Hacked: $120,000 Phone Bill

simsjrg
Posts: 118
Member Since:
2008-04-04

Got to keep your boxes off the internet and patched... amongst other things... nothing mentioned about the platform but regardless make sure you do your homework. No this is not a PSA I just found it amusing and felt like posting...

http://www.news.com.au/technology/story/0,28348,24939188-5014239,...

--

Running: trixbox CE 2.6.2.2 | Teliax and Vitelity

FOR SALE:
------------------------------------------------
Aastra 57i - Used in box, power included
snom 300 - Used, no box, no power
snom 320 - Used, no box, no power
snom 360 - Used in box, power



joshpatten
Posts: 724
Member Since:
2007-01-20

Fortunately the organization I work for has a 7 digit PIN number stored on the provider side that must be entered before any long distance call can be made. That way even if they managed to get access to the PBX they would need to know the 7 digit PIN number before they could place the call. This shifts a lot of responsibility on to the provider. Also, I am still a little puzzled why the telcos haven't implemented a system much like banks have that warn you when your account activity starts looking funny. I would pay another $10 a month on a PRI circuit to have them hawk-eye the usage and alert me when something was up. Some of you might say, "you could write a script to do that" but if the hacker circumvented your checking methods by routing calls a different way then you would never get notified.

Just some thoughts :-)



ethans
Posts: 519
Member Since:
2007-01-16

Because of this story I'm writing a pro-active call volume monitor today that sends daily email alerts if call volume was abnormal or if a certain threshold of international calls was made.

I'd rather explain to a customer why they had one day worth of illegitimate calls versus a $120,000 phone bill!

I'll post the app when complete.



ethans
Posts: 519
Member Since:
2007-01-16

BETA TESTERS NEEDED:

Sends an email when any abnormal call volume levels are detected for the following:
Total outbound calls in the last 24 hours is higher than the threshold % versus average outbound calls per week day over the last 30 days
Total international outbound calls in the last 24 hours is higher than the threshold % versus average outbound international calls per week day over the last 30 days
Total outbound call duration over the last 24 hours is higher than the threshold % versus average daily outbound call duration per week day over the last 30 days
Total international outbound call duration over the last 24 hours is higher than the threshold % versus average daily outbound international call duration per week day over the last 30 days

wget http://public.schmoozecom.com/AbnormalCallVolume-1.0-1.noarch.rpm
rpm -Uvh AbnormalCallVolume-1.0-1.noarch.rpm
service crond restart
nano /usr/local/sbin/abnormal.php

Configure it per the instructions in this file. Add email address and change any thresholds you want (default is 20% increase for each of the 4 tests above)

The script runs once a day at midnight. If you set $daily_report = true, it will email you a report every day. If you leave this false, it will only email a report if one of the thresholds is reached.

You can test it on the command line by running /usr/local/sbin/abnormal.php.

Please provide feedback.



kspare
Posts: 673
Member Since:
2007-02-16

Hi Ethan, I'm going to give this a try.



necits
Posts: 419
Member Since:
2008-02-23

Ethan I wish I had half of your coding ability! No wait, I'd settle for a quarter... LOL. Great work. I'm going to implement this tonight.

--

Michael Mathewson CCNA,MCSE
Owner/Consultant
Northeast CT IT Solutions



necits
Posts: 419
Member Since:
2008-02-23

IMHO This should be included in every distro. You can harden your server, you can harden your network, but slim as it may be there is still a chance a bad guy could enter the system. With this app in place you can pull the plug before things get out of hand. My only question is on a new installation should we wait a month or two for the database to fill up with some data before we install the app?

Thanks again ethan

--

Michael Mathewson CCNA,MCSE
Owner/Consultant
Northeast CT IT Solutions



amir-ahrabi
Posts: 17
Member Since:
2007-11-16
another kind happened to me

hi @ all
Another kind happened to me!! Someone stole my PSTN line and started to transit calls over it. Fortunately we soon figured it out and found him and made him pay a $6,000 bill!!!



ethans
Posts: 519
Member Since:
2007-01-16

The app averages daily traffic in the four areas described above for weekdays over a 30 day period to try and get the best data possible. Less days to average will mean less statistical accuracy, however it should work with any amount of data since it is dealing with averages.

I made the decision to only include weekdays so averages don't get heavily skewed when most businesses aren't operating at full capacity on the weekends. If the business is a 7 day per week kind of business, the queries could be modified to get a better representation of trends.
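
As an added illustration (this is not the code of abnormal.php, which is not shown in this thread), here is the comparison described in the posts above: each of the four last-24-hour totals is checked against the per-weekday average of the preceding 30 days plus a threshold percentage. Assumptions made for the example: CDR rows are (start time, dialled number, seconds), international calls start with 011, the average divides by the calendar weekdays in the window, and all sample rows are constructed.

```python
from datetime import datetime, timedelta

METRICS = ("calls", "intl_calls", "seconds", "intl_seconds")
NOW = datetime(2009, 2, 6, 0, 0)  # constructed run time: a midnight cron run

def measure(cdrs, start, end, weekdays_only=False):
    """Sum the four metrics for calls that started in [start, end)."""
    out = dict.fromkeys(METRICS, 0)
    for when, dst, secs in cdrs:
        if not (start <= when < end) or (weekdays_only and when.weekday() >= 5):
            continue
        intl = dst.startswith("011")  # assumption: NANP international prefix
        out["calls"] += 1
        out["seconds"] += secs
        out["intl_calls"] += intl
        out["intl_seconds"] += secs * intl
    return out

def abnormal(cdrs, now, threshold_pct=20, window_days=30):
    """Return {metric: (last_24h, weekday_avg)} for every metric over threshold."""
    day_start = now - timedelta(days=1)
    base_start = day_start - timedelta(days=window_days)
    recent = measure(cdrs, day_start, now)
    base = measure(cdrs, base_start, day_start, weekdays_only=True)
    # Divide by calendar weekdays in the window (always >= 20 for 30 days).
    weekdays = sum((base_start + timedelta(days=i)).weekday() < 5
                   for i in range(window_days))
    alerts = {}
    for m in METRICS:
        avg = base[m] / weekdays
        # With avg == 0 (no history for this metric) any traffic at all alerts.
        if recent[m] > avg * (1 + threshold_pct / 100):
            alerts[m] = (recent[m], round(avg, 1))
    return alerts

def sample_cdrs(now, intl_burst=0):
    """Constructed data: 10 one-minute domestic calls a day for 31 days, plus
    an optional burst of ten-minute international calls in the last 24 hours."""
    rows = []
    for d in range(1, 32):
        day = now - timedelta(days=d)
        rows += [(day + timedelta(hours=9, minutes=i), "12035550100", 60)
                 for i in range(10)]
    rows += [(now - timedelta(hours=3, minutes=i), "011442079460000", 600)
             for i in range(intl_burst)]
    return rows

if __name__ == "__main__":
    print(abnormal(sample_cdrs(NOW, intl_burst=5), NOW))
```

A site with no international history has a zero baseline for the two international tests, so a single international call trips them regardless of the percentage chosen.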



Gerrymad
Posts: 107
Member Since:
2007-11-21
more frequent checking

Great concept. I am going to put it on a couple of test systems to see how it goes.

Would it be possible to set it to check 4 times per day? Another thought might be the ability to put in an absolute number instead of averages if I want to set my own limits.



ethans
Posts: 519
Member Since:
2007-01-16

You can look at the code in /usr/local/sbin/abnormal.php and modify it to meet your needs. You could modify the SQL queries to make it support running multiple times per day, but you will have to think hard about how the averaging is done. As for putting in your own absolute numbers, once again, you would need to modify the queries.



UncleWard
Posts: 357
Member Since:
2006-05-31
Additional Security Measures

We've attempted to collect all of the security tips we know in a single comprehensive article on Nerd Vittles today. If we've missed anything, please feel free to post a comment. It helps all of us!



alauppe
Posts: 4
Member Since:
2006-06-21
testing

Ethan,

I'm giving this a try too - nice work.

Thank you,
Andy



LinuxSolutions
Posts: 3
Member Since:
2009-02-05
Agreed

Likewise. Will test this very soon and post my findings. Thank you for your code. Will be sure to contribute any improvements. (This is what makes the open source world "go 'round", lol.) Thanks again. -Bryan



ethans
Posts: 519
Member Since:
2007-01-16

We now have had this running on our customer base for over a week, and it seems to be working very well. For smaller customers, the 20% threshold seems to be too low, as call volumes fluctuate quite a bit day to day. I would consider editing the script and upping this to maybe 30 or 40%. Other than that, it seems to be working nicely.



mag
Posts: 132
Member Since:
2006-05-31

Thanks for the application - this is certainly something that is needed.

I've installed it on one site and I receive the error message below

PHP Notice:  Use of undefined constant DB_FETCHMODE_ARRAY - assumed 'DB_FETCHMODE_ARRAY' in /usr/local/sbin/abnormal.php on line 70
PHP Notice:  Use of undefined constant DB_FETCHMODE_ARRAY - assumed 'DB_FETCHMODE_ARRAY' in /usr/local/sbin/abnormal.php on line 74
PHP Notice:  Use of undefined constant DB_FETCHMODE_ARRAY - assumed 'DB_FETCHMODE_ARRAY' in /usr/local/sbin/abnormal.php on line 102
PHP Notice:  Use of undefined constant DB_FETCHMODE_ARRAY - assumed 'DB_FETCHMODE_ARRAY' in /usr/local/sbin/abnormal.php on line 106
PHP Notice:  Use of undefined constant DB_FETCHMODE_ARRAY - assumed 'DB_FETCHMODE_ARRAY' in /usr/local/sbin/abnormal.php on line 137
PHP Notice:  Use of undefined constant DB_FETCHMODE_ARRAY - assumed 'DB_FETCHMODE_ARRAY' in /usr/local/sbin/abnormal.php on line 141
PHP Notice:  Use of undefined constant DB_FETCHMODE_ARRAY - assumed 'DB_FETCHMODE_ARRAY' in /usr/local/sbin/abnormal.php on line 178
PHP Notice:  Use of undefined constant DB_FETCHMODE_ARRAY - assumed 'DB_FETCHMODE_ARRAY' in /usr/local/sbin/abnormal.php on line 185

It looks like a variable has not been defined, but I have no clue how to define/fix it.

Thanks



c0mputernick
Posts: 29
Member Since:
2008-05-15

I second that, I am also getting that PHP Notice error. Is this normal? Does the script possibly need to be updated for newer versions of the software?
The emails go out as expected, and I think the figures are correct, but I'm not sure.

Has anyone figured out how to fix this error?

Thanks.



ethans
Posts: 519
Member Since:
2007-01-16
Updates soon

Hey guys, I'll have an update out soon that addresses the issues and enhances the solution in a way I haven't thought about yet (and am open for suggestions). I can probably get it out in a few days.



kspare
Posts: 673
Member Since:
2007-02-16

Hi Ethan, this script works great! When will you post your update?



samham
Posts: 43
Member Since:
2009-01-13

Were you able to fix the PHP errors? I'm receiving the same.

PHP Notice: Use of undefined constant DB_FETCHMODE_ARRAY - assumed 'DB_FETCHMODE_ARRAY' in /usr/local/sbin/abnormal.php on line 70
PHP Notice: Use of undefined constant DB_FETCHMODE_ARRAY - assumed 'DB_FETCHMODE_ARRAY' in /usr/local/sbin/abnormal.php on line 74
PHP Notice: Use of undefined constant DB_FETCHMODE_ARRAY - assumed 'DB_FETCHMODE_ARRAY' in /usr/local/sbin/abnormal.php on line 102
PHP Notice: Use of undefined constant DB_FETCHMODE_ARRAY - assumed 'DB_FETCHMODE_ARRAY' in /usr/local/sbin/abnormal.php on line 106
PHP Notice: Use of undefined constant DB_FETCHMODE_ARRAY - assumed 'DB_FETCHMODE_ARRAY' in /usr/local/sbin/abnormal.php on line 137
PHP Notice: Use of undefined constant DB_FETCHMODE_ARRAY - assumed 'DB_FETCHMODE_ARRAY' in /usr/local/sbin/abnormal.php on line 141
PHP Notice: Use of undefined constant DB_FETCHMODE_ARRAY - assumed 'DB_FETCHMODE_ARRAY' in /usr/local/sbin/abnormal.php on line 178
PHP Notice: Use of undefined constant DB_FETCHMODE_ARRAY - assumed 'DB_FETCHMODE_ARRAY' in /usr/local/sbin/abnormal.php on line 185


