Calls to queue going to an outside number

Calls to queue 0 are also going to a number they were not intended to go to: 18776750002

The only entry on the queue page is the correct number, the internal extension 3800,0

After reading others' issues online, I ran

grep 18776750002 /etc/asterisk/*

with no results; then I ran

rasterisk -x 'database show' | grep 18776750002

The results are:

/Queue/PersistentMembers/0 : Local/[email protected]/n;0;0;Local/[email protected]/n;Local/[email protected]/n

This number has nothing to do with our business, and I cannot figure out how it got there or how to remove it.

Any help appreciated.

Chris

In the Asterisk CLI, try the below:

queue remove member (membername) from (queue #)

Hitting tab after the member noun will display active members and help with the syntax. I have not tested with wildcards.

queue remove member Local/[email protected]/n from 0

Should work

Jason

Thank you

This is what I tried and the result:

DENVER*CLI> queue remove member Local/[email protected]/n from 0
Unable to remove interface 'Local/18776[email protected]/n' from queue '0': Not there
Command 'queue remove member Local/[email protected]/n from 0' failed.

However, it is still there:

rasterisk -x 'database show' | grep 18776750002
/Queue/PersistentMembers/0 : Local/[email protected]/n;0;0;Local/[email protected]/n;Local/[email protected]/n
[[email protected] asterisk]#

Please any other ideas?

Chris

Drill down:

rasterisk -x "database show Queue"

rasterisk -x "database show Queue/PersistentMembers"

.
.
.
When you have isolated the entry:

rasterisk -x "database del " where the family is the penultimate "show" and the key has a value of "bad"

Dicko, thank you for the reply.

As I am not familiar with modifying the database directly and I do not want to make any mistakes, below is the output from the commands you suggested.

[[email protected] asterisk]# rasterisk -x "database show Queue"
/Queue/PersistentMembers/0 : Local/[email protected]/n;0;0;Local/[email protected]/n;Local/[email protected]/n
1 results found.
[[email protected] asterisk]# rasterisk -x "database show Queue/PersistentMembers"

Please would you show me the exact command I would need to enter to remove this, based on the command output?

Thank you

Chris

Sorry, the cut and paste did not show all of the results.

Here are the complete results:

[[email protected] asterisk]# rasterisk -x "database show Queue"
/Queue/PersistentMembers/0 : Local/[email protected]/n;0;0;Local/[email protected]/n;Local/[email protected]/n
1 results found.
[[email protected] asterisk]# rasterisk -x "database show Queue/PersistentMembers"
/Queue/PersistentMembers/0 : Local/[email protected]/n;0;0;Local/[email protected]/n;Local/[email protected]/n
1 results found.

Thank you again for your assistance.

Chris

rasterisk -x "database get Queue/PersistentMembers 0"

If funky, then:

rasterisk -x "database put Queue/PersistentMembers 0 '' "

The quotes here are pretty confusing.
The first is a quotation mark. (")
The second and third are single ticks ('')
The last is another quotation mark (")

I know they all look the same, but the difference is important for this to work.
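The three replies above walk through the same cleanup by hand: `queue remove member` against the running queue, `database show` to find the stray `Queue/PersistentMembers` entry, and `database get`/`database put` to inspect and overwrite it. Below is an added example, not code from the thread or from FreePBX/Asterisk, that does that audit over a constructed value of the same shape and prints the CLI commands to run rather than running them. It assumes one legitimate member extension (3800) and a dialplan context name ("from-queue") that the post's own output had redacted.

```bash
#!/usr/bin/env bash
# Added example (not from the thread, FreePBX or Asterisk): audit the astdb
# key Queue/PersistentMembers/<queue> and print the CLI commands that strip
# any member whose interface is not one of your own extensions.
#
# With persistentmembers=yes, app_queue stores a queue's dynamic members in
# astdb as   member|member|...   where each member is
#   interface;penalty;paused;membername;state_interface
# A member that exists only in astdb and not in the running queue survives
# "queue remove member" (the "Not there" error in the thread) and is loaded
# again on the next restart, so the astdb value itself must be rewritten.

# Extensions that may legitimately be queue members (assumption: 3800 only).
ALLOWED_EXTENSIONS="3800"

# Constructed sample value in the thread's shape, with one legitimate member
# added so the filtering is visible. The context "from-queue" is an
# assumption; the post's own context was redacted.
SAMPLE_VALUE='Local/3800@from-queue/n;0;0;3800;Local/3800@from-queue/n|Local/18776750002@from-queue/n;0;0;Local/18776750002@from-queue/n;Local/18776750002@from-queue/n'

# Extension dialled by a member's interface field ("" if not a Local channel).
member_extension() {
    local iface="${1%%;*}"
    case "$iface" in
        Local/*@*) iface="${iface#Local/}"; printf '%s\n' "${iface%%@*}" ;;
        *) printf '\n' ;;
    esac
}

# Succeeds when the member's extension is on the allow-list.
member_allowed() {
    local ext
    ext="$(member_extension "$1")"
    [ -n "$ext" ] || return 1
    case " $ALLOWED_EXTENSIONS " in
        *" $ext "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print each member record (one per line) that is NOT allow-listed.
unexpected_members() {
    local member
    printf '%s\n' "$1" | tr '|' '\n' | while IFS= read -r member; do
        [ -n "$member" ] || continue
        member_allowed "$member" || printf '%s\n' "$member"
    done
}

# Rebuild the value keeping only allow-listed members ("" if none remain).
filtered_value() {
    local member out=""
    while IFS= read -r member; do
        [ -n "$member" ] || continue
        if member_allowed "$member"; then
            out="${out:+$out|}$member"
        fi
    done <<EOF
$(printf '%s\n' "$1" | tr '|' '\n')
EOF
    printf '%s\n' "$out"
}

# Print (do not run) the Asterisk CLI commands that clean queue $1, whose
# astdb value is $2. Review them, then paste them into a root shell.
cleanup_commands() {
    local queue="$1" value="$2" member keep
    unexpected_members "$value" | while IFS= read -r member; do
        # Try the running queue first; harmless if it answers "Not there".
        printf "rasterisk -x 'queue remove member %s from %s'\n" "${member%%;*}" "$queue"
    done
    [ -n "$(unexpected_members "$value")" ] || return 0
    keep="$(filtered_value "$value")"
    if [ -n "$keep" ]; then
        # The value contains no whitespace, so it needs no extra quoting.
        printf "rasterisk -x 'database put Queue/PersistentMembers %s %s'\n" "$queue" "$keep"
    else
        # Nothing legitimate left: delete the key instead of storing '' in it.
        printf "rasterisk -x 'database del Queue/PersistentMembers %s'\n" "$queue"
    fi
}

# Stand-alone demo on the constructed sample.
echo "Unexpected members in queue 0:"
unexpected_members "$SAMPLE_VALUE"
echo "Commands to run:"
cleanup_commands 0 "$SAMPLE_VALUE"
```

To use it on a live box, feed the real value in with `cleanup_commands 0 "$(rasterisk -x 'database get Queue/PersistentMembers 0' | sed 's/^Value: //')"` and review the printed commands before pasting them. When no legitimate dynamic member remains, `database del` removes the key outright, which is cleaner than `database put ... ''`: as the later post in this thread shows, a stray pair of quote characters can end up stored as the value.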

Thank you again

Here is what I got:

[[email protected] asterisk]# rasterisk -x "database get Queue/PersistentMembers 0"
Value: Local/[email protected]/n;0;0;Local/[email protected]/n;Local/[email protected]/n

Then I did:

[[email protected] asterisk]# rasterisk -x "database put Queue/PersistentMembers 0 ‘’ "
Updated database successfully
[[email protected] asterisk]# rasterisk -x "database get Queue/PersistentMembers 0"
Value: ‘’

Hopefully this will stop the calls from going to that 877 number…

I do not know how that would have gotten there in the first place, as I am the only one that makes those types of changes.

Thank you for your assistance.

Chris

Me neither, but I suspect you might have been penetrated.

It's a company called "Floor and Decor" in Falconer, NY. If you were hacked, it was an attempt to run up their 800 number charges.

Hacked sounds logical; the PBX is behind a firewall with no ports forwarded to the PBX, and there is no 1-to-1 NAT for the PBX either.

The SIP trunks are on a separate circuit that has no access to the internet.

If someone got in, I cannot imagine how.

Hopefully this won't happen again.

Thank you for all of your help.

Chris

TCP 5038 perhaps? It is often wide open!! If you have no knowledge of 18776750002, it is more than suspicious; it is also very likely that they have been subverted too. You should ask them :wink:

It is behind a SonicWall, thus I would have to manually open ports and do a 1-to-1 NAT.

I just double-checked the SonicWall. I am the only one with the passwords to the corporate firewalls, and there is no way in directly to the PBX.

Very strange indeed.

If anyone has any ideas how they could get in, I would be interested.

Thank you

Chris

The trouble with that thinking is that it "Can't possibly happen" under any circumstances; in your case it possibly did :slight_smile:

netstat -lntup
iptables -L -n

@chris43 Nothing’s preventing you from calling them and talking to their IT Guy. They might be able to offer some insight in the most bizarre hack I’ve ever seen. Maybe working together, you can figure something out. Also - they might also be victims of a hack and not even know it.

Hi

I ran the requested:

netstat -lntup
iptables -L -n

Please see output below.

I did x out the telco trunks; they are public addresses on a private circuit. They are not reachable from the internet. I double-checked that.

The 172.25 is the phones (behind the SonicWall).

The 10.200 is trunks between offices. This is a VLAN that does not cross the internet and has no access to the internet; we have point-to-point circuits for video, and I run interoffice calls over that circuit.

Chris

[[email protected] ~]# netstat -lntup
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:5038 0.0.0.0:* LISTEN 3379/asterisk
tcp 0 0 127.0.0.1:5582 0.0.0.0:* LISTEN 2240/lua
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 1664/rpcbind
tcp 0 0 0.0.0.0:5269 0.0.0.0:* LISTEN 2240/lua
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN 1966/vsftpd
tcp 0 0 0.0.0.0:53 0.0.0.0:* LISTEN 1916/dnsmasq
tcp 0 0 0.0.0.0:33589 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1928/sshd
tcp 0 0 0.0.0.0:51030 0.0.0.0:* LISTEN 1859/rpc.mountd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 2202/master
tcp 0 0 0.0.0.0:57275 0.0.0.0:* LISTEN 1682/rpc.statd
tcp 0 0 0.0.0.0:4445 0.0.0.0:* LISTEN 2387/fop2_server
tcp 0 0 0.0.0.0:57631 0.0.0.0:* LISTEN 1859/rpc.mountd
tcp 0 0 0.0.0.0:5280 0.0.0.0:* LISTEN 2240/lua
tcp 0 0 0.0.0.0:54400 0.0.0.0:* LISTEN 1859/rpc.mountd
tcp 0 0 0.0.0.0:5281 0.0.0.0:* LISTEN 2240/lua
tcp 0 0 0.0.0.0:2049 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:5347 0.0.0.0:* LISTEN 2240/lua
tcp 0 0 0.0.0.0:5222 0.0.0.0:* LISTEN 2240/lua
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 2110/mysqld
tcp 0 0 :::57389 :::* LISTEN 1859/rpc.mountd
tcp 0 0 :::111 :::* LISTEN 1664/rpcbind
tcp 0 0 :::50000 :::* LISTEN 2344/java
tcp 0 0 :::80 :::* LISTEN 2212/httpd
tcp 0 0 :::50001 :::* LISTEN 2344/java
tcp 0 0 :::81 :::* LISTEN 2212/httpd
tcp 0 0 :::50002 :::* LISTEN 2344/java
tcp 0 0 :::82 :::* LISTEN 2212/httpd
tcp 0 0 :::50003 :::* LISTEN 2344/java
tcp 0 0 :::84 :::* LISTEN 2212/httpd
tcp 0 0 :::53 :::* LISTEN 1916/dnsmasq
tcp 0 0 :::39381 :::* LISTEN 1682/rpc.statd
tcp 0 0 :::22 :::* LISTEN 1928/sshd
tcp 0 0 :::88 :::* LISTEN 2212/httpd
tcp 0 0 ::1:25 :::* LISTEN 2202/master
tcp 0 0 :::443 :::* LISTEN 2212/httpd
tcp 0 0 :::39645 :::* LISTEN 1859/rpc.mountd
tcp 0 0 :::55487 :::* LISTEN 1859/rpc.mountd
tcp 0 0 :::96 :::* LISTEN 2212/httpd
tcp 0 0 :::2049 :::* LISTEN -
tcp 0 0 :::60003 :::* LISTEN -
udp 0 0 0.0.0.0:111 0.0.0.0:* 1664/rpcbind
udp 0 0 0.0.0.0:1010 0.0.0.0:* 1682/rpc.statd
udp 0 0 xxx.xxx.xxx.xxx:123 0.0.0.0:* 1944/ntpd
udp 0 0 10.200.25.200:123 0.0.0.0:* 1944/ntpd
udp 0 0 172.25.200.200:123 0.0.0.0:* 1944/ntpd
udp 0 0 127.0.0.1:123 0.0.0.0:* 1944/ntpd
udp 0 0 0.0.0.0:123 0.0.0.0:* 1944/ntpd
udp 0 0 0.0.0.0:2049 0.0.0.0:* -
udp 0 0 0.0.0.0:647 0.0.0.0:* 1505/portreserve
udp 0 0 0.0.0.0:45615 0.0.0.0:* 1859/rpc.mountd
udp 0 0 0.0.0.0:53 0.0.0.0:* 1916/dnsmasq
udp 0 0 0.0.0.0:59455 0.0.0.0:* 1859/rpc.mountd
udp 0 0 0.0.0.0:5060 0.0.0.0:* 3379/asterisk
udp 0 0 0.0.0.0:69 0.0.0.0:* 1936/xinetd
udp 0 0 0.0.0.0:56523 0.0.0.0:* 1859/rpc.mountd
udp 0 0 0.0.0.0:44622 0.0.0.0:* 1725/avahi-daemon
udp 0 0 0.0.0.0:847 0.0.0.0:* 1505/portreserve
udp 0 0 0.0.0.0:4569 0.0.0.0:* 3379/asterisk
udp 0 0 0.0.0.0:47070 0.0.0.0:* 1682/rpc.statd
udp 0 0 0.0.0.0:55007 0.0.0.0:* -
udp 0 0 0.0.0.0:991 0.0.0.0:* 1664/rpcbind
udp 0 0 0.0.0.0:5353 0.0.0.0:* 1725/avahi-daemon
udp 0 0 :::36843 :::* 1859/rpc.mountd
udp 0 0 :::111 :::* 1664/rpcbind
udp 0 0 fe80::21a:4bff:fe54:c2be:123 :::* 1944/ntpd
udp 0 0 fe80::21b:21ff:feba:70fa:123 :::* 1944/ntpd
udp 0 0 fe80::21b:21ff:feba:70fb:123 :::* 1944/ntpd
udp 0 0 ::1:123 :::* 1944/ntpd
udp 0 0 :::123 :::* 1944/ntpd
udp 0 0 :::2049 :::* -
udp 0 0 :::34581 :::* 1682/rpc.statd
udp 0 0 :::53 :::* 1916/dnsmasq
udp 0 0 :::37701 :::* 1859/rpc.mountd
udp 0 0 :::35535 :::* 1859/rpc.mountd
udp 0 0 :::35793 :::* -
udp 0 0 :::991 :::* 1664/rpcbind
[[email protected] ~]# iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
fail2ban-FTP tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 21
fail2ban-apache-auth tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 80
fail2ban-SIP all -- 0.0.0.0/0 0.0.0.0/0
fail2ban-SIP all -- 0.0.0.0/0 0.0.0.0/0
fail2ban-SSH tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 22
fail2ban-recidive all -- 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain fail2ban-BadBots (0 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0

Chain fail2ban-FTP (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0

Chain fail2ban-SIP (2 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0
RETURN all -- 0.0.0.0/0 0.0.0.0/0

Chain fail2ban-SSH (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0

Chain fail2ban-apache-auth (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0

Chain fail2ban-recidive (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0
[[email protected] ~]#
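The two outputs posted above say something the thread only half spells out: the AMI port dicko pointed at (TCP 5038) is bound to 0.0.0.0, as are FTP, MySQL, NFS/rpcbind and TFTP, and the host's own iptables INPUT chain has policy ACCEPT with every fail2ban chain holding nothing but RETURN, so the box itself filters nothing and relies entirely on the upstream SonicWall. The following is an added example, not code from the thread or from FreePBX, that turns that reading into a repeatable check over `netstat -lntup` and `iptables -L -n` output. The sample inputs are constructed from lines in the post, and the list of "risky" ports is an assumption to adjust per deployment (SIP, IAX and RTP are left off because the phones need them).

```bash
#!/usr/bin/env bash
# Added example (not from the thread or FreePBX): report listeners bound to
# every interface on ports a PBX should only expose to localhost or a
# management network, and summarise whether the host firewall filters at all.
# On a live box:  netstat -lntup | exposed_listeners
#                 iptables -L -n | host_firewall_status

# port:label pairs to flag (assumption: adjust to your own deployment).
RISKY_PORTS="5038:asterisk-AMI 3306:mysql 2049:nfs 111:rpcbind 21:ftp 69:tftp 4445:fop2"

# Constructed sample of netstat -lntup output, whitespace-collapsed as in
# the post. 127.0.0.1 and ::1 bindings are present to show they are skipped.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:5038 0.0.0.0:* LISTEN 3379/asterisk
tcp 0 0 127.0.0.1:5582 0.0.0.0:* LISTEN 2240/lua
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN 1966/vsftpd
tcp 0 0 0.0.0.0:2049 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 2202/master
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 2110/mysqld
tcp 0 0 :::111 :::* LISTEN 1664/rpcbind
tcp 0 0 ::1:25 :::* LISTEN 2202/master
udp 0 0 0.0.0.0:5060 0.0.0.0:* 3379/asterisk
udp 0 0 0.0.0.0:69 0.0.0.0:* 1936/xinetd'

# Constructed sample of iptables -L -n: INPUT policy ACCEPT, and the fail2ban
# chains hold only RETURN, i.e. no address is currently being blocked.
SAMPLE_IPTABLES='Chain INPUT (policy ACCEPT)
target prot opt source destination
fail2ban-SSH tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 22
fail2ban-SIP all -- 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain fail2ban-SIP (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0

Chain fail2ban-SSH (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0'

# stdin: netstat -lntup output. Prints "proto port label program" for each
# risky port bound to all interfaces (0.0.0.0 or ::). Header lines and
# loopback/interface-specific bindings fall through the case and are skipped.
exposed_listeners() {
    local proto recvq sendq laddr rest port entry p label
    while read -r proto recvq sendq laddr rest; do
        case "$laddr" in
            0.0.0.0:*|:::*) port="${laddr##*:}" ;;
            *) continue ;;
        esac
        for entry in $RISKY_PORTS; do
            p="${entry%%:*}"; label="${entry#*:}"
            if [ "$port" = "$p" ]; then
                # Last field of the line is PID/Program name ("-" if unknown).
                printf '%s %s %s %s\n' "$proto" "$port" "$label" "${rest##* }"
            fi
        done
    done
}

# stdin: iptables -L -n output. Prints the INPUT chain policy and how many
# DROP/REJECT rules exist anywhere; "policy=ACCEPT drop_or_reject_rules=0"
# means every listener above is reachable from any attached network.
host_firewall_status() {
    local line policy="unknown" blocks=0
    while IFS= read -r line; do
        case "$line" in
            "Chain INPUT (policy "*) policy="${line#*policy }"; policy="${policy%\)}" ;;
            "DROP "*|"REJECT "*) blocks=$((blocks + 1)) ;;
        esac
    done
    printf 'policy=%s drop_or_reject_rules=%s\n' "$policy" "$blocks"
}

# Stand-alone demo on the constructed samples.
echo "Risky services bound to all interfaces:"
printf '%s\n' "$SAMPLE_NETSTAT" | exposed_listeners
printf 'Host firewall: %s\n' "$(printf '%s\n' "$SAMPLE_IPTABLES" | host_firewall_status)"
```

Against the post's real output this flags AMI, FTP, NFS, rpcbind, MySQL and TFTP, with the firewall summary reading ACCEPT with zero blocking rules. That does not prove how the queue member got there, but it does show that on the PBX itself nothing but the upstream firewall stands between those services and whatever can reach the 172.25 or 10.200 networks; binding AMI to 127.0.0.1 (or restricting it in manager.conf) and giving the INPUT chain a default DROP with explicit allows for SIP/RTP and management are the usual first steps.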