Support A2Billing :

provided by Star2Billing S.L.

VoIP Billing solution


All times are UTC




 Post subject: Re: fraud with SIP , a sophisticated hack to make free call.
Posted: Sun Sep 12, 2010 9:17 pm

Joined: Fri Apr 16, 2010 4:22 pm
Posts: 7
Doesn't anyone use fail2ban anymore? I use it to block ssh and sip failures. The program will email you the network and the abuse contact email the attack is coming from.

I used to get one brute force attack every 6 months; now I get about 5 a week. I think hackers are registering with a2billing to get the sip gateway ip, then trying the brute force attack.


 Post subject: Re: fraud with SIP , a sophisticated hack to make free call.
Posted: Mon Sep 13, 2010 12:53 am

Joined: Tue Mar 17, 2009 4:00 pm
Posts: 153
Location: Where the sun shines
- install fail2ban
- have customized iptables filters
- buy a sip firewall

googling this will point you in the right direction....


remember that reading the log is the foundation of system security

j.


 Post subject: Re: fraud with SIP , a sophisticated hack to make free call.
Posted: Mon Sep 13, 2010 12:55 am

Joined: Tue Mar 17, 2009 4:00 pm
Posts: 153
Location: Where the sun shines
adadekd wrote:
Doesn't anyone use fail2ban anymore? I use it to block ssh and sip failures. The program will email you the network and the abuse contact email the attack is coming from.

I used to get one brute force attack every 6 months; now I get about 5 a week. I think hackers are registering with a2billing to get the sip gateway ip, then trying the brute force attack.


f2b will do a bit more... it will automatically ban the ip generating more than x error messages. it needs to be correctly configured, and each time you see something strange in the log, you need to update the filters so it captures this as well

for f2b to run efficiently, you need to have gamin/fam installed, and rotate your logs regularly


 Post subject: Re: fraud with SIP , a sophisticated hack to make free call.
Posted: Mon Sep 13, 2010 9:21 am

Joined: Fri Jun 23, 2006 3:56 pm
Posts: 4065
Hi

On our commercial installs, we use OSSEC to block brute force attacks which is pretty effective. It is similar to Fail2Ban

However, I suspect your fraud is different from the ones above in this thread. I think yours is a password crack, whereas the others are from a registered customer who is using a transfer to bypass A2Billing, which can be stopped by including "i" in the dial command parameter.

The difference with the former is that all the calls show a very small duration, but you still get charged by the carrier. I suspect that your best course of action is to install OSSEC/Fail2ban, and change your secret.

Joe


 Post subject: Re: fraud with SIP , a sophisticated hack to make free call.
Posted: Tue Sep 14, 2010 12:36 pm

Joined: Mon Mar 15, 2010 4:43 pm
Posts: 19
Hello everyone,

I am starting to get the feeling that I am getting to the bottom of this. :) I was puzzled how they would distinguish between a valid and invalid username! It appears that Asterisk SIP responses expose valid usernames in some versions. I think the following link sheds some light on this question:

http://www.securiteam.com/unixfocus/5FP011PQUQ.html

and I am running Asterisk 1.4.23 on the testbox.

I think once they know a valid username, the hack is going to be just a matter of running a loop to check for the password, and it is just a matter of time to crack it.

The bottom line is that we have to block brute force attacks, and I am going to look into some of the solutions suggested here.

Thanks very much for all your inputs

Avestan :D
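The ban-after-x-failures rule and the username probing discussed in the posts above, as an added example that is not part of the original posts and is not fail2ban's or OSSEC's own code. The log line layout, the thresholds, the sample lines and the function name `find_offenders` are assumptions made for this illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines, modelled on chan_sip registration-failure notices.
SAMPLE_LOG = """\
[Sep 14 12:30:01] NOTICE[2101] chan_sip.c: Registration from '"1001" <sip:1001@192.0.2.10>' failed for '198.51.100.23' - No matching peer found
[Sep 14 12:30:02] NOTICE[2101] chan_sip.c: Registration from '"1002" <sip:1002@192.0.2.10>' failed for '198.51.100.23' - No matching peer found
[Sep 14 12:30:03] NOTICE[2101] chan_sip.c: Registration from '"1003" <sip:1003@192.0.2.10>' failed for '198.51.100.23' - Wrong password
[Sep 14 12:30:04] NOTICE[2101] chan_sip.c: Registration from '"1003" <sip:1003@192.0.2.10>' failed for '198.51.100.23' - Wrong password
[Sep 14 12:30:05] NOTICE[2101] chan_sip.c: Registration from '"1003" <sip:1003@192.0.2.10>' failed for '198.51.100.23' - Wrong password
[Sep 14 12:45:00] NOTICE[2101] chan_sip.c: Registration from '"2001" <sip:2001@192.0.2.10>' failed for '203.0.113.7' - Wrong password
"""

# Assumed line layout; adjust the pattern to what your own log actually shows.
LINE_RE = re.compile(
    r"^\[(?P<ts>\w{3} +\d+ [\d:]{8})\] NOTICE\[\d+\] chan_sip\.c: Registration "
    r"from '(?P<frm>.*)' failed for '(?P<ip>[\d.]+)(?::\d+)?' - (?P<reason>.+)$")
USER_RE = re.compile(r"sip:([^@>]+)@")

def find_offenders(log_text, max_retry=5, find_time=timedelta(minutes=10), year=2010):
    """Return {ip: summary} for every IP with at least max_retry failed
    registrations inside one find_time window (the log lines carry no year)."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue  # not a registration failure; a real filter must cover more
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        user = USER_RE.search(m["frm"])
        events[m["ip"]].append((ts, user.group(1) if user else "?", m["reason"]))
    offenders = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # slide the window start forward until it spans at most find_time
            while evs[end][0] - evs[start][0] > find_time:
                start += 1
            if end - start + 1 >= max_retry:
                offenders[ip] = {
                    "failures": len(evs),
                    # many distinct usernames = account scan; one = password guessing
                    "users": {u for _, u, _ in evs},
                    "reasons": {r for _, _, r in evs},
                }
                break
    return offenders
```
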


 Post subject: Re: fraud with SIP , a sophisticated hack to make free call.
Posted: Tue Sep 14, 2010 12:55 pm

Joined: Fri Jun 23, 2006 3:56 pm
Posts: 4065
Hi

OSSEC or Fail2Ban is the answer; personally, I prefer OSSEC. It's an easy install from source with its own install script.

You could also use the permit and deny directives to restrict access from certain IP addresses as a short term measure.

Joe


 Post subject: Re: fraud with SIP , a sophisticated hack to make free call.
Posted: Wed Sep 15, 2010 7:31 pm

Joined: Mon Mar 15, 2010 4:43 pm
Posts: 19
Hello jroper,

I agree with you that the fraud calls were made in a different way than the reason this thread was originally opened. But I thought they both can be security measures which need to be taken by the Asterisk/A2Billing users.

Could you also shed some light on "including 'i' in the dial command parameter", when you said:

Quote:
..., whereas the others are from a registered customer who is using a transfer to bypass A2Billing, which can be stopped by including "i" in the dial command parameter.


If I am not mistaken you are referring to:

http://www.voip-info.org/wiki/view/Asterisk+i+extension

but I don't see how it could stop the fraud call on "jimmy888" system. :?

Thanks,

Avestan :)


 Post subject: Re: fraud with SIP , a sophisticated hack to make free call.
Posted: Wed Sep 15, 2010 7:53 pm

Joined: Fri Jun 23, 2006 3:56 pm
Posts: 4065
You are mistaken

http://www.voip-info.org/wiki/view/Asterisk+cmd+Dial


 Post subject: Re: fraud with SIP , a sophisticated hack to make free call.
Posted: Wed Sep 15, 2010 9:02 pm

Joined: Tue Mar 17, 2009 4:00 pm
Posts: 153
Location: Where the sun shines
jroper wrote:
... from a registered customer who is using a transfer to bypass A2Billing, which can be stopped by including "i" in the dial command parameter.


Joe, could you elaborate on this ?

is it a situation where a customer establishes a call to a free destination, through A2B, and then issues a transfer to another destination, which is not then trapped and controlled by A2B? the "i" you're indicating needs to be added in the agi-conf command?


thanks for the feedback,

J.


 Post subject: Re: fraud with SIP , a sophisticated hack to make free call.
Posted: Sun Feb 27, 2011 9:50 am

Joined: Sun Aug 17, 2008 1:52 pm
Posts: 93
we are getting attacks every day, you need to install fail2ban on asterisk to block them.

cheers


 Post subject: Re: fraud with SIP , a sophisticated hack to make free call.
Posted: Sun Jun 12, 2011 10:01 am

Joined: Wed Sep 15, 2010 9:09 am
Posts: 96
xstrafer wrote:
same problem here.
a user had made a lot of calls to Somalia, and in the a2billing reports the calls are of 00:00 or 00:01 seconds. But the sip provider showed the same calls with 1-25-15 minutes duration.

is there a workaround with this problem?

Quote:
I know that system, the only solution for this is to not allow simultaneous calls for new customers.

all users on the system are with individual access, no simultaneous calls allowed.


Hi all,
I have the same problem. A user, a hacker, has made some calls, but in the log A2B reports the calls as 00:00 or 00:01 seconds. But my wholesale VoIP provider shows the calls as 10-20 minutes.

In my system, all users are individual access.
Please check this issue.
Thanks in advance for all the help!
Ryan.
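The symptom reported above (local CDRs of 0 to 1 seconds against carrier CDRs of many minutes) can be caught by reconciling the two record sets. This is an added example, not part of the original posts and not A2Billing code; the record layout, the sample numbers and durations, and the names `reconcile`, `skew` and `tolerance` are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample records: (call start, dialed number, billed seconds).
A2B_CDRS = [
    ("2011-06-12 09:00:05", "95000000001", 1),
    ("2011-06-12 09:20:10", "95000000002", 0),
    ("2011-06-12 10:00:00", "441632960000", 180),
]
CARRIER_CDRS = [
    ("2011-06-12 09:00:07", "95000000001", 615),
    ("2011-06-12 09:20:11", "95000000002", 1190),
    ("2011-06-12 10:00:02", "441632960000", 182),
    ("2011-06-12 11:00:00", "39000000003", 900),
]

def _parse(rows):
    fmt = "%Y-%m-%d %H:%M:%S"
    return [(datetime.strptime(t, fmt), num, int(sec)) for t, num, sec in rows]

def reconcile(local_rows, carrier_rows, skew=timedelta(seconds=30), tolerance=10):
    """Pair each carrier CDR with the unused local CDR for the same number whose
    start time is closest (within skew). Report carrier calls that ran more than
    tolerance seconds longer than the local record, or that have no local record.
    Each finding is (number, local_seconds, carrier_seconds, reason)."""
    local = _parse(local_rows)
    used = set()
    findings = []
    for c_start, c_num, c_sec in _parse(carrier_rows):
        best = None  # (index, time gap, local seconds)
        for i, (l_start, l_num, l_sec) in enumerate(local):
            if i in used or l_num != c_num:
                continue
            gap = abs(c_start - l_start)
            if gap <= skew and (best is None or gap < best[1]):
                best = (i, gap, l_sec)
        if best is None:
            findings.append((c_num, None, c_sec, "no local CDR"))
            continue
        used.add(best[0])
        if c_sec - best[2] > tolerance:
            findings.append((c_num, best[2], c_sec, "duration mismatch"))
    return findings
```
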


 Post subject: Re: fraud with SIP , a sophisticated hack to make free call.
Posted: Sun Jun 12, 2011 10:04 am

Joined: Sun Aug 17, 2008 1:52 pm
Posts: 93
you need to block for the prefixes they make these calls to a dummy trunk,

here is what I have discovered so far, please paste your call records and perhaps we can complete a better black list.

Regards

Code:
ascension   247
austria - special services   43820
austria - special services   43810
austria - special services   43780
austria - special services   43740
austria - special services   43730
austria - special services   43720
austria - special services   43711
bulgaria - mobile maxtel   35999
dr of congo - mobile others   24396
dr of congo - mobile others   24395
dr of congo - mobile others   24394
dr of congo - mobile others   24393
dr of congo - mobile others   24392
dr of congo - mobile others   24391
dr of congo - mobile others   24390
dr of congo - mobile others   24389
dr of congo - mobile others   24387
dr of congo - mobile others   24386
dr of congo - mobile others   24385
dr of congo - mobile others   24384
dr of congo - mobile others   24378
dr of congo - mobile others   24373
dr of congo - special services   24343
dr of congo - special services   24342
dummy   2
dummy   7
dummy   1
dummy   3
dummy   4
dummy   6
dummy   5
dummy   7
dummy   8
dummy   8
dummy   9
estonia - special services   37270
falklands   500
inmarsat aero snac   8705
inmarsat b (snac) except pacific   87038
inmarsat b (snac) except pacific   87037
inmarsat b (snac) except pacific   87036
inmarsat b (snac) except pacific   87035
inmarsat b (snac) except pacific   87034
inmarsat b (snac) except pacific   87033
inmarsat b (snac) except pacific   87032
inmarsat b (snac) except pacific   87031
inmarsat b (snac) except pacific   87030
inmarsat bgan hsd snac   87078
inmarsat bgan snac   87077
inmarsat hsd snac except pacific   87039
inmarsat m (snac) except pacific   87069
inmarsat m (snac) except pacific   87068
inmarsat m (snac) except pacific   87067
inmarsat m (snac) except pacific   87066
inmarsat m (snac) except pacific   87065
inmarsat m (snac) except pacific   87064
inmarsat m (snac) except pacific   87063
inmarsat m (snac) except pacific   87062
inmarsat m (snac) except pacific   87061
inmarsat m4 snac   87060
inmarsat mini-m (snac) except pacific   87076
italy - special services   398
italy - special services   390
ivory coast - special services   22590409
ivory coast - special services   2252170
latvia - fixed   3719
latvia - mobility services   371810
latvia - mobility services   37168504
latvia - mobility services   37165159
latvia - mobility services   37165158
latvia - mobility services   37165153
latvia - mobility services   3712900
liechtenstein - fixed   423
liechtenstein - special services   42387
lithuania - special services   370910
romania - special services rodasy   40900010
romania - special services rodasy   40906010
sao tome and principe - others   2392
sierra leone - fixed   232
sierra leone - mobile   23225
sierra leone - mobile   23230
sierra leone - mobile   23233
sierra leone - mobile   23244
sierra leone - mobile   23255
sierra leone - mobile   23256
sierra leone - mobile   23276
sierra leone - mobile   23277
sierra leone - mobile   23278
sierra leone - mobile   23288
slovenia - mobile ipko   386430
slovenia - mobile ipko   386431
slovenia - mobile ipko   386432
slovenia - mobile ipko   386433
slovenia - mobile ipko   386434
slovenia - mobile ipko   386435
slovenia - mobile ipko   386437
slovenia - mobile ipko   386438
slovenia - mobile ipko   386439
slovenia - mobile ipko   38649
solomon islands - fixed   677
solomon islands - mobile   67774
solomon islands - mobile   677750
somalia - fixed hormuud   25243
somalia - mobility services   252609
spain - special services   3451
st helena   290
switzerland - mobile others   4174
switzerland - mobile others   417698
switzerland - mobile others   417699
switzerland - mobile others   41777
switzerland - mobile others   4179977
switzerland - mobile others   4179978
switzerland - mobile others   4179979
switzerland - mobile others   418607698
switzerland - mobile others   418607699
switzerland - mobile others   41860777
switzerland - mobile others   4186079977
switzerland - mobile others   4186079978
switzerland - mobile others   4186079979
zimbabwe - mobile econet   26391



 Post subject: Re: fraud with SIP , a sophisticated hack to make free call.
Posted: Sun Jun 12, 2011 2:23 pm

Joined: Wed Sep 15, 2010 9:09 am
Posts: 96
hellbound wrote:
you need to block for the prefixes they make these calls to a dummy trunk,

here is what I have discovered so far, please paste your call records and perhaps we can complete a better black list.

Regards


Thank you for your reply,
I have a small question. How do I block these prefixes in the A2Billing rate card? I added a rate for Myanmar with prefix 95xxxxxxx, so all calls to Myanmar can pass through A2Billing.

In my case, these numbers that they make these calls to a dummy trunk are:
Code:
Myanmar - 9552580657
Myanmar - 9552580694
Myanmar - 9552580658
Myanmar - 9552580656

Italy - 393276874424


Thanks in advance for all the help!
Best regards,
Ryan.


 Post subject: Re: fraud with SIP , a sophisticated hack to make free call.
Posted: Sun Jun 12, 2011 2:35 pm

Joined: Sun Aug 17, 2008 1:52 pm
Posts: 93
ryan_mu wrote:
hellbound wrote:
you need to block for the prefixes they make these calls to a dummy trunk,

here is what I have discovered so far, please paste your call records and perhaps we can complete a better black list.

Regards


Thank you for your reply,
I have a small question. How do I block these prefixes in the A2Billing rate card? I added a rate for Myanmar with prefix 95xxxxxxx, so all calls to Myanmar can pass through A2Billing.

In my case, these numbers that they make these calls to a dummy trunk are:
Code:
Myanmar - 9552580657
Myanmar - 9552580694
Myanmar - 9552580658
Myanmar - 9552580656

Italy - 393276874424


Thanks in advance for all the help!
Best regards,
Ryan.



1. create a dummy trunk with a dummy ip without failover
2. add these prefixes to that.
but yours is a little odd to crack, most of the attacks on my servers were to non-existent providers or numbers from which a backbone provider would somehow benefit

in your case, according to https://www.numberingplans.com/?page=pl ... ent_page=9
the number 95-52-58XXXX falls in no city

the nearest valid city is 95-52-50XXXX and 95-52-58XXXX

it's a little difficult job to crack but we need the full list of numbering plan from https://www.numberingplans.com/?page=pl ... ent_page=9

to create a list of world's valid prefixes and take out everything else.

Cheers
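How a more specific blocked prefix can coexist with a general rate such as 95, as an added example that is not part of the original posts and is not A2Billing code. It assumes longest-prefix route selection, which the thread does not confirm for A2Billing's rate card; the trunk names, the table `ROUTES` and the function names are hypothetical.

```python
# Constructed routing table (prefix -> trunk). "dummy" is the dead-end trunk from
# the steps above; prefixes marked "thread" come from this page, the rest are made up.
ROUTES = {
    "95": "carrier-a",        # thread: general Myanmar rate
    "955258": "dummy",        # thread: 95-52-58XXXX range
    "25243": "dummy",         # thread: posted list
    "252609": "dummy",        # thread: posted list
    "8705": "dummy",          # thread: posted list
    "2526091": "carrier-b",   # constructed: a later, more specific rate
    "44": "carrier-a",        # constructed: ordinary route
}

def normalize(dialed):
    """Strip a leading "+" or "00" and any separators, leaving digits only."""
    s = dialed.strip()
    if s.startswith("+"):
        s = s[1:]
    elif s.startswith("00"):
        s = s[2:]
    return "".join(ch for ch in s if ch.isdigit())

def select_trunk(dialed, routes=ROUTES):
    """Longest-prefix match. Returns (trunk, prefix), or (None, None) when
    nothing matches so that unlisted destinations can be refused."""
    number = normalize(dialed)
    for length in range(len(number), 0, -1):
        trunk = routes.get(number[:length])
        if trunk is not None:
            return trunk, number[:length]
    return None, None

def shadowed_blocks(routes=ROUTES, block="dummy"):
    """List (blocked_prefix, overriding_prefix) pairs where a longer,
    non-blocked prefix would win the match and let calls through."""
    blocked = [p for p, t in routes.items() if t == block]
    return sorted((b, p) for b in blocked for p, t in routes.items()
                  if t != block and len(p) > len(b) and p.startswith(b))
```

Running `shadowed_blocks()` after every rate card change shows whether a newly added rate has reopened a blocked range.
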


 Post subject: Re: fraud with SIP , a sophisticated hack to make free call.
Posted: Sun Jun 12, 2011 3:48 pm

Joined: Wed Sep 15, 2010 9:09 am
Posts: 96
hellbound wrote:
1. create a dummy trunk with a dummy ip without failover
2. add these prefixes to that.

Thank you for your reply,
I can create a dummy trunk but IP without failover. So it is difficult to have a dummy IP without fail-over. Can you suggest an example of a dummy IP without fail-over?

Thanks in advance for all the help!
Best regards,
Ryan.

