New Member

Cisco IOS CME Hacking via E1

Hi

 

Is it possible for someone to make calls via CME running on IOS v12.4 using an E1 PRI connection?

 

May 13 2014 15:39:36 00:15:07                          00881842011129           1

May 13 2014 15:50:36 00:05:35                          00881842011146

 

As the log above shows, a call was made, but I can't tell who made the call internally?

 

May 13 2014 16:28:43 00:00:26 00881842011146                                    2

May 13 2014 16:29:13 00:00:27 00881842011129                                    2

 

The other log shows originating call as external number but no destination.

 

2014-05-13 15:54:01    Local7.Notice    172.23.100.1    97068: 097064: *May 13 15:53:36.831 GMT: %VOIPAAA-5-VOIP_FEAT_HISTORY: FEAT_VSA=fn:TWC,ft:05/13/2014 15:53:03.978,cgn:213,cdn:230,frs:0,fid:65343,fcid:BCC8122FD9DC11E39449EEC1BC9630B,legID:82FC,bguid:BCC8122FD9DC11E39449EEC10BC9630B

 

2014-05-13 15:55:07    Local7.Info    172.23.100.1    97069: 097065: *May 13 15:54:43.295 GMT: %ISDN-6-DISCONNECT: Interface Serial0/3/0:29  disconnected from 00881842011129 , call lasted 900 seconds

 

2014-05-13 15:50:24    Local7.Notice    172.23.100.1    97062: 097058: *May 13 15:49:59.860 GMT: %VOIPAAA-5-VOIP_FEAT_HISTORY: FEAT_VSA=fn:TWC,ft:05/13/2014 15:49:48.388,cgn:,cdn:6800,frs:0,fid:65338,fcid:48834FCED9DC11E38BE100229032E5E0,legID:82F7,bguid:48834FCED9DC11E38BE100229032E5E0

 

2014-05-13 15:50:48    Local7.Info    172.23.100.1    97063: 097059: *May 13 15:50:23.360 GMT: %ISDN-6-CONNECT: Interface Serial0/3/0:19 is now connected to N/A N/A

 

2014-05-13 15:51:08    Local7.Info    172.23.100.1    97064: 097060: *May 13 15:50:43.041 GMT: %ISDN-6-CONNECT: Interface Serial0/3/0:30 is now connected to 00881842011146 N/A

 

The above logs are from syslog.

From firewall side, all SIP, H323 ports are blocked.

 

Thanks

Accepted Solutions
Bronze

I have seen only one occurrence where numbers are spoofed via E1; this was in a different country from where I normally work, as my country's carriers block any spoofing attempts.

 

Sending some of your Q931, dial-peer and ccapi inout debugs to your syslog server might give you more information.

http://www.cisco.com/c/en/us/td/docs/ios/voice/monitor/configuration/guide/12_4/vt_12_4_book/vt_debug_cmd_gw.pdf

 

Where the spoofing was occurring, I was able to stop it by doing the following:

- Make sure all my POTS dial peers were set to direct-in-dial (if applicable to the number range)

- Voice translation profiles on the inbound dial peers (or port) to match destinations in your organisation's number range only; for any other destination or null, you can reject the call.
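
For reviewing what the syslog server has already collected, here is an added example (not part of the original thread) that parses the three message types quoted in the question and totals PSTN call time per remote number. The `00` international prefix and the 300-second threshold are assumptions chosen for illustration, and the sample lines are abridged from the question plus one constructed line.

```python
import re
from collections import defaultdict

# First five lines are abridged from the syslog quoted in the question
# (syslog server prefix trimmed); the last one is constructed for this example.
SAMPLE = [
    "*May 13 15:53:36.831 GMT: %VOIPAAA-5-VOIP_FEAT_HISTORY: FEAT_VSA=fn:TWC,ft:05/13/2014 15:53:03.978,cgn:213,cdn:230,frs:0,fid:65343",
    "*May 13 15:54:43.295 GMT: %ISDN-6-DISCONNECT: Interface Serial0/3/0:29  disconnected from 00881842011129 , call lasted 900 seconds",
    "*May 13 15:49:59.860 GMT: %VOIPAAA-5-VOIP_FEAT_HISTORY: FEAT_VSA=fn:TWC,ft:05/13/2014 15:49:48.388,cgn:,cdn:6800,frs:0,fid:65338",
    "*May 13 15:50:23.360 GMT: %ISDN-6-CONNECT: Interface Serial0/3/0:19 is now connected to N/A N/A",
    "*May 13 15:50:43.041 GMT: %ISDN-6-CONNECT: Interface Serial0/3/0:30 is now connected to 00881842011146 N/A",
    "*May 13 15:56:18.000 GMT: %ISDN-6-DISCONNECT: Interface Serial0/3/0:30  disconnected from 00881842011146 , call lasted 335 seconds",
]

CONNECT = re.compile(r"%ISDN-6-CONNECT: Interface (\S+) is now connected to (\S+)")
DISCONNECT = re.compile(
    r"%ISDN-6-DISCONNECT: Interface (\S+)\s+disconnected from (\S+)\s*, call lasted (\d+) seconds")
FEAT = re.compile(r"%VOIPAAA-5-VOIP_FEAT_HISTORY: FEAT_VSA=(\S.*)$")

def parse_feat(vsa):
    """FEAT_VSA is 'key:value,key:value'; only the first ':' splits a pair (ft holds a time)."""
    return dict(field.split(":", 1) for field in vsa.split(",") if ":" in field)

def summarize(lines, prefix="00", min_seconds=300):
    """Return (per-number PSTN totals, feature events, flagged numbers).
    prefix and min_seconds are assumed thresholds for this example."""
    pstn = defaultdict(lambda: {"connects": 0, "seconds": 0, "channels": set()})
    features = []
    for line in lines:
        if m := CONNECT.search(line):
            pstn[m[2]]["connects"] += 1
            pstn[m[2]]["channels"].add(m[1])
        elif m := DISCONNECT.search(line):
            pstn[m[2]]["seconds"] += int(m[3])
            pstn[m[2]]["channels"].add(m[1])
        elif m := FEAT.search(line):
            f = parse_feat(m[1])
            # Empty cgn/cdn fields (as in the second FEAT line) become None.
            features.append((f.get("ft"), f.get("cgn") or None, f.get("cdn") or None))
    flagged = sorted(n for n, s in pstn.items()
                     if n.startswith(prefix) and s["seconds"] >= min_seconds)
    return dict(pstn), features, flagged

if __name__ == "__main__":
    totals, feats, flagged = summarize(SAMPLE)
    for number in flagged:
        print(number, totals[number]["seconds"], sorted(totals[number]["channels"]))
    for ft, cgn, cdn in feats:
        print("feature event", ft, "calling:", cgn, "called:", cdn)
```
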

 

 

7 REPLIES
Silver

What FW are you using? How did you block SIP?

Also, if you don't use SIP at all, is the SIP service "shut down"? What does the output of "show sip-ua service" say?

I think that you are not hacked through E1 - I think that someone made a call through your system (probably with a SIP connection) and got out through E1...again IMHO...

BR,

Dragan

HTH, Dragan
New Member

Thanks Dragan. The service is showing that it is shut down.


New Member

Thanks Heathrw. I will try your suggestions and see. As for the Q931 debug, should I let this run for the whole night and send it to syslog?

Bronze

Depends on how often the calls are coming in. Since I don't know what other load is on your router, just be certain you won't impact your users.

If you know when the calls/attempts are coming in during certain periods, I would try and run it then.

New Member

Looks set after making those changes you suggested. Thanks for your help.

Bronze

You are welcome. If there are no other questions, you may mark this discussion as correct.
