[CM500002] error on incoming call, I think.

Discussion in '3CX Phone System - General' started by 3cxnub, Nov 1, 2014.

Thread Status:
Not open for further replies.
  1. 3cxnub

    Joined:
    Nov 1, 2014
    Messages:
    38
    Likes Received:
    4
    I have used 3cx for about 2 months with not many problems, but today I started to get this error, see below:


    -------
    31-Oct-2014 16:33:08.654 [CM500002]: Unidentified incoming call. Review INVITE and adjust source identification:
    Invite-UNK Recv Req INVITE from 192.168.2.1:5060 tid=-7fbcdc239c39e370a61a52ee44867c14 Call-ID=7fbcdc239c39e370a61a52ee44867c14:
    INVITE sip:9011441382000269@192.168.2.2:5060 SIP/2.0
    Via: SIP/2.0/UDP 192.168.2.1:5060;branch=z9hG4bK-7fbcdc239c39e370a61a52ee44867c14;rport=5060
    Max-Forwards: 70
    Record-Route: <sip:9011441382000269@192.168.2.1;lr>
    Contact: <sip:7001@192.168.2.1:5060>
    To: "9011441382000269"<sip:9011441382000269@192.168.2.1:5060>
    From: "7001"<sip:7001@192.168.2.1:5060>;tag=0217ce5c
    Call-ID: 7fbcdc239c39e370a61a52ee44867c14
    CSeq: 1 INVITE
    Allow: INVITE, ACK, CANCEL, BYE
    Content-Type: application/sdp
    User-Agent: sipcli/v1.8
    Content-Length: 278

    v=0
    o=sipcli-Session 764863912 221672684 IN IP4 192.168.2.1
    s=sipcli
    c=IN IP4 192.168.2.1
    t=0 0
    m=audio 16488 RTP/AVP 18 0 8 101
    a=fmtp:101 0-15
    a=rtpmap:18 G729/8000
    a=rtpmap:0 PCMU/8000
    a=rtpmap:8 PCMA/8000
    a=rtpmap:101 telephone-event/8000
    a=ptime:20
    a=sendrecv
    -------

    I would not even have seen the above error if it had not repeated itself 25 times and blacklisted my provider's trunk.

    The IP address "192.168.2.1" listed is my VoIP provider's IP address; all calls come from this IP.

    The "INVITE sip:9011441382000269" looks like some kind of international number.

    I don't have an extension 7001 listed "From: "7001"<sip:7001@192.168.2.1:5060>;tag=0217ce5c"



    I find this in the server event log:
    event id 12290 The IP 192.168.2.1 has been blacklisted for 86400 sec. Reason: Too many failed authentications!
    event id 4100 Trunk L:10001(megapath) has changed status to unregistered. This means that no more calls will pass via this trunk. Please check your network connection and the voip provider or
    event id 12293 Registration at megapath has failed. Destination (sip:*removed*@192.168.2.1:5060) is not reachable, DNS error resolving FQDN, or service is not available.

    I removed the IP "192.168.2.1" from the IP blacklist and reregistered my provider, and everything is working fine.

    I would appreciate any help. My first thought was someone is trying to access 3CX from the outside to make calls, so I checked my firewall and I do not have any open ports accessible from the public IP address.


    Thanks!

    3cxnub.
     
  2. leejor

    leejor Well-Known Member

    Joined:
    Jan 22, 2008
    Messages:
    11,117
    Likes Received:
    329
    Other than the fact that all the IPs are private (I'm not sure if you are hiding the actual IP or your provider has you behind some sort of router), I would say that someone is trying to push through a direct SIP call. They send a 9, then an international number, in various forms, to see if they can get one to go through. In the cases I've seen, the calls will come from various public IPs.

    The security feature in 3CX will soon blacklist this, as you've discovered.
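
The pattern leejor describes (a 9, then an international number, pushed in as a direct SIP call) can be checked for in logged INVITEs. The following is an added example, not part of the thread and not 3CX code: the sample INVITE is constructed from headers quoted in the first post, and the extension list, dial-string pattern and user-agent list are assumptions for illustration.

```python
import re

# Constructed sample: header lines copied from the INVITE quoted in the first post.
SAMPLE_INVITE = """\
INVITE sip:9011441382000269@192.168.2.2:5060 SIP/2.0
Via: SIP/2.0/UDP 192.168.2.1:5060;branch=z9hG4bK-7fbcdc239c39e370a61a52ee44867c14;rport=5060
Contact: <sip:7001@192.168.2.1:5060>
To: "9011441382000269"<sip:9011441382000269@192.168.2.1:5060>
From: "7001"<sip:7001@192.168.2.1:5060>;tag=0217ce5c
User-Agent: sipcli/v1.8
"""

# Assumptions for illustration (not 3CX settings): configured extensions and agents to flag.
KNOWN_EXTENSIONS = {"100", "101", "102"}
SUSPECT_AGENTS = ("sipcli",)  # the agent string seen in the post's log
# Assumed pattern: optional outside-line 9, an international access prefix, then digits.
DIALOUT_RE = re.compile(r"^9?(011|00)\d{7,}$")

def parse_invite(text):
    """Return lower-cased headers plus the Request-URI user and the From user."""
    lines = text.strip().splitlines()
    m = re.match(r"INVITE\s+sips?:([^@;>\s]+)@", lines[0])
    fields = {"target": m.group(1) if m else None}
    for line in lines[1:]:
        if not line.strip():
            break  # a blank line ends the headers; the SDP body follows
        name, _, value = line.partition(":")
        fields[name.strip().lower()] = value.strip()
    frm = re.search(r"<sips?:([^@;>]+)@", fields.get("from", ""))
    fields["caller"] = frm.group(1) if frm else None
    return fields

def toll_fraud_indicators(text, extensions=KNOWN_EXTENSIONS):
    """List the reasons an inbound INVITE looks like a dial-through probe."""
    inv = parse_invite(text)
    hits = []
    if inv["target"] and DIALOUT_RE.match(inv["target"]):
        hits.append("international-dial-string-in-request-uri")
    caller = inv["caller"] or ""
    if re.fullmatch(r"\d{2,5}", caller) and caller not in extensions:
        hits.append("extension-like-caller-not-configured")
    ua = inv.get("user-agent", "").lower()
    if any(ua.startswith(agent) for agent in SUSPECT_AGENTS):
        hits.append("suspect-user-agent")
    return hits

if __name__ == "__main__":
    print(toll_fraud_indicators(SAMPLE_INVITE))
```

A normal inbound call addressed to a configured extension or DID, with a full-length caller ID, produces an empty list.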
     
  3. 3cxnub

    Joined:
    Nov 1, 2014
    Messages:
    38
    Likes Received:
    4
    Hi, leejor.

    Yes, 192.168.2.1 is a private IP address; all my connections are made to it. 192.168.2.2 is the machine that 3CX is running on.

    I have logged into my provider to see what incoming calls I received and none match the international number in question, only failed domestic/local calls in the time that 192.168.2.1 was blacklisted.

    I have port scanned the public side of the 192.168.2.1 router and no ports are open.


    To my knowledge there is no way to contact my 3cx system from the outside internet, I am overlooking something basic.




    Thanks for the reply.
     
  4. leejor

    leejor Well-Known Member

    Joined:
    Jan 22, 2008
    Messages:
    11,117
    Likes Received:
    329
    Every indication is that someone is trying to hack into your system by sending Direct SIP calls and hoping to be able to dial back out.

    I'm just a bit confused as to why all of the IPs shown are private IPs. 192.168.xxx.xxx.

    In most attempted hacks, the public IP of the originator shows and can be blocked (blacklisted).

    If your provider does not assign your router a public IP, then that may be the reason. I've seen some do that to save handing out public IPs.
     
  5. lneblett

    lneblett Well-Known Member

    Joined:
    Sep 7, 2010
    Messages:
    2,086
    Likes Received:
    65
    I had the same thing a couple of weeks ago, but in my case, port 5060 was not being used as the client is using Patton gateways into AT&T. Also, in this case, they were successful in making outbound calls to a variety of countries. AT&T fraud called the client about it. I looked in the call reporter software and sure enough the calls were there and using the owner's extension. At first I thought it must be the nightly cleaning crew, but I just happened to be dialed into the client's system and actually caught a call in progress during work hours. They were using a "make Call" like that from the MyPhone or 3CXPhone client software. I have no idea what the originating IP is or how it penetrated the firewall, but in the end I got them to upgrade to V12 from V10 and used the added security features (country calling and notify if unauthorized country code is dialed). We also blocked at AT&T and changed the passwords.
     