processing
> (most likely your culprit, probably a calling card company
> that scans for open routers). You should also disable H323 as
> well. To see if the router has the firewall running, issue a
> show ip inspect sessions. The command I was thinking of
> earlier is 'show control-plan host open-ports', which do a
> netstat type listing on the router.
>
>
>
> Hope that helps.
>
>
>
> -ryan
>
>
>
> *From:* Corbett Enders [mailto:cenders@homesbyavi.com
> <mailto:cenders@homesbyavi.com>]
> *Sent:* Wednesday, January 07, 2009 23:56
> *To:* Ryan West
> *Cc:* Ahmed Elnagar; VOIP Group
>
> *Subject:* Re: [cisco-voip] Fraud calls to Cuba - Please read
>
>
>
> The router is on the Internet, is configured for MGCP and has
> ip advanced services with the firewall feature enabled (for
> VPN and nat). Wouldn't that block external connections?
>
>
> On Jan 7, 2009, at 9:48 PM, "Ryan West" <rwest@zyedge.com
> <mailto:rwest@zyedge.com>> wrote:
>
> If the router is connected to the Internet, both H323
> TCP/1720 and SIP UDP/5060 need to blocked. I don't
> remember the command offhand, but on some versions of code
> it is show ip sockets. Check this out to actually disable
> default SIP and H323 processing:
>
>
>
> https://supportwiki.cisco.com/ViewWiki/index.php/How_to_disable_H.323_and_Session_Initiation_Protocol_(SIP)_services_on_TCP_ports_1720_and_5060_of_a_IOS_gateway_router
> <https://supportwiki.cisco.com/ViewWiki/index.php/How_to_disable_H.323_and_Session_Initiation_Protocol_%28SIP%29_services_on_TCP_ports_1720_and_5060_of_a_IOS_gateway_router>
>
> -ryan
>
>
>
> *From:* cisco-voip-bounces@puck.nether.net
> <mailto:cisco-voip-bounces@puck.nether.net>
> [mailto:cisco-voip-bounces@puck.nether.net] *On Behalf Of
> *Ahmed Elnagar
> *Sent:* Wednesday, January 07, 2009 23:13
> *To:* cenders@homesbyavi.com <mailto:cenders@homesbyavi.com>
> *Cc:* VOIP Group
> *Subject:* Re: [cisco-voip] Fraud calls to Cuba - Please read
>
>
>
>
> Wow...exaclty the same problem I had...but with PRI...I
> have a site in Egypt that the user called us one day and
> informed that he has a bill from the Teleco for 100,000$
> for a period of 3 months and they never produce this
> amount of calls...all calls were for random numbers and
> the call never exceeded 1 minute and these random numbers
> happen to be starting with 00 which is the internationl
> prefix here in Egypt.
>
> After long nights of troubleshootting...I found that the
> gateway was configured to register SIP phones from the
> internet and I found an IP address from Mexico city that
> is trying this random calls so frequent, the strange thing
> is that the gateway was accepting these calls and route it
> to H323 side which relay the call to the PRI.
>
> I did the following to ensure that it will not happen
> again...removed SIP at all from the gateway...converted
> the gateway to MGCP so that every call that will pass the
> gateway will need signalling from Callmanager and will
> leave a record in the CDR. But the strange thing the
> problem contiuned...
>
> During troubleshooting we noticed something strange...alot
> of incoming calls coming to the PRI from a certain local
> number...and it was 3 AM in the morning we called this
> number and he told us that he know no one in this site and
> he has a problem that he got high invoices from the Teleco
> too...so we come up with this conculsion...seems that the
> CO. equipments has some problems and it is generating
> calls on behalf of the user to random numbers...a strange
> thing I know but till now this company still going to
> discussions with the teleco to solve this problem.
>
> I suggest to do the followin...try to review CDR files and
> have a detailed bill from your Teleco and try to compare
> these calls with the CDR calls maybe this would help
> you...also try to activate some debugs and show commands
> "there is some tools that can automate show command every
> 5 mins or so" to know exactly when these calls happen and
> what is the source of it.
>
> Good luck with this strange issue.
>
> Thanks,
> Ahmed Elnagar
>
>
>
> ------------------------------------------------------------------------
>
> From: cenders@homesbyavi.com <mailto:cenders@homesbyavi.com>
> To: cisco-voip@puck.nether.net
> <mailto:cisco-voip@puck.nether.net>
> Date: Wed, 7 Jan 2009 20:26:56 -0700
> Subject: [cisco-voip] Fraud calls to Cuba - Please read
>
> Hello List,
>
>
>
> I've got a situation with 2 remote sites. Over the course
> of several days in late November, somehow the analog POTS
> line in the site (which we use for SRST backup) proceeded
> to make approx 4,940 calls to Cuba. There wasn't really a
> pattern to the calls. It started with a couple of
> repeated calls to the same number and from that point, the
> dialed number changed (not dialed in any sort of
> sequential pattern either). Calls varied in duration from
> 0 seconds to many minutes long. Sometimes the next call
> would happen right away and other times there would be
> several minutes delay between calls. This proceeded to
> occur over the course of about a day and a half until the
> POTS provider called us and we blocked the line.
>
>
>
> The analog line in the show home serves 2 purposes. It is
> connected to the SRST FXO port on the Cisco 2801 router
> and also connects to the analog fax machine.
>
>
>
> At this point, the POTS provider feels that somehow the
> 2801 router has been compromised and is being used to
> route calls out the FXO port. We have a cordless phone on
> an ATA, and at first they felt this was the source but I
> indicated that any calls from the cordless phone would
> leave through our PRI in the main office, through the
> phone line on the FXO port.
>
>
>
> Even if someone had managed to guess our admin password
> for the console of the router, I don't believe that person
> sitting on the Internet would be able to get a call to
> connect from their computer, through the Internet, and
> leave out our FXO port in our site.
>
>
>
> I'm wondering if anyone on the list has some thoughts as
> to how the system could have been compromise or if it just
> isn't possible. The POTS line is actually a digital line
> provided by Shaw (a local cable/telco in Alberta). I feel
> that their "digital" phone terminal has been compromised
> though it isn't connected to the Internet in any way. One
> other possibility is old school phone phreaking where
> someone has actually tapped into the physical line but
> they would have been sitting outside in the cold for a
> very long time making these crazy calls.
>
>
>
> I look forward to any insight the collective brain power
> of this list can provide. The bill for these calls is over
> $6000.
>
>
>
> Regards,
>
> Corbett Enders.
>
>
>
> *Corbett Enders*
>
> Network Manager
> Homes by Avi - 2007 Canadian Builder of the Year.
> Tel: (403) 536-7170
> Fax: (403) 536-7171
> www.homesbyavi.com <http://www.homesbyavi.com/>
>
>
>
>
>
> ------------------------------------------------------------------------
>
> check out the rest of the Windows Liveâ„¢. More than
> mail–Windows Live™ goes way beyond your inbox. More than
> messages <http://www.microsoft.com/windows/windowslive/>
>
> No virus found in this incoming message.
> Checked by AVG - http://www.avg.com <http://www.avg.com/>
> Version: 8.0.176 / Virus Database: 270.10.4/1880 - Release
> Date: 1/7/2009 8:49 AM
>
>
> _______________________________________________
> cisco-voip mailing list
>
> cisco-voip@puck.nether.net <mailto:cisco-voip@puck.nether.net>
> https://puck.nether.net/mailman/listinfo/cisco-voip
>
>
>
> _______________________________________________
> cisco-voip mailing list
> cisco-voip@puck.nether.net <mailto:cisco-voip@puck.nether.net>
> https://puck.nether.net/mailman/listinfo/cisco-voip
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> cisco-voip mailing list
> cisco-voip@puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-voip
>

_______________________________________________
cisco-voip mailing list
cisco-voip@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip
_______________________________________________
cisco-voip mailing list
cisco-voip@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip
Re: Fraud calls to Cuba - Please read [ In reply to ]
Reminds me of a time when Windows 2000 server was shipped with EVERYTHING turned on by default (IIS, etc). And here today we have Windows 2008 which boots up with NOTHING enabled. Probably something Cisco should start doing.

-----Original Message-----
From: Stefan Baltus [mailto:stefan@iunxi.nl]
Sent: Thursday, January 08, 2009 2:48 AM
To: Nicolas
Cc: Aman Chugh; Corbett Enders; cisco-voip@puck.nether.net
Subject: Re: [cisco-voip] Fraud calls to Cuba - Please read

I was planning to send Cisco a letter complaining about the fact that these
'features' are enabled by default on an ISR which is positioned as the
platform that does everything (in this case being a voip gateway and
internet router). I would like to hear other thoughts about this as well.

In my view, opening a TAC case would be of lesser use. Better send a letter
to John Chambers or the like of him.

Stefan

On Thu, Jan 08, 2009 at 10:39:34AM +0100, Nicolas wrote:
> Does someone open a TAC at Cisco to talk aout it ?
> What Cisco say about that ?
>
> Nicolas
>
> On Thu, Jan 8, 2009 at 6:16 AM, Aman Chugh <aman.chugh@gmail.com> wrote:
>
> > I had this happen as well to a CME router which the customer connected to
> > the Internet and the router also had a PRI from the local telco. Customer
> > had put in a public ip on the router exposing it to the Internet as they
> > wanted to do an IPSEC tunnel as well. After investigation it was discovered
> > that some one was using SIP port on the router and running a script to call
> > numbers in CUBA and all calls were a minute call. We put in an ACL to block
> > SIP and H.323 on the router to stop this. I believe someone is using SIP
> > port (5060) from the Internet and making calls through your FXO line.
> >
> >
> > Aman
> >
> > On Thu, Jan 8, 2009 at 10:31 AM, Ryan West <rwest@zyedge.com> wrote:
> >
> >> The feature set doesn't imply that CBAC is configured correctly. Check
> >> your outside ACL and since you're only using MGCP, you can use the link
> >> below to disable SIP processing (most likely your culprit, probably a
> >> calling card company that scans for open routers). You should also disable
> >> H323 as well. To see if the router has the firewall running, issue a show
> >> ip inspect sessions. The command I was thinking of earlier is 'show
> >> control-plan host open-ports', which do a netstat type listing on the
> >> router.
> >>
> >>
> >>
> >> Hope that helps.
> >>
> >>
> >>
> >> -ryan
> >>
> >>
> >>
> >> *From:* Corbett Enders [mailto:cenders@homesbyavi.com]
> >> *Sent:* Wednesday, January 07, 2009 23:56
> >> *To:* Ryan West
> >> *Cc:* Ahmed Elnagar; VOIP Group
> >>
> >> *Subject:* Re: [cisco-voip] Fraud calls to Cuba - Please read
> >>
> >>
> >>
> >> The router is on the Internet, is configured for MGCP and has ip advanced
> >> services with the firewall feature enabled (for VPN and nat). Wouldn't that
> >> block external connections?
> >>
> >>
> >> On Jan 7, 2009, at 9:48 PM, "Ryan West" <rwest@zyedge.com> wrote:
> >>
> >> If the router is connected to the Internet, both H323 TCP/1720 and SIP
> >> UDP/5060 need to blocked. I don't remember the command offhand, but on some
> >> versions of code it is show ip sockets. Check this out to actually disable
> >> default SIP and H323 processing:
> >>
> >>
> >>
> >>
> >> https://supportwiki.cisco.com/ViewWiki/index.php/How_to_disable_H.323_and_Session_Initiation_Protocol_(SIP)_services_on_TCP_ports_1720_and_5060_of_a_IOS_gateway_router<https://supportwiki.cisco.com/ViewWiki/index.php/How_to_disable_H.323_and_Session_Initiation_Protocol_%28SIP%29_services_on_TCP_ports_1720_and_5060_of_a_IOS_gateway_router>
> >>
> >> -ryan
> >>
> >>
> >>
> >> *From:* cisco-voip-bounces@puck.nether.net [
> >> mailto:cisco-voip-bounces@puck.nether.net<cisco-voip-bounces@puck.nether.net>]
> >> *On Behalf Of *Ahmed Elnagar
> >> *Sent:* Wednesday, January 07, 2009 23:13
> >> *To:* cenders@homesbyavi.com
> >> *Cc:* VOIP Group
> >> *Subject:* Re: [cisco-voip] Fraud calls to Cuba - Please read
> >>
> >>
> >>
> >>
> >> Wow...exaclty the same problem I had...but with PRI...I have a site in
> >> Egypt that the user called us one day and informed that he has a bill from
> >> the Teleco for 100,000$ for a period of 3 months and they never produce this
> >> amount of calls...all calls were for random numbers and the call never
> >> exceeded 1 minute and these random numbers happen to be starting with 00
> >> which is the internationl prefix here in Egypt.
> >>
> >> After long nights of troubleshootting...I found that the gateway was
> >> configured to register SIP phones from the internet and I found an IP
> >> address from Mexico city that is trying this random calls so frequent, the
> >> strange thing is that the gateway was accepting these calls and route it to
> >> H323 side which relay the call to the PRI.
> >>
> >> I did the following to ensure that it will not happen again...removed SIP
> >> at all from the gateway...converted the gateway to MGCP so that every call
> >> that will pass the gateway will need signalling from Callmanager and will
> >> leave a record in the CDR. But the strange thing the problem contiuned...
> >>
> >> During troubleshooting we noticed something strange...alot of incoming
> >> calls coming to the PRI from a certain local number...and it was 3 AM in the
> >> morning we called this number and he told us that he know no one in this
> >> site and he has a problem that he got high invoices from the Teleco too...so
> >> we come up with this conculsion...seems that the CO. equipments has some
> >> problems and it is generating calls on behalf of the user to random
> >> numbers...a strange thing I know but till now this company still going to
> >> discussions with the teleco to solve this problem.
> >>
> >> I suggest to do the followin...try to review CDR files and have a detailed
> >> bill from your Teleco and try to compare these calls with the CDR calls
> >> maybe this would help you...also try to activate some debugs and show
> >> commands "there is some tools that can automate show command every 5 mins or
> >> so" to know exactly when these calls happen and what is the source of it.
> >>
> >> Good luck with this strange issue.
> >>
> >> Thanks,
> >> Ahmed Elnagar
> >>
> >>
> >>
> >> ------------------------------
> >>
> >> From: cenders@homesbyavi.com
> >> To: cisco-voip@puck.nether.net
> >> Date: Wed, 7 Jan 2009 20:26:56 -0700
> >> Subject: [cisco-voip] Fraud calls to Cuba - Please read
> >>
> >> Hello List,
> >>
> >>
> >>
> >> I've got a situation with 2 remote sites. Over the course of several days
> >> in late November, somehow the analog POTS line in the site (which we use for
> >> SRST backup) proceeded to make approx 4,940 calls to Cuba. There wasn't
> >> really a pattern to the calls. It started with a couple of repeated calls
> >> to the same number and from that point, the dialed number changed (not
> >> dialed in any sort of sequential pattern either). Calls varied in duration
> >> from 0 seconds to many minutes long. Sometimes the next call would happen
> >> right away and other times there would be several minutes delay between
> >> calls. This proceeded to occur over the course of about a day and a half
> >> until the POTS provider called us and we blocked the line.
> >>
> >>
> >>
> >> The analog line in the show home serves 2 purposes. It is connected to
> >> the SRST FXO port on the Cisco 2801 router and also connects to the analog
> >> fax machine.
> >>
> >>
> >>
> >> At this point, the POTS provider feels that somehow the 2801 router has
> >> been compromised and is being used to route calls out the FXO port. We have
> >> a cordless phone on an ATA, and at first they felt this was the source but I
> >> indicated that any calls from the cordless phone would leave through our PRI
> >> in the main office, through the phone line on the FXO port.
> >>
> >>
> >>
> >> Even if someone had managed to guess our admin password for the console of
> >> the router, I don't believe that person sitting on the Internet would be
> >> able to get a call to connect from their computer, through the Internet, and
> >> leave out our FXO port in our site.
> >>
> >>
> >>
> >> I'm wondering if anyone on the list has some thoughts as to how the system
> >> could have been compromise or if it just isn't possible. The POTS line is
> >> actually a digital line provided by Shaw (a local cable/telco in Alberta).
> >> I feel that their "digital" phone terminal has been compromised though it
> >> isn't connected to the Internet in any way. One other possibility is old
> >> school phone phreaking where someone has actually tapped into the physical
> >> line but they would have been sitting outside in the cold for a very long
> >> time making these crazy calls.
> >>
> >>
> >>
> >> I look forward to any insight the collective brain power of this list can
> >> provide. The bill for these calls is over $6000.
> >>
> >>
> >>
> >> Regards,
> >>
> >> Corbett Enders.
> >>
> >>
> >>
> >> *Corbett Enders*
> >>
> >> Network Manager
> >> Homes by Avi - 2007 Canadian Builder of the Year.
> >> Tel: (403) 536-7170
> >> Fax: (403) 536-7171
> >> www.homesbyavi.com
> >>
> >>
> >>
> >>
> >> ------------------------------
> >>
> >> check out the rest of the Windows Live?. More than mail?Windows Live? goes
> >> way beyond your inbox. More than messages<http://www.microsoft.com/windows/windowslive/>
> >>
> >> No virus found in this incoming message.
> >> Checked by AVG - http://www.avg.com
> >> Version: 8.0.176 / Virus Database: 270.10.4/1880 - Release Date: 1/7/2009
> >> 8:49 AM
> >>
> >>
> >> _______________________________________________
> >> cisco-voip mailing list
> >> cisco-voip@puck.nether.net
> >> https://puck.nether.net/mailman/listinfo/cisco-voip
> >>
> >>
> >
> > _______________________________________________
> > cisco-voip mailing list
> > cisco-voip@puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-voip
> >
> >

> _______________________________________________
> cisco-voip mailing list
> cisco-voip@puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-voip


--
E: stefan@iunxi.nl iunxi BV
M: +31 (0)6 18844094 Postbus 1315
T: +31 (0)88 5400500 1300 BH ALMERE
F: +31 (0)88 5400501

_______________________________________________
cisco-voip mailing list
cisco-voip@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip
Re: Fraud calls to Cuba - Please read [ In reply to ]
So it turns out SIP 5060 is open, after running show ip sockets.

Interestingly enough, the hacker is connected to me right now (though we've blocked international calls at the telco level).

His IP is 124.217.250.240.

If you read this article, http://www.honeynor.no/, it describes the attack in detail. I found the article by searching the phone number initially dialed, 52555169000.


From: Ryan West [mailto:rwest@zyedge.com]
Sent: Wednesday, January 07, 2009 9:50 PM
To: Ahmed Elnagar; Corbett Enders
Cc: VOIP Group
Subject: RE: [cisco-voip] Fraud calls to Cuba - Please read

If the router is connected to the Internet, both H323 TCP/1720 and SIP UDP/5060 need to blocked. I don't remember the command offhand, but on some versions of code it is show ip sockets. Check this out to actually disable default SIP and H323 processing:

https://supportwiki.cisco.com/ViewWiki/index.php/How_to_disable_H.323_and_Session_Initiation_Protocol_(SIP)_services_on_TCP_ports_1720_and_5060_of_a_IOS_gateway_router
-ryan

From: cisco-voip-bounces@puck.nether.net [mailto:cisco-voip-bounces@puck.nether.net] On Behalf Of Ahmed Elnagar
Sent: Wednesday, January 07, 2009 23:13
To: cenders@homesbyavi.com
Cc: VOIP Group
Subject: Re: [cisco-voip] Fraud calls to Cuba - Please read


Wow...exaclty the same problem I had...but with PRI...I have a site in Egypt that the user called us one day and informed that he has a bill from the Teleco for 100,000$ for a period of 3 months and they never produce this amount of calls...all calls were for random numbers and the call never exceeded 1 minute and these random numbers happen to be starting with 00 which is the internationl prefix here in Egypt.

After long nights of troubleshootting...I found that the gateway was configured to register SIP phones from the internet and I found an IP address from Mexico city that is trying this random calls so frequent, the strange thing is that the gateway was accepting these calls and route it to H323 side which relay the call to the PRI.

I did the following to ensure that it will not happen again...removed SIP at all from the gateway...converted the gateway to MGCP so that every call that will pass the gateway will need signalling from Callmanager and will leave a record in the CDR. But the strange thing the problem contiuned...

During troubleshooting we noticed something strange...alot of incoming calls coming to the PRI from a certain local number...and it was 3 AM in the morning we called this number and he told us that he know no one in this site and he has a problem that he got high invoices from the Teleco too...so we come up with this conculsion...seems that the CO. equipments has some problems and it is generating calls on behalf of the user to random numbers...a strange thing I know but till now this company still going to discussions with the teleco to solve this problem.

I suggest to do the followin...try to review CDR files and have a detailed bill from your Teleco and try to compare these calls with the CDR calls maybe this would help you...also try to activate some debugs and show commands "there is some tools that can automate show command every 5 mins or so" to know exactly when these calls happen and what is the source of it.

Good luck with this strange issue.
Thanks,
Ahmed Elnagar

________________________________
From: cenders@homesbyavi.com
To: cisco-voip@puck.nether.net
Date: Wed, 7 Jan 2009 20:26:56 -0700
Subject: [cisco-voip] Fraud calls to Cuba - Please read
Hello List,

I've got a situation with 2 remote sites. Over the course of several days in late November, somehow the analog POTS line in the site (which we use for SRST backup) proceeded to make approx 4,940 calls to Cuba. There wasn't really a pattern to the calls. It started with a couple of repeated calls to the same number and from that point, the dialed number changed (not dialed in any sort of sequential pattern either). Calls varied in duration from 0 seconds to many minutes long. Sometimes the next call would happen right away and other times there would be several minutes delay between calls. This proceeded to occur over the course of about a day and a half until the POTS provider called us and we blocked the line.

The analog line in the show home serves 2 purposes. It is connected to the SRST FXO port on the Cisco 2801 router and also connects to the analog fax machine.

At this point, the POTS provider feels that somehow the 2801 router has been compromised and is being used to route calls out the FXO port. We have a cordless phone on an ATA, and at first they felt this was the source but I indicated that any calls from the cordless phone would leave through our PRI in the main office, through the phone line on the FXO port.

Even if someone had managed to guess our admin password for the console of the router, I don't believe that person sitting on the Internet would be able to get a call to connect from their computer, through the Internet, and leave out our FXO port in our site.

I'm wondering if anyone on the list has some thoughts as to how the system could have been compromise or if it just isn't possible. The POTS line is actually a digital line provided by Shaw (a local cable/telco in Alberta). I feel that their "digital" phone terminal has been compromised though it isn't connected to the Internet in any way. One other possibility is old school phone phreaking where someone has actually tapped into the physical line but they would have been sitting outside in the cold for a very long time making these crazy calls.

I look forward to any insight the collective brain power of this list can provide. The bill for these calls is over $6000.

Regards,
Corbett Enders.

Corbett Enders
Network Manager
Homes by Avi - 2007 Canadian Builder of the Year.
Tel: (403) 536-7170
Fax: (403) 536-7171
www.homesbyavi.com<http://www.homesbyavi.com/>


________________________________
check out the rest of the Windows Live(tm). More than mail-Windows Live(tm) goes way beyond your inbox. More than messages<http://www.microsoft.com/windows/windowslive/>

No virus found in this incoming message.
Checked by AVG - http://www.avg.com
Version: 8.0.176 / Virus Database: 270.10.4/1880 - Release Date: 1/7/2009 8:49 AM
Re: Fraud calls to Cuba - Please read [ In reply to ]
# whois 124.217.250.240
[Querying whois.apnic.net]
[whois.apnic.net]
% [whois.apnic.net node-1]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

inetnum: 124.217.224.0 - 124.217.255.255
netname: PIRADIUS-NET
descr: PIRADIUS NET
country: MY
admin-c: PA124-AP
tech-c: PA124-AP
status: ALLOCATED PORTABLE
remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
remarks: This object can only be updated by APNIC hostmasters.
remarks: To update this object, please contact APNIC
remarks: hostmasters and include your organisation's account
remarks: name in the subject line.
remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
mnt-by: APNIC-HM
mnt-lower: MAINT-MY-PIRADIUS
changed: hm-changed@apnic.net 20071217
source: APNIC

person: PIRADIUS NET Administrator
nic-hdl: PA124-AP
e-mail: abuse@piradius.net
address: PIRADIUS NET
address: Unit 21-3A, Level 21
address: Plaza DNP 59, Jalan Abdullah Tahir
address: Taman Century Garden
address: 80300 Johor Bahru, Johor
address: Malaysia
phone: +607 334 8605
fax-no: +607 334 8605
country: MY
changed: admin@piradius.net 20071003
mnt-by: MAINT-MY-PIRADIUS
source: APNIC


Vincent Loschiavo
Director of Consulting
[cid:image001.gif@01C9718E.C7362940]
8200 NW 41st Street, Suite 130
Miami, FL 33166
Ofc: 954-671-5669
Cell: 786-282-1164
Fax: 888-767-5905
Email: vloschiavo@data-corporation.com<mailto:vloschiavo@data-corporation.com>

"KEEPING YOUR BUSINESS HIGHLY AVAILABLE"
[cid:image002.gif@01C9718E.C7362940]

From: cisco-voip-bounces@puck.nether.net [mailto:cisco-voip-bounces@puck.nether.net] On Behalf Of Corbett Enders
Sent: Thursday, January 08, 2009 12:37 PM
To: Ryan West; Ahmed Elnagar
Cc: VOIP Group
Subject: Re: [cisco-voip] Fraud calls to Cuba - Please read

So it turns out SIP 5060 is open, after running show ip sockets.

Interestingly enough, the hacker is connected to me right now (though we've blocked international calls at the telco level).

His IP is 124.217.250.240.

If you read this article, http://www.honeynor.no/, it describes the attack in detail. I found the article by searching the phone number initially dialed, 52555169000.


From: Ryan West [mailto:rwest@zyedge.com]
Sent: Wednesday, January 07, 2009 9:50 PM
To: Ahmed Elnagar; Corbett Enders
Cc: VOIP Group
Subject: RE: [cisco-voip] Fraud calls to Cuba - Please read

If the router is connected to the Internet, both H323 TCP/1720 and SIP UDP/5060 need to blocked. I don't remember the command offhand, but on some versions of code it is show ip sockets. Check this out to actually disable default SIP and H323 processing:

https://supportwiki.cisco.com/ViewWiki/index.php/How_to_disable_H.323_and_Session_Initiation_Protocol_(SIP)_services_on_TCP_ports_1720_and_5060_of_a_IOS_gateway_router
-ryan

From: cisco-voip-bounces@puck.nether.net [mailto:cisco-voip-bounces@puck.nether.net] On Behalf Of Ahmed Elnagar
Sent: Wednesday, January 07, 2009 23:13
To: cenders@homesbyavi.com
Cc: VOIP Group
Subject: Re: [cisco-voip] Fraud calls to Cuba - Please read


Wow...exaclty the same problem I had...but with PRI...I have a site in Egypt that the user called us one day and informed that he has a bill from the Teleco for 100,000$ for a period of 3 months and they never produce this amount of calls...all calls were for random numbers and the call never exceeded 1 minute and these random numbers happen to be starting with 00 which is the internationl prefix here in Egypt.

After long nights of troubleshootting...I found that the gateway was configured to register SIP phones from the internet and I found an IP address from Mexico city that is trying this random calls so frequent, the strange thing is that the gateway was accepting these calls and route it to H323 side which relay the call to the PRI.

I did the following to ensure that it will not happen again...removed SIP at all from the gateway...converted the gateway to MGCP so that every call that will pass the gateway will need signalling from Callmanager and will leave a record in the CDR. But the strange thing the problem contiuned...

During troubleshooting we noticed something strange...alot of incoming calls coming to the PRI from a certain local number...and it was 3 AM in the morning we called this number and he told us that he know no one in this site and he has a problem that he got high invoices from the Teleco too...so we come up with this conculsion...seems that the CO. equipments has some problems and it is generating calls on behalf of the user to random numbers...a strange thing I know but till now this company still going to discussions with the teleco to solve this problem.

I suggest to do the followin...try to review CDR files and have a detailed bill from your Teleco and try to compare these calls with the CDR calls maybe this would help you...also try to activate some debugs and show commands "there is some tools that can automate show command every 5 mins or so" to know exactly when these calls happen and what is the source of it.

Good luck with this strange issue.
Thanks,
Ahmed Elnagar
________________________________
From: cenders@homesbyavi.com
To: cisco-voip@puck.nether.net
Date: Wed, 7 Jan 2009 20:26:56 -0700
Subject: [cisco-voip] Fraud calls to Cuba - Please read
Hello List,

I've got a situation with 2 remote sites. Over the course of several days in late November, somehow the analog POTS line in the site (which we use for SRST backup) proceeded to make approx 4,940 calls to Cuba. There wasn't really a pattern to the calls. It started with a couple of repeated calls to the same number and from that point, the dialed number changed (not dialed in any sort of sequential pattern either). Calls varied in duration from 0 seconds to many minutes long. Sometimes the next call would happen right away and other times there would be several minutes delay between calls. This proceeded to occur over the course of about a day and a half until the POTS provider called us and we blocked the line.

The analog line in the show home serves 2 purposes. It is connected to the SRST FXO port on the Cisco 2801 router and also connects to the analog fax machine.

At this point, the POTS provider feels that somehow the 2801 router has been compromised and is being used to route calls out the FXO port. We have a cordless phone on an ATA, and at first they felt this was the source but I indicated that any calls from the cordless phone would leave through our PRI in the main office, through the phone line on the FXO port.

Even if someone had managed to guess our admin password for the console of the router, I don't believe that person sitting on the Internet would be able to get a call to connect from their computer, through the Internet, and leave out our FXO port in our site.

I'm wondering if anyone on the list has some thoughts as to how the system could have been compromise or if it just isn't possible. The POTS line is actually a digital line provided by Shaw (a local cable/telco in Alberta). I feel that their "digital" phone terminal has been compromised though it isn't connected to the Internet in any way. One other possibility is old school phone phreaking where someone has actually tapped into the physical line but they would have been sitting outside in the cold for a very long time making these crazy calls.

I look forward to any insight the collective brain power of this list can provide. The bill for these calls is over $6000.

Regards,
Corbett Enders.

Corbett Enders
Network Manager
Homes by Avi - 2007 Canadian Builder of the Year.
Tel: (403) 536-7170
Fax: (403) 536-7171
www.homesbyavi.com<http://www.homesbyavi.com/>


________________________________
check out the rest of the Windows Live(tm). More than mail-Windows Live(tm) goes way beyond your inbox. More than messages<http://www.microsoft.com/windows/windowslive/>

No virus found in this incoming message.
Checked by AVG - http://www.avg.com
Version: 8.0.176 / Virus Database: 270.10.4/1880 - Release Date: 1/7/2009 8:49 AM
Re: Fraud calls to Cuba - Please read [ In reply to ]
this is very interesting information. our routers are protected from Internet with ACLs, but I'd like to run that "show sockets" command anyways. We'll eventually have to configure them to block these ports anyways.

does anyone know what that command is? i tried running "show ip sockets" but it's not available.

i'm running 12.4(13r)T


---
Lelio Fulgenzi, B.A.
Senior Analyst (CCS) * University of Guelph * Guelph, Ontario N1G 2W1
(519) 824-4120 x56354 (519) 767-1060 FAX (JNHN)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
"Bad grammar makes me [sic]" - Tshirt


----- Original Message -----
From: "Corbett Enders" <cenders@homesbyavi.com>
To: "Ryan West" <rwest@zyedge.com>, "Ahmed Elnagar" <ahmed_elnagar@hotmail.com>
Cc: "VOIP Group" <cisco-voip@puck.nether.net>
Sent: Thursday, January 8, 2009 12:37:26 PM GMT -05:00 US/Canada Eastern
Subject: Re: [cisco-voip] Fraud calls to Cuba - Please read




So it turns out SIP 5060 is open, after running show ip sockets.



Interestingly enough, the hacker is connected to me right now (though we’ve blocked international calls at the telco level).



His IP is 124.217.250.240.



If you read this article, http://www.honeynor.no/ , it describes the attack in detail. I found the article by searching the phone number initially dialed, 52555169000.







From: Ryan West [mailto:rwest@zyedge.com]
Sent: Wednesday, January 07, 2009 9:50 PM
To: Ahmed Elnagar; Corbett Enders
Cc: VOIP Group
Subject: RE: [cisco-voip] Fraud calls to Cuba - Please read



If the router is connected to the Internet, both H323 TCP/1720 and SIP UDP/5060 need to blocked. I don’t remember the command offhand, but on some versions of code it is show ip sockets. Check this out to actually disable default SIP and H323 processing:



https://supportwiki.cisco.com/ViewWiki/index.php/How_to_disable_H.323_and_Session_Initiation_Protocol_(SIP)_services_on_TCP_ports_1720_and_5060_of_a_IOS_gateway_router

-ryan





From: cisco-voip-bounces@puck.nether.net [mailto:cisco-voip-bounces@puck.nether.net] On Behalf Of Ahmed Elnagar
Sent: Wednesday, January 07, 2009 23:13
To: cenders@homesbyavi.com
Cc: VOIP Group
Subject: Re: [cisco-voip] Fraud calls to Cuba - Please read




Wow...exaclty the same problem I had...but with PRI...I have a site in Egypt that the user called us one day and informed that he has a bill from the Teleco for 100,000$ for a period of 3 months and they never produce this amount of calls...all calls were for random numbers and the call never exceeded 1 minute and these random numbers happen to be starting with 00 which is the internationl prefix here in Egypt.

After long nights of troubleshootting...I found that the gateway was configured to register SIP phones from the internet and I found an IP address from Mexico city that is trying this random calls so frequent, the strange thing is that the gateway was accepting these calls and route it to H323 side which relay the call to the PRI.

I did the following to ensure that it will not happen again...removed SIP at all from the gateway...converted the gateway to MGCP so that every call that will pass the gateway will need signalling from Callmanager and will leave a record in the CDR. But the strange thing the problem contiuned...

During troubleshooting we noticed something strange...alot of incoming calls coming to the PRI from a certain local number...and it was 3 AM in the morning we called this number and he told us that he know no one in this site and he has a problem that he got high invoices from the Teleco too...so we come up with this conculsion...seems that the CO. equipments has some problems and it is generating calls on behalf of the user to random numbers...a strange thing I know but till now this company still going to discussions with the teleco to solve this problem.

I suggest to do the followin...try to review CDR files and have a detailed bill from your Teleco and try to compare these calls with the CDR calls maybe this would help you...also try to activate some debugs and show commands "there is some tools that can automate show command every 5 mins or so" to know exactly when these calls happen and what is the source of it.

Good luck with this strange issue.


Thanks,
Ahmed Elnagar





From: cenders@homesbyavi.com
To: cisco-voip@puck.nether.net
Date: Wed, 7 Jan 2009 20:26:56 -0700
Subject: [cisco-voip] Fraud calls to Cuba - Please read


Hello List,



I’ve got a situation with 2 remote sites. Over the course of several days in late November, somehow the analog POTS line in the site (which we use for SRST backup) proceeded to make approx 4,940 calls to Cuba. There wasn’t really a pattern to the calls. It started with a couple of repeated calls to the same number and from that point, the dialed number changed (not dialed in any sort of sequential pattern either). Calls varied in duration from 0 seconds to many minutes long. Sometimes the next call would happen right away and other times there would be several minutes delay between calls. This proceeded to occur over the course of about a day and a half until the POTS provider called us and we blocked the line.



The analog line in the show home serves 2 purposes. It is connected to the SRST FXO port on the Cisco 2801 router and also connects to the analog fax machine.



At this point, the POTS provider feels that somehow the 2801 router has been compromised and is being used to route calls out the FXO port. We have a cordless phone on an ATA, and at first they felt this was the source but I indicated that any calls from the cordless phone would leave through our PRI in the main office, through the phone line on the FXO port.



Even if someone had managed to guess our admin password for the console of the router, I don’t believe that person sitting on the Internet would be able to get a call to connect from their computer, through the Internet, and leave out our FXO port in our site.



I’m wondering if anyone on the list has some thoughts as to how the system could have been compromise or if it just isn’t possible. The POTS line is actually a digital line provided by Shaw (a local cable/telco in Alberta). I feel that their “digital” phone terminal has been compromised though it isn’t connected to the Internet in any way. One other possibility is old school phone phreaking where someone has actually tapped into the physical line but they would have been sitting outside in the cold for a very long time making these crazy calls.



I look forward to any insight the collective brain power of this list can provide. The bill for these calls is over $6000.



Regards,

Corbett Enders.



Corbett Enders

Network Manager
Homes by Avi - 2007 Canadian Builder of the Year.
Tel: (403) 536-7170
Fax: (403) 536-7171
www.homesbyavi.com







check out the rest of the Windows Live™. More than mail–Windows Live™ goes way beyond your inbox. More than messages

No virus found in this incoming message.
Checked by AVG - http://www.avg.com
Version: 8.0.176 / Virus Database: 270.10.4/1880 - Release Date: 1/7/2009 8:49 AM
_______________________________________________ cisco-voip mailing list cisco-voip@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-voip
Re: Fraud calls to Cuba - Please read [ In reply to ]
Older IOS needs show ip sockets. Newer IOS (yours) use: show control-plane host open-ports


From: Lelio Fulgenzi [mailto:lelio@uoguelph.ca]
Sent: Thursday, January 08, 2009 10:48 AM
To: Corbett Enders
Cc: VOIP Group; Ryan West; Ahmed Elnagar
Subject: Re: [cisco-voip] Fraud calls to Cuba - Please read

this is very interesting information. our routers are protected from Internet with ACLs, but I'd like to run that "show sockets" command anyways. We'll eventually have to configure them to block these ports anyways.

does anyone know what that command is? i tried running "show ip sockets" but it's not available.

i'm running 12.4(13r)T


---
Lelio Fulgenzi, B.A.
Senior Analyst (CCS) * University of Guelph * Guelph, Ontario N1G 2W1
(519) 824-4120 x56354 (519) 767-1060 FAX (JNHN)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
"Bad grammar makes me [sic]" - Tshirt


----- Original Message -----
From: "Corbett Enders" <cenders@homesbyavi.com>
To: "Ryan West" <rwest@zyedge.com>, "Ahmed Elnagar" <ahmed_elnagar@hotmail.com>
Cc: "VOIP Group" <cisco-voip@puck.nether.net>
Sent: Thursday, January 8, 2009 12:37:26 PM GMT -05:00 US/Canada Eastern
Subject: Re: [cisco-voip] Fraud calls to Cuba - Please read


So it turns out SIP 5060 is open, after running show ip sockets.

Interestingly enough, the hacker is connected to me right now (though we’ve blocked international calls at the telco level).

His IP is 124.217.250.240.

If you read this article, http://www.honeynor.no/, it describes the attack in detail. I found the article by searching the phone number initially dialed, 52555169000.


From: Ryan West [mailto:rwest@zyedge.com]
Sent: Wednesday, January 07, 2009 9:50 PM
To: Ahmed Elnagar; Corbett Enders
Cc: VOIP Group
Subject: RE: [cisco-voip] Fraud calls to Cuba - Please read

If the router is connected to the Internet, both H323 TCP/1720 and SIP UDP/5060 need to blocked. I don’t remember the command offhand, but on some versions of code it is show ip sockets. Check this out to actually disable default SIP and H323 processing:

https://supportwiki.cisco.com/ViewWiki/index.php/How_to_disable_H.323_and_Session_Initiation_Protocol_(SIP)_services_on_TCP_ports_1720_and_5060_of_a_IOS_gateway_router<https://supportwiki.cisco.com/ViewWiki/index.php/How_to_disable_H.323_and_Session_Initiation_Protocol_%28SIP%29_services_on_TCP_ports_1720_and_5060_of_a_IOS_gateway_router>
-ryan

From: cisco-voip-bounces@puck.nether.net [mailto:cisco-voip-bounces@puck.nether.net] On Behalf Of Ahmed Elnagar
Sent: Wednesday, January 07, 2009 23:13
To: cenders@homesbyavi.com
Cc: VOIP Group
Subject: Re: [cisco-voip] Fraud calls to Cuba - Please read


Wow...exaclty the same problem I had...but with PRI...I have a site in Egypt that the user called us one day and informed that he has a bill from the Teleco for 100,000$ for a period of 3 months and they never produce this amount of calls...all calls were for random numbers and the call never exceeded 1 minute and these random numbers happen to be starting with 00 which is the internationl prefix here in Egypt.

After long nights of troubleshootting...I found that the gateway was configured to register SIP phones from the internet and I found an IP address from Mexico city that is trying this random calls so frequent, the strange thing is that the gateway was accepting these calls and route it to H323 side which relay the call to the PRI.

I did the following to ensure that it will not happen again...removed SIP at all from the gateway...converted the gateway to MGCP so that every call that will pass the gateway will need signalling from Callmanager and will leave a record in the CDR. But the strange thing the problem contiuned...

During troubleshooting we noticed something strange...alot of incoming calls coming to the PRI from a certain local number...and it was 3 AM in the morning we called this number and he told us that he know no one in this site and he has a problem that he got high invoices from the Teleco too...so we come up with this conculsion...seems that the CO. equipments has some problems and it is generating calls on behalf of the user to random numbers...a strange thing I know but till now this company still going to discussions with the teleco to solve this problem.

I suggest to do the followin...try to review CDR files and have a detailed bill from your Teleco and try to compare these calls with the CDR calls maybe this would help you...also try to activate some debugs and show commands "there is some tools that can automate show command every 5 mins or so" to know exactly when these calls happen and what is the source of it.

Good luck with this strange issue.
Thanks,
Ahmed Elnagar
________________________________
From: cenders@homesbyavi.com
To: cisco-voip@puck.nether.net
Date: Wed, 7 Jan 2009 20:26:56 -0700
Subject: [cisco-voip] Fraud calls to Cuba - Please read
Hello List,

I’ve got a situation with 2 remote sites. Over the course of several days in late November, somehow the analog POTS line in the site (which we use for SRST backup) proceeded to make approx 4,940 calls to Cuba. There wasn’t really a pattern to the calls. It started with a couple of repeated calls to the same number and from that point, the dialed number changed (not dialed in any sort of sequential pattern either). Calls varied in duration from 0 seconds to many minutes long. Sometimes the next call would happen right away and other times there would be several minutes delay between calls. This proceeded to occur over the course of about a day and a half until the POTS provider called us and we blocked the line.

The analog line in the show home serves 2 purposes. It is connected to the SRST FXO port on the Cisco 2801 router and also connects to the analog fax machine.

At this point, the POTS provider feels that somehow the 2801 router has been compromised and is being used to route calls out the FXO port. We have a cordless phone on an ATA, and at first they felt this was the source but I indicated that any calls from the cordless phone would leave through our PRI in the main office, through the phone line on the FXO port.

Even if someone had managed to guess our admin password for the console of the router, I don’t believe that person sitting on the Internet would be able to get a call to connect from their computer, through the Internet, and leave out our FXO port in our site.

I’m wondering if anyone on the list has some thoughts as to how the system could have been compromise or if it just isn’t possible. The POTS line is actually a digital line provided by Shaw (a local cable/telco in Alberta). I feel that their “digital” phone terminal has been compromised though it isn’t connected to the Internet in any way. One other possibility is old school phone phreaking where someone has actually tapped into the physical line but they would have been sitting outside in the cold for a very long time making these crazy calls.

I look forward to any insight the collective brain power of this list can provide. The bill for these calls is over $6000.

Regards,
Corbett Enders.

Corbett Enders
Network Manager
Homes by Avi - 2007 Canadian Builder of the Year.
Tel: (403) 536-7170
Fax: (403) 536-7171
www.homesbyavi.com<http://www.homesbyavi.com/>


________________________________
check out the rest of the Windows Live™. More than mail–Windows Live™ goes way beyond your inbox. More than messages<http://www.microsoft.com/windows/windowslive/>

No virus found in this incoming message.
Checked by AVG - http://www.avg.com
Version: 8.0.176 / Virus Database: 270.10.4/1880 - Release Date: 1/7/2009 8:49 AM

_______________________________________________ cisco-voip mailing list cisco-voip@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-voip
Re: Fraud calls to Cuba - Please read [ In reply to ]
Show control-plane host open-ports. Sometimes ip sockets does not work.

From: Lelio Fulgenzi [mailto:lelio@uoguelph.ca]
Sent: Thursday, January 08, 2009 12:48
To: Corbett Enders
Cc: VOIP Group; Ryan West; Ahmed Elnagar
Subject: Re: [cisco-voip] Fraud calls to Cuba - Please read

this is very interesting information. our routers are protected from Internet with ACLs, but I'd like to run that "show sockets" command anyways. We'll eventually have to configure them to block these ports anyways.

does anyone know what that command is? i tried running "show ip sockets" but it's not available.

i'm running 12.4(13r)T


---
Lelio Fulgenzi, B.A.
Senior Analyst (CCS) * University of Guelph * Guelph, Ontario N1G 2W1
(519) 824-4120 x56354 (519) 767-1060 FAX (JNHN)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
"Bad grammar makes me [sic]" - Tshirt


----- Original Message -----
From: "Corbett Enders" <cenders@homesbyavi.com>
To: "Ryan West" <rwest@zyedge.com>, "Ahmed Elnagar" <ahmed_elnagar@hotmail.com>
Cc: "VOIP Group" <cisco-voip@puck.nether.net>
Sent: Thursday, January 8, 2009 12:37:26 PM GMT -05:00 US/Canada Eastern
Subject: Re: [cisco-voip] Fraud calls to Cuba - Please read


So it turns out SIP 5060 is open, after running show ip sockets.

Interestingly enough, the hacker is connected to me right now (though we’ve blocked international calls at the telco level).

His IP is 124.217.250.240.

If you read this article, http://www.honeynor.no/, it describes the attack in detail. I found the article by searching the phone number initially dialed, 52555169000.


From: Ryan West [mailto:rwest@zyedge.com]
Sent: Wednesday, January 07, 2009 9:50 PM
To: Ahmed Elnagar; Corbett Enders
Cc: VOIP Group
Subject: RE: [cisco-voip] Fraud calls to Cuba - Please read

If the router is connected to the Internet, both H323 TCP/1720 and SIP UDP/5060 need to blocked. I don’t remember the command offhand, but on some versions of code it is show ip sockets. Check this out to actually disable default SIP and H323 processing:

https://supportwiki.cisco.com/ViewWiki/index.php/How_to_disable_H.323_and_Session_Initiation_Protocol_(SIP)_services_on_TCP_ports_1720_and_5060_of_a_IOS_gateway_router<https://supportwiki.cisco.com/ViewWiki/index.php/How_to_disable_H.323_and_Session_Initiation_Protocol_%28SIP%29_services_on_TCP_ports_1720_and_5060_of_a_IOS_gateway_router>
-ryan

From: cisco-voip-bounces@puck.nether.net [mailto:cisco-voip-bounces@puck.nether.net] On Behalf Of Ahmed Elnagar
Sent: Wednesday, January 07, 2009 23:13
To: cenders@homesbyavi.com
Cc: VOIP Group
Subject: Re: [cisco-voip] Fraud calls to Cuba - Please read


Wow...exaclty the same problem I had...but with PRI...I have a site in Egypt that the user called us one day and informed that he has a bill from the Teleco for 100,000$ for a period of 3 months and they never produce this amount of calls...all calls were for random numbers and the call never exceeded 1 minute and these random numbers happen to be starting with 00 which is the internationl prefix here in Egypt.

After long nights of troubleshootting...I found that the gateway was configured to register SIP phones from the internet and I found an IP address from Mexico city that is trying this random calls so frequent, the strange thing is that the gateway was accepting these calls and route it to H323 side which relay the call to the PRI.

I did the following to ensure that it will not happen again...removed SIP at all from the gateway...converted the gateway to MGCP so that every call that will pass the gateway will need signalling from Callmanager and will leave a record in the CDR. But the strange thing the problem contiuned...

During troubleshooting we noticed something strange...alot of incoming calls coming to the PRI from a certain local number...and it was 3 AM in the morning we called this number and he told us that he know no one in this site and he has a problem that he got high invoices from the Teleco too...so we come up with this conculsion...seems that the CO. equipments has some problems and it is generating calls on behalf of the user to random numbers...a strange thing I know but till now this company still going to discussions with the teleco to solve this problem.

I suggest to do the followin...try to review CDR files and have a detailed bill from your Teleco and try to compare these calls with the CDR calls maybe this would help you...also try to activate some debugs and show commands "there is some tools that can automate show command every 5 mins or so" to know exactly when these calls happen and what is the source of it.

Good luck with this strange issue.
Thanks,
Ahmed Elnagar
________________________________
From: cenders@homesbyavi.com
To: cisco-voip@puck.nether.net
Date: Wed, 7 Jan 2009 20:26:56 -0700
Subject: [cisco-voip] Fraud calls to Cuba - Please read
Hello List,

I’ve got a situation with 2 remote sites. Over the course of several days in late November, somehow the analog POTS line in the site (which we use for SRST backup) proceeded to make approx 4,940 calls to Cuba. There wasn’t really a pattern to the calls. It started with a couple of repeated calls to the same number and from that point, the dialed number changed (not dialed in any sort of sequential pattern either). Calls varied in duration from 0 seconds to many minutes long. Sometimes the next call would happen right away and other times there would be several minutes delay between calls. This proceeded to occur over the course of about a day and a half until the POTS provider called us and we blocked the line.

The analog line in the show home serves 2 purposes. It is connected to the SRST FXO port on the Cisco 2801 router and also connects to the analog fax machine.

At this point, the POTS provider feels that somehow the 2801 router has been compromised and is being used to route calls out the FXO port. We have a cordless phone on an ATA, and at first they felt this was the source but I indicated that any calls from the cordless phone would leave through our PRI in the main office, through the phone line on the FXO port.

Even if someone had managed to guess our admin password for the console of the router, I don’t believe that person sitting on the Internet would be able to get a call to connect from their computer, through the Internet, and leave out our FXO port in our site.

I’m wondering if anyone on the list has some thoughts as to how the system could have been compromise or if it just isn’t possible. The POTS line is actually a digital line provided by Shaw (a local cable/telco in Alberta). I feel that their “digital” phone terminal has been compromised though it isn’t connected to the Internet in any way. One other possibility is old school phone phreaking where someone has actually tapped into the physical line but they would have been sitting outside in the cold for a very long time making these crazy calls.

I look forward to any insight the collective brain power of this list can provide. The bill for these calls is over $6000.

Regards,
Corbett Enders.

Corbett Enders
Network Manager
Homes by Avi - 2007 Canadian Builder of the Year.
Tel: (403) 536-7170
Fax: (403) 536-7171
www.homesbyavi.com<http://www.homesbyavi.com/>


________________________________
check out the rest of the Windows Live™. More than mail–Windows Live™ goes way beyond your inbox. More than messages<http://www.microsoft.com/windows/windowslive/>

No virus found in this incoming message.
Checked by AVG - http://www.avg.com
Version: 8.0.176 / Virus Database: 270.10.4/1880 - Release Date: 1/7/2009 8:49 AM

_______________________________________________ cisco-voip mailing list cisco-voip@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-voip
Re: Fraud calls to Cuba - Please read [ In reply to ]
What is the proposed solution if CME is using a SIP Trunk to an ITSP? I
assume an ACL would be the best way to secure the router.





From: cisco-voip-bounces@puck.nether.net
[mailto:cisco-voip-bounces@puck.nether.net] On Behalf Of Corbett Enders
Sent: Thursday, January 08, 2009 10:37 AM
To: Ryan West; Ahmed Elnagar
Cc: VOIP Group
Subject: Re: [cisco-voip] Fraud calls to Cuba - Please read



So it turns out SIP 5060 is open, after running show ip sockets.



Interestingly enough, the hacker is connected to me right now (though we've
blocked international calls at the telco level).



His IP is 124.217.250.240.



If you read this article, http://www.honeynor.no/, it describes the attack
in detail. I found the article by searching the phone number initially
dialed, 52555169000.





From: Ryan West [mailto:rwest@zyedge.com]
Sent: Wednesday, January 07, 2009 9:50 PM
To: Ahmed Elnagar; Corbett Enders
Cc: VOIP Group
Subject: RE: [cisco-voip] Fraud calls to Cuba - Please read



If the router is connected to the Internet, both H323 TCP/1720 and SIP
UDP/5060 need to blocked. I don't remember the command offhand, but on some
versions of code it is show ip sockets. Check this out to actually disable
default SIP and H323 processing:



https://supportwiki.cisco.com/ViewWiki/index.php/How_to_disable_H.323_and_Se
ssion_Initiation_Protocol_(SIP)_services_on_TCP_ports_1720_and_5060_of_a_IOS
_gateway_router

-ryan



From: cisco-voip-bounces@puck.nether.net
[mailto:cisco-voip-bounces@puck.nether.net] On Behalf Of Ahmed Elnagar
Sent: Wednesday, January 07, 2009 23:13
To: cenders@homesbyavi.com
Cc: VOIP Group
Subject: Re: [cisco-voip] Fraud calls to Cuba - Please read




Wow...exaclty the same problem I had...but with PRI...I have a site in Egypt
that the user called us one day and informed that he has a bill from the
Teleco for 100,000$ for a period of 3 months and they never produce this
amount of calls...all calls were for random numbers and the call never
exceeded 1 minute and these random numbers happen to be starting with 00
which is the internationl prefix here in Egypt.

After long nights of troubleshootting...I found that the gateway was
configured to register SIP phones from the internet and I found an IP
address from Mexico city that is trying this random calls so frequent, the
strange thing is that the gateway was accepting these calls and route it to
H323 side which relay the call to the PRI.

I did the following to ensure that it will not happen again...removed SIP at
all from the gateway...converted the gateway to MGCP so that every call that
will pass the gateway will need signalling from Callmanager and will leave a
record in the CDR. But the strange thing the problem contiuned...

During troubleshooting we noticed something strange...alot of incoming calls
coming to the PRI from a certain local number...and it was 3 AM in the
morning we called this number and he told us that he know no one in this
site and he has a problem that he got high invoices from the Teleco too...so
we come up with this conculsion...seems that the CO. equipments has some
problems and it is generating calls on behalf of the user to random
numbers...a strange thing I know but till now this company still going to
discussions with the teleco to solve this problem.

I suggest to do the followin...try to review CDR files and have a detailed
bill from your Teleco and try to compare these calls with the CDR calls
maybe this would help you...also try to activate some debugs and show
commands "there is some tools that can automate show command every 5 mins or
so" to know exactly when these calls happen and what is the source of it.

Good luck with this strange issue.

Thanks,
Ahmed Elnagar

_____

From: cenders@homesbyavi.com
To: cisco-voip@puck.nether.net
Date: Wed, 7 Jan 2009 20:26:56 -0700
Subject: [cisco-voip] Fraud calls to Cuba - Please read

Hello List,



I've got a situation with 2 remote sites. Over the course of several days
in late November, somehow the analog POTS line in the site (which we use for
SRST backup) proceeded to make approx 4,940 calls to Cuba. There wasn't
really a pattern to the calls. It started with a couple of repeated calls
to the same number and from that point, the dialed number changed (not
dialed in any sort of sequential pattern either). Calls varied in duration
from 0 seconds to many minutes long. Sometimes the next call would happen
right away and other times there would be several minutes delay between
calls. This proceeded to occur over the course of about a day and a half
until the POTS provider called us and we blocked the line.



The analog line in the show home serves 2 purposes. It is connected to the
SRST FXO port on the Cisco 2801 router and also connects to the analog fax
machine.



At this point, the POTS provider feels that somehow the 2801 router has been
compromised and is being used to route calls out the FXO port. We have a
cordless phone on an ATA, and at first they felt this was the source but I
indicated that any calls from the cordless phone would leave through our PRI
in the main office, through the phone line on the FXO port.



Even if someone had managed to guess our admin password for the console of
the router, I don't believe that person sitting on the Internet would be
able to get a call to connect from their computer, through the Internet, and
leave out our FXO port in our site.



I'm wondering if anyone on the list has some thoughts as to how the system
could have been compromise or if it just isn't possible. The POTS line is
actually a digital line provided by Shaw (a local cable/telco in Alberta).
I feel that their "digital" phone terminal has been compromised though it
isn't connected to the Internet in any way. One other possibility is old
school phone phreaking where someone has actually tapped into the physical
line but they would have been sitting outside in the cold for a very long
time making these crazy calls.



I look forward to any insight the collective brain power of this list can
provide. The bill for these calls is over $6000.



Regards,

Corbett Enders.



Corbett Enders

Network Manager
Homes by Avi - 2007 Canadian Builder of the Year.
Tel: (403) 536-7170
Fax: (403) 536-7171
<http://www.homesbyavi.com/> www.homesbyavi.com





_____

check out the rest of the Windows LiveT. More than mail-Windows LiveT goes
way beyond your inbox. More than messages
<http://www.microsoft.com/windows/windowslive/>

No virus found in this incoming message.
Checked by AVG - http://www.avg.com
Version: 8.0.176 / Virus Database: 270.10.4/1880 - Release Date: 1/7/2009
8:49 AM
Re: Fraud calls to Cuba - Please read [ In reply to ]
Yeah, just allow UDP/5060 to the proxy, deny all other SIP traffic and allow the UDP ranges above 1024. Most SIP providers do not use the 16384 - 32767 range for RTP streams.

-ryan

From: Mark Holloway [mailto:mh@markholloway.com]
Sent: Thursday, January 08, 2009 14:07
To: 'Corbett Enders'; Ryan West; 'Ahmed Elnagar'
Cc: 'VOIP Group'
Subject: RE: [cisco-voip] Fraud calls to Cuba - Please read

What is the proposed solution if CME is using a SIP Trunk to an ITSP? I assume an ACL would be the best way to secure the router.


From: cisco-voip-bounces@puck.nether.net [mailto:cisco-voip-bounces@puck.nether.net] On Behalf Of Corbett Enders
Sent: Thursday, January 08, 2009 10:37 AM
To: Ryan West; Ahmed Elnagar
Cc: VOIP Group
Subject: Re: [cisco-voip] Fraud calls to Cuba - Please read

So it turns out SIP 5060 is open, after running show ip sockets.

Interestingly enough, the hacker is connected to me right now (though we've blocked international calls at the telco level).

His IP is 124.217.250.240.

If you read this article, http://www.honeynor.no/, it describes the attack in detail. I found the article by searching the phone number initially dialed, 52555169000.


From: Ryan West [mailto:rwest@zyedge.com]
Sent: Wednesday, January 07, 2009 9:50 PM
To: Ahmed Elnagar; Corbett Enders
Cc: VOIP Group
Subject: RE: [cisco-voip] Fraud calls to Cuba - Please read

If the router is connected to the Internet, both H323 TCP/1720 and SIP UDP/5060 need to blocked. I don't remember the command offhand, but on some versions of code it is show ip sockets. Check this out to actually disable default SIP and H323 processing:

https://supportwiki.cisco.com/ViewWiki/index.php/How_to_disable_H.323_and_Session_Initiation_Protocol_(SIP)_services_on_TCP_ports_1720_and_5060_of_a_IOS_gateway_router
-ryan

From: cisco-voip-bounces@puck.nether.net [mailto:cisco-voip-bounces@puck.nether.net] On Behalf Of Ahmed Elnagar
Sent: Wednesday, January 07, 2009 23:13
To: cenders@homesbyavi.com
Cc: VOIP Group
Subject: Re: [cisco-voip] Fraud calls to Cuba - Please read


Wow...exaclty the same problem I had...but with PRI...I have a site in Egypt that the user called us one day and informed that he has a bill from the Teleco for 100,000$ for a period of 3 months and they never produce this amount of calls...all calls were for random numbers and the call never exceeded 1 minute and these random numbers happen to be starting with 00 which is the internationl prefix here in Egypt.

After long nights of troubleshootting...I found that the gateway was configured to register SIP phones from the internet and I found an IP address from Mexico city that is trying this random calls so frequent, the strange thing is that the gateway was accepting these calls and route it to H323 side which relay the call to the PRI.

I did the following to ensure that it will not happen again...removed SIP at all from the gateway...converted the gateway to MGCP so that every call that will pass the gateway will need signalling from Callmanager and will leave a record in the CDR. But the strange thing the problem contiuned...

During troubleshooting we noticed something strange...alot of incoming calls coming to the PRI from a certain local number...and it was 3 AM in the morning we called this number and he told us that he know no one in this site and he has a problem that he got high invoices from the Teleco too...so we come up with this conculsion...seems that the CO. equipments has some problems and it is generating calls on behalf of the user to random numbers...a strange thing I know but till now this company still going to discussions with the teleco to solve this problem.

I suggest to do the followin...try to review CDR files and have a detailed bill from your Teleco and try to compare these calls with the CDR calls maybe this would help you...also try to activate some debugs and show commands "there is some tools that can automate show command every 5 mins or so" to know exactly when these calls happen and what is the source of it.

Good luck with this strange issue.
Thanks,
Ahmed Elnagar
________________________________
From: cenders@homesbyavi.com
To: cisco-voip@puck.nether.net
Date: Wed, 7 Jan 2009 20:26:56 -0700
Subject: [cisco-voip] Fraud calls to Cuba - Please read
Hello List,

I've got a situation with 2 remote sites. Over the course of several days in late November, somehow the analog POTS line in the site (which we use for SRST backup) proceeded to make approx 4,940 calls to Cuba. There wasn't really a pattern to the calls. It started with a couple of repeated calls to the same number and from that point, the dialed number changed (not dialed in any sort of sequential pattern either). Calls varied in duration from 0 seconds to many minutes long. Sometimes the next call would happen right away and other times there would be several minutes delay between calls. This proceeded to occur over the course of about a day and a half until the POTS provider called us and we blocked the line.

The analog line in the show home serves 2 purposes. It is connected to the SRST FXO port on the Cisco 2801 router and also connects to the analog fax machine.

At this point, the POTS provider feels that somehow the 2801 router has been compromised and is being used to route calls out the FXO port. We have a cordless phone on an ATA, and at first they felt this was the source but I indicated that any calls from the cordless phone would leave through our PRI in the main office, through the phone line on the FXO port.

Even if someone had managed to guess our admin password for the console of the router, I don't believe that person sitting on the Internet would be able to get a call to connect from their computer, through the Internet, and leave out our FXO port in our site.

I'm wondering if anyone on the list has some thoughts as to how the system could have been compromise or if it just isn't possible. The POTS line is actually a digital line provided by Shaw (a local cable/telco in Alberta). I feel that their "digital" phone terminal has been compromised though it isn't connected to the Internet in any way. One other possibility is old school phone phreaking where someone has actually tapped into the physical line but they would have been sitting outside in the cold for a very long time making these crazy calls.

I look forward to any insight the collective brain power of this list can provide. The bill for these calls is over $6000.

Regards,
Corbett Enders.

Corbett Enders
Network Manager
Homes by Avi - 2007 Canadian Builder of the Year.
Tel: (403) 536-7170
Fax: (403) 536-7171
www.homesbyavi.com<http://www.homesbyavi.com/>


________________________________
check out the rest of the Windows Live(tm). More than mail-Windows Live(tm) goes way beyond your inbox. More than messages<http://www.microsoft.com/windows/windowslive/>

No virus found in this incoming message.
Checked by AVG - http://www.avg.com
Version: 8.0.176 / Virus Database: 270.10.4/1880 - Release Date: 1/7/2009 8:49 AM
Re: Fraud calls to Cuba - Please read [ In reply to ]
Don't forget TCP/5060. I assist my companies fraud team from time to time in VoIP fraud, and when we find an open CME/CUBE or the like and we ask for it to be secured, most people forget that SIP can run on both UDP and TCP and they leave themselves vulnerable.

________________________________
From: cisco-voip-bounces@puck.nether.net [mailto:cisco-voip-bounces@puck.nether.net] On Behalf Of Ryan West
Sent: Thursday, January 08, 2009 2:11 PM
To: Mark Holloway; 'Corbett Enders'; 'Ahmed Elnagar'
Cc: 'VOIP Group'
Subject: Re: [cisco-voip] Fraud calls to Cuba - Please read

Yeah, just allow UDP/5060 to the proxy, deny all other SIP traffic and allow the UDP ranges above 1024. Most SIP providers do not use the 16384 - 32767 range for RTP streams.

-ryan

From: Mark Holloway [mailto:mh@markholloway.com]
Sent: Thursday, January 08, 2009 14:07
To: 'Corbett Enders'; Ryan West; 'Ahmed Elnagar'
Cc: 'VOIP Group'
Subject: RE: [cisco-voip] Fraud calls to Cuba - Please read

What is the proposed solution if CME is using a SIP Trunk to an ITSP? I assume an ACL would be the best way to secure the router.


From: cisco-voip-bounces@puck.nether.net [mailto:cisco-voip-bounces@puck.nether.net] On Behalf Of Corbett Enders
Sent: Thursday, January 08, 2009 10:37 AM
To: Ryan West; Ahmed Elnagar
Cc: VOIP Group
Subject: Re: [cisco-voip] Fraud calls to Cuba - Please read

So it turns out SIP 5060 is open, after running show ip sockets.

Interestingly enough, the hacker is connected to me right now (though we've blocked international calls at the telco level).

His IP is 124.217.250.240.

If you read this article, http://www.honeynor.no/, it describes the attack in detail. I found the article by searching the phone number initially dialed, 52555169000.


From: Ryan West [mailto:rwest@zyedge.com]
Sent: Wednesday, January 07, 2009 9:50 PM
To: Ahmed Elnagar; Corbett Enders
Cc: VOIP Group
Subject: RE: [cisco-voip] Fraud calls to Cuba - Please read

If the router is connected to the Internet, both H323 TCP/1720 and SIP UDP/5060 need to blocked. I don't remember the command offhand, but on some versions of code it is show ip sockets. Check this out to actually disable default SIP and H323 processing:

https://supportwiki.cisco.com/ViewWiki/index.php/How_to_disable_H.323_and_Session_Initiation_Protocol_(SIP)_services_on_TCP_ports_1720_and_5060_of_a_IOS_gateway_router
-ryan

From: cisco-voip-bounces@puck.nether.net [mailto:cisco-voip-bounces@puck.nether.net] On Behalf Of Ahmed Elnagar
Sent: Wednesday, January 07, 2009 23:13
To: cenders@homesbyavi.com
Cc: VOIP Group
Subject: Re: [cisco-voip] Fraud calls to Cuba - Please read


Wow...exaclty the same problem I had...but with PRI...I have a site in Egypt that the user called us one day and informed that he has a bill from the Teleco for 100,000$ for a period of 3 months and they never produce this amount of calls...all calls were for random numbers and the call never exceeded 1 minute and these random numbers happen to be starting with 00 which is the internationl prefix here in Egypt.

After long nights of troubleshootting...I found that the gateway was configured to register SIP phones from the internet and I found an IP address from Mexico city that is trying this random calls so frequent, the strange thing is that the gateway was accepting these calls and route it to H323 side which relay the call to the PRI.

I did the following to ensure that it will not happen again...removed SIP at all from the gateway...converted the gateway to MGCP so that every call that will pass the gateway will need signalling from Callmanager and will leave a record in the CDR. But the strange thing the problem contiuned...

During troubleshooting we noticed something strange...alot of incoming calls coming to the PRI from a certain local number...and it was 3 AM in the morning we called this number and he told us that he know no one in this site and he has a problem that he got high invoices from the Teleco too...so we come up with this conculsion...seems that the CO. equipments has some problems and it is generating calls on behalf of the user to random numbers...a strange thing I know but till now this company still going to discussions with the teleco to solve this problem.

I suggest to do the followin...try to review CDR files and have a detailed bill from your Teleco and try to compare these calls with the CDR calls maybe this would help you...also try to activate some debugs and show commands "there is some tools that can automate show command every 5 mins or so" to know exactly when these calls happen and what is the source of it.

Good luck with this strange issue.
Thanks,
Ahmed Elnagar
________________________________
From: cenders@homesbyavi.com
To: cisco-voip@puck.nether.net
Date: Wed, 7 Jan 2009 20:26:56 -0700
Subject: [cisco-voip] Fraud calls to Cuba - Please read
Hello List,

I've got a situation with 2 remote sites. Over the course of several days in late November, somehow the analog POTS line in the site (which we use for SRST backup) proceeded to make approx 4,940 calls to Cuba. There wasn't really a pattern to the calls. It started with a couple of repeated calls to the same number and from that point, the dialed number changed (not dialed in any sort of sequential pattern either). Calls varied in duration from 0 seconds to many minutes long. Sometimes the next call would happen right away and other times there would be several minutes delay between calls. This proceeded to occur over the course of about a day and a half until the POTS provider called us and we blocked the line.

The analog line in the show home serves 2 purposes. It is connected to the SRST FXO port on the Cisco 2801 router and also connects to the analog fax machine.

At this point, the POTS provider feels that somehow the 2801 router has been compromised and is being used to route calls out the FXO port. We have a cordless phone on an ATA, and at first they felt this was the source but I indicated that any calls from the cordless phone would leave through our PRI in the main office, through the phone line on the FXO port.

Even if someone had managed to guess our admin password for the console of the router, I don't believe that person sitting on the Internet would be able to get a call to connect from their computer, through the Internet, and leave out our FXO port in our site.

I'm wondering if anyone on the list has some thoughts as to how the system could have been compromise or if it just isn't possible. The POTS line is actually a digital line provided by Shaw (a local cable/telco in Alberta). I feel that their "digital" phone terminal has been compromised though it isn't connected to the Internet in any way. One other possibility is old school phone phreaking where someone has actually tapped into the physical line but they would have been sitting outside in the cold for a very long time making these crazy calls.

I look forward to any insight the collective brain power of this list can provide. The bill for these calls is over $6000.

Regards,
Corbett Enders.

Corbett Enders
Network Manager
Homes by Avi - 2007 Canadian Builder of the Year.
Tel: (403) 536-7170
Fax: (403) 536-7171
www.homesbyavi.com<http://www.homesbyavi.com/>


________________________________
check out the rest of the Windows Live(tm). More than mail-Windows Live(tm) goes way beyond your inbox. More than messages<http://www.microsoft.com/windows/windowslive/>

No virus found in this incoming message.
Checked by AVG - http://www.avg.com
Version: 8.0.176 / Virus Database: 270.10.4/1880 - Release Date: 1/7/2009 8:49 AM
Re: Fraud calls to Cuba - Please read [ In reply to ]
Well List, thank you for the assistance. I have run the following commands to all of my routers to block SIP:

voip-gateway(config)#sip-ua
voip-gateway(config-sip-ua)#no transport udp
voip-gateway(config-sip-ua)#no transport tcp

I have not acted on H.323 as it doesn't appear to be listening on that port.


From: Pender, James [mailto:James.Pender@PAETEC.com]
Sent: Thursday, January 08, 2009 12:35 PM
To: Ryan West; Mark Holloway; Corbett Enders; 'Ahmed Elnagar'
Cc: 'VOIP Group'
Subject: RE: [cisco-voip] Fraud calls to Cuba - Please read

Don't forget TCP/5060. I assist my companies fraud team from time to time in VoIP fraud, and when we find an open CME/CUBE or the like and we ask for it to be secured, most people forget that SIP can run on both UDP and TCP and they leave themselves vulnerable.

________________________________
From: cisco-voip-bounces@puck.nether.net [mailto:cisco-voip-bounces@puck.nether.net] On Behalf Of Ryan West
Sent: Thursday, January 08, 2009 2:11 PM
To: Mark Holloway; 'Corbett Enders'; 'Ahmed Elnagar'
Cc: 'VOIP Group'
Subject: Re: [cisco-voip] Fraud calls to Cuba - Please read
Yeah, just allow UDP/5060 to the proxy, deny all other SIP traffic and allow the UDP ranges above 1024. Most SIP providers do not use the 16384 - 32767 range for RTP streams.

-ryan

From: Mark Holloway [mailto:mh@markholloway.com]
Sent: Thursday, January 08, 2009 14:07
To: 'Corbett Enders'; Ryan West; 'Ahmed Elnagar'
Cc: 'VOIP Group'
Subject: RE: [cisco-voip] Fraud calls to Cuba - Please read

What is the proposed solution if CME is using a SIP Trunk to an ITSP? I assume an ACL would be the best way to secure the router.


From: cisco-voip-bounces@puck.nether.net [mailto:cisco-voip-bounces@puck.nether.net] On Behalf Of Corbett Enders
Sent: Thursday, January 08, 2009 10:37 AM
To: Ryan West; Ahmed Elnagar
Cc: VOIP Group
Subject: Re: [cisco-voip] Fraud calls to Cuba - Please read

So it turns out SIP 5060 is open, after running show ip sockets.

Interestingly enough, the hacker is connected to me right now (though we've blocked international calls at the telco level).

His IP is 124.217.250.240.

If you read this article, http://www.honeynor.no/, it describes the attack in detail. I found the article by searching the phone number initially dialed, 52555169000.


From: Ryan West [mailto:rwest@zyedge.com]
Sent: Wednesday, January 07, 2009 9:50 PM
To: Ahmed Elnagar; Corbett Enders
Cc: VOIP Group
Subject: RE: [cisco-voip] Fraud calls to Cuba - Please read

If the router is connected to the Internet, both H323 TCP/1720 and SIP UDP/5060 need to blocked. I don't remember the command offhand, but on some versions of code it is show ip sockets. Check this out to actually disable default SIP and H323 processing:

https://supportwiki.cisco.com/ViewWiki/index.php/How_to_disable_H.323_and_Session_Initiation_Protocol_(SIP)_services_on_TCP_ports_1720_and_5060_of_a_IOS_gateway_router
-ryan

From: cisco-voip-bounces@puck.nether.net [mailto:cisco-voip-bounces@puck.nether.net] On Behalf Of Ahmed Elnagar
Sent: Wednesday, January 07, 2009 23:13
To: cenders@homesbyavi.com
Cc: VOIP Group
Subject: Re: [cisco-voip] Fraud calls to Cuba - Please read


Wow...exaclty the same problem I had...but with PRI...I have a site in Egypt that the user called us one day and informed that he has a bill from the Teleco for 100,000$ for a period of 3 months and they never produce this amount of calls...all calls were for random numbers and the call never exceeded 1 minute and these random numbers happen to be starting with 00 which is the internationl prefix here in Egypt.

After long nights of troubleshootting...I found that the gateway was configured to register SIP phones from the internet and I found an IP address from Mexico city that is trying this random calls so frequent, the strange thing is that the gateway was accepting these calls and route it to H323 side which relay the call to the PRI.

I did the following to ensure that it will not happen again...removed SIP at all from the gateway...converted the gateway to MGCP so that every call that will pass the gateway will need signalling from Callmanager and will leave a record in the CDR. But the strange thing the problem contiuned...

During troubleshooting we noticed something strange...alot of incoming calls coming to the PRI from a certain local number...and it was 3 AM in the morning we called this number and he told us that he know no one in this site and he has a problem that he got high invoices from the Teleco too...so we come up with this conculsion...seems that the CO. equipments has some problems and it is generating calls on behalf of the user to random numbers...a strange thing I know but till now this company still going to discussions with the teleco to solve this problem.

I suggest to do the followin...try to review CDR files and have a detailed bill from your Teleco and try to compare these calls with the CDR calls maybe this would help you...also try to activate some debugs and show commands "there is some tools that can automate show command every 5 mins or so" to know exactly when these calls happen and what is the source of it.

Good luck with this strange issue.
Thanks,
Ahmed Elnagar
________________________________
From: cenders@homesbyavi.com
To: cisco-voip@puck.nether.net
Date: Wed, 7 Jan 2009 20:26:56 -0700
Subject: [cisco-voip] Fraud calls to Cuba - Please read
Hello List,

I've got a situation with 2 remote sites. Over the course of several days in late November, somehow the analog POTS line in the site (which we use for SRST backup) proceeded to make approx 4,940 calls to Cuba. There wasn't really a pattern to the calls. It started with a couple of repeated calls to the same number and from that point, the dialed number changed (not dialed in any sort of sequential pattern either). Calls varied in duration from 0 seconds to many minutes long. Sometimes the next call would happen right away and other times there would be several minutes delay between calls. This proceeded to occur over the course of about a day and a half until the POTS provider called us and we blocked the line.

The analog line in the show home serves 2 purposes. It is connected to the SRST FXO port on the Cisco 2801 router and also connects to the analog fax machine.

At this point, the POTS provider feels that somehow the 2801 router has been compromised and is being used to route calls out the FXO port. We have a cordless phone on an ATA, and at first they felt this was the source but I indicated that any calls from the cordless phone would leave through our PRI in the main office, through the phone line on the FXO port.

Even if someone had managed to guess our admin password for the console of the router, I don't believe that person sitting on the Internet would be able to get a call to connect from their computer, through the Internet, and leave out our FXO port in our site.

I'm wondering if anyone on the list has some thoughts as to how the system could have been compromise or if it just isn't possible. The POTS line is actually a digital line provided by Shaw (a local cable/telco in Alberta). I feel that their "digital" phone terminal has been compromised though it isn't connected to the Internet in any way. One other possibility is old school phone phreaking where someone has actually tapped into the physical line but they would have been sitting outside in the cold for a very long time making these crazy calls.

I look forward to any insight the collective brain power of this list can provide. The bill for these calls is over $6000.

Regards,
Corbett Enders.

Corbett Enders
Network Manager
Homes by Avi - 2007 Canadian Builder of the Year.
Tel: (403) 536-7170
Fax: (403) 536-7171
www.homesbyavi.com<http://www.homesbyavi.com/>


________________________________
check out the rest of the Windows Live(tm). More than mail-Windows Live(tm) goes way beyond your inbox. More than messages<http://www.microsoft.com/windows/windowslive/>

No virus found in this incoming message.
Checked by AVG - http://www.avg.com
Version: 8.0.176 / Virus Database: 270.10.4/1880 - Release Date: 1/7/2009 8:49 AM
Re: Fraud calls to Cuba - Please read [ In reply to ]
Not to beat a dead horse, but I thought you might find this interesting. A new customer was just turned up on my network and there were some install problems, so my team was involved into trying to find the root cause. While we were running the "debug ccsip messages", we noticed some unexpected traffic. This is on a router that has not even been on the internet for more than a day or so. It is absolutely amazing to see how fast something like this can happen. Someone doing "voip wardialing" international numbers on a brand new customer install.


Jan 9 18:40:41.629 GMT: //-1/xxxxxxxxxxxx/SIP/Msg/ccsipDisplayMsg:
Received:
INVITE sip:011380442010102@64.206.168.14 SIP/2.0
Via: SIP/2.0/UDP 66.197.138.69:5060;branch=z9hG4bK7d8c5757;rport
Max-Forwards: 70
From: "BenQ Telecom" <sip:BenQ Telecom@66.197.138.69>;tag=as700507be<mailto:Telecom@66.197.138.69>;tag=as700507be>
To: <sip:011380442010102@64.206.168.14>
Contact: <sip:BenQ Telecom@66.197.138.69<mailto:Telecom@66.197.138.69>>
Call-ID: 59f021193ae6eb9506735ee36691969b@66.197.138.69<mailto:59f021193ae6eb9506735ee36691969b@66.197.138.69>
CSeq: 102 INVITE
User-Agent: BenQ Telecom
Date: Sat, 10 Jan 2009 02:41:29 GMT
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY
Supported: replaces, timer
Content-Type: application/sdp
Content-Length: 266

v=0
o=root 1121455329 1121455329 IN IP4 66.197.138.69
s=Asterisk PBX 1.6.0.3-rc1
c=IN IP4 66.197.138.69
t=0 0
m=audio 12860 RTP/AVP 8 0 101
a=rtpmap:8 PCMA/8000
a=rtpmap:0 PCMU/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=ptime:20
a=sendrecv

________________________________
From: cisco-voip-bounces@puck.nether.net [mailto:cisco-voip-bounces@puck.nether.net] On Behalf Of Corbett Enders
Sent: Thursday, January 08, 2009 3:31 PM
To: 'VOIP Group'
Subject: Re: [cisco-voip] Fraud calls to Cuba - Please read

Well List, thank you for the assistance. I have run the following commands to all of my routers to block SIP:

voip-gateway(config)#sip-ua
voip-gateway(config-sip-ua)#no transport udp
voip-gateway(config-sip-ua)#no transport tcp

I have not acted on H.323 as it doesn't appear to be listening on that port.


From: Pender, James [mailto:James.Pender@PAETEC.com]
Sent: Thursday, January 08, 2009 12:35 PM
To: Ryan West; Mark Holloway; Corbett Enders; 'Ahmed Elnagar'
Cc: 'VOIP Group'
Subject: RE: [cisco-voip] Fraud calls to Cuba - Please read

Don't forget TCP/5060. I assist my companies fraud team from time to time in VoIP fraud, and when we find an open CME/CUBE or the like and we ask for it to be secured, most people forget that SIP can run on both UDP and TCP and they leave themselves vulnerable.

________________________________
From: cisco-voip-bounces@puck.nether.net [mailto:cisco-voip-bounces@puck.nether.net] On Behalf Of Ryan West
Sent: Thursday, January 08, 2009 2:11 PM
To: Mark Holloway; 'Corbett Enders'; 'Ahmed Elnagar'
Cc: 'VOIP Group'
Subject: Re: [cisco-voip] Fraud calls to Cuba - Please read
Yeah, just allow UDP/5060 to the proxy, deny all other SIP traffic and allow the UDP ranges above 1024. Most SIP providers do not use the 16384 - 32767 range for RTP streams.

-ryan

From: Mark Holloway [mailto:mh@markholloway.com]
Sent: Thursday, January 08, 2009 14:07
To: 'Corbett Enders'; Ryan West; 'Ahmed Elnagar'
Cc: 'VOIP Group'
Subject: RE: [cisco-voip] Fraud calls to Cuba - Please read

What is the proposed solution if CME is using a SIP Trunk to an ITSP? I assume an ACL would be the best way to secure the router.


From: cisco-voip-bounces@puck.nether.net [mailto:cisco-voip-bounces@puck.nether.net] On Behalf Of Corbett Enders
Sent: Thursday, January 08, 2009 10:37 AM
To: Ryan West; Ahmed Elnagar
Cc: VOIP Group
Subject: Re: [cisco-voip] Fraud calls to Cuba - Please read

So it turns out SIP 5060 is open, after running show ip sockets.

Interestingly enough, the hacker is connected to me right now (though we've blocked international calls at the telco level).

His IP is 124.217.250.240.

If you read this article, http://www.honeynor.no/, it describes the attack in detail. I found the article by searching the phone number initially dialed, 52555169000.


From: Ryan West [mailto:rwest@zyedge.com]
Sent: Wednesday, January 07, 2009 9:50 PM
To: Ahmed Elnagar; Corbett Enders
Cc: VOIP Group
Subject: RE: [cisco-voip] Fraud calls to Cuba - Please read

If the router is connected to the Internet, both H323 TCP/1720 and SIP UDP/5060 need to blocked. I don't remember the command offhand, but on some versions of code it is show ip sockets. Check this out to actually disable default SIP and H323 processing:

https://supportwiki.cisco.com/ViewWiki/index.php/How_to_disable_H.323_and_Session_Initiation_Protocol_(SIP)_services_on_TCP_ports_1720_and_5060_of_a_IOS_gateway_router
-ryan

From: cisco-voip-bounces@puck.nether.net [mailto:cisco-voip-bounces@puck.nether.net] On Behalf Of Ahmed Elnagar
Sent: Wednesday, January 07, 2009 23:13
To: cenders@homesbyavi.com
Cc: VOIP Group
Subject: Re: [cisco-voip] Fraud calls to Cuba - Please read


Wow...exaclty the same problem I had...but with PRI...I have a site in Egypt that the user called us one day and informed that he has a bill from the Teleco for 100,000$ for a period of 3 months and they never produce this amount of calls...all calls were for random numbers and the call never exceeded 1 minute and these random numbers happen to be starting with 00 which is the internationl prefix here in Egypt.

After long nights of troubleshootting...I found that the gateway was configured to register SIP phones from the internet and I found an IP address from Mexico city that is trying this random calls so frequent, the strange thing is that the gateway was accepting these calls and route it to H323 side which relay the call to the PRI.

I did the following to ensure that it will not happen again...removed SIP at all from the gateway...converted the gateway to MGCP so that every call that will pass the gateway will need signalling from Callmanager and will leave a record in the CDR. But the strange thing the problem contiuned...

During troubleshooting we noticed something strange...alot of incoming calls coming to the PRI from a certain local number...and it was 3 AM in the morning we called this number and he told us that he know no one in this site and he has a problem that he got high invoices from the Teleco too...so we come up with this conculsion...seems that the CO. equipments has some problems and it is generating calls on behalf of the user to random numbers...a strange thing I know but till now this company still going to discussions with the teleco to solve this problem.

I suggest to do the followin...try to review CDR files and have a detailed bill from your Teleco and try to compare these calls with the CDR calls maybe this would help you...also try to activate some debugs and show commands "there is some tools that can automate show command every 5 mins or so" to know exactly when these calls happen and what is the source of it.

Good luck with this strange issue.
Thanks,
Ahmed Elnagar
________________________________
From: cenders@homesbyavi.com
To: cisco-voip@puck.nether.net
Date: Wed, 7 Jan 2009 20:26:56 -0700
Subject: [cisco-voip] Fraud calls to Cuba - Please read
Hello List,

I've got a situation with 2 remote sites. Over the course of several days in late November, somehow the analog POTS line in the site (which we use for SRST backup) proceeded to make approx 4,940 calls to Cuba. There wasn't really a pattern to the calls. It started with a couple of repeated calls to the same number and from that point, the dialed number changed (not dialed in any sort of sequential pattern either). Calls varied in duration from 0 seconds to many minutes long. Sometimes the next call would happen right away and other times there would be several minutes delay between calls. This proceeded to occur over the course of about a day and a half until the POTS provider called us and we blocked the line.

The analog line in the show home serves 2 purposes. It is connected to the SRST FXO port on the Cisco 2801 router and also connects to the analog fax machine.

At this point, the POTS provider feels that somehow the 2801 router has been compromised and is being used to route calls out the FXO port. We have a cordless phone on an ATA, and at first they felt this was the source but I indicated that any calls from the cordless phone would leave through our PRI in the main office, through the phone line on the FXO port.

Even if someone had managed to guess our admin password for the console of the router, I don't believe that person sitting on the Internet would be able to get a call to connect from their computer, through the Internet, and leave out our FXO port in our site.

I'm wondering if anyone on the list has some thoughts as to how the system could have been compromise or if it just isn't possible. The POTS line is actually a digital line provided by Shaw (a local cable/telco in Alberta). I feel that their "digital" phone terminal has been compromised though it isn't connected to the Internet in any way. One other possibility is old school phone phreaking where someone has actually tapped into the physical line but they would have been sitting outside in the cold for a very long time making these crazy calls.

I look forward to any insight the collective brain power of this list can provide. The bill for these calls is over $6000.

Regards,
Corbett Enders.

Corbett Enders
Network Manager
Homes by Avi - 2007 Canadian Builder of the Year.
Tel: (403) 536-7170
Fax: (403) 536-7171
www.homesbyavi.com<http://www.homesbyavi.com/>


________________________________
check out the rest of the Windows Live(tm). More than mail-Windows Live(tm) goes way beyond your inbox. More than messages<http://www.microsoft.com/windows/windowslive/>

No virus found in this incoming message.
Checked by AVG - http://www.avg.com
Version: 8.0.176 / Virus Database: 270.10.4/1880 - Release Date: 1/7/2009 8:49 AM