Linphone Ghost Calls

J1MM3RT

@scottalanmiller There is also this looks to reiterate the same thing but more clear compared to the other thread. http://forums.whirlpool.net.au/archive/1977342
Other than that the rest of the sites I've seen all pretty much point to it being a scanner of some sort.

J1MM3RT

Just got in today & was wondering if there was any luck figuring this out?

scottalanmiller

No, worked till late last night then hung out with my dad who is visiting from out of town. Got up and went straight to a state park with the family this morning and just got back to the house. Haven't even turned the phone on yet.

alexntg

Sounds like SipVicious. allowing only end-user subnets to access your SIP interface should fix that issue.

scottalanmiller

@alexntg said:

Sounds like SipVicious. allowing only end-user subnets to access your SIP interface should fix that issue.

It's a phone, you can't really do that. But it is not externally available, so it must be being accessed by the local subnet.

alexntg

@scottalanmiller said:

@alexntg said:

Sounds like SipVicious. allowing only end-user subnets to access your SIP interface should fix that issue.

It's a phone, you can't really do that. But it is not externally available, so it must be being accessed by the local subnet.

I'm referring to the SIP interface on your phone system. Lock the firewall down to only the IP addresses of the clients that register with it (or subnets if they're dynamic). That way, the attacker won't be able to send the call over. The only other explanation is that you have your SIP ports exposed and NATted directly to your phone, which really shouldn't be necessary for normal operation.

scottalanmiller

@alexntg said:

@scottalanmiller said:

@alexntg said:

Sounds like SipVicious. allowing only end-user subnets to access your SIP interface should fix that issue.

It's a phone, you can't really do that. But it is not externally available, so it must be being accessed by the local subnet.

I'm referring to the SIP interface on your phone system. Lock the firewall down to only the IP addresses of the clients that register with it (or subnets if they're dynamic). That way, the attacker won't be able to send the call over. The only other explanation is that you have your SIP ports exposed and NATted directly to your phone, which really shouldn't be necessary for normal operation.

Neither. The call is not coming from the PBX nor are any ports forwarded. It has to be coming off of the local LAN.

alexntg

@scottalanmiller said:

@alexntg said:

@scottalanmiller said:

@alexntg said:

Sounds like SipVicious. allowing only end-user subnets to access your SIP interface should fix that issue.

It's a phone, you can't really do that. But it is not externally available, so it must be being accessed by the local subnet.

I'm referring to the SIP interface on your phone system. Lock the firewall down to only the IP addresses of the clients that register with it (or subnets if they're dynamic). That way, the attacker won't be able to send the call over. The only other explanation is that you have your SIP ports exposed and NATted directly to your phone, which really shouldn't be necessary for normal operation.

Neither. The call is not coming from the PBX nor are any ports forwarded. It has to be coming off of the local LAN.

Is this the NTG phone system?

scottalanmiller

It's my desk phone. So yes.

alexntg

@scottalanmiller said:

It's my desk phone. So yes.

It's likely not your phone, but the phone system instead. Other users have experienced the same thing. The only other thing it could be is multiple users swiss-cheesing their firewalls via UPnP.

scottalanmiller

@alexntg said:

@scottalanmiller said:

It's my desk phone. So yes.

It's likely not your phone, but the phone system instead. Other users have experienced the same thing. The only other thing it could be is multiple users swiss-cheesing their firewalls via UPnP.

Where is that getting reported? I've not seen any tickets about that.

Dominica

I hope you figure this out soon. It's incredibly annoying to have that phone ring every 30 minutes.

Dashrender

is something on your network doing a regular scan?

scottalanmiller

@Dashrender said:

is something on your network doing a regular scan?

Nope

Dashrender

@scottalanmiller said:

@Dashrender said:

is something on your network doing a regular scan?

Nope

any chance you can run a wireshark or other packet scan on things going to the phone to see if you can tell where it's coming from?

alexntg

@scottalanmiller said:

@alexntg said:

@scottalanmiller said:

It's my desk phone. So yes.

It's likely not your phone, but the phone system instead. Other users have experienced the same thing. The only other thing it could be is multiple users swiss-cheesing their firewalls via UPnP.

Where is that getting reported? I've not seen any tickets about that.

@FiyaFly had it happen a while back.

scottalanmiller

Hmmm. I'll have him add a ticket so that we are collecting info on it.

Ambarishrh

Not sure if you have the same issue, but I had this problem on our PBX server when I was using Trixbox. It was annoying that the front desk phone rings like 50 times a day and after logging a ticket with Trixbox they said its a hacking attempt due to the ports opened for remote sip phones for my branch offices. One advice from them was to only whitelist the branch office IP and check, that didn't really helped much.

I setup fail2ban which even though was not supported by trixbox, after installing that and some trial and errors, the ghost calls stopped. Then we got migrated to our parent PBX server, so its not my headache anymore!