DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

Fraudulent calls being made through a 2820IPPBX

26 Jan 2011 10:43 #1 by orangehand
This is a copy of an email I have sent to Draytek AND Draytel support: anyone have anything to add?

I have installed at the end of last year a 2820IPPBX with a client, with one Vigorphone 350 set up as a VOIP test for a possible migration to an all VOIP system. They complained last week that their call credit with Draytel (their only outgoing trunk of any type) was being sapped rapidly.

On examining the call records, all the calls, all to international destinations, were coming from x901, which was set up as the analog extension in index 50. I am sure that I never enabled either the Analog extension or the ISDN extension in indexes 49 and 50, but they were enabled when I checked. Are these extensions enabled or disabled by default?

Following this discovery I did the following:

Checked that there was no analog phone plugged into the router - there was none
Changed the Draytel SIP password and entered the new one in the router
Changed the router admin password
Disabled indexes 49 and 50.

This was done on the 20th Jan

HOWEVER, from the attached screenshot (not attached here, but it shows loads of calls being made to dodgy countries from x901, both before and after the changes I have outlined here), outgoing calls are still being made from 901, which is disabled in the extension settings on index 50 (i.e. analog phone) and has been since the morning of Jan 20th. The call failures are possibly due to there being no credit on the account, on my advice, until this is sorted.

How on earth can this be happening? There seems to be a backdoor thing going on here. I am a little peeved that Draytel informed us all that they had not had any actual incidences of this in their advisory email, when I had already reported this to them.

26 Jan 2011 10:46 #2 by voodle
Is that with 3.5.5 or 3.5.5.1? If it's with the latter, do you have registration over the WAN disabled?

26 Jan 2011 10:48 #3 by orangehand
Replied by orangehand on topic The firmware is 3.5.5_232201
see subject!

26 Jan 2011 21:15 #4 by voodle
I see, yeah you should update to the 3.5.5.1 firmware, which you can get here:
ftp://ftp.draytek.com/VigorIPPBX%202820/Firmware/V3.5.5.1/AnnexA/IPPBX2820V3.5.5.1A232201.zip

That's got an option under IPPBX > PBX System > SIP Proxy settings to disable registration from the WAN - if you've only got local extensions then try that and see if it helps.

26 Jan 2011 23:58 #5 by admin

orangehand wrote: not had any actual incidences of this in their advisory email, when I had already reported this to them.



Assuming you're quoting accurately, presumably they sent or wrote their email BEFORE you reported your problem, in which case, that's quite unfair!



Forum Administrator

27 Jan 2011 12:40 #6 by orangehand

admin wrote:

orangehand wrote: not had any actual incidences of this in their advisory email, when I had already reported this to them.



Assuming you're quoting accurately, presumably they sent or wrote their email BEFORE you reported your problem, in which case, that's quite unfair!



If so I apologise, but I sent my email to them before I received the advisory from them. Am happy to accept that they may well have crossed in the post!
Mea Culpa.
