
Unauthorized INTL calls from CUCM7.1.3

Mohammed Idris
Level 1

The service provider's telephone bill shows INTL calls made to a single international number several times from different internal extensions, though those extensions have no INTL access. I checked the CDR for those dates and times and found nothing. I checked the system logs and security logs, but nothing was found.

Is this possible, and if so, how do I find out what's going wrong?

The SP says the CUCM security is compromised. I don't know on what basis the SP says this, though the customer has asked for an explanation. There is no direct internet connection terminated on the voice gateway. A single PRI line is used for 300 DIDs. Voice gateways are added as H323 gateways.

 

4 Replies

manpreetsingh46
Level 1

Please check the link below, as it has a lot of ways to block toll fraud.

 

http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucme/admin/configuration/guide/cmeadm/cmetoll.html

 

In the meantime, you can collect the CDR data from the call manager and also collect detailed call manager traces to see whether those calls even reached call manager or not, because this can also happen at the router level.

 

Post the CDR data and the detailed call manager traces here with the extensions that were involved in this.

In addition to the points suggested by Manpreet, H323 gateways running a version prior to 15.x have no security. Someone with a VoIP softclient can point the softclient at the H323 gateway and make calls all day long, and it won't show up on CDRs. You could add an ACL to the H323 interface to only allow H323 signaling (port 1720) from CUCM, or upgrade to a 15.x train. If you are on a 15.x train, make sure you don't have the following set: http://www.cisco.com/c/en/us/support/docs/voice/call-routing-dial-plans/112083-tollfraud-ios.html

Please rate useful posts.
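
An added example, not part of any post in this thread: one way to run the check the replies above describe, reconciling the provider's bill against CUCM CDRs to list billed calls that never produced a CDR, which the replies say points at the gateway rather than CUCM. The CDR columns are a subset of the CUCM CDR export; the bill layout, extensions and phone numbers are constructed for illustration.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample data. The CDR columns are a subset of the CUCM CDR export
# (dateTimeOrigination is epoch seconds, UTC). The bill layout, extensions and
# phone numbers are hypothetical.
CUCM_CDR = """\
dateTimeOrigination,callingPartyNumber,originalCalledPartyNumber,duration
1400000000,2001,900442079460123,65
1400003600,2002,95550100,120
"""
PROVIDER_BILL = """\
start_utc,calling_did,called_number,seconds
2014-05-13T16:53:24,5552001,442079460123,63
2014-05-13T18:10:02,5552044,442079460999,610
2014-05-13T18:25:41,5552017,442079460999,595
"""

def _rows(text):
    return list(csv.DictReader(io.StringIO(text)))

def calls_missing_from_cdr(bill_text, cdr_text, tolerance_s=120):
    """Billed calls with no CDR for the same destination within tolerance_s."""
    cdrs = [(int(r["dateTimeOrigination"]), r["originalCalledPartyNumber"])
            for r in _rows(cdr_text)]
    missing = []
    for call in _rows(bill_text):
        start = datetime.strptime(call["start_utc"], "%Y-%m-%dT%H:%M:%S")
        start = start.replace(tzinfo=timezone.utc).timestamp()
        # CUCM stores the dialed digits (access code, 00 prefix), so compare
        # on the trailing digits that the provider bills.
        if not any(abs(start - t) <= tolerance_s
                   and dialed.endswith(call["called_number"])
                   for t, dialed in cdrs):
            missing.append(call)
    return missing

def summarize(missing):
    """Map destination -> (call count, total billed seconds)."""
    totals = defaultdict(lambda: [0, 0])
    for call in missing:
        totals[call["called_number"]][0] += 1
        totals[call["called_number"]][1] += int(call["seconds"])
    return {number: tuple(v) for number, v in totals.items()}

if __name__ == "__main__":
    for number, (count, secs) in summarize(
            calls_missing_from_cdr(PROVIDER_BILL, CUCM_CDR)).items():
        print(f"{number}: {count} billed calls, {secs}s, no CUCM CDR")
```

The bill shows the DID while the CDR shows the internal extension, so matching here uses the called number and start time only.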

There is neither CME nor CUBE configured on the router. Can this still be the case? Please reply.

I have already checked the CDR, so how will collecting CDR data help? I did not understand this. Please help. Secondly, which CUCM traces should be collected?

I have gone through the link which you posted; it is specifically for CME, and I don't have CME.

If I add the IP address list, I also need to add those internal extensions from which the calls were executed, as those extensions also need outside dialing. Then how will I know it's a fraud call?

 

dana.tong
Level 4

Do you have a voicemail system? Unity or third-party? Also check the system outcalling / transfer rules, restriction tables, and default PINs.

These systems can often be compromised if the defaults have been left.

 
