Send VoiceOps mailing list submissions to
        [email protected]

To subscribe or unsubscribe via the World Wide Web, visit
        https://puck.nether.net/mailman/listinfo/voiceops
or, via email, send a message with subject or body 'help' to
        [email protected]

You can reach the person managing the list at
        [email protected]

When replying, please edit your Subject line so it is more specific
than "Re: Contents of VoiceOps digest..."


Today's Topics:

   1. Re: looking for advice on international fraud that took place
      via an Edgemarc 200EW with FXO line installed (Matt Yaklin)
   2. Re: looking for advice on international fraud that took place
      via an Edgemarc 200EW with FXO line installed (Paul Timmins)


----------------------------------------------------------------------

Message: 1
Date: Fri, 1 Nov 2013 16:07:37 -0400 (EDT)
From: Matt Yaklin <[email protected]>
To: Paul Timmins <[email protected]>
Cc: [email protected]
Subject: Re: [VoiceOps] looking for advice on international fraud that
        took place via an Edgemarc 200EW with FXO line installed
Message-ID: <[email protected]>
Content-Type: text/plain; charset="iso-8859-15"; Format="flowed"


I think you are on the right track.

I was reading the manual just now trying to figure out how
or where 1001 comes from. Perhaps that does not even matter.
You could make up anything.

I am just not seeing how I tell this edgemarc box to stop
allowing it yet short of using a firewall feature that this
box does not have like the newest 13.x firmware does. Maybe
it is hidden or people used the pass through rule set.

matt

On Fri, 1 Nov 2013, Paul Timmins wrote:

> Have you tried tossing an unauthenticated call at the edgemarc from outside
> using a from address of 1001@edgemarcip? Looks like that's what this guy is
> doing.
> You're ignoring his registers but you may be allowing invites from an 
> unregistered device.
> 
> On Fri, 11/01/2013 03:33 PM, Matt Yaklin <[email protected]> wrote:
>       They are not overlapping.
>
>       The attacker finally bit just a bit ago. I only was running
>       tcpdump on port 5060 on the edgemarc but I captured the SIP
>       traffic for what the attacker is doing. I wish I had set up
>       more.
> 
>
>       I blocked international via an auth code right now...
>
>       x.x.139.225 = WAN ethernet port of the Edgemarc.
>
>       I am going through this now and if anyone can help I would
>       greatly appreciate it. I need to find out why this is happening.
> 
> 
>
>       -----------------------
>       -----------------------
>       -----------------------
>       Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE,
>       SUBSCRIBE, INFO
>       User-Agent: eyeBeam release 3007n stamp 17816
>       Cont
>       <<<<<<<<<<<<<<<sip header stop<<<<<<<<<<<<<<<<<<<<
>
>       19:18:48.788559 176.58.68.20.10181 > x.x.139.225.5060:
>       >>>>>>>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>>
>       REGISTER sip:x.x.139.225 SIP/2.0
>       To: <sip:[email protected]>
>       From: <sip:[email protected]>;tag=e26e273f
>       Via: SIP/2.0/UDP
>       176.58.68.20:10181;branch=z9hG4bK-d87543-161690352-1--d87543-;rport
>       Call-ID: b161d8122d506908
>       CSeq: 1 REGISTER
>       Contact: <sip:[email protected]:10181>
>       Expires: 3600
>       Max-Forwards: 70
>       Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE,
>       SUBSCRIBE, INFO
>       User-Agent: eyeBeam release 3007n stamp 17816
>       Cont
>       <<<<<<<<<<<<<<<sip header stop<<<<<<<<<<<<<<<<<<<<
>
>       19:18:52.786472 176.58.68.20.10181 > x.x.139.225.5060:
>       >>>>>>>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>>
>       REGISTER sip:x.x.139.225 SIP/2.0
>       To: <sip:[email protected]>
>       From: <sip:[email protected]>;tag=e26e273f
>       Via: SIP/2.0/UDP
>       176.58.68.20:10181;branch=z9hG4bK-d87543-161690352-1--d87543-;rport
>       Call-ID: b161d8122d506908
>       CSeq: 1 REGISTER
>       Contact: <sip:[email protected]:10181>
>       Expires: 3600
>       Max-Forwards: 70
>       Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE,
>       SUBSCRIBE, INFO
>       User-Agent: eyeBeam release 3007n stamp 17816
>       Cont
>       <<<<<<<<<<<<<<<sip header stop<<<<<<<<<<<<<<<<<<<<
>
>       19:18:56.794955 176.58.68.20.10181 > x.x.139.225.5060:
>       >>>>>>>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>>
>       REGISTER sip:x.x.139.225 SIP/2.0
>       To: <sip:[email protected]>
>       From: <sip:[email protected]>;tag=e26e273f
>       Via: SIP/2.0/UDP
>       176.58.68.20:10181;branch=z9hG4bK-d87543-161690352-1--d87543-;rport
>       Call-ID: b161d8122d506908
>       CSeq: 1 REGISTER
>       Contact: <sip:[email protected]:10181>
>       Expires: 3600
>       Max-Forwards: 70
>       Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE,
>       SUBSCRIBE, INFO
>       User-Agent: eyeBeam release 3007n stamp 17816
>       Cont
>       <<<<<<<<<<<<<<<sip header stop<<<<<<<<<<<<<<<<<<<<
>
>       19:19:00.899198 176.58.68.20.10181 > x.x.139.225.5060:
>       >>>>>>>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>>
>       REGISTER sip:x.x.139.225 SIP/2.0
>       To: <sip:[email protected]>
>       From: <sip:[email protected]>;tag=e26e273f
>       Via: SIP/2.0/UDP
>       176.58.68.20:10181;branch=z9hG4bK-d87543-161690352-1--d87543-;rport
>       Call-ID: b161d8122d506908
>       CSeq: 1 REGISTER
>       Contact: <sip:[email protected]:10181>
>       Expires: 3600
>       Max-Forwards: 70
>       Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE,
>       SUBSCRIBE, INFO
>       User-Agent: eyeBeam release 3007n stamp 17816
>       Cont
>       <<<<<<<<<<<<<<<sip header stop<<<<<<<<<<<<<<<<<<<<
>
>       19:19:04.809371 176.58.68.20.10181 > x.x.139.225.5060:
>       >>>>>>>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>>
>       REGISTER sip:x.x.139.225 SIP/2.0
>       To: <sip:[email protected]>
>       From: <sip:[email protected]>;tag=e26e273f
>       Via: SIP/2.0/UDP
>       176.58.68.20:10181;branch=z9hG4bK-d87543-161690352-1--d87543-;rport
>       Call-ID: b161d8122d506908
>       CSeq: 1 REGISTER
>       Contact: <sip:[email protected]:10181>
>       Expires: 3600
>       Max-Forwards: 70
>       Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE,
>       SUBSCRIBE, INFO
>       User-Agent: eyeBeam release 3007n stamp 17816
>       Cont
>       <<<<<<<<<<<<<<<sip header stop<<<<<<<<<<<<<<<<<<<<
>
>       19:19:08.831073 176.58.68.20.10181 > x.x.139.225.5060:
>       >>>>>>>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>>
>       REGISTER sip:x.x.139.225 SIP/2.0
>       To: <sip:[email protected]>
>       From: <sip:[email protected]>;tag=e26e273f
>       Via: SIP/2.0/UDP
>       176.58.68.20:10181;branch=z9hG4bK-d87543-161690352-1--d87543-;rport
>       Call-ID: b161d8122d506908
>       CSeq: 1 REGISTER
>       Contact: <sip:[email protected]:10181>
>       Expires: 3600
>       Max-Forwards: 70
>       Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE,
>       SUBSCRIBE, INFO
>       User-Agent: eyeBeam release 3007n stamp 17816
>       Cont
>       <<<<<<<<<<<<<<<sip header stop<<<<<<<<<<<<<<<<<<<<
>
>       19:19:12.827515 176.58.68.20.10181 > x.x.139.225.5060:
>       >>>>>>>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>>
>       REGISTER sip:x.x.139.225 SIP/2.0
>       To: <sip:[email protected]>
>       From: <sip:[email protected]>;tag=e26e273f
>       Via: SIP/2.0/UDP
>       176.58.68.20:10181;branch=z9hG4bK-d87543-161690352-1--d87543-;rport
>       Call-ID: b161d8122d506908
>       CSeq: 1 REGISTER
>       Contact: <sip:[email protected]:10181>
>       Expires: 3600
>       Max-Forwards: 70
>       Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE,
>       SUBSCRIBE, INFO
>       User-Agent: eyeBeam release 3007n stamp 17816
>       Cont
>       <<<<<<<<<<<<<<<sip header stop<<<<<<<<<<<<<<<<<<<<
>
>       19:19:16.827669 176.58.68.20.10181 > x.x.139.225.5060:
>       >>>>>>>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>>
>       REGISTER sip:x.x.139.225 SIP/2.0
>       To: <sip:[email protected]>
>       From: <sip:[email protected]>;tag=e26e273f
>       Via: SIP/2.0/UDP
>       176.58.68.20:10181;branch=z9hG4bK-d87543-161690352-1--d87543-;rport
>       Call-ID: b161d8122d506908
>       CSeq: 1 REGISTER
>       Contact: <sip:[email protected]:10181>
>       Expires: 3600
>       Max-Forwards: 70
>       Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE,
>       SUBSCRIBE, INFO
>       User-Agent: eyeBeam release 3007n stamp 17816
>       Cont
>       <<<<<<<<<<<<<<<sip header stop<<<<<<<<<<<<<<<<<<<<
>
>       19:23:19.307756 176.58.68.20.10189 > x.x.139.225.5060:
>       >>>>>>>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>>
>       BYE sip:[email protected]:5060 SIP/2.0
>       To: <sip:[email protected]>;tag=6516fea2
>       From: <sip:[email protected]>;tag=214bbc47
>       Via: SIP/2.0/UDP
>       176.58.68.20:10189;branch=z9hG4bK-d87543-1012476641-1--d87543-;rport
>       Call-ID: 346c8a3823657575
>       CSeq: 2 BYE
>       Route: <sip:[email protected];lr>
>       Contact: <sip:[email protected]:10189>
>       Max-Forwards: 70
>       Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE,
>       SUBSCRIBE,
>       <<<<<<<<<<<<<<<sip header stop<<<<<<<<<<<<<<<<<<<<
>
>       19:23:19.370269 x.x.139.225.5060 > 176.58.68.20.10189:
>       >>>>>>>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>>
>       SIP/2.0 200 OK
>       Via: SIP/2.0/UDP
>       176.58.68.20:10189;branch=z9hG4bK-d87543-1012476641-1--d87543-;rport=5060
>       Record-Route: <sip:[email protected];lr>
>       From: <sip:[email protected]>;tag=214bbc47
>       To: <sip:[email protected]>;tag=6516fea2
>       Call-ID: 346c8a3823657575
>       CSeq: 2 BYE
>       Contact: <sip:[email protected]:5060>
>       User-agent: fxo/1.0
>       Content-Length: 0
> 
>
>       <<<<<<<<<<<<<<<sip header stop<<<<<<<<<<<<<<<<<<<<
>       [tos 0xb8]
>       19:23:31.365141 176.58.68.20.10189 > x.x.139.225.5060:
>       >>>>>>>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>>
>       INVITE sip:[email protected] SIP/2.0
>       To: <sip:[email protected]>
>       From: <sip:[email protected]>;tag=d909f80a
>       Via: SIP/2.0/UDP
>       176.58.68.20:10189;branch=z9hG4bK-d87543-292959825-1--d87543-;rport
>       Call-ID: 2b6a574f323db602
>       CSeq: 1 INVITE
>       Contact: <sip:[email protected]:10189>
>       Max-Forwards: 70
>       Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE,
>       SUBSCRIBE, INFO
>       Content-Type: application/sdp
>       User-Agent: eyeBeam
>       <<<<<<<<<<<<<<<sip header stop<<<<<<<<<<<<<<<<<<<<
>
>       19:23:31.417251 x.x.139.225.5060 > 176.58.68.20.10189:
>       >>>>>>>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>>
>       SIP/2.0 100 Trying
>       Via: SIP/2.0/UDP
>       176.58.68.20:10189;branch=z9hG4bK-d87543-292959825-1--d87543-;rport=5060
>       From: <sip:[email protected]>;tag=d909f80a
>       To: <sip:[email protected]>;tag=51a346d4
>       Call-ID: 2b6a574f323db602
>       CSeq: 1 INVITE
>       User-agent: fxo/1.0
>       Content-Length: 0
> 
>
>       <<<<<<<<<<<<<<<sip header stop<<<<<<<<<<<<<<<<<<<<
>       [tos 0xb8]
>       19:23:36.793012 x.x.139.225.5060 > 176.58.68.20.10189:
>       >>>>>>>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>>
>       SIP/2.0 180 Ringing
>       Via: SIP/2.0/UDP
>       176.58.68.20:10189;branch=z9hG4bK-d87543-292959825-1--d87543-;rport=5060
>       Record-Route: <sip:[email protected];lr>
>       From: <sip:[email protected]>;tag=d909f80a
>       To: <sip:[email protected]>;tag=51a346d4
>       Call-ID: 2b6a574f323db602
>       CSeq: 1 INVITE
>       Contact: <sip:[email protected]:5060>
>       User-agent: fxo/1.0
>       Content-Length: 0
> 
>
>       <<<<<<<<<<<<<<<sip header stop<<<<<<<<<<<<<<<<<<<<
>       [tos 0xb8]
>       19:23:36.833967 x.x.139.225.5060 > 176.58.68.20.10189:
>       >>>>>>>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>>
>       SIP/2.0 200 OK
>       Via: SIP/2.0/UDP
>       176.58.68.20:10189;branch=z9hG4bK-d87543-292959825-1--d87543-;rport=5060
>       Record-Route: <sip:[email protected];lr>
>       From: <sip:[email protected]>;tag=d909f80a
>       To: <sip:[email protected]>;tag=51a346d4
>       Call-ID: 2b6a574f323db602
>       CSeq: 1 INVITE
>       Contact: <sip:[email protected]:5060>
>       User-agent: fxo/1.0
>       Allow: INVITE, ACK, CANCEL, OPTIONS, BYE
>       Content-Type: application/sdp
>       Content-Leng
>       <<<<<<<<<<<<<<<sip header stop<<<<<<<<<<<<<<<<<<<<
>       [tos 0xb8]
>       19:23:37.060875 176.58.68.20.10189 > x.x.139.225.5060:
>       >>>>>>>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>>
>       ACK sip:[email protected]:5060 SIP/2.0
>       To: <sip:[email protected]>;tag=51a346d4
>       From: <sip:[email protected]>;tag=d909f80a
>       Via: SIP/2.0/UDP
>       176.58.68.20:10189;branch=z9hG4bK-d87543-154025872-1--d87543-;rport
>       Call-ID: 2b6a574f323db602
>       CSeq: 1 ACK
>       Route: <sip:[email protected];lr>
>       Contact: <sip:[email protected]:10189>
>       Max-Forwards: 70
>       User-Agent: eyeBeam release 3007n stamp 17816
>       Content-Length: 0
> 
>
>       <<<<<<<<<<<<<<<sip header stop<<<<<<<<<<<<<<<<<<<<
> 
>
>       ---------------
>       --------------
>       ------------
>
>       On Fri, 1 Nov 2013, Jay Hennigan wrote:
>
>       > On 11/1/13 12:04 PM, Matt Yaklin wrote:
>       >>
>       >> Approx 60-70 calls.
>       >
>       > If more than one overlapping you can rule out the physical FXO port.
>       >
>       > --
>       > Jay Hennigan - CCIE #7880 - Network Engineering - [email protected]
>       > Impulse Internet Service - http://www.impulse.net/
>       > Your local telephone and internet company - 805 884-6323 - WB6RDV
>       > _______________________________________________
>       > VoiceOps mailing list
>       > [email protected]
>       > https://puck.nether.net/mailman/listinfo/voiceops
>       >
>       _______________________________________________
>       VoiceOps mailing list
>       [email protected]
>       https://puck.nether.net/mailman/listinfo/voiceops
> 
> 
>
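
A detection sketch for the condition discussed in the message above (REGISTERs ignored, but INVITEs from an unregistered device accepted), added here as an example and not part of either poster's message: it parses a capture in the same tcpdump layout and reports INVITEs that the gateway answered with a 2xx without ever sending a 401/407 challenge. The sample messages, addresses and Call-IDs are constructed.

```python
import re
HDR = re.compile(r"^\d\d:\d\d:\d\d\.\d+ (\S+)\.\d+ > \S+:")   # tcpdump line; group 1 = source IP
GW, EXT = "192.0.2.10.5060", "198.51.100.7.10189"            # constructed documentation addresses

def pkt(src, dst, *lines):   # one message in the layout of the quoted capture
    return "\n".join([f"19:23:31.3 {src} > {dst}:", ">>sip header start>>", *lines, "<<sip header stop<<"])

# Constructed sample: one INVITE accepted outright, one challenged and then retried with credentials.
SAMPLE = "\n".join([
    pkt(EXT, GW, "INVITE sip:0015555550100@192.0.2.10 SIP/2.0", "Call-ID: open", "CSeq: 1 INVITE"),
    pkt(GW, EXT, "SIP/2.0 200 OK", "Call-ID: open", "CSeq: 1 INVITE"),
    pkt(EXT, GW, "INVITE sip:2002@192.0.2.10 SIP/2.0", "Call-ID: auth", "CSeq: 1 INVITE"),
    pkt(GW, EXT, "SIP/2.0 407 Proxy Authentication Required", "Call-ID: auth", "CSeq: 1 INVITE"),
    pkt(EXT, GW, "INVITE sip:2002@192.0.2.10 SIP/2.0", "Call-ID: auth", "CSeq: 2 INVITE",
        'Proxy-Authorization: Digest username="1002"'),
    pkt(GW, EXT, "SIP/2.0 200 OK", "Call-ID: auth", "CSeq: 2 INVITE"),
])

def parse(capture):   # -> [(src_ip, first_line, headers)] for each message between the markers
    msgs, src, cur = [], None, None
    for raw in capture.splitlines():
        line = raw.lstrip("> \t").rstrip()          # tolerate mail quoting and indentation
        if (m := HDR.match(line)):
            src = m.group(1)
        elif "sip header start" in line:
            cur = []
        elif "sip header stop" in line:
            if cur:
                h = dict(x.split(":", 1) for x in cur[1:] if ":" in x)
                msgs.append((src, cur[0], {k.strip().lower(): v.strip() for k, v in h.items()}))
            cur = None
        elif cur is not None and line:
            cur.append(line)
    return msgs

def unauthenticated_invites(capture):
    """(Call-ID, source IP) of INVITEs answered 2xx with no 401/407 and no credentials seen."""
    seen, creds, codes = {}, set(), {}
    for src, first, h in parse(capture):
        cid = h.get("call-id")
        if first.startswith("INVITE "):
            seen.setdefault(cid, src)
            if "authorization" in h or "proxy-authorization" in h:
                creds.add(cid)
        elif first.startswith("SIP/2.0 ") and h.get("cseq", "").endswith("INVITE"):
            codes.setdefault(cid, set()).add(first.split()[1])
    return sorted((c, s) for c, s in seen.items() if c not in creds
                  and any(x[0] == "2" for x in codes.get(c, ())) and not codes[c] & {"401", "407"})
```

When the capture truncates headers, as the one quoted above does, a missing Authorization header proves little on its own; the absence of any 401/407 before the 200 OK is the stronger signal.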

------------------------------

Message: 2
Date: Fri, 1 Nov 2013 15:58:48 -0400
From: Paul Timmins <[email protected]>
To: Matt Yaklin <[email protected]>
Cc: [email protected]
Subject: Re: [VoiceOps] looking for advice on international fraud that
        took place via an Edgemarc 200EW with FXO line installed
Message-ID: <[email protected]>
Content-Type: text/plain; charset="us-ascii"

An embedded and charset-unspecified text was scrubbed...
Name: not available
URL: 
<https://puck.nether.net/pipermail/voiceops/attachments/20131101/4ded0c9d/attachment.ksh>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: 
<https://puck.nether.net/pipermail/voiceops/attachments/20131101/4ded0c9d/attachment.html>

------------------------------


End of VoiceOps Digest, Vol 53, Issue 3
***************************************
