System is version 14, Asterisk version 13. It has several hundred phones on it. The system is a server-grade system and has been installed for several years.
We have an extension that will go off hook and dial a specific extension within the system, be answered by the distant voicemail (since it doesn’t get answered) and hangs up. The user most times is across the room from the phone and hears it go off hook and the whole call over speakerphone. The call does show up in the CDR report. Sometimes the phantom calls are after hours as well. There doesn’t appear to be any nefarious calls outside the system.
The traffic on the system is so much that we haven’t been able to catch it in a tcpdump yet.
Things we have done:
Defaulted the phone
Replaced the phone with one of the same make / model
Deleted the extension in the system and changed the secret.
Stopped FOP2
Made sure that the phone didn’t have a stuck button (BLF) for the distant extension.
Phone is stand-alone, i.e. no BLF/DSS sidecar.
Is it possible to send a command to a phone and have it dial all by itself?
The following settings are at default:
Accept SIP Trust Server Only is set to false
Enable Peer to Peer is set to allow
My thinking is to try a different phone manufacturer in case there is an exploit that is being taken advantage of. The phones are no longer under warranty and/or the company will not provide updated firmware.
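Since the phantom calls do show up in the CDR, one defensive step is to pull the suspect extension's records out of Asterisk's Master.csv and flag the ones that match the described pattern (landed in voicemail, or placed after hours). The script below is an added example, not code from the thread; the field order is Asterisk's cdr_csv layout with uniqueid/userfield enabled, the records are constructed, and the business hours and extension numbers are assumptions.

```python
import csv
import io
from datetime import datetime, time

# Field order of Asterisk's cdr_csv Master.csv (uniqueid/userfield enabled).
FIELDS = ["accountcode", "src", "dst", "dcontext", "clid", "channel",
          "dstchannel", "lastapp", "lastdata", "start", "answer", "end",
          "duration", "billsec", "disposition", "amaflags", "uniqueid",
          "userfield"]

# Constructed sample records (not from the poster's system): extension 101
# calling 205. Record 1 ends in voicemail, record 2 is a normal daytime call
# that should not be flagged, record 3 is after hours and ends in voicemail.
SAMPLE_CDR = """\
"","101","205","from-internal","Room 12 <101>","SIP/101-0000a1f0","SIP/205-0000a1f1","VoiceMail","205@default,u","2019-03-04 10:12:05","2019-03-04 10:12:21","2019-03-04 10:12:40","35","19","ANSWERED","3","1551694325.2591",""
"","101","205","from-internal","Room 12 <101>","SIP/101-0000a2c3","SIP/205-0000a2c4","Dial","SIP/205,15,tr","2019-03-04 13:40:02","2019-03-04 13:40:06","2019-03-04 13:45:10","308","304","ANSWERED","3","1551706802.2713",""
"","101","205","from-internal","Room 12 <101>","SIP/101-0000a3d9","SIP/205-0000a3da","VoiceMail","205@default,u","2019-03-04 23:17:44","2019-03-04 23:18:00","2019-03-04 23:18:12","28","12","ANSWERED","3","1551741464.2840",""
"""

# Assumed working hours for the site; anything outside is "after hours".
BUSINESS_START, BUSINESS_END = time(7, 30), time(17, 30)


def parse_cdr(text):
    """Parse Master.csv text into a list of dicts keyed by FIELDS."""
    return [dict(zip(FIELDS, row)) for row in csv.reader(io.StringIO(text))]


def flag_phantom_calls(records, suspect_src):
    """Return (uniqueid, reasons) for calls from suspect_src that match the
    phantom pattern: the leg ended in VoiceMail, or it started after hours."""
    flagged = []
    for rec in records:
        if rec["src"] != suspect_src:
            continue
        reasons = []
        if rec["lastapp"] == "VoiceMail":
            reasons.append("ended in voicemail")
        start = datetime.strptime(rec["start"], "%Y-%m-%d %H:%M:%S")
        if not (BUSINESS_START <= start.time() <= BUSINESS_END):
            reasons.append("after hours")
        if reasons:
            flagged.append((rec["uniqueid"], reasons))
    return flagged


if __name__ == "__main__":
    for uid, why in flag_phantom_calls(parse_cdr(SAMPLE_CDR), "101"):
        print(uid, ", ".join(why))
```

The flagged uniqueids are what you then look up in the full log (or a SIP capture) to see which side actually originated the INVITE.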
I don’t see how your last item would make a difference;
you need to provide details from the CDR (although better from a verbose full log) for anyone to make intelligent guesses. However, I would set (1) to true and (2) to false.
The ability to force them off hook in speaker mode is the security downside of allowing paging. IP phones generally have this disabled by default, for this reason, so, if you don’t page them,
If they are being attacked, I’d suggest the attacker is contacting them directly and using auto-answer to get them into a state in which they can then use REFER, on the assumption that a direct attack on the PABX would not allow chargeable calls, but a call from the phone would.
I’m not sure why it is going to extensions; maybe the start of the premium number they are trying to dial looks like a local extension.
As soon as I can get to that phone I will make those changes. I do not know if they are using the page function on the phone, but that is possible since it is in a school. I’ll check that out. Also, I think I can get a full CDR export of one of those calls.
I have it working so that it gets ALL SIP sessions. In the instructions there is a -n switch to only capture specific extensions. I tried using -n 101 to capture a call for extension 101. It didn’t weed out those calls. What is the syntax for that? Or does it work? Second question: how can I start that and close the ssh session?
Thanks a lot!
A typical FreePBX extension will be accessed by its IP address, for calls to it, not the FreePBX extension number, although it could vary with the device, as what appears will actually be what the device provided in its REGISTER Contact header.