Phantom calls from extension 1001?

Discussion in '3CX Phone System - General' started by ddavis829, Jan 29, 2015.

Thread Status:
Not open for further replies.
  1. ddavis829

    Joined:
    Jan 9, 2015
    Messages:
    5
    Likes Received:
    0
    Hello,

    We have a remote office that hooks up to 3CX. They are using Yealink phones. For some reason, all the phones at this office (about 5 phones) ring simultaneously and show "1001" on the caller ID. It happens every hour. There is silence when someone picks up. I can find no indication in the 3CX logs that the rings are originating from the PBX software.

    Any idea what I'm dealing with here? Is there something malicious going on? It started out of nowhere after an installation that has been there for well over a year now.

    Thanks,

    Dan
     
  2. lneblett

    lneblett Well-Known Member

    Joined:
    Sep 7, 2010
    Messages:
    2,061
    Likes Received:
    56
    These are likely direct SIP calls and not going through 3CX at all.

    There are many, many folks out there always trying to find vulnerabilities to exploit. They do so in the hopes that they might be lucky enough to find a PBX or extension that they can use to make phone calls. It depends on the security you have implemented and the safeguards to minimize (eliminate??????) the possibility.

    SIPVicious is one such program that is used to scan for open ports and with a SIP message that, once the open port is found, will then generate various commands to control the phone (ring it, CTI, make call, etc.). I am sure there are many others.

    There are various steps you can take, and you may need to experiment somewhat given how the phones are used:

    1. Disable the ability to make direct SIP calls by going into the phone's web interface
    2. Visit the Yealink website as they have some instructions on how to prevent rogue calls.
    3. If there is a setting similar to allow only trusted sources or servers or the like, try setting it.
    4. You could try and move ports, or set up a VPN or other more secure path. However, the bad guys will often scan many ports, so this may not be a cure.
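
Added example (not part of the original thread, and not 3CX or Yealink code): a triage of captured SIP requests that separates INVITEs relayed by the PBX from ones sent straight to a phone, and reports the caller ID the phone would display. The PBX address, phone address and both sample packets are constructed from documentation IP ranges, and `friendly-scanner` is the default SIPVicious User-Agent, which a sender can change.

```python
import ipaddress
import re

# Constructed values, not from the thread: PBX address, phone address and
# both sample packets use documentation IP ranges.
TRUSTED_PBX = [ipaddress.ip_network("198.51.100.10/32")]
SCANNER_AGENTS = ("friendly-scanner", "sipvicious")  # a hint only, trivially changed

def parse_sip(raw):
    """Return (method, request_uri, headers) for a raw SIP request."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    m = re.match(r"([A-Z]+) (\S+) SIP/2\.0$", lines[0])
    if not m:
        raise ValueError("not a SIP request: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return m.group(1), m.group(2), headers

def triage_invite(src_ip, raw):
    """Return (displayed caller ID, reasons the INVITE looks like a direct call)."""
    method, _uri, headers = parse_sip(raw)
    if method != "INVITE":
        return None, []
    m = re.search(r"<sips?:([^@>;]+)@", headers.get("from", ""))
    caller = m.group(1) if m else None
    reasons = []
    # The check that matters: did the packet come from the PBX at all?
    if not any(ipaddress.ip_address(src_ip) in net for net in TRUSTED_PBX):
        reasons.append("source is not the PBX")
    agent = headers.get("user-agent", "")
    if any(tag in agent.lower() for tag in SCANNER_AGENTS):
        reasons.append("scanner User-Agent")
    return caller, reasons

GHOST = ("INVITE sip:1001@192.0.2.25:5060 SIP/2.0\r\n"
         "Via: SIP/2.0/UDP 203.0.113.77:5071;branch=z9hG4bK-1\r\n"
         'From: "1001" <sip:1001@203.0.113.77>;tag=a1\r\n'
         "To: <sip:1001@192.0.2.25>\r\n"
         "User-Agent: friendly-scanner\r\n\r\n")
PBX_CALL = ("INVITE sip:102@192.0.2.25:5060 SIP/2.0\r\n"
            "Via: SIP/2.0/UDP 198.51.100.10:5060;branch=z9hG4bK-2\r\n"
            'From: "Front Desk" <sip:101@198.51.100.10>;tag=b2\r\n'
            "User-Agent: ExamplePBX\r\n\r\n")

if __name__ == "__main__":
    for src, pkt in (("203.0.113.77", GHOST), ("198.51.100.10", PBX_CALL)):
        print(src, triage_invite(src, pkt))
```

The source-address check is the one to rely on; the User-Agent match only helps label traffic that has already failed it.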
     
  3. ddavis829

    Joined:
    Jan 9, 2015
    Messages:
    5
    Likes Received:
    0
    Thank you for the quick response. My first plan was to move the ports. I really wish there was a setting on the phone to white list the server and not accept anything else.

    I will try out your suggestions.

    Thanks!

    Dan
     
  4. leejor

    leejor Well-Known Member

    Joined:
    Jan 22, 2008
    Messages:
    10,356
    Likes Received:
    224
    Since it's a remote office, with more than one set, do you have the sets behind the 3CX SBC, or simply behind a router? If just a router, then you would have to use that, or a firewall programme, to block/filter SIP messages. Unfortunately, many of the basic/lower cost routers do not provide this function.
    If the sets are just behind a router, each with a unique port number, you could try changing the ports from the traditional 506X range to something less (SIP) obvious. Although this probably won't eliminate the problem (depending on what the hackers are using), it might help.

    I'm not certain as to why all of the phones are ringing at once. Direct SIP calls will generally target one extension number at a time (I'm assuming that each set is a different extension number).
     
  5. complex1

    complex1 Active Member

    Joined:
    Jan 25, 2010
    Messages:
    752
    Likes Received:
    38
    Hi,

    The easiest way to solve this issue is to do what lneblett replied at point 2.
    See: http://forum.yealink.com/forum/showthread.php?tid=3177
     
  6. ddavis829

    Joined:
    Jan 9, 2015
    Messages:
    5
    Likes Received:
    0
    Thanks everyone. I changed the SIP port numbers on all the phones and that appeared to stop the problem (until they find those ports).

    As far as them all ringing at once, it wouldn't surprise me if the attacker blasted a range of nearby ports, triggering them nearly simultaneously.

    Thanks again for your advice.

    Dan
     