CME and Toll Fraud


Bucky101

IS-IT--Management
Feb 9, 2006
419
AU
We have a Cisco CME that got hit by toll fraud quite badly last week. To stop this we put an after-hours call block on 0011 and 0015 numbers, but how did they get into the system in the first place to even commit the toll fraud? As far as I know DISA was never enabled, so how is someone getting in?
 
Through your network perhaps? This is IP telephony and not a traditional phone system, where the only way to hack it was to dial in and break someone's VM password or DISA.
You probably have a security breach in your network, and if you don't have the in-house expertise to troubleshoot this I suggest you hire someone, as you will have this happen again.
Meanwhile we can help if you give us a little more info on your network and post a config of your router.
Is your CME also serving as your internet facing router?
Is there a firewall in your network?
 
Thanks for the reply. So you are saying that by default there is no DISA active, nor is there a way to hack in via voicemail? I don't really want to put the running-config onto the internet. Is there a way I can privately send it to you?
 
I am not saying that they are not getting in through a user's voice mail. I really doubt it's DISA as it's not an enabled feature. To make sure that it is not voice mail, make sure you restrict all outbound calls to the PSTN from CUE. I do that on all my installs unless VM outdial is required, which is very rare these days.
If I were you I would take out all the passwords and public IPs before posting the config so your system wouldn't be compromised.

You didn't answer any of the questions I asked in my first response.
 
No worries,
No, the CME is not the router for the Internet; it is purely acting as a PABX on the internal network, and there is a firewall on the network.
Here is the config. I have not included the usernames and the DNs.

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname AirMasterCME
!
boot-start-marker
boot-end-marker
!
card type e1 0 0
logging message-counter syslog
logging buffered 100000000
!
no aaa new-model
clock timezone AEST 10
clock summer-time ESST recurring 1 Sun Oct 2:00 1 Sun Apr 2:00
network-clock-participate wic 0
network-clock-select 1 E1 0/0/0
!
dot11 syslog
ip source-route
!
!
ip cef
ip dhcp excluded-address 172.16.1.1 172.16.1.10
ip dhcp excluded-address 172.16.1.80
!
ip dhcp pool Voice
network 172.16.1.0 255.255.255.0
default-router 172.16.1.1
option 150 ip 172.16.1.1
lease 7
!
!
ip name-server 10.0.0.2
no ipv6 cef
ntp master
ntp update-calendar
ntp server 10.0.0.2 prefer
!
multilink bundle-name authenticated
!
!
!
!
isdn switch-type primary-net5
!
!
!
voice service pots
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
voice-card 0
!
!
!
!
!

archive
log config
hidekeys
!
!
!
!
!
controller E1 0/0/0
pri-group timeslots 1-21
!
!
translation-rule 1
Rule 1 ^1 001
Rule 2 ^2 002
Rule 3 ^3 003
Rule 4 ^4 004
Rule 5 ^5 005
Rule 6 ^6 006
Rule 7 ^7 007
Rule 8 ^8 008
Rule 9 ^9 009
!
!
translation-rule 2
Rule 1 ^555083 3
Rule 2 ^03555083 3
!
!
!
!
!
interface GigabitEthernet0/0
ip address 10.0.0.233 255.255.255.0
duplex auto
speed auto
no cdp enable
!
interface GigabitEthernet0/1
ip address 172.16.1.1 255.255.255.0
duplex auto
speed auto
!
interface Serial0/0/0:15
no ip address
encapsulation hdlc
isdn switch-type primary-net5
isdn incoming-voice voice
no cdp enable
!
interface Service-Engine1/0
ip unnumbered GigabitEthernet0/0
service-module ip address 10.0.0.232 255.255.255.0
service-module ip default-gateway 10.0.0.233
!
interface Group-Async0
physical-layer async
no ip address
encapsulation slip
no group-range
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.0.0.252
ip route 10.0.0.232 255.255.255.255 Service-Engine1/0
ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip http path flash:/gui
!
!
!
!
!
!
!
!
tftp-server flash:Desktops/320x212x12/CampusNight.png
tftp-server flash:Desktops/320x212x12/CiscoFountain.png
tftp-server flash:Desktops/320x212x12/MorroRock.png
tftp-server flash:Desktops/320x212x12/NantucketFlowers.png
tftp-server flash:Desktops/320x212x12/TN-CampusNight.png
tftp-server flash:Desktops/320x212x12/TN-CiscoFountain.png
tftp-server flash:Desktops/320x212x12/TN-Fountain.png
tftp-server flash:Desktops/320x212x12/TN-MorroRock.png
tftp-server flash:Desktops/320x212x12/TN-NantucketFlowers.png
tftp-server flash:Desktops/320x212x12/Fountain.png
tftp-server flash:Desktops/320x212x12/CiscoLogo.png
tftp-server flash:Desktops/320x212x12/TN-CiscoLogo.png
tftp-server flash:Desktops/320x212x12/List.xml
tftp-server flash:Desktops/320x216x16/List.xml
tftp-server flash:Desktops/320x212x16/List.xml
tftp-server flash:gui/admin_user.html
tftp-server flash:gui/admin_user.js
tftp-server flash:gui/CiscoLogo.gif
tftp-server flash:gui/Delete.gif
tftp-server flash:gui/dom.js
tftp-server flash:gui/downarrow.gif
tftp-server flash:gui/ephone_admin.html
tftp-server flash:gui/logohome.gif
tftp-server flash:gui/normal_user.html
tftp-server flash:gui/normal_user.js
tftp-server flash:gui/Plus.gif
tftp-server flash:gui/sxiconad.gif
tftp-server flash:gui/Tab.gif
tftp-server flash:gui/telephony_service.html
tftp-server flash:gui/uparrow.gif
tftp-server flash:gui/xml-test.html
tftp-server flash:gui/xml.template
tftp-server flash:APPS-1.2.1.SBN
tftp-server flash:SYS-1.2.1.SBN
tftp-server flash:GUI-1.2.1.SBN
tftp-server flash:CP7921G-1.2.1.LOADS
tftp-server flash:TNUX-1.2.1.SBN
tftp-server flash:TNUXR-1.2.1.SBN
tftp-server flash:WLAN-1.2.1.SBN
tftp-server flash:apps37sccp.1-2-1-0.bin
tftp-server flash:APPSH-1.3.1.SBN
tftp-server flash:GUIH-1.3.1.SBN
tftp-server flash:CP7925G-1.3.1.LOADS
tftp-server flash:SYSH-1.3.1.SBN
tftp-server flash:TNUXH-1.3.1.SBN
tftp-server flash:WLANH-1.3.1.SBN
tftp-server flash:S00105000300.sbn
tftp-server flash:Analog1.raw
tftp-server flash:Analog2.raw
tftp-server flash:AreYouThere.raw
tftp-server flash:Bass.raw
tftp-server flash:CallBack.raw
tftp-server flash:Chime.raw
tftp-server flash:Classic1.raw
tftp-server flash:Classic2.raw
tftp-server flash:ClockShop.raw
tftp-server flash:Drums1.raw
tftp-server flash:Drums2.raw
tftp-server flash:FilmScore.raw
tftp-server flash:HarpSynth.raw
tftp-server flash:Jamaica.raw
tftp-server flash:KotoEffect.raw
tftp-server flash:MusicBox.raw
tftp-server flash:piano1.raw
tftp-server flash:piano2.raw
tftp-server flash:pop.raw
tftp-server flash:pulse1.raw
tftp-server flash:Ring1.raw
tftp-server flash:Ring2.raw
tftp-server flash:Ring3.raw
tftp-server flash:Ring4.raw
tftp-server flash:Ring5.raw
tftp-server flash:Ring6.raw
tftp-server flash:Ring7.raw
tftp-server flash:Sax1.raw
tftp-server flash:Sax2.raw
tftp-server flash:Vibe.raw
tftp-server flash:RingList.xml
tftp-server flash:DistinctiveRingList.xml
!
control-plane
!
!
!
voice-port 0/0/0:15
translate calling 1
translate called 2
cptone AU
!
voice-port 0/1/0
signal loopStart live-feed
!
voice-port 0/1/1
!
!
mgcp fax t38 ecm
mgcp behavior g729-variants static-pt
!
!
!
dial-peer voice 1000 pots
description Live MOH from FXO
destination-pattern 723
port 0/1/0
!
dial-peer voice 500 voip
destination-pattern 5..
session protocol sipv2
session target ipv4:10.0.0.232
dtmf-relay sip-notify
codec g711ulaw
no vad
!
dial-peer voice 1 pots
incoming called-number 03555083..
direct-inward-dial
!
dial-peer voice 2 pots
incoming called-number 555083..
direct-inward-dial
!
dial-peer voice 100 pots
description Emergency Services
destination-pattern 0000
port 0/0/0:15
forward-digits 3
!
dial-peer voice 101 pots
description Network Services
destination-pattern 012T
port 0/0/0:15
!
dial-peer voice 102 pots
description Community Numbers
destination-pattern 0119.
port 0/0/0:15
forward-digits 4
!
dial-peer voice 103 pots
description 1300 FreeCall 10 Digit
destination-pattern 0130.......
port 0/0/0:15
forward-digits 10
!
dial-peer voice 104 pots
description 1300 FreeCall 6 Digit
destination-pattern 013[1-9]...
port 0/0/0:15
forward-digits 6
!
dial-peer voice 106 pots
description National and Mobile
destination-pattern 00[2-9]........
port 0/0/0:15
forward-digits 10
!
dial-peer voice 107 pots
description Local Calls
destination-pattern 0[2-9].......
port 0/0/0:15
forward-digits 8
!
dial-peer voice 109 pots
description Dial Before you Dig
destination-pattern 01100
port 0/0/0:15
forward-digits 4
!
dial-peer voice 108 pots
description International Dialing
destination-pattern 0T
port 0/0/0:15
!
dial-peer voice 9 voip
destination-pattern 69..
session target ipv4:10.0.9.100
!
!
num-exp 9 333
!
!
telephony-service
authentication credential admin cisco
xml user admin password cisco 15
max-ephones 110
max-dn 200
ip source-address 172.16.1.1 port 2000
auto assign 1 to 100
timeouts ringing 120
system message Airmaster
url services url authentication cnf-file location flash:
load 7914 S00105000300.sbn
load 7906 SCCP11.8-4-2S.loads
load 7911 SCCP11.8-4-2S.loads
load 7921 CP7921G-1.2.1
load 7925 CP7925G-1.3.1
load 7931 SCCP31.8-4-2S.loads
load 7937 apps37sccp.1-2-1-0.bin
load 7941 SCCP41.8-4-2S.loads
load 7942 SCCP42.8-4-2S.loads
load 7945 SCCP45.8-4-2S.loads
load 7961 SCCP41.8-4-2S.loads
load 7962 SCCP42.8-4-2S.loads
load 7965 SCCP45.8-4-2S.loads
load 7970 SCCP70.8-4-2S.loads
load 7971 SCCP70.8-4-2S.loads
load 7975 SCCP75.8-4-2S.loads
load ata ATA030203SCCP051201A.zup
time-zone 48
date-format dd-mm-yy
dialplan-pattern 1 03973083.. extension-length 3
voicemail 500
max-conferences 8 gain -6
moh music-on-hold.au
web admin system name admin password cisco
dn-webedit
time-webedit
transfer-system full-consult dss
transfer-pattern 0
after-hours block pattern 1 00011 7-24
after-hours block pattern 2 01900
after-hours block pattern 3 01800
after-hours block pattern 4 015
after-hours block pattern 5 00015
after-hours block pattern 6 00015 7-24
after-hours day Sun 00:00 23:59
after-hours day Mon 17:00 07:00
after-hours day Tue 17:00 07:00
after-hours day Wed 17:00 07:00
after-hours day Thu 17:00 07:00
after-hours day Fri 17:00 07:00
after-hours day Sat 00:00 23:59
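
Added example (not written by any participant in this thread): a small audit pass over a configuration like the one posted above, reporting the lines a toll-fraud review would look at first. The check names and the `audit` function are assumptions made for illustration; the sample lines are copied from the post.

```python
import re
# Constructed excerpt: lines copied from the configuration posted above.
SAMPLE = """\
no service password-encryption
!
ip http server
no ip http secure-server
!
dial-peer voice 107 pots
destination-pattern 0[2-9].......
port 0/0/0:15
!
dial-peer voice 108 pots
destination-pattern 0T
port 0/0/0:15
!
telephony-service
web admin system name admin password cisco
after-hours block pattern 1 00011 7-24
after-hours block pattern 4 015
"""

def audit(config):
    """Return (check, detail) findings; stanzas are split on "!" lines."""
    stanzas = [[l.strip() for l in s.splitlines() if l.strip()]
               for s in re.split(r"(?m)^[ \t]*![ \t]*$", config)]
    lines = [l for s in stanzas for l in s]
    found = []
    if "no service password-encryption" in lines:
        found.append(("cleartext-config", "passwords unobscured in config"))
    if "ip http server" in lines and "ip http secure-server" not in lines:
        found.append(("http-only-gui", "web GUI is served over plain HTTP"))
    for s in stanzas:
        head = s[0] if s else ""
        pots = re.match(r"dial-peer voice (\d+) pots$", head)
        for l in (s if pots else []):
            # A trailing T matches any further digits (variable length).
            if p := re.match(r"destination-pattern (\S*T)$", l):
                found.append(("open-pattern", f"peer {pots.group(1)}: {p.group(1)}"))
        for l in (s if head == "telephony-service" else []):
            if " password " in l:
                found.append(("gui-credential", l.split(" password ")[0]))
            b = re.match(r"after-hours block pattern \d+ (\S+)( 7-24)?$", l)
            if b and not b.group(2):  # no 7-24: enforced only after hours
                found.append(("hours-only-block", b.group(1)))
    return found

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

Block patterns without the `7-24` keyword are enforced only during the configured after-hours windows, so the `hours-only-block` finding marks prefixes that remain dialable during business hours.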
 