We have received a larger than usual bill from our trunk provider. Apparently, we have placed 3549 calls to Austria and were charged for 3549 minutes of usage. Looking at CDR/CEL logs, we do have a large number of incoming calls from a few different Austrian numbers (about 900 calls ranging from 24 to 38 seconds), but no outgoing calls to that number. The calls are obviously automated.
My question is: How would someone be able to place outgoing calls on our system without it showing up in the logs?
As far as I know, I've disabled all transfer functions on IVR (*2, ##).
I would dig out your sngrep and see if the "invites" are
A) visible, and if so
B) being answered by your PBX or possibly some other "service" running in your network.
If neither of the above then perhaps somebody got hold of one of your credentials and is using it from some other location, perhaps your vsp's cdr's will help you there.
Look in extensions_custom.conf and make sure there isn't anything in it that shouldn't be. Which for the most part is nothing unless you've added something. If you haven't and something is there, you've gotten compromised.
They could be generating outbound calls via Local channels which would reverse the direction of the call once answered. So the person getting called could then enter things into the PBX like they called it.
The 38 seconds of each call corresponds to the exact time it takes our IVR to disconnect the call if no valid prompt has been entered. Is there any way they could be doing call redirection or forwarding from the menu prompt?
I would suspect that the calls are originating from somewhere else and that your system has "leaked credentials" by some method yet "to be determined".
Iristel should be able to tell you where the calls originated.
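A way to run the CDR checks discussed in this thread, as an added example that is not part of any post above: it counts short trunk-side calls from one country prefix and lists legs that start on a Local channel and leave through the trunk. It assumes the default cdr_csv (Master.csv) column order; the sample rows, numbers, context names and the `PJSIP/trunk` channel prefix are constructed.

```python
import csv
import io
from collections import Counter

# Default column order of Asterisk's cdr_csv Master.csv (the file has no header row).
FIELDS = ["accountcode", "src", "dst", "dcontext", "clid", "channel", "dstchannel",
          "lastapp", "lastdata", "start", "answer", "end", "duration", "billsec",
          "disposition", "amaflags", "uniqueid", "userfield"]

# Constructed sample rows: four trunk-side calls, one internal call, one Local-channel leg.
SAMPLE = '''
"","436600000001","s","ivr-main","436600000001","PJSIP/trunk-0000001a","","BackGround","main-menu","2024-01-05 02:10:01","2024-01-05 02:10:01","2024-01-05 02:10:39",38,38,"ANSWERED","DOCUMENTATION","1704420601.10",""
"","436600000001","s","ivr-main","436600000001","PJSIP/trunk-0000001b","","BackGround","main-menu","2024-01-05 02:11:00","2024-01-05 02:11:00","2024-01-05 02:11:24",24,24,"ANSWERED","DOCUMENTATION","1704420660.11",""
"","+436600000002","s","ivr-main","+436600000002","PJSIP/trunk-0000001c","","BackGround","main-menu","2024-01-05 02:12:00","2024-01-05 02:12:00","2024-01-05 02:12:31",31,31,"ANSWERED","DOCUMENTATION","1704420720.12",""
"","436600000001","s","ivr-main","436600000001","PJSIP/trunk-0000001d","","BackGround","main-menu","2024-01-05 02:13:00","2024-01-05 02:13:00","2024-01-05 02:13:05",5,5,"ANSWERED","DOCUMENTATION","1704420780.13",""
"","101","102","from-internal","101","PJSIP/101-0000001e","PJSIP/102-0000001f","Dial","PJSIP/102","2024-01-05 09:00:00","2024-01-05 09:00:04","2024-01-05 09:02:00",120,116,"ANSWERED","DOCUMENTATION","1704445200.14",""
"","","0043720000000","from-internal","","Local/0043720000000@from-internal-00000005;2","PJSIP/trunk-00000020","Dial","PJSIP/0043720000000@trunk","2024-01-05 02:14:00","2024-01-05 02:14:03","2024-01-05 02:15:00",60,57,"ANSWERED","DOCUMENTATION","1704420840.15",""
'''

def load(text):
    """Parse Master.csv text into a list of dicts keyed by FIELDS."""
    return [dict(zip(FIELDS, row)) for row in csv.reader(io.StringIO(text)) if row]

def normalize(num):
    """Strip a leading '+' or '00' so 43..., +43... and 0043... compare equal."""
    num = num.lstrip("+")
    return num[2:] if num.startswith("00") else num

def short_call_bursts(rows, country="43", lo=24, hi=38, trunk="PJSIP/trunk"):
    """Count calls per caller that arrived on the trunk from `country` and lasted lo..hi seconds."""
    hits = Counter()
    for r in rows:
        if (r["channel"].startswith(trunk) and normalize(r["src"]).startswith(country)
                and lo <= int(r["duration"]) <= hi):
            hits[r["src"]] += 1
    return hits

def local_to_trunk(rows, trunk="PJSIP/trunk"):
    """Legs that start on a Local channel and go out via the trunk (the reversed-direction case)."""
    return [r for r in rows
            if r["channel"].startswith("Local/") and r["dstchannel"].startswith(trunk)]

if __name__ == "__main__":
    cdr = load(SAMPLE)
    print(short_call_bursts(cdr).most_common())
    for leg in local_to_trunk(cdr):
        print(leg["start"], leg["channel"], "->", leg["dstchannel"], leg["dst"])
```

An empty result from both checks on the real Master.csv points toward calls placed with the trunk credentials from elsewhere, which is what the provider's own records would show.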