Hi guys, I have an older Cisco Unity Express Version 2.2
The call history reports were showing international calls on all of our FXO ports, sometimes just keeping all of them locked up.
These international FXO calls lasted for sometimes 11 hours, yet no bills from our long distance provider? (I don't understand)
We have stopped the majority of SIP calls to FXO ports by setting up our Access List and applying it to our interface, blocking incoming (and now outgoing) TCP and UDP Port 5060 and other typical SIP ports, but we still see very short duration calls via SIP and out our FXO ports.
It looks like the call is trying to use port 5060 again but no peg counts on the access list.
I was hoping you guys could help me interpret some of these call history logs or lead me in the right direction as to HOW they are getting in and what the basics are regarding SIP 2.0 and accessing our FXO ports. Can these SIP hack calls originate from an infected PC workstation?
What is the purpose of establishing an 11-hour call to Jamaica or Bermuda or Haiti? What are they getting out of it? Why am I not being billed but Call Manager shows reports of the supposed call?
The syslog reports show access from our main IP interface, yet there are no matches to the assigned Access List blocking port 5060???
What is Username=442099999999 ?
I'm not a Cisco expert so any help would be appreciated, thanks.
Code:
3BCF : 300662 14106334330ms.297964 +4180 +23730 pid:9011 Originate 90111876XXXXXXX
2811#show call history voice id 3bcf
Telephony call-legs: 488
SIP call-legs: 12
H323 call-legs: 0
Call agent controlled call-legs: 0
Media call-legs: 0
Total call-legs: 500
GENERIC:
SetupTime=14106334330 ms
Index=297964
PeerAddress=90111876XXXXXXX
PeerSubAddress=
PeerId=9011
PeerIfIndex=26
LogicalIfIndex=9
DisconnectCause=66
DisconnectText=recovery on timer expiry (102)
ConnectTime=14106338510 ms
DisconnectTime=14106358060 ms
CallDuration=00:00:19 sec
CallOrigin=1
ReleaseSource=6
ChargedUnits=0
InfoType=speech
TransmitPackets=0
TransmitBytes=0
ReceivePackets=649
ReceiveBytes=15576
TELE:
ConnectionId=[0x52511E40 0xE6C511E3 0xA9ECDA01 0x16416E5B]
IncomingConnectionId=[0x52511E40 0xE6C511E3 0xA9ECDA01 0x16416E5B]
CallID=300662
Port=0/0/2 (300662)
BearerChannel=0/0/2
TxDuration=16410 ms
VoiceTxDuration=16410 ms
FaxTxDuration=0 ms
CoderTypeRate=g723r63
NoiseLevel=-84
ACOMLevel=6
SessionTarget=
ImgPages=0
CallerName=442099999999
CallerIDBlocked=False
Target tg label=Outbound
LongDurationCallDetected=no
LongDurCallTimeStamp=
LongDurCallDuration=
OriginalCallingNumber=442099999999
OriginalCallingOctet=0x0
OriginalCalledNumber=90111876XXXXXXX
OriginalCalledOctet=0x0
OriginalRedirectCalledNumber=
OriginalRedirectCalledOctet=0x80
TranslatedCallingNumber=442099999999
TranslatedCallingOctet=0x0
TranslatedCalledNumber=90111876XXXXXXX
TranslatedCalledOctet=0x0
TranslatedRedirectCalledNumber=
TranslatedRedirectCalledOctet=0x80
GwReceivedCalledNumber=90111876XXXXXXX
GwReceivedCalledOctet3=0x0
GwOutpulsedCalledNumber=0111876XXXXXXX
GwOutpulsedCalledOctet3=0x0
GwReceivedCallingNumber=442099999999
GwReceivedCallingOctet3=0x0
GwReceivedCallingOctet3a=0x80
GwOutpulsedCallingNumber=442099999999
GwOutpulsedCallingOctet3=0x0
GwOutpulsedCallingOctet3a=0x80
DSPIdentifier=0/1:1
GENERIC:
SetupTime=14106334310 ms
Index=297969
PeerAddress=442099999999
PeerSubAddress=
PeerId=0
PeerIfIndex=18
LogicalIfIndex=0
DisconnectCause=56
DisconnectText=call cleared (86)
ConnectTime=14106338520 ms
DisconnectTime=14106393520 ms
CallDuration=00:00:55 sec
CallOrigin=2
ReleaseSource=6
InternalErrorCode=1.1.129.7.66.0
ChargedUnits=0
InfoType=speech
TransmitPackets=649
TransmitBytes=15576
ReceivePackets=0
ReceiveBytes=0
VOIP:
ConnectionId[0x52511E40 0xE6C511E3 0xA9ECDA01 0x16416E5B]
IncomingConnectionId[0x52511E40 0xE6C511E3 0xA9ECDA01 0x16416E5B]
CallID=300661
RemoteIPAddress=31.210.122.82
RemoteUDPPort=12860
RemoteSignallingIPAddress=31.210.122.82
RemoteSignallingPort=5060
RemoteMediaIPAddress=187.37.88.94
RemoteMediaPort=12860
SRTP = off
TextRelay = off
Fallback Icpif=0
Fallback Loss=0
Fallback Delay=0
RoundTripDelay=0 ms
SelectedQoS=best-effort
tx_DtmfRelay=rtp-nte
FastConnect=FALSE
AnnexE=FALSE
Separate H245 Connection=FALSE
H245 Tunneling=FALSE
SessionProtocol=sipv2
ProtocolCallId=HZDckNSdukI7nRPhRqghFheMDQXM3gjwFhefyQRZB6TAFheMCQ@31.210.122.82:5060
SessionTarget=31.210.122.82
OnTimeRvPlayout=0
GapFillWithSilence=0 ms
GapFillWithPrediction=0 ms
GapFillWithInterpolation=0 ms
GapFillWithRedundancy=0 ms
HiWaterPlayoutDelay=70 ms
LoWaterPlayoutDelay=70 ms
ReceiveDelay=70 ms
LostPackets=0
EarlyPackets=0
LatePackets=0
VAD = disabled
CoderTypeRate=g723r63
CodecBytes=24
cvVoIPCallHistoryIcpif=0
MediaSetting=flow-around
CallerName=442099999999
CallerIDBlocked=False
OriginalCallingNumber=442099999999
OriginalCallingOctet=0x0
OriginalCalledNumber=90111876XXXXXXX
OriginalCalledOctet=0x0
OriginalRedirectCalledNumber=
OriginalRedirectCalledOctet=0x80
TranslatedCallingNumber=442099999999
TranslatedCallingOctet=0x0
TranslatedCalledNumber=90111876XXXXXXX
TranslatedCalledOctet=0x0
TranslatedRedirectCalledNumber=
TranslatedRedirectCalledOctet=0x80
GwReceivedCalledNumber=90111876XXXXXXX
GwReceivedCalledOctet3=0x0
GwReceivedCallingNumber=442099999999
GwReceivedCallingOctet3=0x0
GwReceivedCallingOctet3a=0x80
MediaInactiveDetected=no
MediaInactiveTimestamp=
MediaControlReceived=
LongDurationCallDetected=no
LongDurationCallTimerStamp=
LongDurationCallDuration=
Username=442099999999
2811#
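
The record above can be read mechanically. The following is an added example, not part of the original post: it parses `show call history voice` output and pairs each answered SIP leg with the telephony leg that shares its ConnectionId, showing which remote signalling address was bridged to which voice port. The function names and the trimmed sample input are assumptions made for the example.

```python
import re

# Sample input: lines trimmed from the call-history output in the post above.
SAMPLE = """\
GENERIC:
PeerId=9011
CallOrigin=1
TELE:
ConnectionId=[0x52511E40 0xE6C511E3 0xA9ECDA01 0x16416E5B]
Port=0/0/2 (300662)
GwOutpulsedCalledNumber=0111876XXXXXXX
GENERIC:
PeerId=0
CallOrigin=2
VOIP:
ConnectionId[0x52511E40 0xE6C511E3 0xA9ECDA01 0x16416E5B]
RemoteSignallingIPAddress=31.210.122.82
"""

def parse_legs(text):
    """Split the output into call legs; each leg starts at a GENERIC: line."""
    legs = []
    for line in map(str.strip, text.splitlines()):
        if line == "GENERIC:":
            legs.append({})
        elif legs and line in ("TELE:", "VOIP:"):
            legs[-1]["LegType"] = line[:-1]
        elif legs:
            # The VOIP section prints ConnectionId[...] without an '=' sign.
            m = re.match(r"(\w[\w ]*?)\s*(?:=\s*(.*)|(\[.*\]))$", line)
            if m:
                legs[-1][m.group(1)] = (m.group(2) or m.group(3) or "").strip()
    return legs

def sip_to_fxo_bridges(legs):
    """Pair each answered VoIP leg with the telephony leg sharing its ConnectionId."""
    findings = []
    for i in legs:
        conn = i.get("ConnectionId")
        # CallOrigin=2: leg the gateway answered; CallOrigin=1: leg it originated.
        if not conn or i.get("LegType") != "VOIP" or i.get("CallOrigin") != "2":
            continue
        for o in legs:
            if (o.get("LegType"), o.get("CallOrigin"), o.get("ConnectionId")) == ("TELE", "1", conn):
                findings.append({"source_ip": i.get("RemoteSignallingIPAddress"),
                                 "inbound_peer": i.get("PeerId"),
                                 "outbound_peer": o.get("PeerId"),
                                 "voice_port": o.get("Port", "").split(" ")[0],
                                 "outpulsed": o.get("GwOutpulsedCalledNumber")})
    return findings
```

Run against the full output, `sip_to_fxo_bridges(parse_legs(text))` returns one entry per bridged call, which makes it easy to list the remote addresses and outbound dial-peers involved across many history records.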