Phantom extensions placing calls!

I’ve been having an ongoing problem with my PBX making outgoing calls that are clearly not coming from my own phone.

I use exclusively extension 420 for outgoing calls, and I noticed there had been a large number of ongoing calls from extension 100 (which I use for an IVR workaround and nothing else)

I tried a number of solutions to prevent this (it’s remarkable how unintuitive the process is to prevent an extension from making outbound calls!) and eventually just decided the easiest solution was to change the extension number to 99.

This was great for a few days, maybe even a week, but now I’ve noticed my SIP account has been drained yet again and my reports are now showing calls originating from extensions that don’t even exist!

I’ve included the tail end of my reports at the bottom of this post (I’ve replaced my own server’s IP address with <IP_ADDRESS_OF_MY_PBX>), I’m hoping someone can help shed light on this situation.

I have no extension 200, no 501, no 601, and I can’t fathom my a 1-866 number would be able to use MY pbx to call out, but as you can see by the report all of that bad stuff is happening.


  1. How is it that someone is able to make calls through my PBX using extensions that don’t even exist?

  2. More importantly, how can I prevent this from happening any more?

Any help would of course be appreciated in spades!


You hide your IP address from us, but not from the BlackHats :slight_smile: One saw you on your IP and then told everyone else that you have an open UDP/5060 port the rest is obvious.

You need to protect yourself with a firewall/IDS to notice and deny access to the knuckle-draggers (remember, these KD’s are a lot cleverer than you :slight_smile: ). You say nothing of your deployment some flavors have one or both but many don’t do a good job of setting them up.

Hi dicko, thanks for your reply.

Believe me, my intent has always been to stay off any blackhat’s radar :wink:

I’m running CentOS 5.5 with IPTABLES and fail2ban

I do notice in my iptables file that UDP 5060 is indeed open. I’ve removed it for this purpose but of course my only way of testing is to wait another few days and see if there’s still any fishy-business going on.

Just to confirm, it’s safe for me to block UDP 5060? (and by “safe” I mean it won’t prevent me from making or receiving any legitimate calls?)

Thanks again!

Blocking UDP/5060 universally will stop all external SIP sessions, best way is to change all your connections away from 5060 to prevent drive by’s that means with your VSP also, some will some won’t , if they wont then there will only be a few "networks"that you need allow udp/5060 from.

I have been using fail2ban for years and it works well if properly setup, here is a good working setup recipe:-