Major long distance charges. System vulnerable/compromised?

We have a received a larger than usual bill from our trunk provider. Apparently, we have placed 3549 calls to Austria and were charged for 3549 minutes of usage. Looking at CDR/CEL logs, we do have a large number of incoming calls from a few different Austrian numbers (about 900 calls ranging from 24 to 38 seconds), but no outgoing calls to that number. The calls are obviously automated.

My question is: How would someone be able to place outgoing calls on our system without it showing up in the logs?

As far as I know, I’ve disabled all transfer functions on IVR (*2, ##).

Call log:

image1465×547 66.8 KB

Typical call:

image1710×132 14.5 KB

I would dig out your sngrep and see if the “invites” are

A) visible, and if so
B) being answered by your PBX or possible some other ‘service’ running in your network.

If neither of the above then perhaps somebody got hold of one of your credentials and is using it from some other location, perhaps your vsp’s cdr’s will help you there.

Look in extensions_custom.conf and make sure there isn’t anything in it that shouldn’t be. Which for the most part is nothing unless you’ve added something. If you haven’t and something is there, you’ve gotten compromised.

The could be generating outbound calls via Local channels which would reverse the direction of the call once answered. So the person getting called could then enter things into the PBX like they called it.

extensions_custom.conf is empty.

The 38 seconds of each call corresponds to the exact time it takes our IVR to disconnect the call if no valid prompt has been entered. Is there any way they could be doing call redirection or forwarding from the menu prompt?

None of those calls made it to completion, look elsewhere for your revenue loss.

Who is your “trunk provider” ?

Invites are visible and all traffic is to/from our PBX.

Do any of those ‘invites’ get “answered/accepted” ?
Further, where are the coming from ?

Compare any with your cdr’s from your provider.

This is the first time I’ve had to use this tool. I only see the state go to IN CALL and COMPLETED.

The methods are INVITE, SUBSCRIBE or OPTIONS.

That I understand, only INVITES will generate a call, what is the “source” ip of these invites.

Iristel. I’ll give them a call tomorrow to get a copy of their logs.

Invites are coming from our provider’s IP address.

press return on any ‘SIP’ connection to get a more detailed view (‘man sngrep’ from a shell)

Great tool for troubleshooting. Everything looks normal, as far as I can tell.

I’ll contact our line provider and see what their logs say.

I would suspect that the calls are originating from somewhere else and that your system has ‘leaked credentials’ by some method yet ‘to be determined’.

Iristel should be able to tell you where the calls originated.

Thanks for the help. I’ll post back with the results once I talk to them.

This topic was automatically closed 31 days after the last reply. New replies are no longer allowed.