Send VoiceOps mailing list submissions to
        [email protected]

To subscribe or unsubscribe via the World Wide Web, visit
        https://puck.nether.net/mailman/listinfo/voiceops
or, via email, send a message with subject or body 'help' to
        [email protected]

You can reach the person managing the list at
        [email protected]

When replying, please edit your Subject line so it is more specific
than "Re: Contents of VoiceOps digest..."


Today's Topics:

   1. Re: looking for advice on international fraud that took place
      via an Edgemarc 200EW with FXO line installed (Matt Yaklin)
   2. Re: looking for advice on international fraud that took place
      via an Edgemarc 200EW with FXO line installed (Keith Croxford)
   3. Re: looking for advice on international fraud that took place
      via an Edgemarc 200EW with FXO line installed (Paul Timmins)


----------------------------------------------------------------------

Message: 1
Date: Fri, 1 Nov 2013 17:30:39 -0400 (EDT)
From: Matt Yaklin <[email protected]>
To: Paul Timmins <[email protected]>
Cc: [email protected]
Subject: Re: [VoiceOps] looking for advice on international fraud that
        took place via an Edgemarc 200EW with FXO line installed
Message-ID: <[email protected]>
Content-Type: text/plain; charset="iso-8859-15"; Format="flowed"


List,

The problem was I was missing a check box labeled:

"Limit Inbound to listed Proxies / SIP Servers"

Under the SIP settings page.

This was my first Edgemarc that had the survivability license with
it so it took some playing around to get everything to work. I must
have unchecked it while trying to fix an issue during setup and never
came back to it.

No problem found. Operator error that probably cost G4 $300 bucks
easy on toll charges.

Thank you all for responding. Now I just need a way to get revenge
on the hacker. Anyone have any contacts in the Gaza Strip? :-(

I know this has been discussed here before but why in the world
would a Palestinian be calling Grenada? How does one make money off
that situation? Sigh...

[email protected]

On Fri, 1 Nov 2013, Matt Yaklin wrote:

>
> I think you are on the right track.
>
> I was reading the manual just now trying to figure out how
> or where 1001 comes from. Perhaps that does not even matter.
> You could make up anything.
>
> I am just not seeing how I tell this edgemarc box to stop
> allowing it yet short of using a firewall feature that this
> box does not have like the newest 13.x firmware does. Maybe
> it is hidden or people used the pass through rule set.
>
> matt
>
> On Fri, 1 Nov 2013, Paul Timmins wrote:
>
>> Have you tried tossing an unauthenticated call at the edgemarc from outside 
>> using a from address of 1001@edgemarcip? looks like that's what this guy is 
>> doing.
>> You're ignoring his registers but you may be allowing invites from an 
>> unregistered device.
>> 
>> On Fri, 11/01/2013 03:33 PM, Matt Yaklin <[email protected]> wrote:
>>       They are not overlapping.
>>
>>       The attacker finally bit just a bit ago. I only was running
>>       tcpdump on port 5060 on the edgemarc but I captured the SIP
>>       traffic for what the attacker is doing. I wish I had set up
>>       more.
>> 
>>
>>       I blocked international via an auth code right now...
>>
>>       x.x.139.225 = WAN ethernet port of the Edgemarc.
>>
>>       I am going through this now and if anyone can help I would
>>       greatly appreciate it. I need to find out why this is happening.
>> 
>> 
>>
>>       -----------------------
>>       -----------------------
>>       -----------------------
>>       Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE,
>>       SUBSCRIBE, INFO
>>       User-Agent: eyeBeam release 3007n stamp 17816
>>       Cont
>>       <<<<<<<<<<<<<<<sip header stop<<<<<<<<<<<<<<<<<<<<
>>
>>       19:18:48.788559 176.58.68.20.10181 > x.x.139.225.5060:
>>       >>>>>>>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>>
>>       REGISTER sip:x.x.139.225 SIP/2.0
>>       To: <sip:[email protected]>
>>       From: <sip:[email protected]>;tag=e26e273f
>>       Via: SIP/2.0/UDP
>>       176.58.68.20:10181;branch=z9hG4bK-d87543-161690352-1--d87543-;rport
>>       Call-ID: b161d8122d506908
>>       CSeq: 1 REGISTER
>>       Contact: <sip:[email protected]:10181>
>>       Expires: 3600
>>       Max-Forwards: 70
>>       Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE,
>>       SUBSCRIBE, INFO
>>       User-Agent: eyeBeam release 3007n stamp 17816
>>       Cont
>>       <<<<<<<<<<<<<<<sip header stop<<<<<<<<<<<<<<<<<<<<
>>
>>       19:18:52.786472 176.58.68.20.10181 > x.x.139.225.5060:
>>       >>>>>>>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>>
>>       REGISTER sip:x.x.139.225 SIP/2.0
>>       To: <sip:[email protected]>
>>       From: <sip:[email protected]>;tag=e26e273f
>>       Via: SIP/2.0/UDP
>>       176.58.68.20:10181;branch=z9hG4bK-d87543-161690352-1--d87543-;rport
>>       Call-ID: b161d8122d506908
>>       CSeq: 1 REGISTER
>>       Contact: <sip:[email protected]:10181>
>>       Expires: 3600
>>       Max-Forwards: 70
>>       Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE,
>>       SUBSCRIBE, INFO
>>       User-Agent: eyeBeam release 3007n stamp 17816
>>       Cont
>>       <<<<<<<<<<<<<<<sip header stop<<<<<<<<<<<<<<<<<<<<
>>
>>       19:18:56.794955 176.58.68.20.10181 > x.x.139.225.5060:
>>       >>>>>>>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>>
>>       REGISTER sip:x.x.139.225 SIP/2.0
>>       To: <sip:[email protected]>
>>       From: <sip:[email protected]>;tag=e26e273f
>>       Via: SIP/2.0/UDP
>>       176.58.68.20:10181;branch=z9hG4bK-d87543-161690352-1--d87543-;rport
>>       Call-ID: b161d8122d506908
>>       CSeq: 1 REGISTER
>>       Contact: <sip:[email protected]:10181>
>>       Expires: 3600
>>       Max-Forwards: 70
>>       Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE,
>>       SUBSCRIBE, INFO
>>       User-Agent: eyeBeam release 3007n stamp 17816
>>       Cont
>>       <<<<<<<<<<<<<<<sip header stop<<<<<<<<<<<<<<<<<<<<
>>
>>       19:19:00.899198 176.58.68.20.10181 > x.x.139.225.5060:
>>       >>>>>>>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>>
>>       REGISTER sip:x.x.139.225 SIP/2.0
>>       To: <sip:[email protected]>
>>       From: <sip:[email protected]>;tag=e26e273f
>>       Via: SIP/2.0/UDP
>>       176.58.68.20:10181;branch=z9hG4bK-d87543-161690352-1--d87543-;rport
>>       Call-ID: b161d8122d506908
>>       CSeq: 1 REGISTER
>>       Contact: <sip:[email protected]:10181>
>>       Expires: 3600
>>       Max-Forwards: 70
>>       Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE,
>>       SUBSCRIBE, INFO
>>       User-Agent: eyeBeam release 3007n stamp 17816
>>       Cont
>>       <<<<<<<<<<<<<<<sip header stop<<<<<<<<<<<<<<<<<<<<
>>
>>       19:19:04.809371 176.58.68.20.10181 > x.x.139.225.5060:
>>       >>>>>>>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>>
>>       REGISTER sip:x.x.139.225 SIP/2.0
>>       To: <sip:[email protected]>
>>       From: <sip:[email protected]>;tag=e26e273f
>>       Via: SIP/2.0/UDP
>>       176.58.68.20:10181;branch=z9hG4bK-d87543-161690352-1--d87543-;rport
>>       Call-ID: b161d8122d506908
>>       CSeq: 1 REGISTER
>>       Contact: <sip:[email protected]:10181>
>>       Expires: 3600
>>       Max-Forwards: 70
>>       Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE,
>>       SUBSCRIBE, INFO
>>       User-Agent: eyeBeam release 3007n stamp 17816
>>       Cont
>>       <<<<<<<<<<<<<<<sip header stop<<<<<<<<<<<<<<<<<<<<
>>
>>       19:19:08.831073 176.58.68.20.10181 > x.x.139.225.5060:
>>       >>>>>>>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>>
>>       REGISTER sip:x.x.139.225 SIP/2.0
>>       To: <sip:[email protected]>
>>       From: <sip:[email protected]>;tag=e26e273f
>>       Via: SIP/2.0/UDP
>>       176.58.68.20:10181;branch=z9hG4bK-d87543-161690352-1--d87543-;rport
>>       Call-ID: b161d8122d506908
>>       CSeq: 1 REGISTER
>>       Contact: <sip:[email protected]:10181>
>>       Expires: 3600
>>       Max-Forwards: 70
>>       Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE,
>>       SUBSCRIBE, INFO
>>       User-Agent: eyeBeam release 3007n stamp 17816
>>       Cont
>>       <<<<<<<<<<<<<<<sip header stop<<<<<<<<<<<<<<<<<<<<
>>
>>       19:19:12.827515 176.58.68.20.10181 > x.x.139.225.5060:
>>       >>>>>>>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>>
>>       REGISTER sip:x.x.139.225 SIP/2.0
>>       To: <sip:[email protected]>
>>       From: <sip:[email protected]>;tag=e26e273f
>>       Via: SIP/2.0/UDP
>>       176.58.68.20:10181;branch=z9hG4bK-d87543-161690352-1--d87543-;rport
>>       Call-ID: b161d8122d506908
>>       CSeq: 1 REGISTER
>>       Contact: <sip:[email protected]:10181>
>>       Expires: 3600
>>       Max-Forwards: 70
>>       Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE,
>>       SUBSCRIBE, INFO
>>       User-Agent: eyeBeam release 3007n stamp 17816
>>       Cont
>>       <<<<<<<<<<<<<<<sip header stop<<<<<<<<<<<<<<<<<<<<
>>
>>       19:19:16.827669 176.58.68.20.10181 > x.x.139.225.5060:
>>       >>>>>>>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>>
>>       REGISTER sip:x.x.139.225 SIP/2.0
>>       To: <sip:[email protected]>
>>       From: <sip:[email protected]>;tag=e26e273f
>>       Via: SIP/2.0/UDP
>>       176.58.68.20:10181;branch=z9hG4bK-d87543-161690352-1--d87543-;rport
>>       Call-ID: b161d8122d506908
>>       CSeq: 1 REGISTER
>>       Contact: <sip:[email protected]:10181>
>>       Expires: 3600
>>       Max-Forwards: 70
>>       Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE,
>>       SUBSCRIBE, INFO
>>       User-Agent: eyeBeam release 3007n stamp 17816
>>       Cont
>>       <<<<<<<<<<<<<<<sip header stop<<<<<<<<<<<<<<<<<<<<
>>
>>       19:23:19.307756 176.58.68.20.10189 > x.x.139.225.5060:
>>       >>>>>>>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>>
>>       BYE sip:[email protected]:5060 SIP/2.0
>>       To: <sip:[email protected]>;tag=6516fea2
>>       From: <sip:[email protected]>;tag=214bbc47
>>       Via: SIP/2.0/UDP
>>       176.58.68.20:10189;branch=z9hG4bK-d87543-1012476641-1--d87543-;rport
>>       Call-ID: 346c8a3823657575
>>       CSeq: 2 BYE
>>       Route: <sip:[email protected];lr>
>>       Contact: <sip:[email protected]:10189>
>>       Max-Forwards: 70
>>       Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE,
>>       SUBSCRIBE,
>>       <<<<<<<<<<<<<<<sip header stop<<<<<<<<<<<<<<<<<<<<
>>
>>       19:23:19.370269 x.x.139.225.5060 > 176.58.68.20.10189:
>>       >>>>>>>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>>
>>       SIP/2.0 200 OK
>>       Via: SIP/2.0/UDP
>>       176.58.68.20:10189;branch=z9hG4bK-d87543-1012476641-1--d87543-;rport=5060
>>       Record-Route: <sip:[email protected];lr>
>>       From: <sip:[email protected]>;tag=214bbc47
>>       To: <sip:[email protected]>;tag=6516fea2
>>       Call-ID: 346c8a3823657575
>>       CSeq: 2 BYE
>>       Contact: <sip:[email protected]:5060>
>>       User-agent: fxo/1.0
>>       Content-Length: 0
>> 
>>
>>       <<<<<<<<<<<<<<<sip header stop<<<<<<<<<<<<<<<<<<<<
>>       [tos 0xb8]
>>       19:23:31.365141 176.58.68.20.10189 > x.x.139.225.5060:
>>       >>>>>>>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>>
>>       INVITE sip:[email protected] SIP/2.0
>>       To: <sip:[email protected]>
>>       From: <sip:[email protected]>;tag=d909f80a
>>       Via: SIP/2.0/UDP
>>       176.58.68.20:10189;branch=z9hG4bK-d87543-292959825-1--d87543-;rport
>>       Call-ID: 2b6a574f323db602
>>       CSeq: 1 INVITE
>>       Contact: <sip:[email protected]:10189>
>>       Max-Forwards: 70
>>       Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE,
>>       SUBSCRIBE, INFO
>>       Content-Type: application/sdp
>>       User-Agent: eyeBeam
>>       <<<<<<<<<<<<<<<sip header stop<<<<<<<<<<<<<<<<<<<<
>>
>>       19:23:31.417251 x.x.139.225.5060 > 176.58.68.20.10189:
>>       >>>>>>>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>>
>>       SIP/2.0 100 Trying
>>       Via: SIP/2.0/UDP
>>       176.58.68.20:10189;branch=z9hG4bK-d87543-292959825-1--d87543-;rport=5060
>>       From: <sip:[email protected]>;tag=d909f80a
>>       To: <sip:[email protected]>;tag=51a346d4
>>       Call-ID: 2b6a574f323db602
>>       CSeq: 1 INVITE
>>       User-agent: fxo/1.0
>>       Content-Length: 0
>> 
>>
>>       <<<<<<<<<<<<<<<sip header stop<<<<<<<<<<<<<<<<<<<<
>>       [tos 0xb8]
>>       19:23:36.793012 x.x.139.225.5060 > 176.58.68.20.10189:
>>       >>>>>>>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>>
>>       SIP/2.0 180 Ringing
>>       Via: SIP/2.0/UDP
>>       176.58.68.20:10189;branch=z9hG4bK-d87543-292959825-1--d87543-;rport=5060
>>       Record-Route: <sip:[email protected];lr>
>>       From: <sip:[email protected]>;tag=d909f80a
>>       To: <sip:[email protected]>;tag=51a346d4
>>       Call-ID: 2b6a574f323db602
>>       CSeq: 1 INVITE
>>       Contact: <sip:[email protected]:5060>
>>       User-agent: fxo/1.0
>>       Content-Length: 0
>> 
>>
>>       <<<<<<<<<<<<<<<sip header stop<<<<<<<<<<<<<<<<<<<<
>>       [tos 0xb8]
>>       19:23:36.833967 x.x.139.225.5060 > 176.58.68.20.10189:
>>       >>>>>>>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>>
>>       SIP/2.0 200 OK
>>       Via: SIP/2.0/UDP
>>       176.58.68.20:10189;branch=z9hG4bK-d87543-292959825-1--d87543-;rport=5060
>>       Record-Route: <sip:[email protected];lr>
>>       From: <sip:[email protected]>;tag=d909f80a
>>       To: <sip:[email protected]>;tag=51a346d4
>>       Call-ID: 2b6a574f323db602
>>       CSeq: 1 INVITE
>>       Contact: <sip:[email protected]:5060>
>>       User-agent: fxo/1.0
>>       Allow: INVITE, ACK, CANCEL, OPTIONS, BYE
>>       Content-Type: application/sdp
>>       Content-Leng
>>       <<<<<<<<<<<<<<<sip header stop<<<<<<<<<<<<<<<<<<<<
>>       [tos 0xb8]
>>       19:23:37.060875 176.58.68.20.10189 > x.x.139.225.5060:
>>       >>>>>>>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>>
>>       ACK sip:[email protected]:5060 SIP/2.0
>>       To: <sip:[email protected]>;tag=51a346d4
>>       From: <sip:[email protected]>;tag=d909f80a
>>       Via: SIP/2.0/UDP
>>       176.58.68.20:10189;branch=z9hG4bK-d87543-154025872-1--d87543-;rport
>>       Call-ID: 2b6a574f323db602
>>       CSeq: 1 ACK
>>       Route: <sip:[email protected];lr>
>>       Contact: <sip:[email protected]:10189>
>>       Max-Forwards: 70
>>       User-Agent: eyeBeam release 3007n stamp 17816
>>       Content-Length: 0
>> 
>>
>>       <<<<<<<<<<<<<<<sip header stop<<<<<<<<<<<<<<<<<<<<
>> 
>>
>>       ---------------
>>       --------------
>>       ------------
>>
>>       On Fri, 1 Nov 2013, Jay Hennigan wrote:
>>
>>       > On 11/1/13 12:04 PM, Matt Yaklin wrote:
>>       >>
>>       >> Approx 60-70 calls.
>>       >
>>       > If more than one overlapping you can rule out the physical FXO 
>> port.
>>       >
>>       > --
>>       > Jay Hennigan - CCIE #7880 - Network Engineering - [email protected]
>>       > Impulse Internet Service - http://www.impulse.net/
>>       > Your local telephone and internet company - 805 884-6323 - WB6RDV
>>       > _______________________________________________
>>       > VoiceOps mailing list
>>       > [email protected]
>>       > https://puck.nether.net/mailman/listinfo/voiceops
>>       >
>>       _______________________________________________
>>       VoiceOps mailing list
>>       [email protected]
>>       https://puck.nether.net/mailman/listinfo/voiceops
>> 
>> 
>

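As an added illustration (not code from the thread, from Edgewater or from any of the posters), here is a Python checker that runs over a tcpdump-style SIP header trace in the format Matt posted and flags what the "Limit Inbound to listed Proxies / SIP Servers" setting would have blocked: requests arriving from hosts that are not listed proxies, and INVITEs from a source whose REGISTER was never answered with 200 OK. The trace layout, the placeholder proxy address 203.0.113.10 and the use of one of the Grenada numbers from the original post as the dialed target are assumptions.

```python
import re

# Constructed sample in the format of the tcpdump SIP-header trace posted
# in the thread: attacker host 176.58.68.20 and the "x.x.139.225" Edgemarc
# WAN address are the thread's; From user "1001" and the Grenada number too.
SAMPLE_TRACE = """\
19:18:48.788559 176.58.68.20.10181 > x.x.139.225.5060:
REGISTER sip:x.x.139.225 SIP/2.0
From: <sip:1001@x.x.139.225>;tag=e26e273f
CSeq: 1 REGISTER
19:23:31.365141 176.58.68.20.10189 > x.x.139.225.5060:
INVITE sip:14734050085@x.x.139.225 SIP/2.0
From: <sip:1001@x.x.139.225>;tag=d909f80a
CSeq: 1 INVITE
19:23:36.833967 x.x.139.225.5060 > 176.58.68.20.10189:
SIP/2.0 200 OK
CSeq: 1 INVITE
"""

# "HH:MM:SS.usec src.port > dst.port:" line that starts each captured packet
PKT = re.compile(r"^(\d\d:\d\d:\d\d\.\d+) (\S+)\.(\d+) > (\S+)\.(\d+):$")

def parse_trace(text):
    """Split the dump into messages: timestamp, endpoints, start line, headers."""
    msgs, cur = [], None
    for line in text.splitlines():
        m = PKT.match(line.strip())
        if m:
            cur = {"ts": m[1], "src": m[2], "dst": m[4], "start": None, "hdrs": {}}
            msgs.append(cur)
        elif cur is not None and line.strip():
            if cur["start"] is None:
                cur["start"] = line.strip()          # request or status line
            elif ":" in line:
                k, v = line.split(":", 1)
                cur["hdrs"][k.strip().lower()] = v.strip()
    return msgs

def audit(msgs, device_ip, listed_proxies):
    """Return (timestamp, finding) pairs: requests from hosts that are not
    listed proxies (what the Edgemarc checkbox drops), and INVITEs from a
    source whose REGISTER never got a 200 OK, i.e. an unregistered device."""
    findings, registered = [], set()
    for m in msgs:
        method = m["hdrs"].get("cseq", "? ?").split()[-1]
        if m["src"] == device_ip:                    # replies sent by the box
            if method == "REGISTER" and m["start"].startswith("SIP/2.0 200"):
                registered.add(m["dst"])
            continue
        if m["src"] not in listed_proxies:
            findings.append((m["ts"], f"{method} from unlisted host {m['src']}"))
        if method == "INVITE" and m["src"] not in registered:
            findings.append((m["ts"], f"INVITE from unregistered {m['src']} to {m['start'].split()[1]}"))
    return findings

if __name__ == "__main__":
    # 203.0.113.10 is a placeholder for the carrier's Broadsoft proxy
    for ts, what in audit(parse_trace(SAMPLE_TRACE), "x.x.139.225", {"203.0.113.10"}):
        print(ts, what)
```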
------------------------------

Message: 2
Date: Fri, 1 Nov 2013 09:43:53 -0700
From: Keith Croxford <[email protected]>
To: Matt Yaklin <[email protected]>
Cc: "[email protected]" <[email protected]>
Subject: Re: [VoiceOps] looking for advice on international fraud that
        took place via an Edgemarc 200EW with FXO line installed
Message-ID:
        <cahwxyod4lf-eq2pblbthiyud_dbmmnigi3rfa8pxwebvjd3...@mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"

Do you have the 'read only' user password changed on the Edgemarc? I've
seen interesting problems occur when the 'read only' account is vulnerable.

Keith




On Fri, Nov 1, 2013 at 9:30 AM, Matt Yaklin <[email protected]> wrote:

>
> Hi all,
>
> I had some toll fraud to Grenada last night which we stopped as soon
> as we became aware of it. Example numbers being dialed were:
>
> 1-473-405-0085
> 1-473-405-0084
> 1-473-405-0088
>
> Normally I can track down how it happened to figure out who was at fault.
> But this time I am having a hard time.
>
> The customer has two types of service from us. Yealink phones connected
> to our Broadsoft system with an Edgemarc 200EW installed at the customer
> premise. They also have some POTS line with us for faxing. One of those
> POTS lines is connected to the Edgemarc 200EW via the built in FXO port
> for "Survivability". Meaning if the WAN ethernet port on the Edgemarc has
> a failure they can at least have one line to dial out on in case of an
> emergency. That is about the only time it would ever be used except for
> faxing.
>
> The toll fraud CPN just happens to be that POTS line connected to the
> Edgemarc. That POTS line is also connected to a very basic fax machine.
>
> In the Edgemarc for that FXO port two stage dialing is disabled in
> both directions. We had incoming calls on the FXO line being forwarded to a
> Yealink phone but that would never function properly due to the customer
> having a fax line picking up first. Just leftover config during the
> install where we made an assumption the customer might want it.
>
> The Yealink phones are behind the Edgemarc (NAT) and not reachable via the
> internet. The Edgemarc is using radius for user auth and has strong
> passwords set. I cannot find any config in Broadsoft where a user
> had call forwarding setup or whatever that would cause this. I cannot find
> any settings in the Edgemarc that would allow this to take place. As in
> a config mistake.
>
> The Edgemarc is running code Version 11.6.19.
> The Yealink phones are also up to date with the newest code from the vendor's
> website.
>
> I do not think this fraud was done on site via physical means. It is
> a school and I just cannot picture a student or faculty having a need
> to call Grenada.
>
> The Edgemarc does have port 5060 open to the world but it is just a "proxy".
> I was under the impression that one cannot brute force an account on a
> proxy device that has no config as such like an asterisk box would. You
> would be basically brute forcing against Broadsoft in that case?
>
> Either way I am still digging into things but I thought by sending this
> email someone might have some advice to clue me into something I am
> missing when it comes to Edgemarc and FXO security.
>
> Thanks,
>
> [email protected]
>
>
> _______________________________________________
> VoiceOps mailing list
> [email protected]
> https://puck.nether.net/mailman/listinfo/voiceops
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: 
<https://puck.nether.net/pipermail/voiceops/attachments/20131101/112a7104/attachment-0001.html>

------------------------------

Message: 3
Date: Fri, 1 Nov 2013 19:14:07 -0400
From: Paul Timmins <[email protected]>
To: [email protected]
Cc: [email protected]
Subject: Re: [VoiceOps] looking for advice on international fraud that
        took place via an Edgemarc 200EW with FXO line installed
Message-ID: <[email protected]>
Content-Type: text/plain; charset="us-ascii"

An embedded and charset-unspecified text was scrubbed...
Name: not available
URL: 
<https://puck.nether.net/pipermail/voiceops/attachments/20131101/897028e5/attachment.ksh>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: 
<https://puck.nether.net/pipermail/voiceops/attachments/20131101/897028e5/attachment.html>

------------------------------

Subject: Digest Footer

_______________________________________________
VoiceOps mailing list
[email protected]
https://puck.nether.net/mailman/listinfo/voiceops


------------------------------

End of VoiceOps Digest, Vol 53, Issue 4
***************************************
