Have your systems been compromised?

David Trad
VIP Alumni

Hi All,

Over the last 3 weeks there has been a steady flow of organizations contacting us regarding their systems being hacked and massive/copious amounts of calls being generated from their systems to international destinations.

As a matter of public interest, I ask that you look at the following, please:

Block the following protocol and IP address on your systems firewall:

Protocol: H.323
IP address: 64.120.151.213 (This is the most recent one, the previous one we have dealt with was from China)

I have been surprised at how many systems presented to us over these last few weeks have had their ACLs removed and no firewall operational. I cannot stress to you how important it is to ensure your system is locked down fully. The sadness and heartache we have seen on these people's faces from the massive losses they have incurred because they were provided with a poorly configured system is a devastating thing to see; ensure you do not have to witness it and also deal with it. Please double-check your systems.

Here in Australia we are presenting all the information we have on hand to the local police, and due to the number of incidents arising we have also been advised that this is now going to be escalated to the federal police level. I encourage all System Engineers to advise their clients to notify their local authority; the more this gets reported, the quicker they will act and put more resources into tracking down these toll frauds. Just plugging the holes is not good enough, they will come back with other efforts to gain entry to your system; they need to be caught and prosecuted.

We are compiling a list of other known IP addresses as they are presented to us. Once I can collate the information I will post them here; however, if you have any of your own, please be kind enough to post them so others can benefit from your knowledge.

[EDIT]

Some commands for you to run:

ROUTER# sh call history voice compact

If any IP addresses in this list match anything that is posted here, please re-check your system and make sure it is locked down... NOTE: This is also affecting other systems that are not Cisco based.

Cheers,


David.


Cheers, David Trad. **When you rate a persons post, you are indicating a thank you or that it helped, but at the same time you are also helping to maintain the community spirit - You don't have to rate posts and you wont be looked down upon :) *
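The post above suggests checking `show call history voice compact` against the listed addresses. The following is an added example (not the poster's code, and not from Cisco) of automating that check: it parses the output, flags VoIP legs whose remote address is on a blocklist or is not one of your carrier's addresses, and flags outbound PSTN legs to international numbers. The sample output is constructed in the general shape of that command (column layout varies by IOS release, so the regex is an assumption to adjust); the carrier range 203.0.113.0/24 and the Australian IDD prefix 0011 are assumptions for the example.

```python
import ipaddress
import re

# Constructed sample, not real router output. Leg 101/102 is the toll-fraud
# pattern: the router ANSwers an H.323 call from an unknown IP and ORiGinates
# the matching PSTN leg to an international number.
SAMPLE_OUTPUT = """\
<callID>  A/O FAX T<sec> Codec       type        peer-address       IP R:<ip>:<udpport>
 101      ANS     T43    g729r8      VOIP        P61298765432       64.120.151.213:16390
 102      ORG     T43    g711ulaw    TELE        P0011442071234567
 103      ANS     T12    g729r8      VOIP        P1000              203.0.113.10:16384
 104      ORG     T12    g711ulaw    TELE        P0398765432
 105      ORG     T5     g729r8      VOIP        P2001              198.51.100.7:16400
"""

# 64.120.151.213 is the address named in the post; the /8s are the ranges a
# later reply in this thread lists. Any match is an immediate hit.
BLOCKLIST = [ipaddress.ip_network(n) for n in (
    "64.120.151.213/32", "117.0.0.0/8", "118.0.0.0/8", "119.0.0.0/8",
    "120.0.0.0/8", "121.0.0.0/8")]

# Assumption: the only VoIP peer your router should talk to is your ITSP.
ITSP_PEERS = [ipaddress.ip_network("203.0.113.0/24")]
INTERNATIONAL_PREFIX = "0011"   # Australian IDD prefix; assumption for the example

# One call leg per line: callID, ANS/ORG, optional FAX flag, T<seconds>,
# codec, VOIP/TELE, peer number (optionally prefixed with P), optional ip:port.
LEG = re.compile(
    r"^\s*(?P<callid>\d+)\s+(?P<dir>ANS|ORG)\s+(?:FAX\s+)?T(?P<secs>\d+)\s+"
    r"(?P<codec>\S+)\s+(?P<type>VOIP|TELE)\s+P?(?P<peer>\S+)"
    r"(?:\s+(?P<ip>\d+\.\d+\.\d+\.\d+):(?P<port>\d+))?\s*$")


def parse_legs(text):
    """Return one dict per call leg; header and blank lines are skipped."""
    legs = []
    for line in text.splitlines():
        m = LEG.match(line)
        if m:
            leg = m.groupdict()
            leg["callid"] = int(leg["callid"])
            leg["secs"] = int(leg["secs"])
            legs.append(leg)
    return legs


def _in_any(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def audit(text, blocklist=BLOCKLIST, allowlist=ITSP_PEERS,
          intl_prefix=INTERNATIONAL_PREFIX):
    """Return (callID, reason, detail) tuples for legs worth investigating."""
    findings = []
    for leg in parse_legs(text):
        if leg["type"] == "VOIP" and leg["ip"]:
            if _in_any(leg["ip"], blocklist):
                findings.append((leg["callid"], "blocklisted-peer", leg["ip"]))
            elif not _in_any(leg["ip"], allowlist):
                findings.append((leg["callid"], "unknown-peer", leg["ip"]))
        if (leg["type"] == "TELE" and leg["dir"] == "ORG"
                and leg["peer"].startswith(intl_prefix)):
            findings.append((leg["callid"], "international-outbound", leg["peer"]))
    return findings


if __name__ == "__main__":
    for callid, reason, detail in audit(SAMPLE_OUTPUT):
        print(f"call {callid}: {reason} ({detail})")
```

An unknown-peer VoIP leg immediately followed by an international-outbound PSTN leg with the same duration is the signature to look for; an unknown peer on its own means the ACL on the outside interface is not doing its job.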
4 Replies

finalconnect
Level 3

David,

We once set up a UC500 with nothing connected but the WAN/LAN ports - a honeypot. We logged call attempts from several Chinese IP blocks and have added the following to the DENY portion of our ACLs.

deny ip 117.0.0.0 0.255.255.255 host [outside UC interface]
deny ip 118.0.0.0 0.255.255.255 host [outside UC interface]
deny ip 119.0.0.0 0.255.255.255 host [outside UC interface]
deny ip 120.0.0.0 0.255.255.255 host [outside UC interface]
deny ip 121.0.0.0 0.255.255.255 host [outside UC interface]

While blocking an entire 8-bit range may seem excessive, especially IP ANY, we could find no reason to allow anything from that Chinese location. We still notice that we get hits against the ACL counters from those IPs, so they are still trying.

I completely support your cause that the IN ACL on the OUT interface should not be removed. It is unfortunate that many IT and end users simply take the easy path of removing an ACL instead of learning why it is in place. It is usually a costly mistake once discovered.

We have not seen the IP mentioned in your post, but we will keep an eye out for it.

Thanks as always!

Michael,

As always, thank you for your participation in the discussion; I always appreciate it.

As it turns out, the 117, 120 & 121 subnets are also on our list; these were used about 2 weeks ago. We haven't taken the extraordinary step of blocking a complete range, but it is certainly on our minds to do so. If the stupid carriers are not willing to shut these culprits down when they are advised of the incidents (which they are in all cases), then they should be blocked by all and sundry, without reservation or concern.

Again, thank you for posting, and I hope our willingness to discuss this will help others out before they find out the hard way how disruptive this can be in more than one way.

Cheers,

David.


Sorry guys, I'm missing something here. Are you saying customer configs (not configured by you) were compromised from the outside, or hit by a dialing party and the UC used to dial out?

In either case, would not a "deny first; permit only what's required" approach correct this issue?

Like I said, I'm missing something.

Thanks,

Bob James
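The ACL entries in the earlier reply and the "deny first; permit only what's required" question above both come down to what the inbound ACL on the outside interface actually allows. The following is an added example (not code from either poster or from Cisco) of a small audit over an IOS extended ACL: it parses permit/deny entries, flags call signalling (H.323 on TCP 1720, SIP on 5060) permitted from any source, flags a blanket `permit ip any any` and the entries it shadows, and warns when there is no explicit final deny. The two ACLs are constructed; 203.0.113.10 as the carrier's address and the RTP range 16384-32767 are assumptions for the example. Non-contiguous wildcard masks are not handled.

```python
import ipaddress
import re

# Constructed "as found" ACL: the sort of thing that gets left behind when
# someone opens everything up to make a call work.
WEAK_ACL = """\
ip access-list extended OUTSIDE_IN
 permit tcp any any eq 1720
 permit udp any any eq 5060
 permit ip any any
"""

# Constructed locked-down version: explicit denies for known bad sources,
# signalling and media only from the carrier, explicit logged deny at the end.
LOCKED_ACL = """\
ip access-list extended OUTSIDE_IN
 deny   ip host 64.120.151.213 any
 deny   ip 117.0.0.0 0.255.255.255 any
 permit tcp host 203.0.113.10 any eq 1720
 permit udp host 203.0.113.10 any eq 5060
 permit udp host 203.0.113.10 any range 16384 32767
 deny   ip any any log
"""

ACE = re.compile(r"^\s*(?P<action>permit|deny)\s+(?P<proto>ip|tcp|udp)\s+(?P<rest>.+?)\s*$")
SIGNALLING = {("tcp", 1720), ("tcp", 5060), ("udp", 5060)}  # H.323 and SIP
ANY = ipaddress.ip_network("0.0.0.0/0")


def _take_addr(tokens):
    """Pop one IOS address spec (any | host A | A WILDCARD) off the token list."""
    t = tokens.pop(0)
    if t == "any":
        return ANY
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    wildcard = tokens.pop(0)
    if wildcard == "0.0.0.0":          # ipaddress would read an all-zero mask as /0
        return ipaddress.ip_network(t + "/32")
    return ipaddress.ip_network(f"{t}/{wildcard}", strict=False)  # hostmask form


def parse_acl(text):
    """Return one dict per access-control entry; the name line and remarks are skipped."""
    entries = []
    for line in text.splitlines():
        m = ACE.match(line)
        if not m:
            continue
        tokens = m["rest"].split()
        src, dst = _take_addr(tokens), _take_addr(tokens)
        ports = None
        if tokens and tokens[0] == "eq":
            ports = (int(tokens[1]), int(tokens[1]))
        elif tokens and tokens[0] == "range":
            ports = (int(tokens[1]), int(tokens[2]))
        entries.append({"action": m["action"], "proto": m["proto"], "src": src,
                        "dst": dst, "ports": ports, "log": "log" in tokens})
    return entries


def audit_acl(text):
    """Return (severity, message) findings; an empty list means nothing obvious is wrong."""
    entries = parse_acl(text)
    if not entries:
        return [("high", "no entries parsed; is an ACL applied inbound on the outside interface at all?")]
    findings, blanket = [], None
    for i, e in enumerate(entries, 1):
        if blanket:
            findings.append(("medium", f"entry {i} is unreachable; entry {blanket} already matches everything"))
            continue
        if e["action"] == "permit" and e["proto"] == "ip" and e["src"] == ANY and e["dst"] == ANY:
            findings.append(("high", f"entry {i}: 'permit ip any any' makes every later deny dead"))
            blanket = i
            continue
        if e["action"] == "permit" and e["src"] == ANY and e["ports"]:
            lo, hi = e["ports"]
            if any(p == e["proto"] and lo <= port <= hi for p, port in SIGNALLING):
                findings.append(("high", f"entry {i}: {e['proto']}/{lo}-{hi} call signalling permitted from any source"))
    last = entries[-1]
    if not (last["action"] == "deny" and last["proto"] == "ip" and last["src"] == ANY and last["dst"] == ANY):
        findings.append(("low", "no explicit 'deny ip any any log' at the end (the implicit deny still applies, but you get no counters or log)"))
    return findings


if __name__ == "__main__":
    for name, acl in (("WEAK_ACL", WEAK_ACL), ("LOCKED_ACL", LOCKED_ACL)):
        print(name, audit_acl(acl) or "clean")
```

The explicit final `deny ip any any log` is what gives you the hit counters the earlier reply mentions; without it the implicit deny still drops the traffic, but silently.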

Hi Bob,

Sorry guys, I'm missing something here. Are you saying customer configs (not configured by you) were compromised from the outside, or hit by a dialing party and the UC used to dial out?

So far, all systems presented to us that have been compromised have been due to a poorly configured ACL/firewall.

In either case, would not a "deny first; permit only what's required" approach correct this issue?

I am not a firewall expert, I can only work up basic access lists, but this is my understanding. However, my colleague (CCIE) advises me that some of the hacks are quite sophisticated and they are finding holes in the Cisco IOS; if I am not mistaken, one of them has been backdooring through the mailboxes (so I am assuming this is from the CUE side), so when he re-works the system, he locks everything down including the CUE.

Again I will reiterate: we have found so far that the issue stems from poorly configured systems with security policies, or weak policies.

The thread is just to bring this to the attention of those who might be unaware of the current outbreak (especially those in Australia), and to also share information with each other. I am not about to judge or criticize anyone or any system, as mistakes can happen and lack of understanding can bring about issues as well (this includes myself, hence why I don't touch the ACLs all that often).

If you have any information to share, or even some suggestions for those who may have a compromised system on their hands, please post it. They may be too frightened to post on here for fear of being criticized or looked upon differently, but they will read it and hopefully can work on their system with the information.

Cheers,

David.
