Hack or not? Strange traffic at strange times!

Background info:
I’ve been running FreePBX for just over a year now and it has been incredibly stable with SIP trunks (no POTS). There are no ports forwarded as I am using SIP registration. Established/related traffic is allowed for time/system/firmware updates etc. Otherwise everything is on a private LAN behind a firewall.

This week I have been asked to connect a POTS line so that anyone who calls this legacy number will still get through until the contract runs out. Previously we were just using one separate phone. During testing the system connectivity between the SPA-3102 and the PBX, everything is fine. As soon as I connect the POTS line to the SPA-3102, I am receiving IPS messages from my firewall (current Unifi USG). This has occurred twice, both times about 10 minutes after connecting the SPA to the line. Since I have started using FreePBX, there have been no other IPS hits so this is new behaviour.

This is my IPS message:
Message: IPS Alert 2: Misc Attack. Signature ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 276. From:, to: mypbxaddress:48860, protocol: TCP

As far as I know port 48860 is not in use for anything so I’m puzzled as to what this could be (it could also just be a false positive!). Any input would be greatly appreciated. Thanks.

I suspect that what you are seeing is just a coincidence. Conceivably, there is something misconfigured in the SPA that’s sending outbound traffic to someone who, having learned your public IP address, is attempting an attack.

Look at the SPA’s web page in admin advanced mode. Assuming that you are not using provisioning, confirm that Provision Enable and Upgrade Enable are both no, and that the 4 Profile Rules and Upgrade Rule are blank. On the System tab, confirm that Syslog Server and Debug Server are blank (or properly set). On the WAN Setup tab, confirm that your DNS and NTP settings are not going where they shouldn’t.

Thanks, I think it was upgrade enable/rule. I updated the settings and haven’t had a warning since.

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.