asterisk2billing.org
http://forum.asterisk2billing.org/

fraud with SIP , a sophisticated hack to make free call.
http://forum.asterisk2billing.org/viewtopic.php?f=22&t=7785
Page 1 of 3

Author:  jimmy888 [ Sat Jun 12, 2010 3:28 am ]
Post subject:  fraud with SIP , a sophisticated hack to make free call.

Dear Sir:
In recent days, there has been a fraud with my system. I noticed somebody was using my system to call North Korea and Somalia, creating $200 of free calls out of my system. I did a log analysis for one of the successful calls and found that after the initial INVITE there is an immediate BYE, but obviously the call didn't really terminate. My a2billing didn't even register the call, but the call really lasted 17 minutes. After 17 minutes I see the real BYE, and the call terminated. So my wholesale provider charged me for 17 minutes, but my a2billing didn't even register the call. Thus the hacker made the call for free.
Does anybody know why this can happen ? How to fix this issue with a2billing ?

Jimmy


Jun 10 10:57:49 server1 /usr/sbin/opensips[7441]: New request - M=INVITE RURI=sip:[email protected] F=sip:[email protected] T=sip:[email protected] IP=95.246.215.97 [email protected]
Jun 10 10:57:49 server1 /usr/sbin/opensips[7441]: load_balance - M=INVITE RURI=sip:[email protected] F=sip:[email protected] T=sip:[email protected] IP=95.246.215.97 [email protected] U=8407055028
Jun 10 10:57:49 server1 /usr/sbin/opensips[7441]: After dispatch - M=INVITE RURI=sip:[email protected] F=sip:[email protected] T=sip:[email protected] IP=95.246.215.97 [email protected] retcode=1
Jun 10 10:57:49 server1 /usr/sbin/opensips[7440]: Reply - S=100 D=Trying F=sip:[email protected] T=sip:[email protected] IP=89.103.211.147 [email protected] R=<null>
Jun 10 10:57:50 server1 /usr/sbin/opensips[7439]: Reply - S=200 D=OK F=sip:[email protected] T=sip:[email protected]ine.com IP=89.103.211.147 [email protected] R=<null>
Jun 10 10:57:51 server1 /usr/sbin/opensips[7442]: New request - M=ACK RURI=sip:[email protected] F=sip:[email protected] T=sip:[email protected] IP=95.246.215.97 [email protected]
Jun 10 10:58:02 server1 /usr/sbin/opensips[7441]: New request - M=INVITE RURI=sip:[email protected] F=sip:[email protected] T=sip:[email protected] IP=95.246.215.97 [email protected]
Jun 10 10:58:02 server1 /usr/sbin/opensips[7441]: load_balance - M=INVITE RURI=sip:[email protected] F=sip:[email protected] T=sip:[email protected] IP=95.246.215.97 [email protected] U=8407055028
Jun 10 10:58:02 server1 /usr/sbin/opensips[7441]: After dispatch - M=INVITE RURI=sip:[email protected] F=sip:[email protected] T=sip:[email protected] IP=95.246.215.97 [email protected] retcode=4294967295
Jun 10 10:58:02 server1 /usr/sbin/opensips[7438]: Reply - S=100 D=Trying F=sip:[email protected] T=sip:[email protected] IP=89.103.211.147 [email protected] R=<null>
Jun 10 10:58:02 server1 /usr/sbin/opensips[7441]: Reply - S=200 D=OK F=sip:[email protected] T=sip:[email protected] IP=89.103.211.147 [email protected] R=<null>
Jun 10 10:58:03 server1 /usr/sbin/opensips[7443]: New request - M=ACK RURI=sip:[email protected] F=sip:[email protected] T=sip:[email protected] IP=95.246.215.97 [email protected]
Jun 10 10:58:03 server1 /usr/sbin/opensips[7442]: New request - M=INVITE RURI=sip:[email protected]:9024 F=sip:[email protected] T=sip:[email protected] IP=89.103.211.147 [email protected]
Jun 10 10:58:03 server1 /usr/sbin/opensips[7442]: Reply - S=200 D=OK F=sip:[email protected] T=sip:[email protected] IP=95.246.215.97 [email protected] R=<null>
Jun 10 10:58:04 server1 /usr/sbin/opensips[7443]: New request - M=ACK RURI=sip:[email protected]:9024 F=sip:[email protected] T=sip:[email protected] IP=89.103.211.147 [email protected]
Jun 10 10:58:04 server1 /usr/sbin/opensips[7439]: Reply - S=200 D=OK F=sip:[email protected] T=sip:[email protected] IP=95.246.215.97 [email protected] R=<null>
Jun 10 10:58:04 server1 /usr/sbin/opensips[7441]: New request - M=ACK RURI=sip:[email protected]:9024 F=sip:[email protected] T=sip:[email protected] IP=89.103.211.147 [email protected]
Jun 10 10:58:05 server1 /usr/sbin/opensips[7439]: Reply - S=200 D=OK F=sip:[email protected] T=sip:[email protected] IP=95.246.215.97 [email protected] R=<null>
Jun 10 10:58:05 server1 /usr/sbin/opensips[7443]: New request - M=ACK RURI=sip:[email protected]:9024 F=sip:[email protected] T=sip:[email protected] IP=89.103.211.147 [email protected]
Jun 10 10:58:07 server1 /usr/sbin/opensips[7441]: Reply - S=200 D=OK F=sip:[email protected] T=sip:[email protected] IP=95.246.215.97 [email protected] R=<null>
Jun 10 10:58:07 server1 /usr/sbin/opensips[7440]: New request - M=ACK RURI=sip:[email protected]:9024 F=sip:[email protected] T=sip:[email protected] IP=89.103.211.147 [email protected]
Jun 10 10:58:15 server1 /usr/sbin/opensips[7441]: New request - M=INVITE RURI=sip:[email protected] F=sip:[email protected] T=sip:[email protected] IP=95.246.215.97 [email protected]
Jun 10 10:58:15 server1 /usr/sbin/opensips[7441]: load_balance - M=INVITE RURI=sip:[email protected] F=sip:[email protected] T=sip:[email protected] IP=95.246.215.97 [email protected] U=8407055028
Jun 10 10:58:15 server1 /usr/sbin/opensips[7441]: After dispatch - M=INVITE RURI=sip:[email protected] F=sip:[email protected] T=sip:[email protected] IP=95.246.215.97 [email protected] retcode=4294967295
Jun 10 10:58:15 server1 /usr/sbin/opensips[7438]: Reply - S=100 D=Trying F=sip:[email protected] T=sip:[email protected] IP=89.103.211.147 [email protected] R=<null>
Jun 10 10:58:16 server1 /usr/sbin/opensips[7440]: Reply - S=200 D=OK F=sip:[email protected] T=sip:[email protected] IP=89.103.211.147 [email protected] R=<null>
Jun 10 10:58:16 server1 /usr/sbin/opensips[7439]: New request - M=ACK RURI=sip:[email protected] F=sip:[email protected] T=sip:[email protected] IP=95.246.215.97 [email protected]
Jun 10 10:58:42 server1 /usr/sbin/opensips[7443]: New request - M=INVITE RURI=sip:[email protected] F=sip:[email protected] T=sip:[email protected] IP=95.246.215.97 [email protected]
Jun 10 10:58:42 server1 /usr/sbin/opensips[7443]: load_balance - M=INVITE RURI=sip:[email protected] F=sip:[email protected] T=sip:[email protected] IP=95.246.215.97 [email protected] U=8407055028
Jun 10 10:58:42 server1 /usr/sbin/opensips[7443]: After dispatch - M=INVITE RURI=sip:[email protected] F=sip:[email protected] T=sip:[email protected] IP=95.246.215.97 [email protected] retcode=4294967295
Jun 10 10:58:42 server1 /usr/sbin/opensips[7439]: Reply - S=100 D=Trying F=sip:[email protected] T=sip:[email protected] IP=89.103.211.147 [email protected] R=<null>
Jun 10 10:58:42 server1 /usr/sbin/opensips[7439]: Reply - S=200 D=OK F=sip:[email protected] T=sip:[email protected] IP=89.103.211.147 [email protected] R=<null>
Jun 10 10:58:42 server1 /usr/sbin/opensips[7438]: New request - M=ACK RURI=sip:[email protected] F=sip:[email protected] T=sip:[email protected] IP=95.246.215.97 [email protected]
Jun 10 11:00:11 server1 /usr/sbin/opensips[7442]: New request - M=INVITE RURI=sip:[email protected] F=sip:[email protected] T=sip:[email protected] IP=95.246.215.97 [email protected]
Jun 10 11:00:12 server1 /usr/sbin/opensips[7442]: load_balance - M=INVITE RURI=sip:[email protected] F=sip:[email protected] T=sip:[email protected] IP=95.246.215.97 [email protected] U=8407055028
Jun 10 11:00:12 server1 /usr/sbin/opensips[7442]: After dispatch - M=INVITE RURI=sip:[email protected] F=sip:[email protected] T=sip:[email protected] IP=95.246.215.97 [email protected] retcode=4294967295
Jun 10 11:00:12 server1 /usr/sbin/opensips[7443]: Reply - S=100 D=Trying F=sip:[email protected] T=sip:[email protected] IP=89.103.211.147 [email protected] R=<null>
Jun 10 11:00:12 server1 /usr/sbin/opensips[7443]: Reply - S=200 D=OK F=sip:[email protected] T=sip:[email protected]ine.com IP=89.103.211.147 [email protected] R=<null>
Jun 10 11:00:13 server1 /usr/sbin/opensips[7443]: New request - M=ACK RURI=sip:[email protected] F=sip:[email protected] T=sip:[email protected] IP=95.246.215.97 [email protected]
Jun 10 11:00:15 server1 /usr/sbin/opensips[7443]: New request - M=INVITE RURI=sip:[email protected] F=sip:[email protected] T=sip:[email protected] IP=95.246.215.97 [email protected]
Jun 10 11:00:15 server1 /usr/sbin/opensips[7443]: load_balance - M=INVITE RURI=sip:[email protected] F=sip:[email protected] T=sip:[email protected] IP=95.246.215.97 [email protected] U=8407055028
Jun 10 11:00:15 server1 /usr/sbin/opensips[7443]: After dispatch - M=INVITE RURI=sip:[email protected] F=sip:[email protected] T=sip:[email protected] IP=95.246.215.97 [email protected] retcode=4294967295
Jun 10 11:00:15 server1 /usr/sbin/opensips[7440]: Reply - S=100 D=Trying F=sip:[email protected] T=sip:[email protected] IP=89.103.211.147 [email protected] R=<null>
Jun 10 11:00:15 server1 /usr/sbin/opensips[7440]: Reply - S=200 D=OK F=sip:[email protected] T=sip:[email protected] IP=89.103.211.147 [email protected] R=<null>
Jun 10 11:00:15 server1 /usr/sbin/opensips[7443]: New request - M=ACK RURI=sip:[email protected] F=sip:[email protected] T=sip:[email protected] IP=95.246.215.97 [email protected]
Jun 10 11:00:16 server1 /usr/sbin/opensips[7438]: Reply - S=200 D=OK F=sip:[email protected] T=sip:[email protected] IP=89.103.211.147 [email protected] R=<null>
Jun 10 11:00:16 server1 /usr/sbin/opensips[7441]: New request - M=ACK RURI=sip:[email protected] F=sip:[email protected] T=sip:[email protected] IP=95.246.215.97 [email protected]
Jun 10 11:15:54 server1 /usr/sbin/opensips[7438]: New request - M=BYE RURI=sip:[email protected]:9024 F=sip:[email protected] T=sip:[email protected] IP=89.103.211.147 [email protected]
Jun 10 11:15:55 server1 /usr/sbin/opensips[7438]: New request - M=BYE RURI=sip:[email protected]:9024 F=sip:[email protected] T=sip:[email protected] IP=89.103.211.147 [email protected]
Jun 10 11:15:56 server1 /usr/sbin/opensips[7441]: New request - M=BYE RURI=sip:[email protected]:9024 F=sip:[email protected] T=sip:[email protected] IP=89.103.211.147 [email protected]

Author:  datumaster [ Fri Jun 18, 2010 9:57 pm ]
Post subject:  Re: fraud with SIP , a sophisticated hack to make free call.

I have the same problem with a2billing 1.7. Someone created 3 different accounts within a few hours on June 11, then paid 5 Euro using PayPal to each account to be able to place a call. Then several calls were made to free call numbers in the USA, followed by numbers in North Korea. The call in my log lasts only a few seconds and my wholesaler charged several minutes. One of the tricksters even sent a customer ticket asking for multiline access. I had to block PayPal payments for now so they cannot place an initial balance. Does anyone have a solution? This seems to be a serious thing.

Joerg


4. 2010-06-11 19:46:17 7015120959 0085099922379 85099922379 North Korea 0.000 EUR 0.000 EUR 00:07 7015120959 terrasip ANSWER STANDARD 0.034 EUR 0.000 EUR n/a -100.00%
5. 2010-06-11 19:37:21 7015120959 0085099922378 85099922378 North Korea 0.000 EUR 0.000 EUR 00:03 7015120959 terrasip ANSWER STANDARD 0.014 EUR 0.000 EUR n/a -100.00%
6. 2010-06-11 19:28:07 7015120959 0085099922374 85099922374 North Korea 0.000 EUR 0.000 EUR 00:03 7015120959 terrasip ANSWER STANDARD 0.014 EUR 0.000 EUR n/a -100.00%
7. 2010-06-11 19:26:16 2382486525 0085099922379 85099922379 North Korea 0.000 EUR 0.000 EUR 00:02 2382486525 terrasip ANSWER STANDARD 0.010 EUR 0.000 EUR n/a -100.00%
8. 2010-06-11 19:18:50 7015120959 0085099922379 85099922379 North Korea 0.000 EUR 0.000 EUR 00:02 7015120959 terrasip ANSWER STANDARD 0.010 EUR 0.000 EUR n/a -100.00%
9. 2010-06-11 19:15:23 7015120959 0018002036538 18002036538 USA Toll Free 0.000 EUR 0.000 EUR 00:20 7015120959 terrasip ANSWER STANDARD 0.000 EUR 0.000 EUR n/a -100.00%
10. 2010-06-11 19:14:24 7015120959 0018008472911 18008472911 USA Toll Free 0.000 EUR 0.000 EUR 00:31 7015120959 terrasip ANSWER STANDARD 0.000 EUR 0.000 EUR n/a -100.00%
11. 2010-06-11 19:14:02 7015120959 0018002001111 18002001111 USA Toll Free 0.000 EUR 0.000 EUR 00:03 7015120959 terrasip ANSWER STANDARD 0.000 EUR 0.000 EUR n/a -100.00%
12. 2010-06-11 19:13:33 7015120959 0018002235652 18002235652 USA Toll Free 0.000 EUR 0.000 EUR 00:18 7015120959 terrasip ANSWER STANDARD 0.000 EUR 0.000 EUR n/a -100.00%




Wholesale CDR
85099922379 Korea Dem. People Rep North 11,Jun 10 20:48:33 11,Jun 10 20:56:42 08:09 EUR 2.3415
85099922379 Korea Dem. People Rep North 11,Jun 10 20:28:32 11,Jun 10 20:45:46 17:14 EUR 4.9511
85099922378 Korea Dem. People Rep North 11,Jun 10 20:39:38 11,Jun 10 20:40:10 00:32 EUR 0.1532
85099922374 Korea Dem. People Rep North 11,Jun 10 20:30:23 11,Jun 10 20:30:56 00:33 EUR 0.158
85099922379 Korea Dem. People Rep North 11,Jun 10 20:21:06 11,Jun 10 20:26:16 05:10 EUR 1.4844
18002036538 USA Toll Free 11,Jun 10 20:17:39 11,Jun 10 20:17:59 00:20 EUR 0.0005
18008472911 USA Toll Free 11,Jun 10 20:16:42 11,Jun 10 20:17:12 00:30 EUR 0.0008
18002001111 USA Toll Free 11,Jun 10 20:16:18 11,Jun 10 20:16:21 00:03 EUR 0.000

Author:  franmesa [ Fri Jul 16, 2010 2:34 am ]
Post subject:  Re: fraud with SIP , a sophisticated hack to make free call.

I know that system; the only solution for this is to not allow simultaneous calls for new customers.

I hope this can help you.

Author:  adadekd [ Fri Jul 16, 2010 5:33 pm ]
Post subject:  Re: fraud with SIP , a sophisticated hack to make free call.

I have had a similar issue.
Sounds like there is no technical way around this yet??

Author:  xstrafer [ Tue Jul 20, 2010 10:08 pm ]
Post subject:  Re: fraud with SIP , a sophisticated hack to make free call.

same problem here.
A user had made a lot of calls to Somalia, and according to the a2billing reports the calls are of 00:00 or 00:01 seconds. But the SIP provider showed the same calls with 1-25-15 minutes duration.

is there a workaround with this problem?

Quote:
I know that system, the only solution for this is not allow simultaneous calls for new customers.

All users on the system are with individual access, no simultaneous calls allowed.

Author:  xstrafer [ Thu Jul 22, 2010 7:33 am ]
Post subject:  Re: fraud with SIP , a sophisticated hack to make free call.

Could anyone advise something on this problem?
we badly need help.. :(

Author:  jroper [ Fri Jul 23, 2010 12:26 pm ]
Post subject:  Re: fraud with SIP , a sophisticated hack to make free call.

Hi

We need to understand how to replicate this hack in order to work out how to defend against it.

Can you work out from the logs how the hack is performed, so we can understand this more clearly?

As a sidenote, if there is a string in the asterisk "full" log that indicates when the hack is taking place, then possibly an OSSEC rule could be created to block the IP address.

Yours

Joe

Author:  xstrafer [ Fri Jul 23, 2010 12:39 pm ]
Post subject:  Re: fraud with SIP , a sophisticated hack to make free call.

There are log quotes above; as far as I can see my problem is just alike.
But I will try to extract some of my logs to publish here.

Just thought it might be a known issue if already several people reported that fraudulent activity on their servers.

Author:  RobinA [ Sat Jul 24, 2010 3:31 am ]
Post subject:  Re: fraud with SIP , a sophisticated hack to make free call.

Hello,
This is always a scary situation for all users. Is this problem in 1.7 only or is it in all versions?
Could this have anything to do with call transfer or callback? Are the people experiencing this using a sip proxy?

It is well worth it to know your customers. Do not let them start calling until you verify their identity. Let them sign-up with a call plan with no rates in it. You can go a step further and check if the call plan is the one you created with no rates, stop them from adding funds to their account until you are comfortable with them. The honest ones would appreciate your security measures. If you allow them to pay by PayPal, compare their information in A2B against the information at PayPal. Small price to pay. You don't need PayPal to kill your account because of chargebacks.

Good Luck,

RobinA

Author:  jroper [ Sat Jul 24, 2010 7:12 am ]
Post subject:  Re: fraud with SIP , a sophisticated hack to make free call.

Hi

The OP's logs are related to opensips, not to asterisk and A2Billing; we need to see if we can replicate this issue in Asterisk and A2Billing.

Joe

Author:  Avestan [ Sun Sep 12, 2010 2:05 am ]
Post subject:  Re: fraud with SIP , a sophisticated hack to make free call.

Hello everyone,

I am having the same problem, as someone is using my Asterisk/A2Billing system to call North Korea, Somalia, Zimbabwe. They are using my TestBox which is mainly used for testing and personal use. Therefore, I am not having any customer activity and the few users are rather close family members.

I have noticed that they actually used my own SIP account to make the calls. This was done yesterday and I believe they are going to come back for more free calls. I have not disabled anything and keep everything going as it is in order to find the security issue. I am happy to give you guys access to my system, and as they are still allowed to make more calls, we can find out the security issue.

I am using A2Billing 1.3 and Asterisk 1.4 on the TestBox by the way.

Please respond ASAP before they shy away.

Thanks,

Avestan

Author:  jroper [ Sun Sep 12, 2010 9:34 am ]
Post subject:  Re: fraud with SIP , a sophisticated hack to make free call.

Hi

If they are using your extension to make calls, did they crack your password / secret for the extension? Are all passwords strong and secure on the system?

Joe

Author:  Avestan [ Sun Sep 12, 2010 12:47 pm ]
Post subject:  Re: fraud with SIP , a sophisticated hack to make free call.

Hello jroper,

The password is what is generated by the A2Billing. So, I would say, it is pretty strong.

Here is my finding so far:

The account was a PrePaid account with around 6 dollars in it. The account is also associated with a DID, and my A2Billing shows the calls were initiated from the same DID. So, does this mean somehow they got hold of my DID also?!!!

It appears that they made around 32 minutes of calls in two minutes, which points to the Simultaneous Access setting of the account.

What I found interesting is that they were able to continue using the account even when the credit had gone below zero dollars! I don't know what made them stop, but the credit was around -11 dollars when I realized something was wrong with the account, and that was around 24 hours after their last call.

I have attached the CDR from my A2Billing which shows all the calls they made.

Attachment: North Korea.JPG


Since nobody appeared interested in having access to my system to find out how they do it, I made some changes but haven't stopped anything, as I would like to understand how they can do this. :D

Who knows, I might be able to figure out how they are making these fraud calls. :mrgreen:

If you have any suggestion in regard to the LOG or any setting which might be of interest to you, please feel free to let me know. My offer is still there for having access to my TestBox while it appears that they are making these fraud calls.

Thanks,

Avestan

Author:  cerien [ Sun Sep 12, 2010 1:36 pm ]
Post subject:  Re: fraud with SIP , a sophisticated hack to make free call.

The fact that they can make calls beyond zero is a combination of simultaneous calls + the reservation mechanism of a2B.

a2b is not monitoring the calls while they happen. It tells * how much time the call can last based on the remaining credit at call setup. It then updates the credit at the end of the call. So if you setup multiple concurrent calls while your credit is close to 0, before any of these calls is hung up, you will go negative.
Having a different design would be extremely costly & resource consuming.

But still, it does not explain HOW the "hacker" got hold of your password.... that is what I would be concerned about. Did you check the asterisk log to see if someone has scanned your system ?
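The reservation mechanism cerien describes is worth seeing with numbers, because it explains both the negative balance and why "Simultaneous Access" is the setting to look at. The model below is an added example written for this thread, not A2Billing code: credit is read once at call setup to compute the longest the call may run, and only deducted at hangup. With calls placed one after another the balance can never cross zero; with several calls set up before any of them hangs up, every setup sees the same untouched balance and the account ends deep in the red. The figures ($6.00 credit, a 30 c/min destination, 20-minute calls, five in parallel) are constructed, not taken from anyone's tariff.

```python
import math


def reserved_seconds(credit_cents, rate_cents_per_min):
    """What the billing engine tells the switch at call setup: the longest the call
    may run given the credit it sees right now. Nothing is deducted at this point."""
    if credit_cents <= 0:
        return 0
    return credit_cents * 60 // rate_cents_per_min


def call_cost(seconds, rate_cents_per_min):
    """Charge computed at hangup, rounded up to the next cent."""
    return math.ceil(seconds * rate_cents_per_min / 60)


def simulate(credit_cents, rate_cents_per_min, wanted_seconds, n_calls, concurrent):
    """Return (final credit in cents, total seconds connected).

    concurrent=False: calls are placed one after another, so each setup sees the
    credit left by the previous hangup (Simultaneous Access = 1).
    concurrent=True: all n_calls are set up before any of them hangs up, so each
    setup is authorised against the same starting balance (Simultaneous Access > 1)."""
    credit = credit_cents
    total = 0
    if not concurrent:
        for _ in range(n_calls):
            allowed = reserved_seconds(credit, rate_cents_per_min)
            if allowed == 0:
                break  # rejected at setup: no credit left
            used = min(wanted_seconds, allowed)
            credit -= call_cost(used, rate_cents_per_min)  # deducted at hangup
            total += used
        return credit, total
    # concurrent: one authorisation decision, reused by every parallel call
    allowed = reserved_seconds(credit, rate_cents_per_min)
    if allowed == 0:
        return credit, 0
    used = min(wanted_seconds, allowed)
    for _ in range(n_calls):
        credit -= call_cost(used, rate_cents_per_min)  # each hangup deducts the full cost
        total += used
    return credit, total


if __name__ == "__main__":
    # Constructed figures: $6.00 credit, 30 c/min destination, caller wants 20-minute calls.
    for label, n, conc in (("sequential", 5, False), ("1 line, concurrent", 1, True),
                           ("5 lines, concurrent", 5, True)):
        credit, secs = simulate(600, 30, 1200, n, conc)
        print(f"{label}: balance {credit / 100:+.2f} USD after {secs // 60} min")
```

With five parallel lines the account finishes at -$24.00 after 100 minutes of airtime, and the second sequential call is refused outright, which is the behaviour the posters above saw and the reason limiting simultaneous calls for untrusted accounts is the practical fix on this design.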

Author:  Avestan [ Sun Sep 12, 2010 3:34 pm ]
Post subject:  Re: fraud with SIP , a sophisticated hack to make free call.

Hello cerien,

You are spot on. I was also puzzled whether someone had got hold of the account password. After checking the Asterisk log I was amazed how many times the Asterisk box was attacked, even before this time that they managed to get through. Here is a small section of the Asterisk log file:

Attachment: Asterisk Log File.JPG


Here is the list of IP addresses which carried out brute force SIP registration attacks as shown above:

64.71.145.237
41.223.224.5
211.239.92.203
213.171.206.33
68.168.208.116
68.58.177.148
174.143.159.240
87.118.82.79
83.137.48.60
80.82.119.245
85.214.132.188
64.131.90.62
59.152.224.51
62.168.59.67
85.153.28.17
83.169.6.14
174.133.3.178
61.14.189.132
210.89.62.13
94.23.196.141
212.138.82.29
209.59.3.217
209.222.4.67
78.24.4.154
211.232.57.180
216.54.161.104
69.15.32.22
183.110.185.136
201.134.229.73
218.30.5.19
67.23.126.170
41.196.155.93
74.208.225.251
70.38.54.212
70.38.12.13
109.74.1.168

If I am not mistaken, during 2005, brute force attacks on the ssh (secure shell) service became pretty popular and most probably here is an adopted version of it for SIP Registration.

I guess the approach for stopping such attacks is BLOCKING the IP address after a limited number of tries and failures to register. I don't recall A2Billing being equipped with such a thing, but I am sure this is doable with a bit of scripting.

Here is the link to what I have in mind in order to stop these attacks:

http://www.teamforrest.com/blog/171/asterisk-no-matching-peer-found-block/

Any thought on that one? :)

As I was searching online on the same issue, I came across the following which I thought might be of interest to you:

http://www.voiptechchat.com/voip/457/amazon-ec2-sip-brute-force-attacks-on-rise/

Avestan
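The "bit of scripting" Avestan has in mind, and the OSSEC rule jroper suggested earlier, both start from the same thing: counting failed registrations per source address in the Asterisk "full" log. The script below is an added example for this thread, not part of A2Billing, Asterisk or OSSEC. It parses the chan_sip NOTICE lines of the Asterisk 1.4 era ("Registration from '...' failed for '...' - No matching peer found" / "Wrong password"), flags any address that fails more than a threshold of times inside a sliding window, and also counts how many distinct usernames each address tried, which separates a scanner walking through extension numbers from a legitimate user who mistyped a password twice. The log lines are constructed samples on RFC 5737 documentation addresses; the block rule it emits is plain iptables syntax and is meant to be fed to whatever you use for blocking (fail2ban, OSSEC active response, or a cron job).

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of the Asterisk 1.4 "full" log. 192.0.2.50 walks through extension
# numbers (scanner); 198.51.100.7 is a real user who mistyped a password, then registered.
SAMPLE_LOG = """\
[Sep 11 02:10:01] NOTICE[2971] chan_sip.c: Registration from '"alice" <sip:alice@203.0.113.10>' failed for '198.51.100.7' - Wrong password
[Sep 11 02:14:07] NOTICE[2971] chan_sip.c: Registration from '"100" <sip:100@203.0.113.10>' failed for '192.0.2.50' - No matching peer found
[Sep 11 02:14:08] NOTICE[2971] chan_sip.c: Registration from '"101" <sip:101@203.0.113.10>' failed for '192.0.2.50' - No matching peer found
[Sep 11 02:14:08] NOTICE[2971] chan_sip.c: Registration from '"102" <sip:102@203.0.113.10>' failed for '192.0.2.50' - No matching peer found
[Sep 11 02:14:09] NOTICE[2971] chan_sip.c: Registration from '"103" <sip:103@203.0.113.10>' failed for '192.0.2.50' - No matching peer found
[Sep 11 02:14:10] NOTICE[2971] chan_sip.c: Registration from '"104" <sip:104@203.0.113.10>' failed for '192.0.2.50' - No matching peer found
[Sep 11 02:14:11] NOTICE[2971] chan_sip.c: Registration from '"105" <sip:105@203.0.113.10>' failed for '192.0.2.50' - No matching peer found
[Sep 11 02:14:12] NOTICE[2971] chan_sip.c: Registration from '"106" <sip:106@203.0.113.10>' failed for '192.0.2.50' - No matching peer found
[Sep 11 02:14:13] NOTICE[2971] chan_sip.c: Registration from '"107" <sip:107@203.0.113.10>' failed for '192.0.2.50' - No matching peer found
[Sep 11 02:16:40] NOTICE[2971] chan_sip.c: Registration from '"alice" <sip:alice@203.0.113.10>' failed for '198.51.100.7' - Wrong password
[Sep 11 02:16:45] VERBOSE[2971] logger.c:     -- Registered SIP 'alice' at 198.51.100.7 port 5060
"""

# Matches the failed-registration NOTICE only; later Asterisk versions append ':port'
# to the address, so the port is accepted and discarded.
LINE_RE = re.compile(
    r"^\[(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d)\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '(?P<who>[^']*)' failed for '(?P<ip>[\d.]+)(?::\d+)?' - (?P<reason>.+)$")


def parse_failures(text, year=2010):
    """Return (timestamp, source ip, claimed identity, reason) for each failed registration.
    Asterisk timestamps carry no year, so one is supplied by the caller."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a registration failure; ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["who"], m["reason"]))
    return events


def offenders(events, threshold=5, window_s=60):
    """Sliding window per source address: the first moment an address reaches
    `threshold` failures within `window_s` seconds, record it."""
    recent = defaultdict(deque)
    flagged = {}
    for ts, ip, _, _ in sorted(events):
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = {"first_seen": q[0], "failures": len(q)}
    return flagged


def usernames_tried(events):
    """Distinct identities attempted per address: many names from one address is enumeration."""
    seen = defaultdict(set)
    for _, ip, who, _ in events:
        seen[ip].add(who)
    return seen


def block_rule(ip):
    """iptables rule to hand to the blocking mechanism of your choice."""
    return f"iptables -I INPUT -s {ip} -j DROP"


if __name__ == "__main__":
    events = parse_failures(SAMPLE_LOG)
    names = usernames_tried(events)
    for ip, info in offenders(events).items():
        print(f"{ip}: {info['failures']} failures from {info['first_seen']:%H:%M:%S}, "
              f"{len(names[ip])} usernames tried -> {block_rule(ip)}")
```

The threshold and window are the knobs to tune: a scanner produces dozens of failures a minute against many different names, while a phone with a stale password retries the same name a few times a minute, so counting distinct usernames alongside raw failures keeps you from locking out your own users.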

All times are UTC