LinuxQuestions.org - Linux - Newbie
Thread: https://www.linuxquestions.org/questions/linux-newbie-8/rev-ponytelecom-eu-sending-out-sip-requests-from-my-ippbx-4175672419/

kscallen 04-02-2020 10:27 AM

rev.ponytelecom.eu sending out SIP requests from my IPPBX
 
Hi,

I'm an IP PBX admin, new to this forum. I usually don't have to administer the Linux side of things, but because of the COVID-19 crisis we have to improvise a bit.

Our PBX is running on FreeBSD 11.3-RELEASE-p3.

I was checking traffic with Wireshark when I realised I had an unwanted visitor. I tried blocking the traffic at the firewall but realised something had installed itself on my server and was running connection attempts from the inside to the outside.

I went through multiple forums. Tried blocking different IP addresses in my firewall but nothing works.

I need to find and kill this process...
How do I locate the process that's running these requests?
And how do I kill it for good?

Here are a couple of samples:
PCAP FROM ROUTER:
11:17:29.714762 IP "MYIPADDRESS"-ent-hood-staticipeast.wireless.telus.com.5060 > 163-172-230-4.rev.poneytelecom.eu.55502: SIP: SIP/2.0 404 Not Found
11:17:41.719531 IP "MYIPADDRESS"-ent-hood-staticipeast.wireless.telus.com.5060 > 163-172-230-4.rev.poneytelecom.eu.55502: SIP: SIP/2.0 404 Not Found
11:17:33.716341 IP "MYIPADDRESS"-ent-hood-staticipeast.wireless.telus.com.5060 > 163-172-230-4.rev.poneytelecom.eu.55502: SIP: SIP/2.0 404 Not Found
11:17:37.717958 IP "MYIPADDRESS"-ent-hood-staticipeast.wireless.telus.com.5060 > 163-172-230-4.rev.poneytelecom.eu.55502: SIP: SIP/2.0 404 Not Found

FROM PBX

11:17:38.845157 IP tactical80102.usar.local.sip > 163-172-230-4.rev.poneytelecom.eu.55502: SIP: SIP/2.0 404 Not Found
11:17:42.846765 IP tactical80102.usar.local.sip > 163-172-230-4.rev.poneytelecom.eu.55502: SIP: SIP/2.0 404 Not Found
11:17:46.848540 IP tactical80102.usar.local.sip > 163-172-230-4.rev.poneytelecom.eu.55502: SIP: SIP/2.0 404 Not Found
11:17:50.850131 IP tactical80102.usar.local.sip > 163-172-230-4.rev.poneytelecom.eu.55502: SIP: SIP/2.0 404 Not Found
11:17:54.851831 IP tactical80102.usar.local.sip > 163-172-230-4.rev.poneytelecom.eu.55502: SIP: SIP/2.0 404 Not Found
11:17:58.853464 IP tactical80102.usar.local.sip > 163-172-230-4.rev.poneytelecom.eu.55502: SIP: SIP/2.0 404 Not Found


Thanks so much for any help you guys can provide.
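As an added example (not code from the thread or from any of its posters), here is a small Python parser for tcpdump lines of the shape posted above. It separates SIP responses from requests and picks out the responses leaving the local SIP port: a status line such as `SIP/2.0 404 Not Found` is a response, which a SIP server only sends after receiving a request from that peer, so the per-direction counts show whether the PBX is initiating traffic or answering an outside host. The sample packets are constructed from the posted lines, and the inbound OPTIONS line and the 10.0.0.2 address are invented to exercise the request branch.

```python
import re
from collections import Counter

# Constructed sample modelled on the tcpdump lines in the thread; the router
# capture is joined back onto single lines and one inbound probe is added so
# the request branch is exercised (the OPTIONS line is invented, not captured).
SAMPLE = """\
11:17:38.845157 IP tactical80102.usar.local.sip > 163-172-230-4.rev.poneytelecom.eu.55502: SIP: SIP/2.0 404 Not Found
11:17:42.846765 IP tactical80102.usar.local.sip > 163-172-230-4.rev.poneytelecom.eu.55502: SIP: SIP/2.0 404 Not Found
11:17:29.714762 IP "MYIPADDRESS"-ent-hood-staticipeast.wireless.telus.com.5060 > 163-172-230-4.rev.poneytelecom.eu.55502: SIP: SIP/2.0 404 Not Found
11:18:01.000000 IP 163-172-230-4.rev.poneytelecom.eu.55502 > tactical80102.usar.local.sip: SIP: OPTIONS sip:100@10.0.0.2 SIP/2.0
"""

# tcpdump prints "host.port > host.port: SIP: <first line of the SIP message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+)\.(?P<sport>\w+) > "
    r"(?P<dst>\S+)\.(?P<dport>\w+): SIP: (?P<sip>.*)$")
# A SIP status line starts with the version; a request starts with the method.
RESPONSE_RE = re.compile(r"^SIP/2\.0 (?P<code>\d{3}) ")
SIP_PORTS = {"sip", "5060"}   # tcpdump may print the service name or the number

def parse_line(line):
    """Return a dict for one tcpdump line, or None if it is not a SIP line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    pkt = m.groupdict()
    r = RESPONSE_RE.match(pkt["sip"])
    pkt["kind"] = "response" if r else "request"
    # status code for responses, method (first token) for requests
    pkt["detail"] = r.group("code") if r else pkt["sip"].split(" ", 1)[0]
    return pkt

def summarize(text):
    """Count packets per (src, dst, kind, detail) so repeated traffic collapses
    into a few lines that show who is talking to whom, and with what."""
    return Counter((p["src"], p["dst"], p["kind"], p["detail"])
                   for p in map(parse_line, text.splitlines()) if p)

def responses_from_local_sip_port(text):
    """Responses leaving the local SIP port. A SIP server only sends a response
    to a request it received, so each of these answers an inbound packet from
    the remote peer; they are not evidence of a connection initiated inside."""
    return [p for p in map(parse_line, text.splitlines())
            if p and p["kind"] == "response" and p["sport"] in SIP_PORTS]
```

Feed it the full capture (for example `tcpdump -n -i <iface> port 5060` saved to a file) and compare the summary against `sockstat -4 -l` output: a process that really initiates outbound SIP would appear as the request side with a local ephemeral source port.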

redd9 04-03-2020 11:37 PM

Hmmm... to start this thread off, could you check if something is listening on a port that shouldn't be with
Code:

sockstat -4 -l
and run
Code:

top
just to see what's running to see if something pops out?

ondoho 04-04-2020 02:23 AM

poneytelecom... that rings a bell... maybe this helps:
https://www.linuxquestions.org/quest...-s-4175617328/

