Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Need help identifying SIP hacking to FXO ports

Status
Not open for further replies.

Funk49

MIS
May 13, 2009
118
US
Hi guys, I have an older Cisco Unity Express Version 2.2

The call history reports were showing international calls on all of our FXO ports, sometimes just keeping all of them locked up.
These international FXO calls lasted for sometimes 11 hours, yet no bills from our long distance provider? (I don't understand)

We have stopped the majority of SIP calls to FXO portsby setting up our Access List and applying to our interface blocking incoming (and now outgoing) TCP and UDP Port 5060 and other typical SIP ports but we still see very short duration calls via SIP and out our FXO ports.
It looks like the call is trying to use port 5060 again but no peg counts on the access list.

I was hoping you guys could help me interpret some of these call history logs or lead me in the right direction as to HOW they are getting in and what the basics are regarding SIP 2.0 and accessing our FXO ports. Can these SIP hack calls originate from an infected PC workstation?

What is the purpose of establishing a 11 hour call to Jamaica or Bermuda or Haiti? What are they getting out of it? Why am I not being billed but Call Manager shows reports of the supposed call?

The syslog reports show access from our main IP interface yet there no matches to the assigned Access List blocking port 5060???

What is Username=442099999999 ?

I'm not a Cisco expert so any help would be appreciated, thanks.

Code:
3BCF : 300662 14106334330ms.297964 +4180 +23730 pid:9011 Originate 90111876XXXXXXX

2811#show call history voice id 3bcf
Telephony call-legs: 488
SIP call-legs: 12
H323 call-legs: 0
Call agent controlled call-legs: 0
Media call-legs: 0
Total call-legs: 500


GENERIC:
SetupTime=14106334330 ms
Index=297964
PeerAddress=90111876XXXXXXX
PeerSubAddress=
PeerId=9011
PeerIfIndex=26
LogicalIfIndex=9
DisconnectCause=66
DisconnectText=recovery on timer expiry (102)
ConnectTime=14106338510 ms
DisconnectTime=14106358060 ms
CallDuration=00:00:19 sec
CallOrigin=1
ReleaseSource=6
ChargedUnits=0
InfoType=speech
TransmitPackets=0
TransmitBytes=0
ReceivePackets=649
ReceiveBytes=15576
TELE:
ConnectionId=[0x52511E40 0xE6C511E3 0xA9ECDA01 0x16416E5B]
IncomingConnectionId=[0x52511E40 0xE6C511E3 0xA9ECDA01 0x16416E5B]
CallID=300662
Port=0/0/2 (300662)
BearerChannel=0/0/2
TxDuration=16410 ms
VoiceTxDuration=16410 ms
FaxTxDuration=0 ms
CoderTypeRate=g723r63
NoiseLevel=-84
ACOMLevel=6
SessionTarget=
ImgPages=0
CallerName=442099999999
CallerIDBlocked=False
Target tg label=Outbound
LongDurationCallDetected=no
LongDurCallTimeStamp=
LongDurCallDuration=
OriginalCallingNumber=442099999999
OriginalCallingOctet=0x0
OriginalCalledNumber=90111876XXXXXXX
OriginalCalledOctet=0x0
OriginalRedirectCalledNumber=
OriginalRedirectCalledOctet=0x80
TranslatedCallingNumber=442099999999
TranslatedCallingOctet=0x0
TranslatedCalledNumber=90111876XXXXXXX
TranslatedCalledOctet=0x0
TranslatedRedirectCalledNumber=
TranslatedRedirectCalledOctet=0x80
GwReceivedCalledNumber=90111876XXXXXXX
GwReceivedCalledOctet3=0x0
GwOutpulsedCalledNumber=0111876XXXXXXX
GwOutpulsedCalledOctet3=0x0
GwReceivedCallingNumber=442099999999
GwReceivedCallingOctet3=0x0
GwReceivedCallingOctet3a=0x80
GwOutpulsedCallingNumber=442099999999
GwOutpulsedCallingOctet3=0x0
GwOutpulsedCallingOctet3a=0x80
DSPIdentifier=0/1:1

GENERIC:
SetupTime=14106334310 ms
Index=297969
PeerAddress=442099999999
PeerSubAddress=
PeerId=0
PeerIfIndex=18
LogicalIfIndex=0
DisconnectCause=56
DisconnectText=call cleared (86)
ConnectTime=14106338520 ms
DisconnectTime=14106393520 ms
CallDuration=00:00:55 sec
CallOrigin=2
ReleaseSource=6
InternalErrorCode=1.1.129.7.66.0
ChargedUnits=0
InfoType=speech
TransmitPackets=649
TransmitBytes=15576
ReceivePackets=0
ReceiveBytes=0
VOIP:
ConnectionId[0x52511E40 0xE6C511E3 0xA9ECDA01 0x16416E5B]
IncomingConnectionId[0x52511E40 0xE6C511E3 0xA9ECDA01 0x16416E5B]
CallID=300661
RemoteIPAddress=31.210.122.82
RemoteUDPPort=12860
RemoteSignallingIPAddress=31.210.122.82
RemoteSignallingPort=5060
RemoteMediaIPAddress=187.37.88.94
RemoteMediaPort=12860
SRTP = off
TextRelay = off
Fallback Icpif=0
Fallback Loss=0
Fallback Delay=0
RoundTripDelay=0 ms
SelectedQoS=best-effort
tx_DtmfRelay=rtp-nte
FastConnect=FALSE
AnnexE=FALSE
Separate H245 Connection=FALSE
H245 Tunneling=FALSE
SessionProtocol=sipv2
ProtocolCallId=HZDckNSdukI7nRPhRqghFheMDQXM3gjwFhefyQRZB6TAFheMCQ@31.210.122.82:5060
SessionTarget=31.210.122.82
OnTimeRvPlayout=0
GapFillWithSilence=0 ms
GapFillWithPrediction=0 ms
GapFillWithInterpolation=0 ms
GapFillWithRedundancy=0 ms
HiWaterPlayoutDelay=70 ms
LoWaterPlayoutDelay=70 ms
ReceiveDelay=70 ms
LostPackets=0
EarlyPackets=0
LatePackets=0
VAD = disabled
CoderTypeRate=g723r63
CodecBytes=24
cvVoIPCallHistoryIcpif=0
MediaSetting=flow-around
CallerName=442099999999
CallerIDBlocked=False
OriginalCallingNumber=442099999999
OriginalCallingOctet=0x0
OriginalCalledNumber=90111876XXXXXXX
OriginalCalledOctet=0x0
OriginalRedirectCalledNumber=
OriginalRedirectCalledOctet=0x80
TranslatedCallingNumber=442099999999
TranslatedCallingOctet=0x0
TranslatedCalledNumber=90111876XXXXXXX
TranslatedCalledOctet=0x0
TranslatedRedirectCalledNumber=
TranslatedRedirectCalledOctet=0x80
GwReceivedCalledNumber=90111876XXXXXXX
GwReceivedCalledOctet3=0x0
GwReceivedCallingNumber=442099999999
GwReceivedCallingOctet3=0x0
GwReceivedCallingOctet3a=0x80
MediaInactiveDetected=no
MediaInactiveTimestamp=
MediaControlReceived=
LongDurationCallDetected=no
LongDurationCallTimerStamp=
LongDurationCallDuration=
Username=442099999999
2811#

 
Well I believe we have finally blocked this hacker through our access list but I was more curious of what it is that they're gaining.

What is the purpose of establishing a 11 hour calls to Jamaica or Bermuda or Haiti?

Why am I not being billed by our long distance provider for these calls but Call Manager showed reports (multiple) 11 hour calls?

Any insight on how these hackers find Cisco or other IP communication servers and call out the POTS lines via an IP/SIP session?
How are they initiating SIP calls so easily without any security/password issues?

I'm just asking for the basics of how and why they hack into our systems, and for no apparent gain?

 
This is a prime example of why its recommended that you protect a voice gateway with a dedicated firewall or at the very least a Zone Based Firewall. Usually calls such as this are generated by script kiddies and serve no real purpose other than to run up your bill. Additionally they are also used to call toll numbers that will turn around and show up on your bill.

It is also time to upgrade your system as version 2.2 is very old.
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top