News items for tag asterisk - Koos van den Hout

Post-mortem overview of a broken-into asterisk install: Asterisk hack post-mortem - Tom Keating tncnet. Nice article, showing how researching a system after a break-in can go from one strange thing to another. Using asterisk .call files to make calls is an interesting new approach to me.

Interesting patterns in trying to reach mobile numbers in the Middle-East. Patterns I have seen several times before on an asterisk server. Keep it safe, especially on asterisk where this can cost real money.

Found via @teamcymru on twitter.

More attempts to reach Palistinian telephone numbers (+972) via my SIP server, exactly like the attempts last July to reach Palestina mobile numbers. But the upstream audio is the same professional-sounding voice as I heard last December trying to reach a US number. An interesting combination of factors.

So I'm asking the lazywebs: does someone recognize this voice?

Another weird thing recorded on the SIP honeypot: Something which to me sounds like a recording of a voice artist (or 'golden voice'). It was an attempt to use the server from a Palestinian IP to reach +1-404-260-5390, a US phone number for a conferencing system. The recording is attached: note that the audio is very choppy, probably due to packet-loss between the originator in Palestina and my server.

Like in July, attempts to reach Jawwal telecom mobile numbers in Palestina via an asterisk server. But this time with incoming audio, I hear kids in the background and some talking. Very garbled: lots of packet loss on the line and the audio clips. So somebody got a bit of a disappointment when this route for free calls wasn't working out.

Most of the attempts at toll fraud through an asterisk server set to catch and record these are lately for a number matching +97259xxxxxxx which according to Telephone numbers in Israel - Wikipedia is a 'Jawwal' mobile number in Palestina. Interesting... not a really expensive call to make but I can imagine a certain interest in hard-to-trace calls to that part of the world, especially since these seem to be routed via Israel. According to the explanation on Telephone numbers in the Palestinian territories - Wikipedia +970 is also the country code for Palestina but it depends on which country you are calling from whether +970, +972 or both work. Politics in phone numbers. The +970 route was never tried via my asterisk.

First good catch after updating the scripts for capturing the audio on attempts at toll fraud through an asterisk server, some calls with incoming audio logged to disk, and some with absolute silence. The calls with audio have serious noise in the background, my best guess is airco noise. But some typing can be heard, some other sounds and one even with a word at the end. I added some audio from that last one.

Boiler-room type telecoms fraud operation? You decide!

What this does mean to me is that someone is actually doing real work to find opportunities for routing calls without paying. This is not an automated script, this is an actual person doing the work.

I updated the scripts for capturing the audio on attempts at toll fraud through an asterisk server so there is some call progress sound before the 'wrong number' recording is played. I also switched from MixMonitor to Monitor which saves incoming and outgoing audio separately, so it is easier (for me) to check the incoming audio for interesting bits.

This is what the asterisk code now looks like:

exten => _00.,1,Set(filename=${STRFTIME(${EPOCH},,%Y%m%d-%H%M%S)})
exten => _00.,n,Monitor(wav,wrongnum-${filename})
exten => _00.,n,Playback(wrong/callprogress)
exten => _00.,n,Goto(wrongnumber,s,1)

And you can hear what the 'caller' would hear in the attached mp3 file.

I captured some audio in asterisk using the MixMonitor command, like:

exten => _00.,1,Set(filename=${STRFTIME(${EPOCH},,%Y%m%d-%H%M%S)})
exten => _00.,n,NoOp(${CHANNEL} tried to reach ${EXTEN} logging to wrongnum-${filename})
exten => _00.,n,MixMonitor(wrongnum-${filename})
exten => _00.,n,Goto(wrongnumber,s,1)

But I wanted to listen to the audio. Which turned out to be a bit of searching. In the end I found the right sox call:

$ play -e signed -r 8000 -b 16 -c 1 keep-20110604-184522.raw

keep-20110604-184522.raw:

 File Size: 647k      Bit Rate: 128k
  Encoding: Signed PCM    
  Channels: 1 @ 16-bit   
Samplerate: 8000Hz       
Replaygain: off         
  Duration: 00:00:40.42  

In:58.3% 00:00:23.55 [00:00:16.87] Out:188k  [!=====|=====!] Hd:0.0 Clip:0    

Converting to a .wav to process in audacity is easy too:

$ sox -e signed -r 8000 -b 16 -c 1 keep-20110604-184522.raw wrongnum-20110604-184522.wav

Just had a call with a caller-id in Djibouti and when I answered I heard a short beep followed by silence and the word "Goodbye" clearly from an Alison recording as available in Asterisk.

I guess at least a voip server somewhere in Djibouti has an abuse problem.

Voor het weerbericht in Asterisk gebruik ik nu festival open source speech synthesis (spraak generator). Ik heb voor de aardigheid eens gespeeld met de demo-versie van Cepstral text-to-speech en dat klinkt stukken beter. Als ik iets serieuzer dan 'demo scriptje' text to speech zou willen zou ik wel cepstral aanschaffen en gebruiken.