ChanSpy Announcing the first two digits of my IP address

Very strange. Hanging out on Chanspy, out of no where, the woman’s voice comes on and says “SIP 94” “SIP 94” over and over for about 30 seconds as if someone is picking up the phone and putting it down. Looking at the log, it’s as if my IP address is trying to pick up the phone… or someone is trying to use the ip address as a SIP extension? Odd. This is happening every half hour or so.

Any ideas? Very weird.

Here is the log (IP address changed for security reasons):
[2013-06-27 07:28:51] VERBOSE[3041] netsock2.c: == Using SIP RTP TOS bits 184
[2013-06-27 07:28:51] VERBOSE[3041] netsock2.c: == Using SIP RTP CoS mark 5
[2013-06-27 07:28:51] VERBOSE[15586] pbx.c: – Executing [002972595646444@from-sip-external:1] NoOp(“SIP/94.38.99.123-0000068b”, “Received incoming SIP connection from unknown peer to 002972595646444”) in new stack
[2013-06-27 07:28:51] VERBOSE[15586] pbx.c: – Executing [002972595646444@from-sip-external:2] Set(“SIP/94.38.99.123-0000068b”, “DID=002972595646444”) in new stack
[2013-06-27 07:28:51] VERBOSE[15586] pbx.c: – Executing [002972595646444@from-sip-external:3] Goto(“SIP/94.38.99.123-0000068b”, “s,1”) in new stack
[2013-06-27 07:28:51] VERBOSE[15586] pbx.c: – Goto (from-sip-external,s,1)
[2013-06-27 07:28:51] VERBOSE[15586] pbx.c: – Executing [s@from-sip-external:1] GotoIf(“SIP/94.38.99.123-0000068b”, “0?checklang:noanonymous”) in new stack
[2013-06-27 07:28:51] VERBOSE[15586] pbx.c: – Goto (from-sip-external,s,5)
[2013-06-27 07:28:51] VERBOSE[15586] pbx.c: – Executing [s@from-sip-external:5] Set(“SIP/94.38.99.123-0000068b”, “TIMEOUT(absolute)=15”) in new stack
[2013-06-27 07:28:51] VERBOSE[15586] func_timeout.c: Channel will hangup at 2013-06-27 07:29:06.866 PDT.
[2013-06-27 07:28:51] VERBOSE[15586] pbx.c: – Executing [s@from-sip-external:6] Answer(“SIP/94.38.99.123-0000068b”, “”) in new stack
[2013-06-27 07:28:51] VERBOSE[15531] file.c: – <SIP/4003-00000675> Playing ‘spy-sip.ulaw’ (language ‘en’)
[2013-06-27 07:28:52] VERBOSE[15586] pbx.c: == Spawn extension (from-sip-external, s, 6) exited non-zero on ‘SIP/94.38.99.123-0000068b’
[2013-06-27 07:28:52] VERBOSE[15586] pbx.c: – Executing [h@from-sip-external:1] Hangup(“SIP/94.38.99.123-0000068b”, “”) in new stack
[2013-06-27 07:28:52] VERBOSE[15586] pbx.c: == Spawn extension (from-sip-external, h, 1) exited non-zero on ‘SIP/94.38.99.123-0000068b’
[2013-06-27 07:28:52] VERBOSE[15531] file.c: – <SIP/4003-00000675> Playing ‘digits/9.ulaw’ (language ‘en’)
[2013-06-27 07:28:53] VERBOSE[15531] file.c: – <SIP/4003-00000675> Playing ‘digits/6.ulaw’ (language ‘en’)
[2013-06-27 07:28:54] VERBOSE[15531] file.c: – <SIP/4003-00000675> Playing ‘beep.ulaw’ (language ‘en’)

Sounds like you have port 5060 open and someone is probing your system. Your CDR’s will likely look something like this:

2013-06-27 10:02:04 1372341724.237 501 Answer s (from-sip-external) ANSWERED 00:00
2013-06-27 10:02:03 1372341723.236 501 Answer s (from-sip-external) ANSWERED 00:00
2013-06-27 10:02:02 1372341722.235 501 Answer s (from-sip-external) ANSWERED 00:00
2013-06-27 10:02:01 1372341721.234 501 Answer s (from-sip-external) ANSWERED 00:00


If you don’t have a valid reason for having port 5060 open then close it, or restrict access to only known external IP addresses.

Hmmm. I do not have 5060 open but I have a different port open that is used to bind the softphones. Should that port be changed?

My CDR looks like this. As you can see, this happens a lot:

2013-06-27 07:28:51 1372343331.3281 SIP 109 Answer s ANSWERED 00:01
2013-06-27 07:28:49 1372343329.3280 SIP 109 Answer s ANSWERED 00:00
2013-06-27 07:28:46 1372343326.3279 SIP 109 Answer s ANSWERED 00:00
2013-06-27 07:28:43 1372343323.3278 SIP 109 Answer s ANSWERED 00:00
2013-06-27 07:28:41 1372343321.3277 SIP 109 Answer s ANSWERED 00:00
2013-06-27 07:28:38 1372343318.3276 SIP 109 Wait s ANSWERED 00:01
2013-06-27 07:28:34 1372343314.3275 SIP 109 Wait s ANSWERED 00:01
2013-06-27 07:28:30 1372343310.3274 SIP 109 Wait s ANSWERED 00:01
2013-06-27 07:28:29 1372343309.3273 SIP 109 Wait s ANSWERED 00:00
2013-06-27 07:28:24 1372343304.3272 SIP 109 Wait s ANSWERED 00:01
2013-06-27 07:28:20 1372343300.3271 SIP 109 Wait s ANSWERED 00:01
2013-06-27 07:15:21 1372342521.3270 SIP 177 Wait s ANSWERED 00:01
2013-06-27 07:15:17 1372342517.3269 SIP 177 Wait s ANSWERED 00:01
2013-06-27 07:15:13 1372342513.3268 SIP 177 Wait s ANSWERED 00:01
2013-06-27 07:15:10 1372342510.3267 SIP 777 Answer s ANSWERED 00:01
2013-06-27 07:15:07 1372342507.3266 SIP 777 Answer s ANSWERED 00:00
2013-06-27 07:15:03 1372342503.3265 SIP 777 Answer s ANSWERED 00:00
2013-06-27 07:14:58 1372342498.3264 SIP 177 Wait s ANSWERED 00:01
2013-06-27 07:14:55 1372342495.3263 SIP 777 Answer s ANSWERED 00:00
2013-06-27 07:14:50 1372342490.3262 SIP 177 Wait s ANSWERED 00:01
2013-06-27 07:14:46 1372342486.3261 SIP 777 Answer s ANSWERED 00:00
2013-06-27 07:14:43 1372342483.3260 SIP 177 Wait s ANSWERED 00:01