[asterisk-users] Investigating international calls fraud

Steven McCann steven.r.mccann at gmail.com
Wed Jan 28 16:45:31 CST 2015


Hi Michelle,

DISA is not in use. I'll check out the SecAst product you mentioned for
rebuilding the server.

I'm digging into the logs to get some more information.

Thanks,
Steve

On Wed, Jan 28, 2015 at 5:30 PM, Michelle Dupuis <mdupuis at ocg.ca> wrote:

> Do you have DISA setup?  We're seeing lots of attackers running scripts
> that send digits until they strike a DISA, misconfigured mailbox, etc.
> (Assuming it wasn't a stupid employee forwarding an inbound call to a
> 9xxxxxxx number etc).
>
> Have a look at SecAst (www.generationd.com) - it detects callers sending
> too many digits, monitors digit dialing speeds, etc. to help identify and
> block these types of attacks.  The free version is better than nothing (but
> if you've already suffered one $25k attack then you probably don't mind
> spending a bit of money).  Or have a look at
> http://www.voip-info.org/wiki/view/Asterisk+security for other ideas.
>
> There were some (at least one) critical FreePBX weaknesses discovered this
> summer (you'll find them if you google).  Even if you don't expose the
> management interface to the internet, don't trust FreePBX security alone.
>
> -MD-
>
> My opinions expressed are my own and do not necessarily reflect those of
> my employer.  However, as an employee of Generation D Systems my opinions
> are probably biased.
>
>
>
> ________________________________________
> From: asterisk-users-bounces at lists.digium.com <
> asterisk-users-bounces at lists.digium.com> on behalf of Administrator
> TOOTAI <admin at tootai.net>
> Sent: Wednesday, January 28, 2015 5:07 PM
> To: Asterisk Users List
> Subject: Re: [asterisk-users] Investigating international calls fraud
>
> On 28/01/2015 22:03, Steven McCann wrote:
> > Hello,
>
> Hi
>
> >
> > I'm investigating a situation where there were hundreds of minutes of
> > calls from an internal SIP extension to an 855 number in Cambodia,
> > resulting in a crazy ($25,000+) bill from the phone company. I'm
> > investigating, but can anyone provide some feedback on what's happened
> > here? I'm investigating how this happened as well as what types of
> > arrangements can be made with the phone company (CenturyLink in Texas).
> >
> > Some details:
> > * PBX is located in Texas
> > * Phone carrier is CenturyLink
> > * FreePBX distro running asterisk 1.8.14
> > * source SIP extension is Mitel 5212, firmware 08.00.00.04, default
> > admin password (argh!). Phone is used by many different people.
> >
> > More PBX setting details:
> > * inbound SIP traffic is not allowed through the firewall
> > * internal network is not accessed by many
> > * FreePBX web interface
> >
> > *Questions I have at this moment:*
> > 1) how were the calls placed? Was the Mitel SIP phone hacked somehow?
> > Asterisk PBX?
>
> Check your logs. In the full log with verbosity 3 you can follow how
> calls were treated. Also the CDR should give you information like the
> extension(s) that placed those calls.
>
> [...]
>
> --
> Daniel
>
> --
> _____________________________________________________________________
> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
> New to Asterisk? Join us for a live introductory webinar every Thurs:
>                http://www.asterisk.org/hello
>
> asterisk-users mailing list
> To UNSUBSCRIBE or update options visit:
>    http://lists.digium.com/mailman/listinfo/asterisk-users
>
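Daniel's suggestion above is to pull the answer out of the CDR: which extension placed the Cambodia calls, how many there were, and how long they billed. The following is an added example, not code from the thread or from Asterisk or FreePBX. It parses lines in the default Master.csv column order written by Asterisk's cdr_csv module, sums billed seconds per source extension for a destination prefix, and lists calls that started outside business hours (the thread mentions no time of day; the off-hours check and the 07:00 to 19:00 window are my assumptions). The CDR lines, extension numbers and dialled numbers are constructed for the example; "011855" is the US international prefix followed by Cambodia's country code.

```python
"""Triage an Asterisk Master.csv CDR for toll-fraud patterns (added example)."""
import csv
import io
from collections import defaultdict
from datetime import datetime

# Default column order of /var/log/asterisk/cdr-csv/Master.csv (cdr_csv module).
CDR_FIELDS = ["accountcode", "src", "dst", "dcontext", "clid", "channel",
              "dstchannel", "lastapp", "lastdata", "start", "answer", "end",
              "duration", "billsec", "disposition", "amaflags", "uniqueid",
              "userfield"]

# Constructed sample CDR lines (not from the thread); all numbers are fake.
SAMPLE_CDR = '''\
"","2001","5125550100","from-internal","""Front Desk"" <2001>","SIP/2001-00000001","SIP/centurylink-00000002","Dial","SIP/centurylink/5125550100,300,","2015-01-20 09:12:01","2015-01-20 09:12:05","2015-01-20 09:15:05","184","180","ANSWERED","DOCUMENTATION","1421766721.1",""
"","2001","0118551234567","from-internal","""Front Desk"" <2001>","SIP/2001-00000003","SIP/centurylink-00000004","Dial","SIP/centurylink/0118551234567,300,","2015-01-24 02:03:11","2015-01-24 02:03:20","2015-01-24 03:58:20","6909","6900","ANSWERED","DOCUMENTATION","1422086591.3",""
"","2001","0118551234567","from-internal","""Front Desk"" <2001>","SIP/2001-00000005","SIP/centurylink-00000006","Dial","SIP/centurylink/0118551234567,300,","2015-01-24 04:00:02","2015-01-24 04:00:09","2015-01-24 05:12:09","4327","4320","ANSWERED","DOCUMENTATION","1422093602.5",""
"","2002","0118551234567","from-internal","""Sales"" <2002>","SIP/2002-00000007","SIP/centurylink-00000008","Dial","SIP/centurylink/0118551234567,300,","2015-01-25 03:10:00","","2015-01-25 03:10:30","30","0","NO ANSWER","DOCUMENTATION","1422177000.7",""
"","2003","0114412345678","from-internal","""Eng"" <2003>","SIP/2003-00000009","SIP/centurylink-00000010","Dial","SIP/centurylink/0114412345678,300,","2015-01-26 14:00:00","2015-01-26 14:00:04","2015-01-26 14:10:04","604","600","ANSWERED","DOCUMENTATION","1422295200.9",""
'''


def parse_cdr(text):
    """Turn Master.csv text into a list of dicts keyed by CDR_FIELDS."""
    reader = csv.reader(io.StringIO(text))
    return [dict(zip(CDR_FIELDS, row)) for row in reader if row]


def summarize_by_src(records, dst_prefix):
    """Per source extension: (calls, answered calls, total billed seconds)
    for every call whose dialled number starts with dst_prefix."""
    summary = defaultdict(lambda: [0, 0, 0])
    for r in records:
        if not r["dst"].startswith(dst_prefix):
            continue
        row = summary[r["src"]]
        row[0] += 1
        if r["disposition"] == "ANSWERED":
            row[1] += 1
        row[2] += int(r["billsec"] or 0)
    return {src: tuple(v) for src, v in summary.items()}


def off_hours(records, start_hour=7, end_hour=19):
    """Calls that started outside the assumed business window
    [start_hour, end_hour). Unattended phones dial at night."""
    flagged = []
    for r in records:
        started = datetime.strptime(r["start"], "%Y-%m-%d %H:%M:%S")
        if not start_hour <= started.hour < end_hour:
            flagged.append(r)
    return flagged


if __name__ == "__main__":
    recs = parse_cdr(SAMPLE_CDR)
    for src, (calls, answered, billsec) in summarize_by_src(recs, "011855").items():
        print(f"ext {src}: {calls} calls to 011855*, {answered} answered, "
              f"{billsec / 60:.1f} billed minutes")
    for r in off_hours(recs):
        print(f"off-hours {r['start']} {r['src']} -> {r['dst']} "
              f"channel={r['channel']} uniqueid={r['uniqueid']}")
```

The `channel` column is the part worth cross-checking against the full log (verbosity 3): if the calls show up as coming from the phone's SIP peer rather than from a trunk or a feature such as DISA, the handset itself placed them, which is the question Steve is asking. The `uniqueid` lets you grep the matching call in `full` directly.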