Phone redials on its own

It’s one single Yealink T46U in an office of a couple dozen. I went looking through the settings and the “auto redial” setting is off, though that is only supposed to redial when the other end is busy. This seems to happen sporadically when he talks to someone and hangs up. Then it calls out again on its own a few minutes later and in the CDR the call only lasts 3 seconds.

It’s not always a few minutes later, today there was one that was 80 minutes later, but it does look like a redial since it was the same number as the previous outbound call.

Another thought was that it might be the new cordless Yealink headset, but today’s example happened on speakerphone when the user was out to lunch. Tried resetting it to factory a few weeks back but that didn’t fix it. There aren’t any other unexplained outbound calls, so I don’t think the phone has been compromised. The local log file in the phone (on my test phone here, an older model) doesn’t indicate that the redial button was pushed.

Any suggestions on where else to look?

I confirmed that it only calls out to numbers that were dialed outbound earlier, not any of the inbound callers in between the legitimate outbound call and the later illegitimate outbound call, which is why I’m looking at the redial feature.

Can you change firmware? Is it too late to RMA? Might need to swap the phone to resolve or confirm if the issue is the hardware or the extension.

Going to swap the phone and see what happens.

No luck swapping phones, but in the meantime I found out that this is not actually isolated to one phone, he’s just the only one that’s pointed it out. I don’t see anything in the Asterisk log and I don’t have a good way to run a packet capture on their network for any length of time, so I logged into a phone and found some odd entries in the Dialed List. Not sure what this means, if anything, but there are occasional lines where the phone claims to have dialed a single digit.

Looking at the example from today in the local log on the phone I see it’s having problems getting the time from the DHCP server, and there’s this line at the same time it supposedly dialed the number 5

Not sure if it’s related but just in case I’m updating the time server on all the templates.

I would suggest 192.168.16.156 might be compromised

Ran a packet capture for a few minutes and saw this about edge.txryan.com. I assume this is no good. Or maybe that’s a legitimate time server.

20:39:36.104305 arp who-has 192.168.16.33 tell 192.168.16.154
20:39:36.104324 arp who-has 192.168.16.61 tell 192.168.16.154
20:39:36.172426 arp who-has 192.168.16.154 tell 192.168.16.61
20:39:36.173384 192.168.16.154.56595 > edge.txryan.com.123: udp 48
20:39:36.241754 edge.txryan.com.123 > 192.168.16.154.56595: udp 48
20:39:37.104187 arp who-has 192.168.16.33 tell 192.168.16.154

192.168.16.33 is the DHCP server, .61 I believe is their Windows server, and .156 is the router.
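Since the thread found that more than one phone is affected, the pattern described above (a call of a few seconds to the same number the extension last dialed, minutes or more later) can be searched for across every extension in the CDR. The following is an added example, not code from any poster: it assumes Asterisk's cdr_csv `Master.csv` column order, and the function name, thresholds and sample rows are constructed for illustration.

```python
import csv
import io
from datetime import datetime

# Column order of Asterisk's cdr_csv backend (Master.csv). Assumption: CDRs are
# written by cdr_csv; adapt the field names if they live in a database instead.
FIELDS = ["accountcode", "src", "dst", "dcontext", "clid", "channel", "dstchannel",
          "lastapp", "lastdata", "start", "answer", "end", "duration", "billsec",
          "disposition", "amaflags", "uniqueid", "userfield"]
TS = "%Y-%m-%d %H:%M:%S"

# Constructed sample rows (extensions, numbers and times are made up).
SAMPLE = '''\
"","105","12025550123","from-internal","105","PJSIP/105-01","PJSIP/trunk-02","Dial","","2024-03-04 12:01:10","2024-03-04 12:01:18","2024-03-04 12:04:30",200,192,"ANSWERED","DOCUMENTATION","1.1",""
"","12025550188","105","from-trunk","12025550188","PJSIP/trunk-03","PJSIP/105-04","Dial","","2024-03-04 12:10:00","2024-03-04 12:10:05","2024-03-04 12:12:00",120,115,"ANSWERED","DOCUMENTATION","1.2",""
"","105","12025550123","from-internal","105","PJSIP/105-05","PJSIP/trunk-06","Dial","","2024-03-04 13:24:30","","2024-03-04 13:24:33",3,0,"NO ANSWER","DOCUMENTATION","1.3",""
"","112","12025550144","from-internal","112","PJSIP/112-07","PJSIP/trunk-08","Dial","","2024-03-04 13:30:00","","2024-03-04 13:30:04",4,0,"BUSY","DOCUMENTATION","1.4",""
"","112","12025550144","from-internal","112","PJSIP/112-09","PJSIP/trunk-0a","Dial","","2024-03-04 13:30:20","2024-03-04 13:30:25","2024-03-04 13:30:50",30,25,"ANSWERED","DOCUMENTATION","1.5",""
'''

def find_phantom_redials(csv_text, extensions, max_seconds=5, min_gap=60):
    """Return (src, dst, start, gap_seconds) for calls of at most max_seconds
    that repeat an extension's previous outbound number min_gap seconds or
    more after that previous call ended."""
    last = {}   # extension -> (dst, end time) of its most recent outbound call
    hits = []
    reader = csv.DictReader(io.StringIO(csv_text), fieldnames=FIELDS)
    for row in sorted(reader, key=lambda r: r["start"]):
        if row["src"] not in extensions:
            continue  # inbound calls do not change what "redial" would dial
        start = datetime.strptime(row["start"], TS)
        prev = last.get(row["src"])
        if prev and prev[0] == row["dst"] and int(row["duration"]) <= max_seconds:
            gap = int((start - prev[1]).total_seconds())
            if gap >= min_gap:
                hits.append((row["src"], row["dst"], row["start"], gap))
        last[row["src"]] = (row["dst"], datetime.strptime(row["end"], TS))
    return hits

if __name__ == "__main__":
    for hit in find_phantom_redials(SAMPLE, {"105", "112"}):
        print(hit)
```

Listing the hits per extension and per time of day makes it easier to line them up with the phones' local logs and Dialed List entries.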