Phantom extensions placing calls!

1337ingDisorder · May 14, 2013, 6:51pm

I’ve been having an ongoing problem with my PBX making outgoing calls that are clearly not coming from my own phone.

I use exclusively extension 420 for outgoing calls, and I noticed there had been a large number of ongoing calls from extension 100 (which I use for an IVR workaround and nothing else)

I tried a number of solutions to prevent this (it’s remarkable how unintuitive the process is to prevent an extension from making outbound calls!) and eventually just decided the easiest solution was to change the extension number to 99.

This was great for a few days, maybe even a week, but now I’ve noticed my SIP account has been drained yet again and my reports are now showing calls originating from extensions that don’t even exist!

I’ve included the tail end of my reports at the bottom of this post (I’ve replaced my own server’s IP address with <IP_ADDRESS_OF_MY_PBX>), I’m hoping someone can help shed light on this situation.

I have no extension 200, no 501, no 601, and I can’t fathom my a 1-866 number would be able to use MY pbx to call out, but as you can see by the report all of that bad stuff is happening.

So,

How is it that someone is able to make calls through my PBX using extensions that don’t even exist?
More importantly, how can I prevent this from happening any more?

Any help would of course be appreciated in spades!

Thanks

- - REPORT OUTPUT - - -

20:44:07,SIP/<IP_ADDRESS_OF_MY_PBX>-00000589,601,""“601"“
20:44:08,SIP/<IP_ADDRESS_OF_MY_PBX>-0000058a,601,””“601"“
21:41:17,SIP/<IP_ADDRESS_OF_MY_PBX>-0000058b,11,””“11"“
21:41:18,SIP/<IP_ADDRESS_OF_MY_PBX>-0000058c,11,””“11"“
21:41:19,SIP/<IP_ADDRESS_OF_MY_PBX>-0000058d,11,””“11"“
22:37:33,SIP/<IP_ADDRESS_OF_MY_PBX>-0000058e,201,””“201"“
22:37:34,SIP/<IP_ADDRESS_OF_MY_PBX>-0000058f,201,””“201"“
22:37:35,SIP/<IP_ADDRESS_OF_MY_PBX>-00000590,201,””“201"“
23:34:07,SIP/<IP_ADDRESS_OF_MY_PBX>-00000591,501,””“501"“
23:34:08,SIP/<IP_ADDRESS_OF_MY_PBX>-00000592,501,””“501"“
23:34:09,SIP/<IP_ADDRESS_OF_MY_PBX>-00000593,501,””“501"“
00:30:09,SIP/<IP_ADDRESS_OF_MY_PBX>-00000594,111,””“111"“
00:30:10,SIP/<IP_ADDRESS_OF_MY_PBX>-00000595,111,””“111"“
00:30:11,SIP/<IP_ADDRESS_OF_MY_PBX>-00000596,111,””“111"“
01:26:10,SIP/<IP_ADDRESS_OF_MY_PBX>-00000597,1000,””“1000"“
01:26:11,SIP/<IP_ADDRESS_OF_MY_PBX>-00000598,1000,””“1000"“
01:26:12,SIP/<IP_ADDRESS_OF_MY_PBX>-00000599,1000,””“1000"“
02:22:24,SIP/<IP_ADDRESS_OF_MY_PBX>-0000059a,1001,””“1001"“
02:22:25,SIP/<IP_ADDRESS_OF_MY_PBX>-0000059b,1001,””“1001"“
02:22:25,SIP/<IP_ADDRESS_OF_MY_PBX>-0000059c,1001,””“1001"“
11:30:00,SIP/callcentric.com-0000059d,anonymous,””“Anonymous”“
12:15:11,SIP/<IP_ADDRESS_OF_MY_PBX>-0000059e,222,”"“222"“
12:15:13,SIP/<IP_ADDRESS_OF_MY_PBX>-0000059f,222,””“222"“
12:15:16,SIP/<IP_ADDRESS_OF_MY_PBX>-000005a0,222,””“222"“
12:15:19,SIP/<IP_ADDRESS_OF_MY_PBX>-000005a1,222,””“222"“
12:55:49,SIP/<IP_ADDRESS_OF_MY_PBX>-000005a2,101,””“101"“
12:55:53,SIP/<IP_ADDRESS_OF_MY_PBX>-000005a3,101,””“101"“
12:55:57,SIP/<IP_ADDRESS_OF_MY_PBX>-000005a4,101,””“101"“
12:56:02,SIP/<IP_ADDRESS_OF_MY_PBX>-000005a5,101,””“101"“
12:56:06,SIP/<IP_ADDRESS_OF_MY_PBX>-000005a6,101,””“101"“
13:04:34,SIP/66.193.176.35:5060-000005a7,18663878749,””“18663878749"“
14:46:57,SIP/66.193.176.35:5060-000005a8,12504122512,””“12504122512"“
15:31:57,SIP/99-000005a9,99,99,448703923990,NO
15:32:08,SIP/99-000005ab,99,99,011448703923990,NO
16:10:14,SIP/<IP_ADDRESS_OF_MY_PBX>-000005ad,601,””“601"“
16:10:18,SIP/<IP_ADDRESS_OF_MY_PBX>-000005ae,601,””“601"“
16:10:21,SIP/<IP_ADDRESS_OF_MY_PBX>-000005af,601,””“601"“
16:10:25,SIP/<IP_ADDRESS_OF_MY_PBX>-000005b0,601,””“601"“
16:10:29,SIP/<IP_ADDRESS_OF_MY_PBX>-000005b1,601,””“601"“
16:36:48,SIP/CallCentric-Personal-000005b2,18663878749,””“18663878749"“
19:34:04,SIP/66.193.176.35:5060-000005b3,18663878749,””“18663878749"“
20:24:53,SIP/66.193.176.35:5060-000005b4,18663878749,””“18663878749"“
00:52:36,SIP/<IP_ADDRESS_OF_MY_PBX>-000005b5,200,””“200"“
00:52:39,SIP/<IP_ADDRESS_OF_MY_PBX>-000005b6,200,””“200"“
00:52:41,SIP/<IP_ADDRESS_OF_MY_PBX>-000005b7,200,””“200"“
00:52:46,SIP/<IP_ADDRESS_OF_MY_PBX>-000005b8,200,””“200"“
01:59:21,SIP/<IP_ADDRESS_OF_MY_PBX>-000005b9,501,””“501"“
01:59:23,SIP/<IP_ADDRESS_OF_MY_PBX>-000005ba,501,””“501"“
01:59:27,SIP/<IP_ADDRESS_OF_MY_PBX>-000005bb,501,””“501"“
01:59:30,SIP/<IP_ADDRESS_OF_MY_PBX>-000005bc,501,””“501"“
01:59:32,SIP/<IP_ADDRESS_OF_MY_PBX>-000005bd,501,””“501"“
05:38:23,SIP/24.43.123.80-000005be,3030,3030,s,ANSWERED,1
Page 2
Sheet1
2013-05-14
2013-05-14
2013-05-14
2013-05-14
2013-05-14
2013-05-14
2013-05-14
2013-05-14
05:38:27,SIP/24.43.123.80-000005bf,3030,3030,s,ANSWERED,12
05:38:54,SIP/99-000005c0,99,99,12645838242,NO
05:39:17,SIP/99-000005c2,99,99,00442033478081,FAILED,35
07:54:54,SIP/66.193.176.35:5060-000005c4,18663878749,””“18663878749"“
08:01:51,SIP/callcentric.com-000005c5,anonymous,””“Anonymous”“
08:34:43,SIP/callcentric.com-000005c6,anonymous,”"“Anonymous”“
11:19:56,SIP/420-000005c7,420,420,2503852635,NO
11:25:33,SIP/66.193.176.35:5060-000005c9,18663878749,”"“18663878749"”

miken32 · May 14, 2013, 10:53pm

Read up on SIP security and the benefits of not opening your server to the internet without taking the appropriate precautions!

dicko · May 15, 2013, 12:05am

And of course you here leak more information about your server running PIAF on port 9080, as I say , these KD’s are not stupid, I am sure they even come here for breadcrumbs strive to be less so yourself.