Support A2Billing :

provided by Star2Billing S.L.

VoIP Billing solution

All times are UTC
 Post subject: fraud with SIP , a sophisticated hack to make free call.
PostPosted: Sat Jun 12, 2010 3:28 am 

Joined: Wed Apr 01, 2009 6:09 am
Posts: 5
Dear Sir:
In recent days, there has been a fraud with my system. I noticed somebody was using my system to call North Korea and Somalia, creating $200 of free calls out of my system. I did a log analysis for one of the successful calls, and found that after the initial INVITE there is an immediate BYE, but obviously the call didn't really terminate. My a2billing didn't even register the call, but the call really lasted 17 minutes. After 17 minutes I see the real BYE, and the call terminated. So my wholesale provider charged me for 17 minutes, but my a2billing didn't even register the call. Thus the hacker made the call for free.
Does anybody know why this can happen? How to fix this issue with a2billing?

Jimmy


Jun 10 10:57:49 server1 /usr/sbin/opensips[7441]: New request - M=INVITE RURI=sip:[email protected] F=sip:[email protected] T=sip:[email protected] IP=95.246.215.97 ID=443a5d218c7bf938@bHVuYS1mM2M5NjAwMDZh
Jun 10 10:57:49 server1 /usr/sbin/opensips[7441]: load_balance - M=INVITE RURI=sip:[email protected] F=sip:[email protected] T=sip:[email protected] IP=95.246.215.97 ID=443a5d218c7bf938@bHVuYS1mM2M5NjAwMDZh U=8407055028
Jun 10 10:57:49 server1 /usr/sbin/opensips[7441]: After dispatch - M=INVITE RURI=sip:[email protected] F=sip:[email protected] T=sip:[email protected] IP=95.246.215.97 ID=443a5d218c7bf938@bHVuYS1mM2M5NjAwMDZh retcode=1
Jun 10 10:57:49 server1 /usr/sbin/opensips[7440]: Reply - S=100 D=Trying F=sip:[email protected] T=sip:[email protected] IP=89.103.211.147 ID=443a5d218c7bf938@bHVuYS1mM2M5NjAwMDZh R=<null>
Jun 10 10:57:50 server1 /usr/sbin/opensips[7439]: Reply - S=200 D=OK F=sip:[email protected] T=sip:[email protected] IP=89.103.211.147 ID=443a5d218c7bf938@bHVuYS1mM2M5NjAwMDZh R=<null>
Jun 10 10:57:51 server1 /usr/sbin/opensips[7442]: New request - M=ACK RURI=sip:[email protected] F=sip:[email protected] T=sip:[email protected] IP=95.246.215.97 ID=443a5d218c7bf938@bHVuYS1mM2M5NjAwMDZh
Jun 10 10:58:02 server1 /usr/sbin/opensips[7441]: New request - M=INVITE RURI=sip:[email protected] F=sip:[email protected] T=sip:[email protected] IP=95.246.215.97 ID=443a5d218c7bf938@bHVuYS1mM2M5NjAwMDZh
Jun 10 10:58:02 server1 /usr/sbin/opensips[7441]: load_balance - M=INVITE RURI=sip:[email protected] F=sip:[email protected] T=sip:[email protected] IP=95.246.215.97 ID=443a5d218c7bf938@bHVuYS1mM2M5NjAwMDZh U=8407055028
Jun 10 10:58:02 server1 /usr/sbin/opensips[7441]: After dispatch - M=INVITE RURI=sip:[email protected] F=sip:[email protected] T=sip:[email protected] IP=95.246.215.97 ID=443a5d218c7bf938@bHVuYS1mM2M5NjAwMDZh retcode=4294967295
Jun 10 10:58:02 server1 /usr/sbin/opensips[7438]: Reply - S=100 D=Trying F=sip:[email protected] T=sip:[email protected] IP=89.103.211.147 ID=443a5d218c7bf938@bHVuYS1mM2M5NjAwMDZh R=<null>
Jun 10 10:58:02 server1 /usr/sbin/opensips[7441]: Reply - S=200 D=OK F=sip:[email protected] T=sip:[email protected] IP=89.103.211.147 ID=443a5d218c7bf938@bHVuYS1mM2M5NjAwMDZh R=<null>
Jun 10 10:58:03 server1 /usr/sbin/opensips[7443]: New request - M=ACK RURI=sip:[email protected] F=sip:[email protected] T=sip:[email protected] IP=95.246.215.97 ID=443a5d218c7bf938@bHVuYS1mM2M5NjAwMDZh
Jun 10 10:58:03 server1 /usr/sbin/opensips[7442]: New request - M=INVITE RURI=sip:[email protected]:9024 F=sip:[email protected] T=sip:[email protected] IP=89.103.211.147 ID=443a5d218c7bf938@bHVuYS1mM2M5NjAwMDZh
Jun 10 10:58:03 server1 /usr/sbin/opensips[7442]: Reply - S=200 D=OK F=sip:[email protected] T=sip:[email protected] IP=95.246.215.97 ID=443a5d218c7bf938@bHVuYS1mM2M5NjAwMDZh R=<null>
Jun 10 10:58:04 server1 /usr/sbin/opensips[7443]: New request - M=ACK RURI=sip:[email protected]:9024 F=sip:[email protected] T=sip:[email protected] IP=89.103.211.147 ID=443a5d218c7bf938@bHVuYS1mM2M5NjAwMDZh
Jun 10 10:58:04 server1 /usr/sbin/opensips[7439]: Reply - S=200 D=OK F=sip:[email protected] T=sip:[email protected] IP=95.246.215.97 ID=443a5d218c7bf938@bHVuYS1mM2M5NjAwMDZh R=<null>
Jun 10 10:58:04 server1 /usr/sbin/opensips[7441]: New request - M=ACK RURI=sip:[email protected]:9024 F=sip:[email protected] T=sip:[email protected] IP=89.103.211.147 ID=443a5d218c7bf938@bHVuYS1mM2M5NjAwMDZh
Jun 10 10:58:05 server1 /usr/sbin/opensips[7439]: Reply - S=200 D=OK F=sip:[email protected] T=sip:[email protected] IP=95.246.215.97 ID=443a5d218c7bf938@bHVuYS1mM2M5NjAwMDZh R=<null>
Jun 10 10:58:05 server1 /usr/sbin/opensips[7443]: New request - M=ACK RURI=sip:[email protected]:9024 F=sip:[email protected] T=sip:[email protected] IP=89.103.211.147 ID=443a5d218c7bf938@bHVuYS1mM2M5NjAwMDZh
Jun 10 10:58:07 server1 /usr/sbin/opensips[7441]: Reply - S=200 D=OK F=sip:[email protected] T=sip:[email protected] IP=95.246.215.97 ID=443a5d218c7bf938@bHVuYS1mM2M5NjAwMDZh R=<null>
Jun 10 10:58:07 server1 /usr/sbin/opensips[7440]: New request - M=ACK RURI=sip:[email protected]:9024 F=sip:[email protected] T=sip:[email protected] IP=89.103.211.147 ID=443a5d218c7bf938@bHVuYS1mM2M5NjAwMDZh
Jun 10 10:58:15 server1 /usr/sbin/opensips[7441]: New request - M=INVITE RURI=sip:[email protected] F=sip:[email protected] T=sip:[email protected] IP=95.246.215.97 ID=443a5d218c7bf938@bHVuYS1mM2M5NjAwMDZh
Jun 10 10:58:15 server1 /usr/sbin/opensips[7441]: load_balance - M=INVITE RURI=sip:[email protected] F=sip:[email protected] T=sip:[email protected] IP=95.246.215.97 ID=443a5d218c7bf938@bHVuYS1mM2M5NjAwMDZh U=8407055028
Jun 10 10:58:15 server1 /usr/sbin/opensips[7441]: After dispatch - M=INVITE RURI=sip:[email protected] F=sip:[email protected] T=sip:[email protected] IP=95.246.215.97 ID=443a5d218c7bf938@bHVuYS1mM2M5NjAwMDZh retcode=4294967295
Jun 10 10:58:15 server1 /usr/sbin/opensips[7438]: Reply - S=100 D=Trying F=sip:[email protected] T=sip:[email protected] IP=89.103.211.147 ID=443a5d218c7bf938@bHVuYS1mM2M5NjAwMDZh R=<null>
Jun 10 10:58:16 server1 /usr/sbin/opensips[7440]: Reply - S=200 D=OK F=sip:[email protected] T=sip:[email protected] IP=89.103.211.147 ID=443a5d218c7bf938@bHVuYS1mM2M5NjAwMDZh R=<null>
Jun 10 10:58:16 server1 /usr/sbin/opensips[7439]: New request - M=ACK RURI=sip:[email protected] F=sip:[email protected] T=sip:[email protected] IP=95.246.215.97 ID=443a5d218c7bf938@bHVuYS1mM2M5NjAwMDZh
Jun 10 10:58:42 server1 /usr/sbin/opensips[7443]: New request - M=INVITE RURI=sip:[email protected] F=sip:[email protected] T=sip:[email protected] IP=95.246.215.97 ID=443a5d218c7bf938@bHVuYS1mM2M5NjAwMDZh
Jun 10 10:58:42 server1 /usr/sbin/opensips[7443]: load_balance - M=INVITE RURI=sip:[email protected] F=sip:[email protected] T=sip:[email protected] IP=95.246.215.97 ID=443a5d218c7bf938@bHVuYS1mM2M5NjAwMDZh U=8407055028
Jun 10 10:58:42 server1 /usr/sbin/opensips[7443]: After dispatch - M=INVITE RURI=sip:[email protected] F=sip:[email protected] T=sip:[email protected] IP=95.246.215.97 ID=443a5d218c7bf938@bHVuYS1mM2M5NjAwMDZh retcode=4294967295
Jun 10 10:58:42 server1 /usr/sbin/opensips[7439]: Reply - S=100 D=Trying F=sip:[email protected] T=sip:[email protected] IP=89.103.211.147 ID=443a5d218c7bf938@bHVuYS1mM2M5NjAwMDZh R=<null>
Jun 10 10:58:42 server1 /usr/sbin/opensips[7439]: Reply - S=200 D=OK F=sip:[email protected] T=sip:[email protected] IP=89.103.211.147 ID=443a5d218c7bf938@bHVuYS1mM2M5NjAwMDZh R=<null>
Jun 10 10:58:42 server1 /usr/sbin/opensips[7438]: New request - M=ACK RURI=sip:[email protected] F=sip:[email protected] T=sip:[email protected] IP=95.246.215.97 ID=443a5d218c7bf938@bHVuYS1mM2M5NjAwMDZh
Jun 10 11:00:11 server1 /usr/sbin/opensips[7442]: New request - M=INVITE RURI=sip:[email protected] F=sip:[email protected] T=sip:[email protected] IP=95.246.215.97 ID=443a5d218c7bf938@bHVuYS1mM2M5NjAwMDZh
Jun 10 11:00:12 server1 /usr/sbin/opensips[7442]: load_balance - M=INVITE RURI=sip:[email protected] F=sip:[email protected] T=sip:[email protected] IP=95.246.215.97 ID=443a5d218c7bf938@bHVuYS1mM2M5NjAwMDZh U=8407055028
Jun 10 11:00:12 server1 /usr/sbin/opensips[7442]: After dispatch - M=INVITE RURI=sip:[email protected] F=sip:[email protected] T=sip:[email protected] IP=95.246.215.97 ID=443a5d218c7bf938@bHVuYS1mM2M5NjAwMDZh retcode=4294967295
Jun 10 11:00:12 server1 /usr/sbin/opensips[7443]: Reply - S=100 D=Trying F=sip:[email protected] T=sip:[email protected] IP=89.103.211.147 ID=443a5d218c7bf938@bHVuYS1mM2M5NjAwMDZh R=<null>
Jun 10 11:00:12 server1 /usr/sbin/opensips[7443]: Reply - S=200 D=OK F=sip:[email protected] T=sip:[email protected] IP=89.103.211.147 ID=443a5d218c7bf938@bHVuYS1mM2M5NjAwMDZh R=<null>
Jun 10 11:00:13 server1 /usr/sbin/opensips[7443]: New request - M=ACK RURI=sip:[email protected] F=sip:[email protected] T=sip:[email protected] IP=95.246.215.97 ID=443a5d218c7bf938@bHVuYS1mM2M5NjAwMDZh
Jun 10 11:00:15 server1 /usr/sbin/opensips[7443]: New request - M=INVITE RURI=sip:[email protected] F=sip:[email protected] T=sip:[email protected] IP=95.246.215.97 ID=443a5d218c7bf938@bHVuYS1mM2M5NjAwMDZh
Jun 10 11:00:15 server1 /usr/sbin/opensips[7443]: load_balance - M=INVITE RURI=sip:[email protected] F=sip:[email protected] T=sip:[email protected] IP=95.246.215.97 ID=443a5d218c7bf938@bHVuYS1mM2M5NjAwMDZh U=8407055028
Jun 10 11:00:15 server1 /usr/sbin/opensips[7443]: After dispatch - M=INVITE RURI=sip:[email protected] F=sip:[email protected] T=sip:[email protected] IP=95.246.215.97 ID=443a5d218c7bf938@bHVuYS1mM2M5NjAwMDZh retcode=4294967295
Jun 10 11:00:15 server1 /usr/sbin/opensips[7440]: Reply - S=100 D=Trying F=sip:[email protected] T=sip:[email protected] IP=89.103.211.147 ID=443a5d218c7bf938@bHVuYS1mM2M5NjAwMDZh R=<null>
Jun 10 11:00:15 server1 /usr/sbin/opensips[7440]: Reply - S=200 D=OK F=sip:[email protected] T=sip:[email protected] IP=89.103.211.147 ID=443a5d218c7bf938@bHVuYS1mM2M5NjAwMDZh R=<null>
Jun 10 11:00:15 server1 /usr/sbin/opensips[7443]: New request - M=ACK RURI=sip:[email protected] F=sip:[email protected] T=sip:[email protected] IP=95.246.215.97 ID=443a5d218c7bf938@bHVuYS1mM2M5NjAwMDZh
Jun 10 11:00:16 server1 /usr/sbin/opensips[7438]: Reply - S=200 D=OK F=sip:[email protected] T=sip:[email protected] IP=89.103.211.147 ID=443a5d218c7bf938@bHVuYS1mM2M5NjAwMDZh R=<null>
Jun 10 11:00:16 server1 /usr/sbin/opensips[7441]: New request - M=ACK RURI=sip:[email protected] F=sip:[email protected] T=sip:[email protected] IP=95.246.215.97 ID=443a5d218c7bf938@bHVuYS1mM2M5NjAwMDZh
Jun 10 11:15:54 server1 /usr/sbin/opensips[7438]: New request - M=BYE RURI=sip:[email protected]:9024 F=sip:[email protected] T=sip:[email protected] IP=89.103.211.147 ID=443a5d218c7bf938@bHVuYS1mM2M5NjAwMDZh
Jun 10 11:15:55 server1 /usr/sbin/opensips[7438]: New request - M=BYE RURI=sip:[email protected]:9024 F=sip:[email protected] T=sip:[email protected] IP=89.103.211.147 ID=443a5d218c7bf938@bHVuYS1mM2M5NjAwMDZh
Jun 10 11:15:56 server1 /usr/sbin/opensips[7441]: New request - M=BYE RURI=sip:[email protected]:9024 F=sip:[email protected] T=sip:[email protected] IP=89.103.211.147 ID=443a5d218c7bf938@bHVuYS1mM2M5NjAwMDZh
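The OpenSIPS log above shows one Call-ID (the ID= field) that is INVITEd repeatedly and only sees its BYE some 18 minutes after the first INVITE, while the billing platform recorded nothing. One defensive check that follows from this is to reconcile what the proxy saw with what billing charged. The script below is an added example, not the poster's code and not part of OpenSIPS or A2Billing: it parses the `New request - M=...` / `Reply - S=...` line format shown in the post, rebuilds each dialog by Call-ID, and flags dialogs whose proxy-observed lifetime exceeds the billed duration by more than a tolerance. The sample lines, addresses and Call-IDs are constructed for the demonstration; the billed-seconds map stands in for a CDR export.

```python
"""Reconcile SIP dialogs seen at the OpenSIPS proxy against billed call durations.

Added example (not from the thread, OpenSIPS or A2Billing). Parses the proxy log
format shown in the post, groups events by Call-ID, and flags dialogs the proxy
saw for much longer than billing charged. Sample data below is constructed.
"""
import re
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ \S+: "
    r"(?:New request|Reply) - (?:M=(?P<method>\w+)|S=(?P<status>\d+))"
    r".*?IP=(?P<ip>[\d.]+) ID=(?P<callid>\S+)"
)

# Constructed sample: callid-A is re-INVITEd twice and torn down 18 minutes after the
# first INVITE; callid-B is an ordinary three-minute call. Syslog lines carry no year.
SAMPLE_LOG = """\
Jun 10 10:57:49 server1 /usr/sbin/opensips[7441]: New request - M=INVITE RURI=sip:0085012345678@192.0.2.1 IP=192.0.2.10 ID=callid-A@example
Jun 10 10:57:50 server1 /usr/sbin/opensips[7439]: Reply - S=200 D=OK IP=198.51.100.5 ID=callid-A@example R=<null>
Jun 10 10:57:51 server1 /usr/sbin/opensips[7442]: New request - M=ACK RURI=sip:0085012345678@192.0.2.1 IP=192.0.2.10 ID=callid-A@example
Jun 10 10:58:02 server1 /usr/sbin/opensips[7441]: New request - M=INVITE RURI=sip:0085012345678@192.0.2.1 IP=192.0.2.10 ID=callid-A@example
Jun 10 11:00:15 server1 /usr/sbin/opensips[7443]: New request - M=INVITE RURI=sip:0085012345678@192.0.2.1 IP=192.0.2.10 ID=callid-A@example
Jun 10 11:15:54 server1 /usr/sbin/opensips[7438]: New request - M=BYE RURI=sip:1001@192.0.2.10:9024 IP=198.51.100.5 ID=callid-A@example
Jun 10 12:00:00 server1 /usr/sbin/opensips[7440]: New request - M=INVITE RURI=sip:441234567890@192.0.2.1 IP=192.0.2.11 ID=callid-B@example
Jun 10 12:00:01 server1 /usr/sbin/opensips[7440]: Reply - S=200 D=OK IP=198.51.100.5 ID=callid-B@example R=<null>
Jun 10 12:03:00 server1 /usr/sbin/opensips[7441]: New request - M=BYE RURI=sip:1002@192.0.2.11 IP=198.51.100.5 ID=callid-B@example
"""

# Constructed billing view: callid-B was rated for 180 s; callid-A never produced
# a CDR at all, which is the situation the original poster describes.
SAMPLE_BILLED = {"callid-B@example": 180}


def parse_line(line, year=2010):
    """Return the fields of one proxy log line, or None for lines in another format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "method": m["method"], "ip": m["ip"], "callid": m["callid"]}


def build_dialogs(lines, year=2010):
    """Group events by Call-ID: first INVITE, last BYE, INVITE count, source IPs seen."""
    dialogs = {}
    for line in lines:
        ev = parse_line(line, year)
        if ev is None:
            continue
        d = dialogs.setdefault(
            ev["callid"], {"first_invite": None, "last_bye": None, "invites": 0, "ips": set()}
        )
        d["ips"].add(ev["ip"])
        if ev["method"] == "INVITE":
            d["invites"] += 1
            if d["first_invite"] is None:
                d["first_invite"] = ev["ts"]
        elif ev["method"] == "BYE":
            d["last_bye"] = ev["ts"]
    return dialogs


def observed_seconds(dialog):
    """Proxy-side lifetime of a dialog in seconds, or None if it never completed."""
    if dialog["first_invite"] is None or dialog["last_bye"] is None:
        return None
    return int((dialog["last_bye"] - dialog["first_invite"]).total_seconds())


def reconcile(dialogs, billed, tolerance=60):
    """Flag dialogs the proxy saw for much longer than billing charged.

    billed maps Call-ID -> billed seconds; a Call-ID with no CDR counts as 0.
    """
    findings = []
    for callid, d in dialogs.items():
        obs = observed_seconds(d)
        if obs is None:
            continue
        bill = billed.get(callid, 0)
        if obs - bill > tolerance:
            findings.append({
                "callid": callid, "observed": obs, "billed": bill,
                "reinvites": d["invites"] - 1, "ips": sorted(d["ips"]),
            })
    return findings


def find_suspicious():
    """Run the reconciliation over the constructed sample."""
    return reconcile(build_dialogs(SAMPLE_LOG.splitlines()), SAMPLE_BILLED)


if __name__ == "__main__":
    for f in find_suspicious():
        print(f"{f['callid']}: proxy saw {f['observed']} s, billed {f['billed']} s, "
              f"{f['reinvites']} re-INVITE(s), IPs {f['ips']}")
```

Run it against a real export by feeding the proxy log through `build_dialogs` and a Call-ID-to-seconds map from the billing CDR table into `reconcile`; a dialog that shows up with `billed == 0` and a large `observed` value is the case described in the post, and the re-INVITE count and the set of source IPs are the fields worth carrying into the incident notes.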


 Post subject: Re: fraud with SIP , a sophisticated hack to make free call.
PostPosted: Fri Jun 18, 2010 9:57 pm 

Joined: Fri Jun 18, 2010 9:43 pm
Posts: 1
I have the same problem with a2billing 1.7. Someone created 3 different accounts within a few hours on June 11, then paid 5 Euro using PayPal to each account to be able to place a call. Then several calls were made to free call numbers in the USA, followed by numbers in North Korea. The call in my log lasts only a few seconds and my wholesaler charged several minutes. One of the tricksters even sent a customer ticket asking for multiline access. I had to block PayPal payments for now so they cannot place an initial balance. Does anyone have a solution? This seems to be a serious thing.

Joerg


4. 2010-06-11 19:46:17 7015120959 0085099922379 85099922379 North Korea 0.000 EUR 0.000 EUR 00:07 7015120959 terrasip ANSWER STANDARD 0.034 EUR 0.000 EUR n/a -100.00%
5. 2010-06-11 19:37:21 7015120959 0085099922378 85099922378 North Korea 0.000 EUR 0.000 EUR 00:03 7015120959 terrasip ANSWER STANDARD 0.014 EUR 0.000 EUR n/a -100.00%
6. 2010-06-11 19:28:07 7015120959 0085099922374 85099922374 North Korea 0.000 EUR 0.000 EUR 00:03 7015120959 terrasip ANSWER STANDARD 0.014 EUR 0.000 EUR n/a -100.00%
7. 2010-06-11 19:26:16 2382486525 0085099922379 85099922379 North Korea 0.000 EUR 0.000 EUR 00:02 2382486525 terrasip ANSWER STANDARD 0.010 EUR 0.000 EUR n/a -100.00%
8. 2010-06-11 19:18:50 7015120959 0085099922379 85099922379 North Korea 0.000 EUR 0.000 EUR 00:02 7015120959 terrasip ANSWER STANDARD 0.010 EUR 0.000 EUR n/a -100.00%
9. 2010-06-11 19:15:23 7015120959 0018002036538 18002036538 USA Toll Free 0.000 EUR 0.000 EUR 00:20 7015120959 terrasip ANSWER STANDARD 0.000 EUR 0.000 EUR n/a -100.00%
10. 2010-06-11 19:14:24 7015120959 0018008472911 18008472911 USA Toll Free 0.000 EUR 0.000 EUR 00:31 7015120959 terrasip ANSWER STANDARD 0.000 EUR 0.000 EUR n/a -100.00%
11. 2010-06-11 19:14:02 7015120959 0018002001111 18002001111 USA Toll Free 0.000 EUR 0.000 EUR 00:03 7015120959 terrasip ANSWER STANDARD 0.000 EUR 0.000 EUR n/a -100.00%
12. 2010-06-11 19:13:33 7015120959 0018002235652 18002235652 USA Toll Free 0.000 EUR 0.000 EUR 00:18 7015120959 terrasip ANSWER STANDARD 0.000 EUR 0.000 EUR n/a -100.00%




Wholesale CDR
85099922379 Korea Dem. People Rep North 11,Jun 10 20:48:33 11,Jun 10 20:56:42 08:09 EUR 2.3415
85099922379 Korea Dem. People Rep North 11,Jun 10 20:28:32 11,Jun 10 20:45:46 17:14 EUR 4.9511
85099922378 Korea Dem. People Rep North 11,Jun 10 20:39:38 11,Jun 10 20:40:10 00:32 EUR 0.1532
85099922374 Korea Dem. People Rep North 11,Jun 10 20:30:23 11,Jun 10 20:30:56 00:33 EUR 0.158
85099922379 Korea Dem. People Rep North 11,Jun 10 20:21:06 11,Jun 10 20:26:16 05:10 EUR 1.4844
18002036538 USA Toll Free 11,Jun 10 20:17:39 11,Jun 10 20:17:59 00:20 EUR 0.0005
18008472911 USA Toll Free 11,Jun 10 20:16:42 11,Jun 10 20:17:12 00:30 EUR 0.0008
18002001111 USA Toll Free 11,Jun 10 20:16:18 11,Jun 10 20:16:21 00:03 EUR 0.000


 Post subject: Re: fraud with SIP , a sophisticated hack to make free call.
PostPosted: Fri Jul 16, 2010 2:34 am 

Joined: Sun Nov 15, 2009 2:07 am
Posts: 6
I know that system; the only solution for this is not to allow simultaneous calls for new customers.

I hope this can help you.


 Post subject: Re: fraud with SIP , a sophisticated hack to make free call.
PostPosted: Fri Jul 16, 2010 5:33 pm 

Joined: Fri Apr 16, 2010 4:22 pm
Posts: 7
I have had a similar issue.
Sounds like there is no technical way around this yet??


 Post subject: Re: fraud with SIP , a sophisticated hack to make free call.
PostPosted: Tue Jul 20, 2010 10:08 pm 

Joined: Tue Jul 20, 2010 10:03 pm
Posts: 4
Same problem here.
A user made a lot of calls to Somalia, and in the a2billing reports the calls are 00:00 or 00:01 seconds. But the SIP provider showed the same calls with durations of 1-25-15 minutes.

Is there a workaround for this problem?

Quote:
I know that system; the only solution for this is not to allow simultaneous calls for new customers.

All users on the system have individual access; no simultaneous calls allowed.


 Post subject: Re: fraud with SIP , a sophisticated hack to make free call.
PostPosted: Thu Jul 22, 2010 7:33 am 

Joined: Tue Jul 20, 2010 10:03 pm
Posts: 4
Could anyone advise something on this problem?
We badly need help.. :(


 Post subject: Re: fraud with SIP , a sophisticated hack to make free call.
PostPosted: Fri Jul 23, 2010 12:26 pm 

Joined: Fri Jun 23, 2006 3:56 pm
Posts: 4065
Hi

We need to understand how to replicate this hack in order to work out how to defend against it.

Can you work out from the logs how the hack is performed, so we can understand this more clearly?

As a side note, if there is a string in the Asterisk "full" log that indicates when the hack is taking place, then possibly an OSSEC rule could be created to block the IP address.

Yours

Joe


 Post subject: Re: fraud with SIP , a sophisticated hack to make free call.
PostPosted: Fri Jul 23, 2010 12:39 pm 

Joined: Tue Jul 20, 2010 10:03 pm
Posts: 4
There are log quotes above; as far as I can see, my problem is just alike.
But I will try to extract some of my logs to publish here.

Just thought it might be a known issue if several people have already reported that fraudulent activity on their servers.


 Post subject: Re: fraud with SIP , a sophisticated hack to make free call.
PostPosted: Sat Jul 24, 2010 3:31 am 

Joined: Sat May 10, 2008 4:19 pm
Posts: 132
Location: Wilmington, DE
Hello,
This is always a scary situation for all users. Is this problem in 1.7 only or is it in all versions?
Could this have anything to do with call transfer or callback? Are the people experiencing this using a sip proxy?

It is well worth it to know your customers. Do not let them start calling until you verify their identity. Let them sign up with a call plan with no rates in it. You can go a step further and check if the call plan is the one you created with no rates, and stop them from adding funds to their account until you are comfortable with them. The honest ones would appreciate your security measures. If you allow them to pay by PayPal, compare their information in A2B against the information at PayPal. Small price to pay. You don't need PayPal to kill your account because of chargebacks.

Good Luck,

RobinA


 Post subject: Re: fraud with SIP , a sophisticated hack to make free call.
PostPosted: Sat Jul 24, 2010 7:12 am 

Joined: Fri Jun 23, 2006 3:56 pm
Posts: 4065
Hi

The OP's logs are related to OpenSIPS, not to Asterisk and A2Billing; we need to see if we can replicate this issue in Asterisk and A2Billing.

Joe


 Post subject: Re: fraud with SIP , a sophisticated hack to make free call.
PostPosted: Sun Sep 12, 2010 2:05 am 

Joined: Mon Mar 15, 2010 4:43 pm
Posts: 19
Hello everyone,

I am having the same problem, as someone is using my Asterisk/A2Billing system to call North Korea, Somalia and Zimbabwe. They are using my TestBox, which is mainly used for testing and personal use. Therefore I am not having any customer activity, and the few users are rather close family members.

I have noticed that they actually used my own SIP account to make the calls. This was done yesterday and I believe they are going to come back for more free calls. I have not disabled anything and keep everything going as it is in order to find the security issue. I am happy to give you guys access to my system, as they are still allowed to make more calls, so we can find out the security issue.

I am using A2Billing 1.3 and Asterisk 1.4 on the TestBox, by the way.

Please respond ASAP before they shy away.

Thanks,

Avestan


 Post subject: Re: fraud with SIP , a sophisticated hack to make free call.
PostPosted: Sun Sep 12, 2010 9:34 am 

Joined: Fri Jun 23, 2006 3:56 pm
Posts: 4065
Hi

If they are using your extension to make calls, did they crack your password / secret for the extension? Are all passwords strong and secure on the system?

Joe


 Post subject: Re: fraud with SIP , a sophisticated hack to make free call.
PostPosted: Sun Sep 12, 2010 12:47 pm 

Joined: Mon Mar 15, 2010 4:43 pm
Posts: 19
Hello jroper,

The password is what is generated by A2Billing. So I would say it is pretty strong.

Here are my findings so far:

The account was a PrePaid account with around 6 dollars in it. The account is also associated with a DID, and my A2Billing shows the calls were initiated from the same DID. So, does this mean that somehow they got hold of my DID also?!!!

It appears that they made around 32 minutes of calls in two minutes, which points to the Simultaneous Access setting of the account.

What I found interesting is that they were able to continue using the account even after the credit had gone below zero dollars! I don't know what made them stop, but the credit was around -11 dollars when I realized there was something wrong with the account, and that was around 24 hours after their last call.

I have attached a CDR from my A2Billing which shows all the calls they made.

Attachment: North Korea.JPG


Since nobody appeared interested in having access to my system to find out how they do it, I made some changes but haven't stopped anything, as I would like to understand how they can do this. :D

Who knows, I might be able to figure out how they are making these fraud calls. :mrgreen:

If you have any suggestion in regard to the log or any setting which might be of your interest, please feel free to let me know. My offer is still there for having access to my TestBox while it appears that they are making these fraud calls.

Thanks,

Avestan


 Post subject: Re: fraud with SIP , a sophisticated hack to make free call.
PostPosted: Sun Sep 12, 2010 1:36 pm 

Joined: Tue Mar 17, 2009 4:00 pm
Posts: 153
Location: Where the sun shines
The fact that they can make calls beyond zero is a combination of simultaneous calls + the reservation mechanism of A2B.

A2B is not monitoring the calls while they happen. It tells * how much time the call can last based on the remaining credit at call setup. It then updates the credit at the end of the call. So if you set up multiple concurrent calls while your credit is close to 0, before any of these calls is hung up, you will go negative.
Having a different design would be extremely costly & resource consuming.

But still, it does not explain HOW the "hacker" got hold of your password.... That is what I would be concerned about. Did you check the Asterisk log to see if someone has scanned your system?
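The authorise-at-setup, debit-at-hangup behaviour described in the reply above is easy to see in a small model. The script below is an added example, not A2Billing's code: `setup_no_reservation` follows the thread's description (each call is authorised for the whole remaining balance and nothing is held while it runs), while `setup_reserving` is an assumed hardened variant that holds the authorised amount per live call and enforces a simultaneous-call cap, so concurrent calls share one balance. The account values, rate and call counts are constructed.

```python
"""Why concurrent calls can drive a prepaid balance negative, and a reservation fix.

Added example, not A2Billing's code. Models the behaviour described in the thread:
the switch is told at setup how long a call may last based on the remaining credit,
and the balance is only debited at hangup. The reserving variant is an assumption.
"""
from dataclasses import dataclass


@dataclass
class Account:
    credit: float            # balance as stored in the billing database
    reserved: float = 0.0    # credit held by calls still in progress (hardened path only)
    active_calls: int = 0
    max_simultaneous: int = 1


class SetupDenied(Exception):
    pass


def setup_no_reservation(acct, rate_per_min):
    """As described in the thread: authorise on remaining credit, hold nothing."""
    if acct.credit <= 0:
        raise SetupDenied("no credit")
    acct.active_calls += 1
    return acct.credit / rate_per_min, 0.0      # (max minutes, amount held)


def setup_reserving(acct, rate_per_min):
    """Hardened variant (assumed): cap concurrency and hold what this call may consume."""
    if acct.active_calls >= acct.max_simultaneous:
        raise SetupDenied("simultaneous call limit reached")
    available = acct.credit - acct.reserved
    if available <= 0:
        raise SetupDenied("no unreserved credit")
    acct.reserved += available
    acct.active_calls += 1
    return available / rate_per_min, available


def hangup(acct, rate_per_min, minutes, held):
    """Debit the real cost and release whatever was held at setup."""
    acct.credit -= rate_per_min * minutes
    acct.reserved -= held
    acct.active_calls -= 1


def run_scenario(reserving, concurrent=5, credit=6.0, rate_per_min=1.0):
    """Attempt `concurrent` calls at once; every admitted call then runs for the full
    time it was authorised for (the worst case). Returns (final credit, calls denied)."""
    acct = Account(credit=credit, max_simultaneous=concurrent)
    setup = setup_reserving if reserving else setup_no_reservation
    live, denied = [], 0
    for _ in range(concurrent):
        try:
            live.append(setup(acct, rate_per_min))
        except SetupDenied:
            denied += 1
    for max_minutes, held in live:
        hangup(acct, rate_per_min, max_minutes, held)
    return round(acct.credit, 2), denied


if __name__ == "__main__":
    print("no reservation:", run_scenario(False))   # five calls admitted, balance -24.0
    print("reserving:     ", run_scenario(True))    # one call admitted, balance 0.0
```

With a 6.00 balance at 1.00 per minute, five simultaneous calls each get authorised for six minutes in the no-reservation model and the balance ends 24.00 below zero, which is the pattern reported two posts up (32 minutes of calls in two minutes, balance ending around -11). Holding the authorised amount per live call admits only the first call and the balance never goes below zero; limiting simultaneous access to one call, as suggested earlier in the thread, reaches the same result by a different route.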


 Post subject: Re: fraud with SIP , a sophisticated hack to make free call.
PostPosted: Sun Sep 12, 2010 3:34 pm 

Joined: Mon Mar 15, 2010 4:43 pm
Posts: 19
Hello cerien,

You are spot on. I was also puzzled whether someone had got hold of the account password. After checking the Asterisk log I was amazed at how many times the Asterisk box was attacked even before this time that they managed to get through. Here is a small section of the Asterisk log file:

Attachment: Asterisk Log File.JPG


Here is the list of IP addresses which carried out brute force SIP registration attacks, as shown above:

64.71.145.237
41.223.224.5
211.239.92.203
213.171.206.33
68.168.208.116
68.58.177.148
174.143.159.240
87.118.82.79
83.137.48.60
80.82.119.245
85.214.132.188
64.131.90.62
59.152.224.51
62.168.59.67
85.153.28.17
83.169.6.14
174.133.3.178
61.14.189.132
210.89.62.13
94.23.196.141
212.138.82.29
209.59.3.217
209.222.4.67
78.24.4.154
211.232.57.180
216.54.161.104
69.15.32.22
183.110.185.136
201.134.229.73
218.30.5.19
67.23.126.170
41.196.155.93
74.208.225.251
70.38.54.212
70.38.12.13
109.74.1.168

If I am not mistaken, during 2005 brute force attacks on the ssh (secure shell) service became pretty popular, and most probably this is an adapted version of it for SIP registration.

I guess the approach for stopping such attacks is BLOCKING the IP address after a limited number of tries and failures to register. I don't recall A2Billing being equipped with such a thing, but I am sure this is doable with a bit of scripting.

Here is the link to what I have in mind in order to stop these attacks:

http://www.teamforrest.com/blog/171/asterisk-no-matching-peer-found-block/

Any thoughts on that one? :)

As I was searching online on the same issue, I came across the following which I thought might be of your interest:

http://www.voiptechchat.com/voip/457/amazon-ec2-sip-brute-force-attacks-on-rise/

Avestan
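The blocking approach described in the post above (count failed registrations per source IP and block once a threshold is crossed) is the same logic an OSSEC or fail2ban rule applies, and it fits in a few dozen lines. The script below is an added example, not the poster's script, not A2Billing's or Asterisk's code, and not the contents of the linked blog post. It assumes the chan_sip NOTICE line format that Asterisk 1.4/1.6 write for failed REGISTERs (`Registration from '...' failed for '<ip>' - No matching peer found` / `- Wrong password`), keeps a sliding window per IP, and renders firewall rules as text for an operator to review rather than applying them. The log lines and addresses are constructed.

```python
"""Count failed SIP registrations per source IP and propose blocks past a threshold.

Added example, not A2Billing's or Asterisk's code. The chan_sip NOTICE format is an
assumption about Asterisk 1.4/1.6 logs; the sample lines below are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

FAIL_RE = re.compile(
    r"^\[(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d)\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '(?P<from>[^']*)' failed for '(?P<ip>[\d.]+)(?::\d+)?' - (?P<reason>.+)$"
)


def _line(ts, user, ip, reason):
    """Build one constructed log line in the assumed chan_sip format."""
    return (f"[{ts:%b %d %H:%M:%S}] NOTICE[2140] chan_sip.c: Registration from "
            f"'\"{user}\" <sip:{user}@192.0.2.1>' failed for '{ip}' - {reason}")


_T0 = datetime(2010, 9, 11, 3, 12, 0)
# A scanner walking extension numbers every 3 s, plus one user mistyping a password twice.
SAMPLE_LOG = [_line(_T0 + timedelta(seconds=3 * i), str(100 + i), "203.0.113.7",
                    "No matching peer found") for i in range(8)]
SAMPLE_LOG += [_line(_T0 + timedelta(minutes=5), "alice", "198.51.100.20", "Wrong password"),
               _line(_T0 + timedelta(minutes=7), "alice", "198.51.100.20", "Wrong password")]


def parse_failures(lines, year=2010):
    """Yield (timestamp, source ip, reason) for each failed-registration line."""
    for line in lines:
        m = FAIL_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"], m["reason"].strip()


def offenders(lines, threshold=5, window=timedelta(minutes=10)):
    """IPs with at least `threshold` failures inside any `window`, with a summary each."""
    events = defaultdict(list)
    for ts, ip, reason in parse_failures(lines):
        events[ip].append((ts, reason))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1          # slide the window forward
            if end - start + 1 >= threshold:
                flagged[ip] = {"count": len(evs), "first": evs[0][0], "last": evs[-1][0],
                               "reasons": sorted({r for _, r in evs})}
                break
    return flagged


def block_rules(flagged):
    """Render iptables rules as text for an operator to review; nothing is executed."""
    return [f"iptables -I INPUT -s {ip} -p udp --dport 5060 -j DROP" for ip in sorted(flagged)]


if __name__ == "__main__":
    hits = offenders(SAMPLE_LOG)
    for ip, info in hits.items():
        print(f"{ip}: {info['count']} failures {info['first']:%H:%M:%S}-{info['last']:%H:%M:%S}"
              f" {info['reasons']}")
    print("\n".join(block_rules(hits)))
```

The window and threshold are the knobs to tune: a scanner produces many "No matching peer found" failures for different usernames within seconds, while a legitimate user who mistypes a password a couple of times should stay under the threshold. Keep the rules reviewable (or expire them after a time) so that a customer behind a shared NAT address is not locked out permanently by one misconfigured phone.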

