Multiple inbound calls over an hour turns out to be one long call

rnmixon · July 5, 2018, 6:49pm

We are running FreePBX distro "10.13.66-22 ", connected to a Digium SIP trunk.

Twice recently (middle of May and today) we’ve had a larger number of calls (193 in May and 32 today) that rang in the office - they would appear to hang up when someone answered or when they answer no one is on the line.

The CDR records show the individual calls for each time the phones rang - looks like they would choose an option on our IVR and route to a ring group. Most of the calls show a duration of 20 seconds or less, but 8 show a duration of just less than 6 minutes and one has a duration of 9:02 minutes. All are proportionally spaced across the overall duration - 8:23:06 to 9:20:05.

But when I extract all the /var/log/asterisk/full records for the first calls call id (all with e.g. “[C-00002520]” as the third field) it turns out it’s one long call.

I opened a ticket with Digium before but they were not able to shed much light on what was happening. I’ve opened a new ticket for today’s event but thought maybe it’s not specifically related to the Digium SIP Trunk.

Our main concern would be that a hacker was trying to route calls back out our trunk somehow - but looking at the CDRs this does not appear to be the case.

Before I start listing logs and other detail - does this pattern match a know problem with configuration or other issue?

If not what info is needed to comment further?

Thank you much for any insight - Richard

rnmixon · July 5, 2018, 6:54pm

Maybe this is significant/related - but not sure how.

One of the staff remembered the problem occurred both times the day after the PBX was in “holiday” mode - a staff retreat before the May incident and 4th of July holiday yesterday.

I actually called at 6:25 this morning to make sure the Time Group has changed the IVR for them - then correct recording was in place and have had no other reported issues.

Dunno.

dicko · July 5, 2018, 7:05pm

You might want to try over with your grepping, the bit in the square brackets before the C-00002520 one you used is far more “unique” and might show a little more of the legs concerned.

rnmixon · July 5, 2018, 8:43pm

Thank you, but grepping by that preceding number does not show up anything new.

In the timeframe of the call, there were only three different numbers shown before the “[C-00002520]”:

3486 - 3 three lines like
- [2018-07-05 08:23:06] VERBOSE[3486][C-00002520] netsock2.c: Using SIP RTP TOS bits 184
44536 - 3,029 lines like:
- [2018-07-05 08:23:06] VERBOSE[44536][C-00002520] pbx.c: Executing [4809616003@from-trunk-sip-Digium-SIPTrunk:1] Set("SIP/Digium-SIPTrunk-00000b71", "GROUP()=OUT_13") in new stack
52554 - two lines like:
- [2018-07-05 09:20:12] VERBOSE[52554][C-00002520] bridge_channel.c: Channel SIP/1015-00000b98 joined 'simple_bridge' basic-bridge <8a4c9a8e-ca50-429e-a9a2-e72e22b45f11>

The total was 3,034 lines - the same as when I grep with just the “[C-00002520]”

Any other thoughts?

dicko · July 5, 2018, 9:30pm

I understand you get the same count, it’s just for analysing how the various legs are interacting with each other and how they all end up in the same bridge.

system · July 5, 2019, 9:33pm

This topic was automatically closed 365 days after the last reply. New replies are no longer allowed.