Support A2Billing :

provided by Star2Billing S.L.

 Post subject: Security issue?
PostPosted: Sun Aug 29, 2010 6:04 pm 
Dear A2Billing developers and users,
Today I have come across something, and I am unable to figure out how this could happen.
I have allowed to call SIP/IAX friends for free using the default prefix 555.
Now this is what happened.

First the user made a call to Honduras Mobile; the call length was 3 seconds.

+---------------------+----------+---------------+-----------------+-------------+
| starttime           | src      | calledstation | destination     | sessiontime |
+---------------------+----------+---------------+-----------------+-------------+
| 2010-08-28 20:48:49 | 01901423 | 50487306760   | Honduras Mobile |           4 |
+---------------------+----------+---------------+-----------------+-------------+


The call was disconnected after 4 seconds. The next call was a SIP call which lasted 285 seconds (a free call).


+---------------------+-------------+---------------+---------------------------------+-------------+
| starttime           | src         | calledstation | destination                     | sessiontime |
+---------------------+-------------+---------------+---------------------------------+-------------+
| 2010-08-28 20:48:54 | 50487306760 | 01901423      | SIP CALL                        |         285 |
+---------------------+-------------+---------------+---------------------------------+-------------+


Please note the src field on both calls. In the first call the src is 01901423; that's fine, this is the correct one.
In the second call the src is the number which the user dialed in the first call.

Now the first call was terminated through a TDM switch, which shows a call duration of 289 seconds, i.e. the sum of the first call and the second call, 4+285.

There were 17 such calls made. Each time, first a normal call, then after a couple of seconds a SIP call where src is the destination number of the first call.

I have looked into the a2billing AGI log but couldn't find how this was possible.

This user had Individual Access set, so no conference call could have been attempted.

I have tried to reproduce the scenario in different ways but couldn't succeed. I made the first call and
then tried to make a SIP call from the mobile phone during the call by dialing the SIP friend number, but this doesn't
dial the number.


I have disabled the SIP Free calls in my system. I hope this is a good precaution against this type of misuse.

But I will be grateful if somebody can comment on my message.
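The pairing described in this post (a short paid call, then a few seconds later a "free" SIP CALL row whose src is the number the paid call dialled and whose calledstation is the paid call's src) can be checked for over a CDR export. The following is an added example, not code from the thread or from A2Billing; the sample rows reuse the two records shown above plus one constructed benign call, and the 10-second pairing window is an assumption.

```python
from datetime import datetime

# Constructed sample rows in the thread's CDR column order
# (starttime, src, calledstation, destination, sessiontime): the first two
# reproduce the pair shown above, the third is a benign call for contrast.
SAMPLE_CDR = [
    ("2010-08-28 20:48:49", "01901423", "50487306760", "Honduras Mobile", 4),
    ("2010-08-28 20:48:54", "50487306760", "01901423", "SIP CALL", 285),
    ("2010-08-28 21:10:00", "01901423", "4930000000", "Germany", 60),
]

def parse_row(row):
    # one CDR tuple -> dict with a real timestamp and integer seconds
    start, src, called, dest, secs = row
    return {"start": datetime.strptime(start, "%Y-%m-%d %H:%M:%S"),
            "src": src, "called": called, "dest": dest, "secs": int(secs)}

def find_transfer_pairs(rows, window_s=10):
    """Return (paid_leg, free_leg) pairs matching the transfer pattern.

    A hit is a paid call followed within window_s seconds by a "SIP CALL"
    row whose src is the paid call's dialled number and whose calledstation
    is the paid call's src: the "free" leg is the transferred trunk call.
    """
    cdr = sorted((parse_row(r) for r in rows), key=lambda c: c["start"])
    hits = []
    for i, paid in enumerate(cdr):
        if paid["dest"] == "SIP CALL":
            continue  # only a paid leg can open a pair
        for nxt in cdr[i + 1:]:
            if (nxt["start"] - paid["start"]).total_seconds() > window_s:
                break  # rows are time-sorted; nothing later can match
            if (nxt["dest"] == "SIP CALL"
                    and nxt["src"] == paid["called"]
                    and nxt["called"] == paid["src"]):
                hits.append((paid, nxt))
    return hits

def unbilled_seconds(rows, window_s=10):
    """Seconds that ran on the paid trunk but were rated as free SIP time."""
    return sum(free["secs"] for _, free in find_transfer_pairs(rows, window_s))
```

On the sample rows this reports one pair and 285 seconds that the TDM switch carried but A2Billing rated as a free call, matching the 289 = 4 + 285 discrepancy the post describes.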


 Post subject: Re: Security issue?
PostPosted: Sun Aug 29, 2010 7:15 pm 
Hello,

I have had the same problem the last few days EXACTLY like you. Yesterday I had the same exact activity. They even called the same exact numbers. Here are a few from my cdr:

8. 2010-08-28 11:26:25 8831171020 100 50487306760 Honduras 00:01 8831171020
9. 2010-08-28 11:25:38 8831171020 100 50487306760 Honduras 00:00 8831171020
10. 2010-08-28 11:24:51 8831171020 100 50487306760 Honduras 00:00 8831171020
11. 2010-08-28 11:24:16 8831171020 100 50487306784 Honduras 00:00 8831171020

And just like you, my provider and Asterisk show calls originating from the trunk and going to Music On Hold or a test number, and the calls last several minutes as you describe. However A2Billing doesn't see them at all, or sees 1 second maximum, and simultaneous calls is off, but my provider has charged me for 50 or so calls from a few seconds to 5 or 6 minutes. I was being charged a dollar or two for these calls, which added up to around $50 in all. It is not the callback. I have checked the logs and even watched the CLI while this was going on, and it seems that somehow they are transferring or conferencing the calls. This is a lot like this post: http://forum.asterisk2billing.org/viewtopic.php?f=8&t=5567&start=30

Joe Roper mentioned in there that having an 'i' in the dialcommand string is a possibility, and sure enough I didn't have it. I still don't get how they are getting away with this, except that they found some exploit using SIP and reinvite or transfer activity. Also my SIP free calls are off, so the only thing I know that could have caused it is the 'i' dial command option. I'm going to look into that today. Apparently these scammers are out there, so watch out!!

Regards,
Steve


 Post subject: Re: Security issue?
PostPosted: Sun Aug 29, 2010 7:54 pm 
Hi thewoose,
I found the problem and the fix; it's mentioned in this post:
viewtopic.php?f=22&t=6977

They were doing transfers. So it can be fixed by using

sip.conf
[general]
allowoverlap=no
allowtransfer=no

Thanks to marek100

it saved me.


 Post subject: Re: Security issue?
PostPosted: Sun Aug 29, 2010 8:19 pm 
Hi Steve,
I have read the post again. That's true, they dialed exactly the same numbers.
And I see now that they had already tried a few weeks ago. I saw some suspicious calls at 3 a.m. a few weeks ago and blocked their account. I reported it to Moneybookers too.

You won't believe it: as soon as I blocked their account, they called me and demanded that I activate the account. They had an Italian number; I have a number where I called them,
0039069023113. He was telling me that he will go to the courts etc. etc. I reported it to Moneybookers and they confirmed it was a fraudulent account.
And the email: [email protected]

We should revise the dialcodes and block any premium numbers. This is really MAFIA.


 Post subject: Re: Security issue?
PostPosted: Sun Aug 29, 2010 9:56 pm 
Hello mazhar996,

Unbelievable! I've got the SAME scammer from Italy -- the email I have is [email protected]. Not just the same country, the same person!! And yes, thanks so much for the advice ... I made sure that,
in sip.conf:

allowtransfer=no
cancallforward=no
allowoverlap=no

And I checked the SIP client configs and changed them as well. It looks like cancallforward was defaulting to yes, so I disabled that in the sip_iax info global settings. And I made SURE that the dialcommand included the 'i' option as Jroper said.

Wow, pretty amazing we got the same scammer. At least the word is out on them. They were pretty annoying in their emails to me as well; they didn't much like being blocked!

Thanks a lot for sharing all that, it has helped me out a good deal and hopefully others.

Regards,
Steve


 Post subject: Re: Security issue?
PostPosted: Mon Aug 30, 2010 12:01 am 
Hi Steve,
he signed up with that exact Hotmail address too, but I blocked it as well, in fact along with many other email addresses. Anyhow, I won't recommend setting allowoverlap to no if you provide services where DTMF is in use or the caller doesn't dial the number fast, because if you have some users who take a longer time to press digits, you may miss some of the digits; overlap dialing provides a longer timeout. But it might also be OK with overlap set to no. You can test it yourself. I just wanted to point that out.

By the way, "i" in the dialcommand didn't stop that transfer of the call. I had "i" included in the dialcommand but, as you know, it still caused that issue.

A2Billing developers need to make it a little more intelligent so that it can sense the call transfer and bill accordingly.

best regards

mazhar

