Phantom phone calls

System is a version 14 Asterisk version 13. It has several hundred phones on it. The system is a server grade system and been installed for several years.
We have an extension that will go off hook and dial a specific extension within the system, be answered by the distant voicemail (since it doesn’t get answered) and hangs up. The user most times is across the room from the phone and hears it go off hook and the whole call over speakerphone. The call does show up in the CDR report. Sometimes the phantom calls are after hours as well. There doesn’t appear to be any nefarious calls outside the system.

The traffic on the system is so much that we haven’t been able to catch it in a tcpdump yet.
Things we have done:

  1. Defaulted the phone
  2. Replaced the phone with one of the same make / model
  3. Deleted the extension in the system and changed the secret.
  4. Stopped FOP2
  5. Made sure that the phone didn’t have a stuck button (BLF) for the distant extension.
  6. Phone is stand alone ie: no BLF/DSS sidecar

If it possible to send a command to a phone and have it dial all by itself?

The following settings are at default:

  1. Accept SIP TRust Server Only is set to false
  2. Enable Peer to Perr is set to allow
    My thinking is to try a different phone manufacturer in case there is an exploit that is being taken advantage of. The phones are no longer under warranty and or the company will not provide updated firmware.

If the call show up on the CDR report:

  1. I don’t see how your last item would make a difference;

  2. you need to provide details from the CDR (although better from a verbose full log) for anyone to make intelligent guesses. However, I would set (1) to true and (2) to false.

The ability to force them off hook in speaker mode is the security downside of allowing paging. IP phones generally have this disabled by default, for this reason, so, if you don’t page them,

If they are being attacked, I’d suggest the attacker is contacting them directly and using auto-answer to get them into a state when they can then use REFER, on the assumption that a direct attack on the PABX would not allow chargeable calls, but a call from the phone would.

I’m not sure why it is going to extensions; maybe the start of the premium number they are trying to dial looks like a local extension.

Thanks david55

As soon as I can get to that phone I will make those changes. I do not know if they are using the page function on the phone, but that is possible since it is in a school. I’ll check that out. Also, I think I can get a full CDR export of one of those calls

What model of phone?
Are you using PJSIP?


Chan sip

  1. Accept SIP TRust Server Only is set to false

might not be a good idea :wink:

Thanks Dicko,

I was able to log into the phone directly and this is what I found

  1. Accept SIP TRust Server Only is set to true
  2. Phone call log shows some of the calls at times there wouldn’t be anyone there
  3. There is a BLF key programmed for the ext that is phantom called ( Deleted it)
  4. Auto Answer is disabled

There are no page zones programmed in the system. They have a sip based paging system. There are entries in the multicast paging portion.

For troubleshooting occasional problems like this I use

That looks like a game changer there! Thanks for the tip Dicko!

I updated all the modules and now getting this error:

exit: 1
Unable to continue. died in splice ext-intercom . in /var/www/html/admin/libraries/extensions.class.php on line 197
#0 /var/www/html/admin/modules/clearlydevices/Clearlydevices.class.php(527): extensions->splice(‘ext-intercom’, '
.', ‘check’, Object(ext_noop), ‘clearlydevices’, -3)
#1 /var/www/html/admin/libraries/BMO/DialplanHooks.class.php(107): FreePBX\modules\Clearlydevices->doDialplanHook(Object(extensions), ‘asterisk’, 900)
#2 /var/lib/asterisk/bin/retrieve_conf(861): FreePBX\DialplanHooks->processHooks(‘asterisk’, Array)
#3 {main}

I found this but no relief: Probelm after Module updates

I have it working so that it gets ALL sip sessions. In the instructions there is a -n switch to only capture specific extensions. I tried using -n 101 to capture a call for extension 101 It didn’t weed out those calls. What is the systax for that? Or does it work. Second question how can I start that and close the ssh session?
Thanks alot!

A typical FreePBX extension will be accessed by its IP address, for calls to it, not the FreePBX extension number, although it could vary with the device, as what appears will actually be what the device provided in its REGISTER Contact header.

Here is a file name for a session from extension 205


It must be pulling that info from the To and From message headers

Indeed, source and destination are derived by analysis of the complete session,

pcapsipdump -h

-d Set directory (or filename template), where captured files will be stored.
ex.: -d /var/spool/pcapsipdump/%Y%m%d/%H/%Y%m%d-%H%M%S-%f-%t-%i.pcap

  • Following %-codes are expanded in -d and -t: %f (from/caller), %t (to/callee),
    %i (call-id), and call date/time (see ‘man 3 strftime’ for details)
  • Trailing argument is pcap filter expression syntax, see ‘man 7 pcap-filter’

here your %f (from/caller) and your %t (to/callee) are both 205.

calls them selves can be filtered on INVITE only, but REGISTER might clue the presence of a rogue device on the LAN


there should be a “service” /etc/init.d/pcapsipdump to start and stop the daemon and how to set the defaults called.

Thanks dicko I’m starting to get it. It looks like your last comment was cut off

Hi Ed, thought you were missing in action?

Nope. Still kicking

This topic was automatically closed 31 days after the last reply. New replies are no longer allowed.