Unauthorized INTL calls from CUCM7.1.3

Service provider telephone bill shows INTL calls made to a single international number several times from different internal extensions, though those extensions have no INTL access. Checked CDR for those dates and times and nothing was found. Checked system logs and security logs, but nothing was found.

Is this possible, and if so, how do I find out what's going wrong?

SP says the CUCM security is compromised. I don't know on what basis SP says this, though the customer has asked for an explanation. There is no direct internet connection terminated on the voice gateway. A single PRI line is used for 300 DIDs. Voice gateways are added as H323 gateways.

 

4 REPLIES

Please check the link below, as it has a lot of ways to block toll fraud.

 

http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucme/admin/configuration/guide/cmeadm/cmetoll.html

 

In the meantime, you can collect the CDR data from the Call Manager and also collect detailed Call Manager traces to see whether those calls even reached Call Manager or not, because this can also happen at the router level.

 

Post the CDR data and the detailed call manager traces here with the extensions that were involved in this.

In addition to the points suggested by Manpreet, H323 gateways running versions prior to 15.x have no security. Someone with a VoIP softclient can point the softclient at the H323 gateway and make calls all day long, and it won't show up on CDRs. You could add an ACL to the H323 interface to only allow H323 signaling (port 1720) from CUCM, or upgrade to a 15.x train. If you are on a 15.x train, make sure you don't have the following set: http://www.cisco.com/c/en/us/support/docs/voice/call-routing-dial-plans/112083-tollfraud-ios.html

Please rate useful posts.
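The ACL suggested in the reply above could look like the following IOS fragment. This is an added example, not configuration posted by anyone in the thread; the CUCM node addresses (192.0.2.11 and 192.0.2.12), the ACL name and the interface name are placeholders. The ACL matches the source IP of the H.323 signaling peer, so only the CUCM servers are listed, not individual extensions, because phones register to CUCM and CUCM is what signals the gateway.

```cisco
! Constructed example: placeholder addresses, ACL name and interface.
! Allow H.225 call signaling (TCP 1720) only from the CUCM nodes
! that are configured to use this router as an H.323 gateway.
ip access-list extended H323-FROM-CUCM
 remark H.225 call setup permitted from CUCM nodes only
 permit tcp host 192.0.2.11 any eq 1720
 permit tcp host 192.0.2.12 any eq 1720
 remark Any other source attempting H.225 setup is dropped and logged
 deny   tcp any any eq 1720 log
 remark Leave all other traffic on the interface unchanged
 permit ip any any
!
! Apply inbound on the LAN-facing interface that receives the signaling.
interface GigabitEthernet0/0
 ip access-group H323-FROM-CUCM in
!
! After applying, check the per-line match counters:
!   show ip access-lists H323-FROM-CUCM
! Matches on the deny line identify hosts other than CUCM that tried
! to set up calls directly through the gateway.
```

Hits on the deny entry, together with the logged source addresses, give a starting point for tracing calls that reached the PRI without passing through CUCM and therefore never produced a CDR.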

There is neither CME nor CUBE configured on the router. Can this still be the case? Please reply.

I have already checked CDR, so how will collecting CDR data help? I did not understand this. Please help. Secondly, which CUCM traces should be collected?

I have gone through the link which you posted, and it is specifically for CME, and I don't have CME.

If I add the IP address list, I also need to add those internal extensions from which the calls were executed, as those extensions also need outside dialing. Then how will I know it's a fraud call?

 


Do you have a voicemail system? Unity or third-party. Check also the system Out calling / transfer rules, and restriction tables, default PINs.

These systems can often be compromised if the defaults have been left.

 
