Unauthorized calls

Hi

Please help me to discover how some unauthorized calls are being made through the PBX.

The PBX is running FreePBX Firmware: 5.211.65-20, installed with the distro and updated.

All of the trunks to the outside world are T1 PRIs. There are internal IAX trunks but they have no connectivity to the outside world.

The intrusion detection is set to max retries 1 and it has not stopped any unauthorized traffic, and as all of my trunking to and from the outside is PRI based I believe that they are getting in through the voice mail or the queue. …

As I am not familiar with interpreting the call logs I have posted it below in the hopes that someone can tell me how this call got into the system.

Time Event CNAM CNUM ANI DID AMA exten context App channel UserDefType EventExtra CEL Table
2014-06-05 23:10:44 CHAN_START 6265695978 DEFAULT 1400 from-digital DAHDI/i9/6265695978-16e1
2014-06-05 23:10:44 CHAN_START DEFAULT s from-digital DAHDI/i3/1400-24e8
2014-06-05 23:10:44 ANSWER tdial DEFAULT tdial from-digital AppDial DAHDI/i3/1400-24e8
2014-06-05 23:10:44 ANSWER 6265695978 6265695978 6265695978 1400 DEFAULT tdial ext-trunk Dial DAHDI/i9/6265695978-16e1
2014-06-05 23:10:44 BRIDGE_START 6265695978 6265695978 6265695978 1400 DEFAULT tdial ext-trunk Dial DAHDI/i9/6265695978-16e1
2014-06-05 23:10:58 BLINDTRANSFER 6265695978 6265695978 6265695978 1400 DEFAULT tdial ext-trunk Dial DAHDI/i9/6265695978-16e1
2014-06-05 23:10:58 CHAN_START DEFAULT s from-digital AsyncGoto/DAHDI/i3/1400-24e8
2014-06-05 23:10:58 BRIDGE_END 6265695978 6265695978 6265695978 1400 DEFAULT tdial ext-trunk Dial DAHDI/i9/6265695978-16e1
2014-06-05 23:10:58 CHAN_START DEFAULT s from-digital DAHDI/i5/0112913000443-1ee1
2014-06-05 23:10:58 HANGUP DEFAULT ext-trunk AppDial AsyncGoto/DAHDI/i3/1400-24e8
2014-06-05 23:10:58 CHAN_END DEFAULT ext-trunk AppDial AsyncGoto/DAHDI/i3/1400-24e8
2014-06-05 23:10:58 HANGUP 6265695978 6265695978 6265695978 1400 DEFAULT tdial ext-trunk DAHDI/i9/6265695978-16e1
2014-06-05 23:10:58 CHAN_END 6265695978 6265695978 6265695978 1400 DEFAULT tdial ext-trunk DAHDI/i9/6265695978-16e1
2014-06-05 23:11:31 HANGUP 6265695978 0112913000443 DEFAULT 0112913000443 from-digital AppDial DAHDI/i5/0112913000443-1ee1
2014-06-05 23:11:31 CHAN_END 6265695978 0112913000443 DEFAULT 0112913000443 from-digital AppDial DAHDI/i5/0112913000443-1ee1
2014-06-05 23:11:55 HANGUP DEFAULT 0112913000443 outbound-allroutes DAHDI/i3/1400-24e8
2014-06-05 23:11:55 CHAN_END DEFAULT 0112913000443 outbound-allroutes DAHDI/i3/1400-24e8
2014-06-05 23:11:55 LINKEDID_END DEFAULT 0112913000443 outbound-allroutes DAHDI/i3/1400-24e8

Any help in uncovering how this has happened and in correcting it is greatly appreciated.

Thank you in advance for any help.

Chris

I would suggest you turn PRI debugging on for when the calls are happening. It looks like a facility-initiated call forward between your channels 9, 3 and 5 (are you using QSIG?), so presumably a pass-through system, so investigate any abnormal conditioning on the device attached. Why is your clock off by 6 months?

Apparently extension 1400 did a blind transfer between a number in Alhambra and one in Eritrea.

Thank you for responding.

Sorry, I posted an older example; below is a more recent one.

In this instance 1400 comes in from a PRI and should be sent to a Queue. I just called it and it does reach the queue.

This seems to be happening after hours. After hours the Queue is sent to Voice Mail.

Could the Voice Mail be hacked to do this?

Chris

Time Event CNAM CNUM ANI DID AMA exten context App channel UserDefType EventExtra CEL Table
2014-11-30 06:33:38 CHAN_START 7472009515 DEFAULT 1400 from-digital DAHDI/i9/7472009515-112b
2014-11-30 06:33:38 CHAN_START DEFAULT s from-digital DAHDI/i3/1400-7b0
2014-11-30 06:33:38 ANSWER tdial DEFAULT tdial from-digital AppDial DAHDI/i3/1400-7b0
2014-11-30 06:33:38 ANSWER 7472009515 7472009515 7472009515 1400 DEFAULT tdial ext-trunk Dial DAHDI/i9/7472009515-112b
2014-11-30 06:33:38 BRIDGE_START 7472009515 7472009515 7472009515 1400 DEFAULT tdial ext-trunk Dial DAHDI/i9/7472009515-112b
2014-11-30 06:33:54 BLINDTRANSFER 7472009515 7472009515 7472009515 1400 DEFAULT tdial ext-trunk Dial DAHDI/i9/7472009515-112b
2014-11-30 06:33:54 CHAN_START DEFAULT s from-digital AsyncGoto/DAHDI/i3/1400-7b0
2014-11-30 06:33:54 BRIDGE_END 7472009515 7472009515 7472009515 1400 DEFAULT tdial ext-trunk Dial DAHDI/i9/7472009515-112b
2014-11-30 06:33:54 HANGUP DEFAULT ext-trunk AppDial AsyncGoto/DAHDI/i3/1400-7b0
2014-11-30 06:33:54 CHAN_END DEFAULT ext-trunk AppDial AsyncGoto/DAHDI/i3/1400-7b0
2014-11-30 06:33:54 HANGUP 7472009515 7472009515 7472009515 1400 DEFAULT tdial ext-trunk DAHDI/i9/7472009515-112b
2014-11-30 06:33:54 CHAN_END 7472009515 7472009515 7472009515 1400 DEFAULT tdial ext-trunk DAHDI/i9/7472009515-112b
2014-11-30 06:33:54 CHAN_START DEFAULT s from-digital DAHDI/i9/0112206502733-112d
2014-11-30 06:33:56 ANSWER 7472009515 0112206502733 DEFAULT 0112206502733 from-digital AppDial DAHDI/i9/0112206502733-112d
2014-11-30 06:33:56 BRIDGE_START 8186735722 DEFAULT s macro-dialout-trunk Dial DAHDI/i3/1400-7b0
2014-11-30 06:38:33 BRIDGE_END 8186735722 DEFAULT s macro-dialout-trunk Dial DAHDI/i3/1400-7b0
2014-11-30 06:38:33 HANGUP 7472009515 0112206502733 DEFAULT macro-dialout-trunk AppDial DAHDI/i9/0112206502733-112d
2014-11-30 06:38:33 CHAN_END 7472009515 0112206502733 DEFAULT macro-dialout-trunk AppDial DAHDI/i9/0112206502733-112d
2014-11-30 06:38:33 HANGUP 8186735722 DEFAULT 0112206502733 from-internal-xfer DAHDI/i3/1400-7b0
2014-11-30 06:38:33 CHAN_END 8186735722 DEFAULT 0112206502733 from-internal-xfer DAHDI/i3/1400-7b0
2014-11-30 06:38:33 LINKEDID_END 8186735722 DEFAULT 0112206502733 from-internal-xfer DAHDI/i3/1400-7b0

Disable in-call transfers in your box’s feature codes.
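The pattern visible in the logs above (a BLINDTRANSFER event followed at once by a new leg to an international number) can be searched for across a CEL export. The following is an added example, not part of the original thread; the sample lines and numbers are constructed, and the `011` prefix and 5-second window are assumptions to adjust per site.

```python
import re
from datetime import datetime, timedelta

# Constructed sample (made-up numbers) in the flattened CEL layout posted above.
# Empty columns collapse, so only date, time, event and the final channel
# token are positionally reliable.
SAMPLE_CEL = """\
2014-11-30 06:33:38 CHAN_START 5555550100 DEFAULT 1400 from-digital DAHDI/i9/5555550100-112b
2014-11-30 06:33:38 CHAN_START DEFAULT s from-digital DAHDI/i3/1400-7b0
2014-11-30 06:33:54 BLINDTRANSFER 5555550100 5555550100 5555550100 1400 DEFAULT tdial ext-trunk Dial DAHDI/i9/5555550100-112b
2014-11-30 06:33:54 CHAN_START DEFAULT s from-digital AsyncGoto/DAHDI/i3/1400-7b0
2014-11-30 06:33:54 CHAN_START DEFAULT s from-digital DAHDI/i9/0119995550123-112d
2014-11-30 06:38:33 HANGUP 5555550100 0119995550123 DEFAULT macro-dialout-trunk AppDial DAHDI/i9/0119995550123-112d
2014-12-01 10:02:11 BLINDTRANSFER 5555550111 5555550111 5555550111 1400 DEFAULT tdial ext-trunk Dial DAHDI/i2/5555550111-2001
2014-12-01 10:02:11 CHAN_START DEFAULT s from-digital DAHDI/i4/1401-2002
"""

CHAN_RE = re.compile(r"^(?:AsyncGoto/)?DAHDI/i\d+/(\d+)-[0-9a-f]+$")
INTL_PREFIX = "011"            # assumption: North American international prefix
WINDOW = timedelta(seconds=5)  # assumption: new leg starts right after the transfer


def parse(line):
    """Return (timestamp, event, number embedded in the channel name) or None."""
    tok = line.split()
    m = CHAN_RE.match(tok[-1]) if len(tok) >= 4 else None
    if not m:
        return None
    ts = datetime.strptime(f"{tok[0]} {tok[1]}", "%Y-%m-%d %H:%M:%S")
    return ts, tok[2], m.group(1)


def find_transfer_to_international(text):
    """Flag international legs created within WINDOW of a BLINDTRANSFER."""
    transfers, alerts = [], []
    for line in text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ts, event, number = rec
        if event == "BLINDTRANSFER":
            transfers.append((ts, number))
        elif event == "CHAN_START" and number.startswith(INTL_PREFIX):
            for t_ts, caller in transfers:
                if timedelta(0) <= ts - t_ts <= WINDOW:
                    alerts.append({"time": ts, "caller": caller, "destination": number})
    return alerts


if __name__ == "__main__":
    for a in find_transfer_to_international(SAMPLE_CEL):
        print(f"{a['time']}  transfer on leg {a['caller']} -> {a['destination']}")
```

Running it over a full export and sorting the alerts by hour shows quickly whether the transfers cluster after hours, as described in the thread.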

Thank you again

Just to be sure I am disabling the correct feature codes, are they In-Call Asterisk Attended Transfer and the In-Call Asterisk Blind Transfer?

Just being safe by asking.

Chris

The names seem quite self-explanatory to me :)

Thank you, and agreed.

You were very kind to lend assistance.

Chris

You might also check that neither t nor T are allowed in your “asterisk dial options” for “belt and braces”.

Thank you again.

Please pardon my ignorance, as I am unfamiliar with these settings; the need has not arisen until now to look at them.

At this time the settings are at what I believe to be the default values: Asterisk Dial Options “Ttr” and Asterisk Outbound Trunk Dial Options “Tt”.

Will removing the “T” and the “t” from these have any other impact on my system?

The wiki indicates using extreme caution when changing the advanced settings, thus I am asking to be sure I understand the ramifications before making the changes.

Thank you again for your assistance.

Chris

https://wiki.asterisk.org/wiki/display/AST/Asterisk+11+Application_Dial
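A check for the `t` and `T` Dial() options discussed above, as an added example that is not part of the original thread. The function names are hypothetical; the option strings “Ttr” and “Tt” are the values quoted in the thread, and the parser skips parenthesised arguments so that a letter inside `M(...)` or `L(...)` is not mistaken for an option.

```python
# Dial() options that let a party transfer the call with a DTMF feature code.
TRANSFER_OPTS = {
    "t": "called party may transfer the call",
    "T": "calling party may transfer the call",
}


def split_dial_options(opts):
    """Split a Dial() option string into (letter, argument-or-None) pairs."""
    pairs, i = [], 0
    while i < len(opts):
        letter, arg = opts[i], None
        i += 1
        if i < len(opts) and opts[i] == "(":
            depth, j = 1, i + 1
            while j < len(opts) and depth:
                depth += (opts[j] == "(") - (opts[j] == ")")
                j += 1
            if depth:
                raise ValueError(f"unbalanced parentheses in {opts!r}")
            arg = opts[i + 1:j - 1]   # text between the matching parentheses
            i = j
        pairs.append((letter, arg))
    return pairs


def strip_transfer_options(opts):
    """Return (option string without t/T, list of removed letters)."""
    kept, removed = [], []
    for letter, arg in split_dial_options(opts):
        if letter in TRANSFER_OPTS:
            removed.append(letter)
        else:
            kept.append(letter if arg is None else f"{letter}({arg})")
    return "".join(kept), removed


if __name__ == "__main__":
    for name, value in [("Asterisk Dial Options", "Ttr"),
                        ("Asterisk Outbound Trunk Dial Options", "Tt")]:
        hardened, removed = strip_transfer_options(value)
        print(f"{name}: {value!r} -> {hardened!r} (removed {removed})")
```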

Thank you again and sorry for the slow response.

The link was helpful and all is good now.

Chris