Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations SkipVought on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Need help identifying SIP hacking to FXO ports

Status
Not open for further replies.
Funk49

Funk49

MIS
May 13, 2009
118
0
0
US
Hi guys, I have an older Cisco Unity Express Version 2.2

The call history reports were showing international calls on all of our FXO ports, sometimes just keeping all of them locked up.
These international FXO calls lasted for sometimes 11 hours, yet no bills from our long distance provider? (I don't understand)

We have stopped the majority of SIP calls to FXO portsby setting up our Access List and applying to our interface blocking incoming (and now outgoing) TCP and UDP Port 5060 and other typical SIP ports but we still see very short duration calls via SIP and out our FXO ports.
It looks like the call is trying to use port 5060 again but no peg counts on the access list.

I was hoping you guys could help me interpret some of these call history logs or lead me in the right direction as to HOW they are getting in and what the basics are regarding SIP 2.0 and accessing our FXO ports. Can these SIP hack calls originate from an infected PC workstation?

What is the purpose of establishing a 11 hour call to Jamaica or Bermuda or Haiti? What are they getting out of it? Why am I not being billed but Call Manager shows reports of the supposed call?

The syslog reports show access from our main IP interface yet there no matches to the assigned Access List blocking port 5060???

What is Username=442099999999 ?

I'm not a Cisco expert so any help would be appreciated, thanks.

Code: 
3BCF : 300662 14106334330ms.297964 +4180 +23730 pid:9011 Originate 90111876XXXXXXX

2811#show call history voice id 3bcf
Telephony call-legs: 488
SIP call-legs: 12
H323 call-legs: 0
Call agent controlled call-legs: 0
Media call-legs: 0
Total call-legs: 500


GENERIC:
SetupTime=14106334330 ms
Index=297964
PeerAddress=90111876XXXXXXX
PeerSubAddress=
PeerId=9011
PeerIfIndex=26
LogicalIfIndex=9
DisconnectCause=66
DisconnectText=recovery on timer expiry (102)
ConnectTime=14106338510 ms
DisconnectTime=14106358060 ms
CallDuration=00:00:19 sec
CallOrigin=1
ReleaseSource=6
ChargedUnits=0
InfoType=speech
TransmitPackets=0
TransmitBytes=0
ReceivePackets=649
ReceiveBytes=15576
TELE:
ConnectionId=[0x52511E40 0xE6C511E3 0xA9ECDA01 0x16416E5B]
IncomingConnectionId=[0x52511E40 0xE6C511E3 0xA9ECDA01 0x16416E5B]
CallID=300662
Port=0/0/2 (300662)
BearerChannel=0/0/2
TxDuration=16410 ms
VoiceTxDuration=16410 ms
FaxTxDuration=0 ms
CoderTypeRate=g723r63
NoiseLevel=-84
ACOMLevel=6
SessionTarget=
ImgPages=0
CallerName=442099999999
CallerIDBlocked=False
Target tg label=Outbound
LongDurationCallDetected=no
LongDurCallTimeStamp=
LongDurCallDuration=
OriginalCallingNumber=442099999999
OriginalCallingOctet=0x0
OriginalCalledNumber=90111876XXXXXXX
OriginalCalledOctet=0x0
OriginalRedirectCalledNumber=
OriginalRedirectCalledOctet=0x80
TranslatedCallingNumber=442099999999
TranslatedCallingOctet=0x0
TranslatedCalledNumber=90111876XXXXXXX
TranslatedCalledOctet=0x0
TranslatedRedirectCalledNumber=
TranslatedRedirectCalledOctet=0x80
GwReceivedCalledNumber=90111876XXXXXXX
GwReceivedCalledOctet3=0x0
GwOutpulsedCalledNumber=0111876XXXXXXX
GwOutpulsedCalledOctet3=0x0
GwReceivedCallingNumber=442099999999
GwReceivedCallingOctet3=0x0
GwReceivedCallingOctet3a=0x80
GwOutpulsedCallingNumber=442099999999
GwOutpulsedCallingOctet3=0x0
GwOutpulsedCallingOctet3a=0x80
DSPIdentifier=0/1:1

GENERIC:
SetupTime=14106334310 ms
Index=297969
PeerAddress=442099999999
PeerSubAddress=
PeerId=0
PeerIfIndex=18
LogicalIfIndex=0
DisconnectCause=56
DisconnectText=call cleared (86)
ConnectTime=14106338520 ms
DisconnectTime=14106393520 ms
CallDuration=00:00:55 sec
CallOrigin=2
ReleaseSource=6
InternalErrorCode=1.1.129.7.66.0
ChargedUnits=0
InfoType=speech
TransmitPackets=649
TransmitBytes=15576
ReceivePackets=0
ReceiveBytes=0
VOIP:
ConnectionId[0x52511E40 0xE6C511E3 0xA9ECDA01 0x16416E5B]
IncomingConnectionId[0x52511E40 0xE6C511E3 0xA9ECDA01 0x16416E5B]
CallID=300661
RemoteIPAddress=31.210.122.82
RemoteUDPPort=12860
RemoteSignallingIPAddress=31.210.122.82
RemoteSignallingPort=5060
RemoteMediaIPAddress=187.37.88.94
RemoteMediaPort=12860
SRTP = off
TextRelay = off
Fallback Icpif=0
Fallback Loss=0
Fallback Delay=0
RoundTripDelay=0 ms
SelectedQoS=best-effort
tx_DtmfRelay=rtp-nte
FastConnect=FALSE
AnnexE=FALSE
Separate H245 Connection=FALSE
H245 Tunneling=FALSE
SessionProtocol=sipv2
ProtocolCallId=HZDckNSdukI7nRPhRqghFheMDQXM3gjwFhefyQRZB6TAFheMCQ@31.210.122.82:5060
SessionTarget=31.210.122.82
OnTimeRvPlayout=0
GapFillWithSilence=0 ms
GapFillWithPrediction=0 ms
GapFillWithInterpolation=0 ms
GapFillWithRedundancy=0 ms
HiWaterPlayoutDelay=70 ms
LoWaterPlayoutDelay=70 ms
ReceiveDelay=70 ms
LostPackets=0
EarlyPackets=0
LatePackets=0
VAD = disabled
CoderTypeRate=g723r63
CodecBytes=24
cvVoIPCallHistoryIcpif=0
MediaSetting=flow-around
CallerName=442099999999
CallerIDBlocked=False
OriginalCallingNumber=442099999999
OriginalCallingOctet=0x0
OriginalCalledNumber=90111876XXXXXXX
OriginalCalledOctet=0x0
OriginalRedirectCalledNumber=
OriginalRedirectCalledOctet=0x80
TranslatedCallingNumber=442099999999
TranslatedCallingOctet=0x0
TranslatedCalledNumber=90111876XXXXXXX
TranslatedCalledOctet=0x0
TranslatedRedirectCalledNumber=
TranslatedRedirectCalledOctet=0x80
GwReceivedCalledNumber=90111876XXXXXXX
GwReceivedCalledOctet3=0x0
GwReceivedCallingNumber=442099999999
GwReceivedCallingOctet3=0x0
GwReceivedCallingOctet3a=0x80
MediaInactiveDetected=no
MediaInactiveTimestamp=
MediaControlReceived=
LongDurationCallDetected=no
LongDurationCallTimerStamp=
LongDurationCallDuration=
Username=442099999999
2811#

 
Sort by date Sort by votes
Well I believe we have finally blocked this hacker through our access list but I was more curious of what it is that they're gaining.

What is the purpose of establishing a 11 hour calls to Jamaica or Bermuda or Haiti?

Why am I not being billed by our long distance provider for these calls but Call Manager showed reports (multiple) 11 hour calls?

Any insight on how these hackers find Cisco or other IP communication servers and call out the POTS lines via an IP/SIP session?
How are they initiating SIP calls so easily without any security/password issues?

I'm just asking for the basics of how and why they hack into our systems, and for no apparent gain?

 
Upvote 0 Downvote
This is a prime example of why its recommended that you protect a voice gateway with a dedicated firewall or at the very least a Zone Based Firewall. Usually calls such as this are generated by script kiddies and serve no real purpose other than to run up your bill. Additionally they are also used to call toll numbers that will turn around and show up on your bill.

It is also time to upgrade your system as version 2.2 is very old.
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Gnjiro
  • Question
Cisco Ip Phone 7841, 7821 Delay when making call both inbound and outbound in sip protocol
Replies
0
Views
78
Gnjiro
Gnjiro
Diya Freahat
  • Locked
  • Question
called name between avaya I P office & CUCM via SIP trunk
Replies
1
Views
73
Diya Freahat
Diya Freahat
mikedphones
  • Question
MASS - Looking for a Cisco Call Manager support tech to move and reconfigure
Replies
0
Views
81
mikedphones
mikedphones
SA.panasonic
  • Locked
  • Question
7921g need usb driver
Replies
0
Views
72
SA.panasonic
SA.panasonic
DTGMI
  • Locked
  • Question
Nortel to Cisco VG310 & 4431 SIP GWs
Replies
0
Views
43
DTGMI
DTGMI

Part and Inventory Search

Sponsor

Back
Top