Do you have DISA set up?  We're seeing lots of attackers running scripts that 
send digits until they strike a DISA, misconfigured mailbox, etc.  (Assuming it 
wasn't a stupid employee forwarding an inbound call to a 9xxxxxxx number etc).

Have a look at SecAst (www.generationd.com) - it detects callers sending too 
many digits, monitors digit dialing speeds, etc. to help identify and block 
these types of attacks.  The free version is better than nothing (but if you've 
already suffered one $25k attack then you probably don't mind spending a bit of 
money).  Or have a look at http://www.voip-info.org/wiki/view/Asterisk+security 
for other ideas.

There were some (at least one) critical FreePBX weaknesses discovered this 
summer (you'll find them if you google).  Even if you don't expose the 
management interface to the internet, don't trust FreePBX security alone.

-MD-

My opinions expressed are my own and do not necessarily reflect those of my 
employer.  However, as an employee of Generation D Systems my opinions are 
probably biased.



________________________________________
From: asterisk-users-boun...@lists.digium.com 
<asterisk-users-boun...@lists.digium.com> on behalf of Administrator TOOTAI 
<ad...@tootai.net>
Sent: Wednesday, January 28, 2015 5:07 PM
To: Asterisk Users List
Subject: Re: [asterisk-users] Investigating international calls fraud

On 28/01/2015 22:03, Steven McCann wrote:
> Hello,

Hi

>
> I'm investigating a situation where there were hundreds of minutes of
> calls from an internal SIP extension to an 855 number in Cambodia,
> resulting in a crazy ($25,000+) bill from the phone company. I'm
> investigating, but can anyone provide some feedback on what's happened
> here? I'm investigating how this happened as well as what types of
> arrangements can be made with the phone company (CenturyLink in Texas).
>
> Some details:
> * PBX is located in Texas
> * Phone carrier is CenturyLink
> * FreePBX distro running asterisk 1.8.14
> * source SIP extension is Mitel 5212, firmware 08.00.00.04, default
> admin password (argh!). Phone is used by many different people.
>
> More PBX setting details:
> * inbound SIP traffic is not allowed through the firewall
> * internal network is not accessed by many
> * FreePBX web interface
>
> *Questions I have at this moment:*
> 1) how were the calls placed? Was the Mitel SIP phone hacked somehow?
> Asterisk PBX?

Check your logs. In the full log with verbosity 3 you can follow how
calls were treated. Also the CDR should give you information like the
extension(s) that placed those calls.

[...]

--
Daniel

--
_____________________________________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
               http://www.asterisk.org/hello

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-users
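
Added example, not part of the original thread: one way to follow the advice above and use the CDR to see which extension and SIP peer placed the international calls. It assumes the column order written by Asterisk's cdr_csv backend (Master.csv) and a North American dial plan (011 prefix, optional leading 9 for an outside line); the records and the trunk name `trunk` are constructed.

```python
import csv
import io
import re
from collections import defaultdict

# Column order written by Asterisk's cdr_csv backend (Master.csv).
FIELDS = ["accountcode", "src", "dst", "dcontext", "clid", "channel",
          "dstchannel", "lastapp", "lastdata", "start", "answer", "end",
          "duration", "billsec", "disposition", "amaflags", "uniqueid",
          "userfield"]

# Assumption: international = 011 + country code, optionally preceded by a
# 9 outside-line prefix (North American dial plan).
INTL = re.compile(r"^9?011\d+$")

# Constructed sample records, not taken from the thread.
SAMPLE_CDR = '''\
"","2101","918005550100","from-internal","2101","SIP/2101-00000010","SIP/trunk-00000011","Dial","SIP/trunk/18005550100","2015-01-24 09:12:01","2015-01-24 09:12:09","2015-01-24 09:14:09",128,120,"ANSWERED","DOCUMENTATION","1422090721.16",""
"","2105","901185500000001","from-internal","2105","SIP/2105-00000012","SIP/trunk-00000013","Dial","SIP/trunk/01185500000001","2015-01-24 23:00:00","2015-01-24 23:00:05","2015-01-24 23:59:05",3545,3540,"ANSWERED","DOCUMENTATION","1422140400.18",""
"","2105","901185500000002","from-internal","2105","SIP/2105-00000014","SIP/trunk-00000015","Dial","SIP/trunk/01185500000002","2015-01-25 00:00:00","2015-01-25 00:00:04","2015-01-25 01:00:04",3604,3600,"ANSWERED","DOCUMENTATION","1422144000.20",""
"","2102","01144000000000","from-internal","2102","SIP/2102-00000016","SIP/trunk-00000017","Dial","SIP/trunk/01144000000000","2015-01-26 10:00:00","2015-01-26 10:00:06","2015-01-26 10:01:06",66,60,"ANSWERED","DOCUMENTATION","1422266400.22",""
"","2105","901185500000003","from-internal","2105","SIP/2105-00000018","SIP/trunk-00000019","Dial","SIP/trunk/01185500000003","2015-01-26 23:30:00","","2015-01-26 23:30:30",30,0,"NO ANSWER","DOCUMENTATION","1422315000.24",""
'''

def international_usage(cdr_text):
    """Return [(src, peer, dcontext, calls, minutes)], most minutes first."""
    totals = defaultdict(lambda: [0, 0])
    for row in csv.DictReader(io.StringIO(cdr_text), fieldnames=FIELDS):
        # Only answered calls accrue billable time; short rows are skipped
        # because their disposition is missing.
        if row["disposition"] != "ANSWERED" or not INTL.match(row["dst"] or ""):
            continue
        # "SIP/2105-00000012" -> "SIP/2105": the peer the call leg arrived on.
        # Caller ID (src) can be set by the caller; the channel name cannot.
        peer = row["channel"].rsplit("-", 1)[0]
        entry = totals[(row["src"], peer, row["dcontext"])]
        entry[0] += 1
        entry[1] += int(row["billsec"])
    report = [(src, peer, ctx, n, secs / 60)
              for (src, peer, ctx), (n, secs) in totals.items()]
    return sorted(report, key=lambda r: r[4], reverse=True)

if __name__ == "__main__":
    for src, peer, ctx, calls, minutes in international_usage(SAMPLE_CDR):
        print(f"{src:>6} {peer:<10} {ctx:<14} calls={calls} minutes={minutes:.1f}")
```

The `dcontext` column shows which dialplan context handled each call, and the `start` timestamps show whether the calls fall outside working hours.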