Calls to queue 0 are also going to a number not intended to go to. 18776750002
The only entry on the queue page is the correct number, the internal extension 3800,0
after reading others issues on;line i ran
grep 18776750002 /etc/asterisk/*
With no results, then i ran
rasterisk -x ‘database show’|grep 18776750002
the results are
/Queue/PersistentMembers/0 : Local/18776750002@from-queue/n;0;0;Local/18776750002@from-queue/n;Local/18776750002@from-queue/n
This number has nothing to do with our business and i can not figure out how it got there or how to remove it.
Any help appreciated.
Chris
In the asterisk cli try the below
queue remove member (membername) from (queue #)
Hitting tab after the member noun will display active members and help with the syntax. I have not tested with wildcards.
queue remove member Local/18776750002@from-queue/n from 0
Should work
Jason
Thank you
this is what i tried and the result
DENVER*CLI> queue remove member Local/18776750002@from-queue/n from 0
However it is still there
rasterisk -x ‘database show’|grep 18776750002
Please any other ideas?
Chris
dicko
March 15, 2017, 12:38am
4
Drill down :-
rasterisk -x “database show Queue”
rasterisk -x “database show Queue/PersistentMembers”
.
rasterisk -x "database del " where the family is the penultimate “show” and the key has a value of “bad”
Dicko thank you for the reply.
As i am not familiar with modifying the database directly and i do not want to make any mistakes below id the output from the commands you suggested.
[root@DENVER asterisk]# rasterisk -x “database show Queue”
Please would you show me the exact command i would need to enter to remove this based on the command output?
Thank you
Chris
Sorry the cut and paste did bot show all of the results
here are the complete results
[root@DENVER asterisk]# rasterisk -x “database show Queue”
Thank you again for your assistance.
Chris
dicko
March 15, 2017, 6:12pm
7
rasterisk -x "database get Queue/PersistentMembers 0"
if funky then
rasterisk -x "database put Queue/PersistentMembers 0 '' "
cynjut
March 15, 2017, 6:18pm
8
The quotes here are pretty confusing.
I know they all look the same, but the difference is important for this to work.
Thank you again
here is what i got
[root@DENVER asterisk]# rasterisk -x "database get Queue/PersistentMembers 0"
then i did
[root@DENVER asterisk]# rasterisk -x "database put Queue/PersistentMembers 0 ‘’ "
Hopefully this will stop the calls from going to that 877 number…
I do not know how that would have gotten there in the first place as i am the only one that makes those type of changes.
Thank you for your assistance.
Chris
dicko
March 15, 2017, 11:36pm
10
Me neither but I suspect you might have been penetrated
cynjut
March 15, 2017, 11:52pm
11
chris43:
8776750002
It’s a company called “Floor and Decor” in Falconer, NY. If you were hacked, it was an attempt to run up their 800 number charges.
Hacked sounds logical the PBX is behind a firewall with no ports forwarded to the PBX, and there is no 1 to 1 nat for the PBX either.
The SIP trunks are on a separate circuit that has no access to the internet.
If someone got in i can not imagine how.
Hopefully this wont happen again.
Thank you for all of your help.
Chris
dicko
March 16, 2017, 12:17am
13
tcp 5038 perhaps? it is often wide open !! if you have no knowledge of 18776750002, it is more that suspicious, it is also very likely that they also have been subverted, you should ask them
It is behind a Sonicwall thus i would have to manually open ports and do a 1 to 1 nat.
i just double checked the Sonicwall i am the only one with the passwords to the corporate firewalls, and there is no way in directly to the PBX.
very strange indeed.
if anyone has any ideas how they could get in i would be interested.
Thank you
Chris
dicko
March 16, 2017, 1:39am
15
The trouble with that thinking is that it “Can’t possibly happen” under any circumstances, in your case it possibly did
netstat -lntup
cynjut
March 16, 2017, 1:22pm
16
@chris43 Nothing’s preventing you from calling them and talking to their IT Guy. They might be able to offer some insight in the most bizarre hack I’ve ever seen. Maybe working together, you can figure something out. Also - they might also be victims of a hack and not even know it.
Hi
I ran the requested
netstat -lntup
Please see output below.
I did x out the telco trunks, they are public addresses on a private circuit. they are not reachable from the internet. i double checked that.
the 172.25 is the phones (behind sonic wall)
the 10.200 is trunks between offices, this is a VLAN that does not cross the internet and has no access to the internet, we have point to point circuits for Video and i run interoffice calls over that circuit.
Chris
[root@DENVER ~]# netstat -lntupxxx.xxx.xxx.xxx:123 0.0.0.0:* 1944/ntpd
Chain FORWARD (policy ACCEPT)
Chain OUTPUT (policy ACCEPT)
Chain fail2ban-BadBots (0 references)
Chain fail2ban-FTP (1 references)
Chain fail2ban-SIP (2 references)
Chain fail2ban-SSH (1 references)
Chain fail2ban-apache-auth (1 references)
Chain fail2ban-recidive (1 references)
