
Cisco 2901 CME makes calls by itself

janos.baros1
Level 1

We have a Cisco 2901 with CME (Version 15.6(2)T, CME 11.0) and are testing SIP trunking now.
Everything is fine if we use the codec g729r8, but if we use the codec g711ulaw/alaw, the router does ominous things!
It makes calls by itself! The phones which make the calls do not exist!
The numbers that are called are expensive foreign numbers!
We do not know: is it a virus?
Have you heard of this problem before?
Can you help us? If you need it, we can send the configuration.
Thanks in advance!

8 Replies

Deepak Rawat
Cisco Employee

It looks like someone is hacking into your CME and sending calls over to it, which then go out to the Telco through your CME. Please refer to the document below and add a 'Trusted list' in this CME, so that any IP address that attempts to establish a call to the CME will be rejected if it is not in the trusted list.

http://www.cisco.com/c/en/us/support/docs/voice/call-routing-dial-plans/112083-tollfraud-ios.html

Regards

Deepak

Thanks for your fast answer.
I knew the site above. There is a little problem with the configuration if I configure “ip address trusted list”:
If the IP address of the SIP provider is changed, we will not be able to take calls from outside.
You can configure the sip-server under “sip-ua” as a DNS address, but you cannot configure a DNS address under “ip address trusted list”.
Is there a solution for this too?
Many Thanks

I am sure the SIP provider will definitely tell you that before changing it. You can simply do it then; the syntax there only takes an IP address.

Regards

Deepak
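
The point discussed above is that the trusted list accepts only IP addresses while the provider is known by a DNS name. As an added example (not from the thread or from Cisco), this Python script resolves the provider's name, compares the result with the host entries under `ip address trusted list` in a saved running-config, and emits the IOS lines that would update the list. The hostname `sip.provider.example`, the sample config and the assumption that the list holds only the provider's addresses are constructed for illustration.

```python
import ipaddress
import socket

# Constructed running-config excerpt (documentation-range addresses).
SAMPLE_CONFIG = """\
voice service voip
 ip address trusted list
  ipv4 203.0.113.10
  ipv4 198.51.100.7
 allow-connections sip to sip
"""

def parse_trusted_hosts(config):
    """Host entries under 'ip address trusted list'; masked entries are left alone."""
    hosts, in_list = set(), False
    for line in config.splitlines():
        text = line.strip()
        if text == "ip address trusted list":
            in_list = True
        elif in_list:
            parts = text.split()
            if not parts or parts[0] != "ipv4":
                in_list = False          # left the trusted-list sub-mode
            elif len(parts) == 2:        # no mask: a single host this script manages
                hosts.add(str(ipaddress.IPv4Address(parts[1])))
    return hosts

def resolve_ipv4(hostname, lookup=socket.getaddrinfo):
    """A records for the provider name; 'lookup' is injectable for offline runs."""
    try:
        infos = lookup(hostname, 5060, socket.AF_INET, socket.SOCK_DGRAM)
    except socket.gaierror:
        return set()                     # caller treats this as "change nothing"
    return {info[4][0] for info in infos}

def sync_commands(config, resolved):
    """IOS lines that make the managed host entries match the resolved addresses."""
    current = parse_trusted_hosts(config)
    if not resolved:                     # failed or empty lookup: never empty the list
        return []
    changes = [f"  ipv4 {a}" for a in sorted(resolved - current, key=ipaddress.IPv4Address)]
    changes += [f"  no ipv4 {a}" for a in sorted(current - resolved, key=ipaddress.IPv4Address)]
    header = ["voice service voip", " ip address trusted list"]
    return header + changes if changes else []

if __name__ == "__main__":
    # Constructed lookup result so the demo runs offline; omit it to use real DNS.
    fake = lambda *a: [(2, 2, 17, "", ("203.0.113.10", 5060)), (2, 2, 17, "", ("192.0.2.44", 5060))]
    print("\n".join(sync_commands(SAMPLE_CONFIG, resolve_ipv4("sip.provider.example", fake))))
```

The script only prints the commands; a person reviews them before they go onto the router, since a poisoned or wrong DNS answer would otherwise become a trusted source.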

There is a new event!
It is indeed incredible, but I have new calls, even though I have only one address, that of my SIP provider, in the ip address trusted list.
Now I am really baffled!
I would like to say once more: it happens only when I have the codec g711!

If it is still happening even after you have added the required IP addresses to the Trusted List, then I think you should check with TAC for further troubleshooting on this.

Regards

Deepak

Is it possible that the virus is inside the router?
I cannot understand why it happens if I am using g711 and does not happen if I am using g729.

It seems there was an overlap, because the system has now been working without suspicious calls for over 17 hours. I hope it will stay that way forever.
Many Thanks for your help!

Just to add a couple more things, in case this is a potential threat of your phone system being hacked by someone. First of all, do you have any CDR records showing how long the bogus user has been making calls to that foreign number, and the calling and called party numbers?

Secondly, you can apply an ACL to your router and, other than that, have LPCOR/COR applied to the phone system so that everyone needs some sort of PIN number before they make any calls or international calls.

Br,
Nadeem Ahmed
