rev.ponytelecom.eu sending out SIP requests from my IPPBX

kscallen · 04-02-2020, 10:27 AM

Hi,

I'm an IP PBX admin new to this forum. I usually don't have to administer the Linux side of things, but because of the COVID-19 crisis, we have to improvise a bit.

Our PBX is Running on FreeBSD version 11.3 release -p3

I was checking traffic with wireshark when I realised I had an unwanted visitor. I tried blocking traffic from firewall but realised something had installed itself on my server and running connection attemps from the inside to the outside.

I went through multiple forums. Tried blocking different IP addresses in my firewall but nothing works.

I need to find and Kill this process ...
How do I locate the process that's running these requests ?
And, how do I kill it for good ?

here are a couple of samples :
PCAP FROM ROUTER:
11:17:29.714762 IP "MYIPADDRESS"-ent-hood-staticipeast.wireless.telus.com.5060 > 163-172-230-4.rev.poneytelecom.eu.555
02: SIP: SIP/2.0 404 Not Found
11:17:41.719531 IP "MYIPADDRESS"-ent-hood-staticipeast.wireless.telus.com.5060 > 163-172-230-4.rev.poneytelecom.eu.555
02: SIP: SIP/2.0 404 Not Found
11:17:33.716341 IP "MYIPADDRESS"-ent-hood-staticipeast.wireless.telus.com.5060 > 163-172-230-4.rev.poneytelecom.eu.555
02: SIP: SIP/2.0 404 Not Found
11:17:37.717958 IP "MYIPADDRESS"-ent-hood-staticipeast.wireless.telus.com.5060 > 163-172-230-4.rev.poneytelecom.eu.555
02: SIP: SIP/2.0 404 Not Found

FROM PBX

11:17:38.845157 IP tactical80102.usar.local.sip > 163-172-230-4.rev.poneytelecom.eu.55502: SIP: SIP/2.0 404 Not Found
11:17:42.846765 IP tactical80102.usar.local.sip > 163-172-230-4.rev.poneytelecom.eu.55502: SIP: SIP/2.0 404 Not Found
11:17:46.848540 IP tactical80102.usar.local.sip > 163-172-230-4.rev.poneytelecom.eu.55502: SIP: SIP/2.0 404 Not Found
11:17:50.850131 IP tactical80102.usar.local.sip > 163-172-230-4.rev.poneytelecom.eu.55502: SIP: SIP/2.0 404 Not Found
11:17:54.851831 IP tactical80102.usar.local.sip > 163-172-230-4.rev.poneytelecom.eu.55502: SIP: SIP/2.0 404 Not Found
11:17:58.853464 IP tactical80102.usar.local.sip > 163-172-230-4.rev.poneytelecom.eu.55502: SIP: SIP/2.0 404 Not Found

Thanks so much for any help you guys can provide.

redd9 · 04-03-2020, 11:37 PM

Hmmm... to start this thread off, could you check if something is listening on a port that shouldn't be with

Code:

sockstat -4 -l

and run

Code:

top

just to see what's running to see if something pops out?

ondoho · 04-04-2020, 02:23 AM

poneytelecom... that rings a bell... maybe this helps:
https://www.linuxquestions.org/quest...-s-4175617328/