Over the last 3 weeks there has been a steady flow of organizations contacting us in regards to their system being hacked and massive/copious amounts of calls being generated from their systems to international destinations.
As a matter of public interest, I ask that you look at the following, please:
Block the following protocol and IP address on your system's firewall:
IP address: 126.96.36.199 (This is the most recent one, the previous one we have dealt with was from China)
I have been surprised at how many systems presented to us over the last few weeks have had their ACLs removed and no firewall operational. I cannot stress to you how important it is to ensure your system is fully locked down. The sadness and heartache we have seen in these people's faces from the massive losses they have incurred because they were provided with a poorly configured system is a devastating thing to see; ensure you do not have to witness it and also deal with it. Please double-check your systems.
Here in Australia we are presenting all the information we have on hand to the local police, and due to the number of incidents that are arising we have also been advised that this is now going to be escalated to the federal police level. I encourage all System Engineers to advise their clients to notify their local authority; the more this gets reported, the quicker they will act and put more resources into tracking down these toll frauds. Just plugging up the holes is not good enough; they will come back with other efforts to gain entry to your system. They need to be caught and prosecuted.
We are compiling a list of other known IP addresses as they are presented to us. Once I can collate the information I will post them here; however, if you have any of your own, please be kind enough to post them so others can benefit from your knowledge.
Some commands for you to run:
ROUTER# sh call history voice compact
If any IP addresses in this list match anything that is posted here, please re-check your system and make sure it is locked down... NOTE: This is also affecting other systems that are not Cisco based as well.
Message was edited by: David Trad
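As an added example (not code from the original post), the check described above can be scripted: the Python below parses the output of `show call history voice compact`, flags any call leg from the IP address listed in the post, and totals calls to international numbers. The sample output is constructed to resemble the command's compact format, and the international access prefix (0011 for Australia) and the column layout are assumptions to adjust to your own dial plan and IOS version.

```python
import re
from collections import Counter

# IP address the post asks readers to block (taken from the post).
BLOCKED_IPS = {"126.96.36.199"}
# Dial prefixes treated as international. 0011 is the Australian
# international access code; assumption: adjust to your dial plan.
INTL_PREFIXES = ("0011", "011", "+")

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
DURATION_RE = re.compile(r"^T(\d+)$")     # T<seconds> column
PEER_RE = re.compile(r"^P(\+?\d+)$")      # P<number> peer-address column

# Constructed sample resembling 'show call history voice compact' output.
SAMPLE = """\
<callID>  A/O FAX T<sec> Codec    type  peer-address     IP-address
11   ANS     T12   g711ulaw  VOIP  P1001            126.96.36.199:16384
12   ORG     T598  g711ulaw  TELE  P00112345678901
13   ANS     T3    g711ulaw  VOIP  P1001            192.0.2.10:16420
14   ORG     T610  g711ulaw  TELE  P00119876543210
15   ORG     T45   g711ulaw  TELE  P0398765432
"""

def parse_compact(output):
    """Parse compact call-history lines into dicts. Keys on token shape,
    not column position, so spacing differences between versions are tolerated."""
    calls = []
    for line in output.splitlines():
        tokens = line.split()
        if not tokens or not tokens[0].isdigit():
            continue  # header, prompt or blank line
        call = {"id": tokens[0], "dir": tokens[1], "secs": 0,
                "type": None, "peer": None, "ip": None}
        for tok in tokens[2:]:
            if m := DURATION_RE.match(tok):
                call["secs"] = int(m.group(1))
            elif tok in ("VOIP", "TELE"):
                call["type"] = tok
            elif m := PEER_RE.match(tok):
                call["peer"] = m.group(1)
            elif m := IPV4_RE.search(tok):
                call["ip"] = m.group(1)
        calls.append(call)
    return calls

def audit(output, blocked=BLOCKED_IPS, intl_prefixes=INTL_PREFIXES):
    """Flag legs from blocked IPs and summarise international dialling."""
    calls = parse_compact(output)
    intl = [c for c in calls if c["peer"] and c["peer"].startswith(intl_prefixes)]
    return {"blocked_hits": [(c["id"], c["ip"]) for c in calls if c["ip"] in blocked],
            "international_calls": len(intl),
            "international_seconds": sum(c["secs"] for c in intl),
            "calls_by_ip": Counter(c["ip"] for c in calls if c["ip"])}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Paste the real command output into `audit()` in place of `SAMPLE`; a non-empty `blocked_hits` list or an unexpected jump in `international_seconds` is the signal to re-check the gateway's ACLs.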