    Linphone Ghost Calls

    • scottalanmiller
      scottalanmiller last edited by

      So every so often my SIP phone gets a "ghost" call from extension 100. I say "ghost" because there is no one on the other end and the PBX doesn't register that any call passed through it. It seems to only exist on my local network (I am remote from the PBX.) Any idea what might be originating the call? The PBX is Asterisk 11, but I don't think that it is involved.

        J1MM3RT last edited by

        Just found this on the googles: http://www.dslreports.com/forum/r28035253-Receiving-calls-from-name-number-100-that-don-t-get-logged

        • scottalanmiller
          scottalanmiller @J1MM3RT last edited by

          @J1MM3RT said:

          Just found this on the googles: http://www.dslreports.com/forum/r28035253-Receiving-calls-from-name-number-100-that-don-t-get-logged

          Hmmm... that would suggest that the scanner is on my local network as there are no ports forwarded or open on the hardware firewall. Hmm...

            J1MM3RT @scottalanmiller last edited by

            @scottalanmiller There is also this, which looks to reiterate the same thing but more clearly than the other thread: http://forums.whirlpool.net.au/archive/1977342
            Other than that the rest of the sites I've seen all pretty much point to it being a scanner of some sort.

              J1MM3RT last edited by

              Just got in today & was wondering if there was any luck figuring this out?

              • scottalanmiller
                scottalanmiller last edited by

                No, worked till late last night then hung out with my dad who is visiting from out of town. Got up and went straight to a state park with the family this morning and just got back to the house. Haven't even turned the phone on yet.

                • alexntg
                  alexntg last edited by

                  Sounds like SIPVicious. Allowing only end-user subnets to access your SIP interface should fix that issue.

                  • scottalanmiller
                    scottalanmiller @alexntg last edited by

                    @alexntg said:

                    Sounds like SIPVicious. Allowing only end-user subnets to access your SIP interface should fix that issue.

                    It's a phone, you can't really do that. But it is not externally available, so it must be being accessed by the local subnet.

                    • alexntg
                      alexntg @scottalanmiller last edited by

                      @scottalanmiller said:

                      @alexntg said:

                      Sounds like SIPVicious. Allowing only end-user subnets to access your SIP interface should fix that issue.

                      It's a phone, you can't really do that. But it is not externally available, so it must be being accessed by the local subnet.

                      I'm referring to the SIP interface on your phone system. Lock the firewall down to only the IP addresses of the clients that register with it (or subnets if they're dynamic). That way, the attacker won't be able to send the call over. The only other explanation is that you have your SIP ports exposed and NATted directly to your phone, which really shouldn't be necessary for normal operation.

                      • scottalanmiller
                        scottalanmiller @alexntg last edited by

                        @alexntg said:

                        @scottalanmiller said:

                        @alexntg said:

                        Sounds like SIPVicious. Allowing only end-user subnets to access your SIP interface should fix that issue.

                        It's a phone, you can't really do that. But it is not externally available, so it must be being accessed by the local subnet.

                        I'm referring to the SIP interface on your phone system. Lock the firewall down to only the IP addresses of the clients that register with it (or subnets if they're dynamic). That way, the attacker won't be able to send the call over. The only other explanation is that you have your SIP ports exposed and NATted directly to your phone, which really shouldn't be necessary for normal operation.

                        Neither. The call is not coming from the PBX nor are any ports forwarded. It has to be coming off of the local LAN.

                        • alexntg
                          alexntg @scottalanmiller last edited by

                          @scottalanmiller said:

                          @alexntg said:

                          @scottalanmiller said:

                          @alexntg said:

                          Sounds like SIPVicious. Allowing only end-user subnets to access your SIP interface should fix that issue.

                          It's a phone, you can't really do that. But it is not externally available, so it must be being accessed by the local subnet.

                          I'm referring to the SIP interface on your phone system. Lock the firewall down to only the IP addresses of the clients that register with it (or subnets if they're dynamic). That way, the attacker won't be able to send the call over. The only other explanation is that you have your SIP ports exposed and NATted directly to your phone, which really shouldn't be necessary for normal operation.

                          Neither. The call is not coming from the PBX nor are any ports forwarded. It has to be coming off of the local LAN.

                          Is this the NTG phone system?

                          • scottalanmiller
                            scottalanmiller last edited by

                            It's my desk phone. So yes.

                            • alexntg
                              alexntg @scottalanmiller last edited by

                              @scottalanmiller said:

                              It's my desk phone. So yes.

                              It's likely not your phone, but the phone system instead. Other users have experienced the same thing. The only other thing it could be is multiple users swiss-cheesing their firewalls via UPnP.

                              • scottalanmiller
                                scottalanmiller @alexntg last edited by

                                @alexntg said:

                                @scottalanmiller said:

                                It's my desk phone. So yes.

                                It's likely not your phone, but the phone system instead. Other users have experienced the same thing. The only other thing it could be is multiple users swiss-cheesing their firewalls via UPnP.

                                Where is that getting reported? I've not seen any tickets about that.

                                • Dominica
                                  Dominica last edited by

                                  I hope you figure this out soon. It's incredibly annoying to have that phone ring every 30 minutes.

                                  • Dashrender
                                    Dashrender last edited by

                                    Is something on your network doing a regular scan?

                                    • scottalanmiller
                                      scottalanmiller @Dashrender last edited by

                                      @Dashrender said:

                                      Is something on your network doing a regular scan?

                                      Nope

                                      • Dashrender
                                        Dashrender @scottalanmiller last edited by

                                        @scottalanmiller said:

                                        @Dashrender said:

                                        Is something on your network doing a regular scan?

                                        Nope

                                        Any chance you can run a Wireshark or other packet scan on things going to the phone to see if you can tell where it's coming from?

                                        1 Reply Last reply Reply Quote 0
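Added example, not part of the thread or anyone's post: once a capture of traffic to the phone exists, the useful question is which INVITEs arrived from a host other than the PBX. The Python sketch below answers it over constructed sample messages; the addresses, extensions, the PBX allow-list and the `friendly-scanner` User-Agent value in the sample are assumptions for illustration.

```python
import re

# Assumption: the PBX is the only host that should ever send SIP to this phone.
PBX_ADDRS = {"192.0.2.10"}  # placeholder address (documentation range)

# Constructed sample: (source IP, raw SIP request) pairs as they could be
# copied out of a packet capture taken on the phone's network segment.
CAPTURE = [
    ("192.0.2.10",
     "INVITE sip:201@10.0.0.50:5060 SIP/2.0\r\n"
     'From: "Front Desk" <sip:200@192.0.2.10>;tag=a1\r\n'
     "User-Agent: Asterisk PBX\r\n\r\n"),
    ("198.51.100.77",
     "INVITE sip:100@10.0.0.50:5060 SIP/2.0\r\n"
     'From: "100" <sip:100@203.0.113.1>;tag=b2\r\n'
     "User-Agent: friendly-scanner\r\n\r\n"),
    ("192.0.2.10",
     "OPTIONS sip:201@10.0.0.50:5060 SIP/2.0\r\n"
     "From: <sip:pbx@192.0.2.10>;tag=c3\r\n\r\n"),
]

def parse_request(raw):
    """Return (method, headers) with header names lower-cased."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    method = head[0].split(" ", 1)[0]
    headers = {}
    for line in head[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, headers

def ghost_invites(capture, pbx_addrs):
    """INVITEs that reached the phone from anywhere other than the PBX."""
    hits = []
    for src, raw in capture:
        method, headers = parse_request(raw)
        if method != "INVITE" or src in pbx_addrs:
            continue
        m = re.search(r"sips?:([^@>;]+)@", headers.get("from", ""))
        hits.append({"src": src,
                     "caller": m.group(1) if m else None,
                     "user_agent": headers.get("user-agent")})
    return hits

if __name__ == "__main__":
    for hit in ghost_invites(CAPTURE, PBX_ADDRS):
        print(hit)
```

The source address of each hit shows whether the sender sits on the local subnet or beyond the firewall, which is the point the thread is trying to settle.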
                                        • alexntg
                                          alexntg @scottalanmiller last edited by

                                          @scottalanmiller said:

                                          @alexntg said:

                                          @scottalanmiller said:

                                          It's my desk phone. So yes.

                                          It's likely not your phone, but the phone system instead. Other users have experienced the same thing. The only other thing it could be is multiple users swiss-cheesing their firewalls via UPnP.

                                          Where is that getting reported? I've not seen any tickets about that.

                                          @FiyaFly had it happen a while back.

                                          • scottalanmiller
                                            scottalanmiller last edited by

                                            Hmmm. I'll have him add a ticket so that we are collecting info on it.
