
IP Office Toll Fraud Stumper

Status
Not open for further replies.

Cat5Jive

Vendor
May 14, 2012
106
CA
Hi all,

Hoping to get an assist with toll fraud on an IP Office V 9.0.200.860

I have the following ports forwarded to the IP Office:

5060
3478
49152-53246
1718-1720

I am using SIP trunking, remote H323 sets and analog trunking.

Despite having changed all my default passwords, disabling all but the Administrator account, complex passwords for both the password field and Login Code field, and tested ARS tables disabling 0 from being dialed, I still have fraudulent calls being made after hours. None of the calls have come from users that have Remote User enabled. The office is secure after hours so I know the cleaners are not calling home. I am using SMDR and my logs indicate the fraudulent calls are being made from local digital sets in the office.

I'm tearing my hair out trying to figure out how this could possibly be happening with these safeguards in place. I have read other threads that suggest TAPI hacking but I'm not clear on how that could be happening or how it could be bypassing the ARS tables.

Any thoughts would be greatly appreciated!!
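One way to turn the SMDR evidence described above into a repeatable after-hours check, as an added example that is not from the original poster or from Avaya. The SMDR column order is assumed from the IP Office CSV layout (verify it against your own output), and the sample records are constructed:

```python
# Added example for this thread (not the OP's or Avaya's code): flag after-hours
# external calls in IP Office SMDR output. Field order below is assumed from the
# IP Office SMDR CSV layout; check it against your own SMDR lines before use.
import csv
from datetime import datetime, time
from io import StringIO

# Constructed sample SMDR records, not real call data.
SAMPLE_SMDR = """\
2012/05/14 09:12:03,00:01:45,3,201,O,4165551212,4165551212,,0,1001,0,E201,Reception,T9001,Line 1
2012/05/14 23:41:17,00:07:02,0,204,O,01144207123456,01144207123456,,0,1002,0,E204,Sales 2,T9001,Line 1
2012/05/15 02:05:44,00:12:30,0,204,O,01144207123456,01144207123456,,0,1003,0,E204,Sales 2,T9001,Line 1
2012/05/15 02:30:01,00:00:20,0,204,O,210,210,,1,1004,0,E204,Sales 2,E210,Warehouse
2012/05/15 03:10:22,00:09:15,0,207,O,011234567890,011234567890,,0,1005,0,E207,Accounts,T9002,Line 2
"""

FIELDS = ["start", "connected", "ring", "caller", "direction", "called",
          "dialled", "account", "internal", "call_id", "continuation",
          "p1_device", "p1_name", "p2_device", "p2_name"]
BUSINESS_START, BUSINESS_END = time(8, 0), time(18, 0)

def parse_smdr(text):
    """Parse SMDR CSV text into dicts; skip lines shorter than the assumed layout."""
    records = []
    for row in csv.reader(StringIO(text)):
        if len(row) < len(FIELDS):
            continue
        rec = dict(zip(FIELDS, row))
        rec["start"] = datetime.strptime(rec["start"], "%Y/%m/%d %H:%M:%S")
        records.append(rec)
    return records

def after_hours_external(records, start=BUSINESS_START, end=BUSINESS_END):
    """Outbound calls to external numbers that started outside business hours."""
    hits = []
    for rec in records:
        t = rec["start"].time()
        if rec["direction"] == "O" and rec["internal"] == "0" and not (start <= t < end):
            hits.append(rec)
    return hits

def calls_per_device(hits):
    """Count flagged calls per originating device (E2xx = local extension)."""
    counts = {}
    for rec in hits:
        counts[rec["p1_device"]] = counts.get(rec["p1_device"], 0) + 1
    return counts

if __name__ == "__main__":
    print(calls_per_device(after_hours_external(parse_smdr(SAMPLE_SMDR))))
```

Repeated hits from the same extension to the same valid number, as in the constructed sample, are the pattern to compare against who was physically present; an internal call at 02:30 is deliberately left out of the hits.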




 
I have not read this entire thread, but how do you know the calls were made via the IPO?

The users have seen the handsets go off hook and start dialling numbers by themselves, what more proof do you need :)

 
I have the following ports forwarded to the IP Office:

5060
3478
49152-53246
1718-1720
There is your problem right there

why do you even have any port forwarding to the IP office?

SIP trunks DO NOT NEED IT
h323 remote extns are a pain, you are better off with VPN handsets.
unless you have one-x mobility configured for android/iPhone remote users then there is almost certainly no need to forward any ports to the IPO.

Passwords are the 2nd line of defence & protect you should an internal user be attempting to compromise the system (either deliberately or because their PC is infected).
Not exposing the system to the internet in the first place is the most essential first line of defence.




A Maintenance contract is essential, not a Luxury.
Do things on the cheap & it will cost you dear
 
So let me get this straight... Some devious hacker is making digital handsets go off hook to make calls. Why would someone do this? I don't see how the hacker is benefiting from the call if a digital handset is going off hook. All I can think of is he is calling a number that is billing you a fee that he then gets. I don't buy it. I think employees are making calls and don't want to take the blame. What are the numbers? Have you reached them on the internet? Are they known scam numbers? Sorry, don't buy that you are hacked.
 
So let me get this straight... Some devious hacker is making digital handsets go off hook to make calls. Why would someone do this

They can call themselves/others and then transfer calls to wherever they like avoiding tolls, or call a premium rate number many times that they collect the revenues on :)

 
Yes I agree with the second idea, not the first although possible. Sorry, don't buy it. OP does the SMDR support this theory of amriddle's?
 
lol, I don't care if you buy it or not. I have helped people whose systems were mid hack and I could see exactly what they were doing and how. I have also helped people secure their systems against the hackers.
By all means put my theory to the test, forward some ports to your system, post the address and I'll show you how easy it is.
In the meantime casting doubt on what we are telling the OP due to your own assumptions/beliefs isn't helping him or anyone else really :)

 
It seems like you are taking this personally. I'm just doubting if he was hacked. I think your assessment is valid, I just don't think this is happening. Hey I don't have all the info in front of me, I don't think you do either. Sometimes the big high tech answer is not the solution. Just offering a different view based on my experience, as are you.
 
I don't have all the info no, but we do have:

1) Calls are being made when nobody is in the office
2) They are intelligently controlled calls as they are valid numbers and repeatedly so, not what a faulty system/handset could randomly dial
3) They are using the handsets on the system to make calls (SMDR and employees have confirmed this)
4) His system is accessible from the internet and locally to PCs
5) This has happened in the exact same way to hundreds of people/systems in the last few months
6) The OP doesn't appear to be an idiot, he himself thinks/knows the system has been compromised

Draw your own conclusions, but what do you think is happening if not hacking?

 
StubbedmytoeonIPO
Just accept what is being told to you; these guys have endless testing and proof, some of which has prompted Avaya to issue PCNs. You need to take on board what is being said, as all the proof is out there; unfortunately you are not privy to it. There are 2 reasons you are a non-believer: you probably have customers at risk, or you are trying to enhance your own hacking ability. Bottom line: trust the guys who know what they are saying. There is always good reason to question things, but this is so well documented and known about that I'm sure if you carry on you will end up looking rather silly.

APSS (SME)
ACSS (SME)
ACIS (UC)
 
I never made any comments about anyone's abilities or intelligence. All I said was that I don't buy into this system being hacked based on what I read, then re-read. I take hacking very seriously because I am seeing it more and more, mainly because less than skilled installer/do-it-yourselfers are putting the IPO on the public internet. When I get a chance to learn more about a potential hack I'm interested. That's why I commented because it didn't add up to me.

After 18 years in this business I have come to question the facts as presented to me when troubleshooting problems especially by the customer. I can only troubleshoot a problem with the facts, and not the facts as someone presents them to me, but the real facts. In all the hacking I have seen, I have not seen a case where the phone was going off hook and making calls and that was an effective way to make cheap calls. I am not saying it doesn't happen.

I do find it odd that employees are seeing the phone go off hook and dial and are willing to point it out, yet there is no evidence that I have seen here to say "someone remotely dialed a call and transferred it to another number." Show me evidence of that and I will probably agree with you; until then I will put it in the column of "User did something wrong and covering his butt."

Who here has not had the system blamed for a problem when it was really user error or CYA?
 
Hi all.

Thanks again for your very helpful and insightful commentary. This community is truly a wealth of knowledge and experience and your time and assistance is very much appreciated.


 
What a bizarre turn this thread has taken!

Allow me to extend that list of evidence

7) Changed all my default passwords, disabling all but the Administrator account
8) Complex passwords for both the password field and Login Code field
9) Tested ARS tables disabling 0 from being dialed
10) The office is secure after hours so I know the cleaners are not calling home.

OP got hacked, had the guts to admit it, came here for advice and got plenty....except for one who felt an urge to send him off on a wild goose chase.

Kind regards

Gunnar
__________________________________________________________________
Hippos have bad eyesight, but considering their weight, it’s hardly their problem

 
Install a trial of Xima's Chronicall and see where the calls are originating from. Cradle to grave should reveal enough to show you what's going on.

ACSS - SME
General Geek

 