Phantom phone calls

edlentz · October 4, 2022, 8:03pm

System is a version 14 Asterisk version 13. It has several hundred phones on it. The system is a server grade system and been installed for several years.
We have an extension that will go off hook and dial a specific extension within the system, be answered by the distant voicemail (since it doesn’t get answered) and hangs up. The user most times is across the room from the phone and hears it go off hook and the whole call over speakerphone. The call does show up in the CDR report. Sometimes the phantom calls are after hours as well. There doesn’t appear to be any nefarious calls outside the system.

The traffic on the system is so much that we haven’t been able to catch it in a tcpdump yet.
Things we have done:

Defaulted the phone
Replaced the phone with one of the same make / model
Deleted the extension in the system and changed the secret.
Stopped FOP2
Made sure that the phone didn’t have a stuck button (BLF) for the distant extension.
Phone is stand alone ie: no BLF/DSS sidecar

If it possible to send a command to a phone and have it dial all by itself?

The following settings are at default:

Accept SIP TRust Server Only is set to false
Enable Peer to Perr is set to allow
My thinking is to try a different phone manufacturer in case there is an exploit that is being taken advantage of. The phones are no longer under warranty and or the company will not provide updated firmware.

edlentz · October 4, 2022, 8:50pm

Thanks david55

As soon as I can get to that phone I will make those changes. I do not know if they are using the page function on the phone, but that is possible since it is in a school. I’ll check that out. Also, I think I can get a full CDR export of one of those calls

sorvani · October 4, 2022, 10:44pm

What model of phone?
Are you using PJSIP?

edlentz · October 4, 2022, 11:11pm

Atcom

Chan sip

dicko · October 4, 2022, 11:14pm

Accept SIP TRust Server Only is set to false

might not be a good idea

edlentz · October 5, 2022, 2:37pm

Thanks Dicko,

I was able to log into the phone directly and this is what I found

Accept SIP TRust Server Only is set to true
Phone call log shows some of the calls at times there wouldn’t be anyone there
There is a BLF key programmed for the ext that is phantom called ( Deleted it)
Auto Answer is disabled

There are no page zones programmed in the system. They have a sip based paging system. There are entries in the multicast paging portion.

dicko · October 5, 2022, 3:03pm

For troubleshooting occasional problems like this I use

edlentz · October 5, 2022, 3:17pm

That looks like a game changer there! Thanks for the tip Dicko!

edlentz · October 6, 2022, 1:27pm

I updated all the modules and now getting this error:

exit: 1
Unable to continue. died in splice ext-intercom . in /var/www/html/admin/libraries/extensions.class.php on line 197
#0 /var/www/html/admin/modules/clearlydevices/Clearlydevices.class.php(527): extensions->splice(‘ext-intercom’, '.', ‘check’, Object(ext_noop), ‘clearlydevices’, -3)
#1 /var/www/html/admin/libraries/BMO/DialplanHooks.class.php(107): FreePBX\modules\Clearlydevices->doDialplanHook(Object(extensions), ‘asterisk’, 900)
#2 /var/lib/asterisk/bin/retrieve_conf(861): FreePBX\DialplanHooks->processHooks(‘asterisk’, Array)
#3 {main}

I found this but no relief: Probelm after Module updates

edlentz · October 6, 2022, 7:55pm

I have it working so that it gets ALL sip sessions. In the instructions there is a -n switch to only capture specific extensions. I tried using -n 101 to capture a call for extension 101 It didn’t weed out those calls. What is the systax for that? Or does it work. Second question how can I start that and close the ssh session?
Thanks alot!

edlentz · October 6, 2022, 8:23pm

Here is a file name for a session from extension 205

20221006-151522-205-205-b62c4462-03c8-4927-892d-9cf229b9f642.pcap

It must be pulling that info from the To and From message headers

dicko · October 6, 2022, 8:29pm

Indeed, source and destination are derived by analysis of the complete session,

pcapsipdump -h

-d Set directory (or filename template), where captured files will be stored.
ex.: -d /var/spool/pcapsipdump/%Y%m%d/%H/%Y%m%d-%H%M%S-%f-%t-%i.pcap
.
.

Following %-codes are expanded in -d and -t: %f (from/caller), %t (to/callee),
%i (call-id), and call date/time (see ‘man 3 strftime’ for details)
Trailing argument is pcap filter expression syntax, see ‘man 7 pcap-filter’

here your %f (from/caller) and your %t (to/callee) are both 205.

calls them selves can be filtered on INVITE only, but REGISTER might clue the presence of a rogue device on the LAN

-m ^INVITE$
or
-m ^INVITE|REGISTER$

there should be a “service” /etc/init.d/pcapsipdump to start and stop the daemon and how to set the defaults called.

edlentz · October 6, 2022, 8:52pm

Thanks dicko I’m starting to get it. It looks like your last comment was cut off

sippy · October 9, 2022, 6:07pm

Hi Ed, thought you were missing in action?

edlentz · October 9, 2022, 7:19pm

Nope. Still kicking

system · November 9, 2022, 7:20pm

This topic was automatically closed 31 days after the last reply. New replies are no longer allowed.