Is someone trying to connect to my PBX?

Discussion in '3CX Phone System - General' started by hainesk967, May 31, 2011.

Thread Status:
Not open for further replies.
  1. hainesk967

    Joined:
    May 23, 2011
    Messages:
    38
    Likes Received:
    0
    I saw this in my Server Activity Log and am confused by it. I am not using Asterisk PBX, and the IP address traces back to a onestop.net cloud server. What does this mean? Any help will be appreciated!


    11:09:49.295 [CM500002]: Unidentified incoming call. Review INVITE and adjust source identification:
    INVITE sip:9011442070661000@71.236.202.97 SIP/2.0
    Via: SIP/2.0/UDP 74.208.238.66:36967;branch=z123RE8gBkor3;rport=36967
    Max-Forwards: 70
    Contact: <sip:asterisk@74.208.238.66>
    To: <sip:9011442070661000@71.236.202.97>
    From: "asterisk"<sip:asterisk@74.208.238.66>;tag=z321RE8gBkor3
    Call-ID: abc124836edfb@74.208.238.66
    CSeq: 102 INVITE
    Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO
    Supported: replaces
    User-Agent: Asterisk PBX
    Content-Length: 0
     
  2. hainesk967

    Joined:
    May 23, 2011
    Messages:
    38
    Likes Received:
    0
    I suppose someone might just be calling me from an Asterisk PBX? Is this what it would look like? Do I need to adjust my incoming call rules to accept these?
     
  3. Cjay

    Cjay New Member

    Joined:
    Feb 24, 2007
    Messages:
    189
    Likes Received:
    0
    More likely someone is trying to take advantage of your PBX hospitality. The number they are attempting to call is interesting, since it is made up of the US IDD code (011) and then a UK number which is for the Financial Services Authority. Unless you know that this is a legitimate remote extension, this is probably a probe to see if your PBX can be used to make free calls. Are you running a firewall?
     
  4. hainesk967

    Joined:
    May 23, 2011
    Messages:
    38
    Likes Received:
    0
    Yes, I am using a firewall and the only port that is forwarded to my server is 5060. I think that to dial the UK from the US you have to use 011+44. I didn't notice the number involved. It looks like it didn't go through anyway. Is there any way to stop this from happening or will I just notice this from time to time?
     
  5. Cjay

    Cjay New Member

    Joined:
    Feb 24, 2007
    Messages:
    189
    Likes Received:
    0
    On my firewall I block everything targeting port 5060 except packets coming from the known IPs of my VOIP providers. As I only have 2 providers this is easily done.
     
  6. hainesk967

    Joined:
    May 23, 2011
    Messages:
    38
    Likes Received:
    0
    Ok, thanks a lot for the help!
     
  7. leejor

    leejor Well-Known Member

    Joined:
    Jan 22, 2008
    Messages:
    10,371
    Likes Received:
    230
    I had one of those last night, same phone number (without the leading 9), which I looked up this morning. Will have to have a look and see if it came from the same IP as yours. (The attempt on mine came from 173.237.189.70, which translates to ..ajax.vivawebhost.com.) Someone is up to no good, I suspect....
     
  8. hainesk967

    Joined:
    May 23, 2011
    Messages:
    38
    Likes Received:
    0
    Hey,
    How do I go back further in my server activity log to check for any other instances of this happening?
     
  9. leejor

    leejor Well-Known Member

    Joined:
    Jan 22, 2008
    Messages:
    10,371
    Likes Received:
    230
    http://www.3cx.com/forums/server-activity-log-historic-log-files-where-are-they-19768.html
     
  10. hainesk967

    Joined:
    May 23, 2011
    Messages:
    38
    Likes Received:
    0
    Since I'm using Server 2008, that doesn't help....
     
  11. hainesk967

    Joined:
    May 23, 2011
    Messages:
    38
    Likes Received:
    0
    FYI: I was able to find it under c:\programdata\3cx\data\logs\3cxphonesystem.log

    All dates are apparently combined into that one file.
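
A way to search that combined log for further probes like the one quoted at the top of the thread, as an added example that is not part of the original posts or 3CX's own tooling. It assumes the file keeps the layout of the excerpt above (an entry line carrying `[CM500002]` followed by the raw INVITE); the function names are hypothetical, and the second sample entry is constructed with a documentation-range IP.

```python
import re
from collections import defaultdict

# Constructed sample: first entry abridged from the excerpt in this thread,
# second entry invented for illustration (192.0.2.10 is a documentation IP).
SAMPLE_LOG = """\
11:09:49.295 [CM500002]: Unidentified incoming call. Review INVITE and adjust source identification:
INVITE sip:9011442070661000@71.236.202.97 SIP/2.0
Via: SIP/2.0/UDP 74.208.238.66:36967;branch=z123RE8gBkor3;rport=36967
User-Agent: Asterisk PBX
02:14:07.101 [CM500002]: Unidentified incoming call. Review INVITE and adjust source identification:
INVITE sip:011442070661000@71.236.202.97 SIP/2.0
Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bKconstructed;rport=5060
User-Agent: Asterisk PBX
"""

ENTRY = re.compile(r"^(.*?)\s?\[([A-Z]+\d+)\]: (.*)$")   # start of any log entry
INVITE = re.compile(r"^INVITE sip:([^@\s]+)@")            # dialed number
VIA = re.compile(r"^Via: SIP/2\.0/\w+ ([0-9.]+)")         # address the sender claims
UA = re.compile(r"^User-Agent: (.+)$")

def find_probes(text):
    """Return one dict per 'Unidentified incoming call' entry."""
    probes, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if m:  # a new entry ends the INVITE dump we were collecting
            cur = None
            if m.group(2) == "CM500002" and "Unidentified incoming call" in m.group(3):
                cur = {"time": m.group(1), "dialed": None, "source": None, "agent": None}
                probes.append(cur)
            continue
        if cur is None:
            continue
        for key, rx in (("dialed", INVITE), ("source", VIA), ("agent", UA)):
            m = rx.match(line)
            if m and cur[key] is None:  # first match wins (topmost Via = last hop)
                cur[key] = m.group(1)
    return probes

def by_source(probes):
    """Group dialed numbers by source address to spot repeated probing."""
    grouped = defaultdict(list)
    for p in probes:
        grouped[p["source"]].append(p["dialed"])
    return dict(grouped)
```

To run it against the real file, read `c:\programdata\3cx\data\logs\3cxphonesystem.log` with `open(..., errors="replace")` and pass the text to `find_probes`; the grouped result gives the source addresses to compare against the firewall allow list described earlier in the thread.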
     
  12. voipbaennjer

    Joined:
    Jul 10, 2009
    Messages:
    44
    Likes Received:
    0
    @ Cjay
    I get those attempts also once in a while. 3CX so far has blocked all of them. What firewall do you use where you can block all traffic except the one coming from your VOIP provider??
     
  13. leejor

    leejor Well-Known Member

    Joined:
    Jan 22, 2008
    Messages:
    10,371
    Likes Received:
    230
    I'm seeing that every once in a while too. Obviously from the same source, as the phone number they are trying to "test" to is only slightly different. It's coming from various IPs in "bursts" of 5 or 6 "probes
     