
Cisco IOS CME Hacking via E1

Hi

 

Is it possible for someone to make calls via CME running on IOS v12.4 using an E1 PRI connection?

 

May 13 2014 15:39:36 00:15:07                          00881842011129           1

May 13 2014 15:50:36 00:05:35                          00881842011146

 

As the log above shows, a call was made but I can't tell who made the call internally???

 

May 13 2014 16:28:43 00:00:26 00881842011146                                    2

May 13 2014 16:29:13 00:00:27 00881842011129                                    2

 

The other log shows originating call as external number but no destination.

 

2014-05-13 15:54:01    Local7.Notice    172.23.100.1    97068: 097064: *May 13 15:53:36.831 GMT: %VOIPAAA-5-VOIP_FEAT_HISTORY: FEAT_VSA=fn:TWC,ft:05/13/2014 15:53:03.978,cgn:213,cdn:230,frs:0,fid:65343,fcid:BCC8122FD9DC11E39449EEC1BC9630B,legID:82FC,bguid:BCC8122FD9DC11E39449EEC10BC9630B

 

2014-05-13 15:55:07    Local7.Info    172.23.100.1    97069: 097065: *May 13 15:54:43.295 GMT: %ISDN-6-DISCONNECT: Interface Serial0/3/0:29  disconnected from 00881842011129 , call lasted 900 seconds

 

2014-05-13 15:50:24    Local7.Notice    172.23.100.1    97062: 097058: *May 13 15:49:59.860 GMT: %VOIPAAA-5-VOIP_FEAT_HISTORY: FEAT_VSA=fn:TWC,ft:05/13/2014 15:49:48.388,cgn:,cdn:6800,frs:0,fid:65338,fcid:48834FCED9DC11E38BE100229032E5E0,legID:82F7,bguid:48834FCED9DC11E38BE100229032E5E0

 

2014-05-13 15:50:48    Local7.Info    172.23.100.1    97063: 097059: *May 13 15:50:23.360 GMT: %ISDN-6-CONNECT: Interface Serial0/3/0:19 is now connected to N/A N/A

 

2014-05-13 15:51:08    Local7.Info    172.23.100.1    97064: 097060: *May 13 15:50:43.041 GMT: %ISDN-6-CONNECT: Interface Serial0/3/0:30 is now connected to 00881842011146 N/A

 

The above logs are from syslog.

From firewall side, all SIP, H323 ports are blocked.

 

Thanks
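Added example (not part of the original post): one way to triage the syslog lines above in Python, pulling out the ISDN trunk events and the `FEAT_VSA` records, deriving the start time of a call from its DISCONNECT duration, and listing feature records that carry no calling number. The function names `parse` and `triage` and the `00` international dial prefix are assumptions of this sketch, and the overlap it reports is time proximity only, not proof that a leg belongs to a trunk call.

```python
import re
from datetime import datetime, timedelta

# Syslog lines copied from the post above; router-side timestamps (after '*') are used.
SAMPLE = [
    "2014-05-13 15:54:01    Local7.Notice    172.23.100.1    97068: 097064: *May 13 15:53:36.831 GMT: %VOIPAAA-5-VOIP_FEAT_HISTORY: FEAT_VSA=fn:TWC,ft:05/13/2014 15:53:03.978,cgn:213,cdn:230,frs:0,fid:65343,fcid:BCC8122FD9DC11E39449EEC1BC9630B,legID:82FC,bguid:BCC8122FD9DC11E39449EEC10BC9630B",
    "2014-05-13 15:55:07    Local7.Info    172.23.100.1    97069: 097065: *May 13 15:54:43.295 GMT: %ISDN-6-DISCONNECT: Interface Serial0/3/0:29  disconnected from 00881842011129 , call lasted 900 seconds",
    "2014-05-13 15:50:24    Local7.Notice    172.23.100.1    97062: 097058: *May 13 15:49:59.860 GMT: %VOIPAAA-5-VOIP_FEAT_HISTORY: FEAT_VSA=fn:TWC,ft:05/13/2014 15:49:48.388,cgn:,cdn:6800,frs:0,fid:65338,fcid:48834FCED9DC11E38BE100229032E5E0,legID:82F7,bguid:48834FCED9DC11E38BE100229032E5E0",
    "2014-05-13 15:50:48    Local7.Info    172.23.100.1    97063: 097059: *May 13 15:50:23.360 GMT: %ISDN-6-CONNECT: Interface Serial0/3/0:19 is now connected to N/A N/A",
    "2014-05-13 15:51:08    Local7.Info    172.23.100.1    97064: 097060: *May 13 15:50:43.041 GMT: %ISDN-6-CONNECT: Interface Serial0/3/0:30 is now connected to 00881842011146 N/A",
]

ISDN_RE = re.compile(
    r"^(\d{4})-.*?\*(\w{3} +\d+ [\d:.]+) \w+: %ISDN-6-(CONNECT|DISCONNECT): "
    r"Interface (\S+) .*?\b(?:to|from) (\S+)(?:.*?lasted (\d+) seconds)?")
FEAT_RE = re.compile(r"%VOIPAAA-5-VOIP_FEAT_HISTORY: FEAT_VSA=(.*)$")

def parse(lines):
    """Return (trunk_calls, feature_records) extracted from syslog lines."""
    calls, feats = [], []
    for line in map(str.strip, lines):
        m = ISDN_RE.search(line)
        if m:
            year, stamp, kind, chan, number, secs = m.groups()
            when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S.%f")
            # A DISCONNECT carries the duration, so the call start can be derived.
            start = when - timedelta(seconds=int(secs)) if secs else when
            end = when if kind == "DISCONNECT" else None
            calls.append({"channel": chan, "number": number, "start": start, "end": end})
        m = FEAT_RE.search(line)
        if m:
            rec = dict(p.split(":", 1) for p in m.group(1).split(","))
            rec["ft"] = datetime.strptime(rec["ft"], "%m/%d/%Y %H:%M:%S.%f")
            feats.append(rec)
    return calls, feats

def triage(lines, intl_prefix="00"):
    """Flag international trunk calls, records with no calling number, and overlaps."""
    calls, feats = parse(lines)
    intl = [c for c in calls if c["number"].startswith(intl_prefix)]
    no_cgn = [f for f in feats if not f["cgn"]]
    # Feature records stamped while a completed trunk call was up: leads, not proof.
    overlap = {c["number"]: [f for f in feats if c["start"] <= f["ft"] <= c["end"]]
               for c in intl if c["end"]}
    return intl, no_cgn, overlap
```

On the sample, the 900-second disconnect yields a call start of 15:39:43, within seconds of the 15:39:36 entry in the call log above, and the record with an empty `cgn` (called number 6800) falls inside that call's window.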

Accepted Solutions

heathrw
Level 4

I have seen only one occurrence where numbers are spoofed via E1; this was in a different country to where I normally work, as my country's carriers block any spoofing attempts.

Sending some of your Q931, dial-peer and ccapi inout debugs to your syslog server might give you more information:

http://www.cisco.com/c/en/us/td/docs/ios/voice/monitor/configuration/guide/12_4/vt_12_4_book/vt_debug_cmd_gw.pdf

Where the spoofing was occurring, I was able to stop this by doing the following:

- Make sure all my POTS dial peers were set to direct-in-dial (if applicable to the number range)

- Voice Translation profiles on the inbound dial peers (or port) to match destination for your organisation number range only; any other destination or null you can reject the call.


Dragan Ilic
Level 4

What FW are you using? How did you block SIP?

Also, if you don't use SIP at all, is the SIP service "shut down"? What does the output of "show sip-ua service" say?

I think that you are not hacked through E1 - I think that someone made a call through your system (probably with a SIP connection) and got out through E1...again IMHO...

BR,

Dragan

HTH,
Dragan

Thanks Dragan. The service is showing that it is shut down.


Thanks Heathrw. I will try your suggestions and see. As for the Q931 debug, should I let this run for the whole night and send it to syslog?

Depends on how often the calls are coming in. Since I don't know what other load is on your router, just be certain you won't impact your users.

If you know when the calls/attempts are coming in during certain periods I would try and run it then.

Looks set after making those changes you suggested. Thanks for your help.

You are welcome, if there are no other questions you may mark this discussion as correct.
