News:

On Tuesday September 6th the forum will be down for maintenance from 9:30 PM to 11:59 PM PDT

Main Menu

Getting constant calls from 2001 and 9001, HELP!

Started by jjtricket, May 17, 2018, 07:20:00 AM

Previous topic - Next topic

jjtricket

Using obi202 with GV, no router, directly connected to modem using Comcast/Xfinity

Just started this morning, has happened before but cannot find previous threads.

update - constant calls from 5000, 4000, 3000


Any help would be appreciated

Mango

#1
Since we don't know what VoIP equipment you're using, nor what router, nor what service provider, nor what configuration you have it all in, we can only offer some general advice.  Wild guess: your OBi2 got updated to use Google Voice with SIP and now your ATA is accepting scanning traffic.

Preferred solutions, in order of most secure to least secure.

1) Disable port forwarding and DMZ on your router, if you have set it up.

2) Set "strict UDP session control" on your router, if you have this option.

3) Disable SIP ALG or SIP Helper, if your router has this.

4) Go buy a better/more secure router, such as any router compatible with Tomato firmware, if your problem hasn't been solved by this point.

5) Use OBi Expert Configuration to enable the setting X_AcceptSipFromRegistrarOnly.

6) Use OBi Expert Configuration to change the X_UserAgentPort to a high/random number between 20000 and 65535, for example, 39119.

Good luck.  Let us know how things go.

jjtricket

#2
Thanks Mango, I updated what I have in original post, no router.


Where is setting X_AcceptSipFromRegistrarOnly at ?

Mango


jjtricket

#4
Thank you very much Mango your advice works!

The calls were coming in every 2 mins, it was crazy

What are they trying to accomplish, any idea?

SHarp


Quote from: Mango on May 17, 2018, 08:08:29 AM


4) Go buy a better/more secure router, such as any router compatible with Tomato firmware, if your problem hasn't been solved by this point.


Something to keep in mind, two of the Tomato developers dropped off the map a number of months ago. Development has continued with two other developers, but the number of compatible routers has went down.

Look for the FreshTomato-MIPS and the FreshTomato-Arm threads on LinksysInfo.org


remrem

#6
UPDATE: I apologize, but about 15 minutes after I posted the long message below, it now  seems my  problem has resolved inexplicably, though I am sure the fix wasn't due to anything I did! (but then again, neither was the problem to begin with)..

Hello,

I am not new to the world of OBI, but today I joined the forum and this is my first post, so please be gentle.
I apologize for the length of this post, but I get the feeling reading the above, that providing you guys with specific details is important for you to help me (and hopefully other users too).  So...

This morning at 8:37 a.m, Line 1 of my 2 line cordless phone system (line 1 is set-up on SP1) rang and the phone display said "9001".  I answered and there was no one there.  I hung up.  1 minute later the same thing happened.  It continued every minute for about 5 minutes, and then it started again but this time my phone "ID" display said "4001", and then it too repeated the cycle just as it had with the "9001" calls.  This pattern then continued with "7000", "6000", "5000", and "4000".   NOTE: When I just let it ring and don't answer it, it rings about 7 times and then stops, before the next call comes in about a minute later.

I am located in Florida.  I have an OBI 202, which has always worked just fine, but this morning I too have been experiencing the exact same phenomenon as the original poster. Oddly, this is only happening on LINE 1 of a 2-line cordless phone system, whose line 1 is plugged into the OBI's "PHONE 1" port, and whose line 2 is plugged into the OBI's "PHONE 2" port.  FYI - I use 2 different GV numbers under 2 different GV accounts - one on SP1 (phone 1 port) and the other on SP2 (phone 2 port).  I use SP3 for Anveo 911 service only, and SP4 is unused.  My OBI 202 is hard wired via Ethernet cable directly to my gateway/modem/router.  
The OBI 202 is the ONLY VOIP equipment I own and I have no other phone providers or services.  The OBI 202's current software version is 3.2.2 (Build: 5859EX).

I am a "residential" user.  My ISP provider is AT&T with Fiber Optic Plan 100 (mbps), with plenty of speed and bandwidth.  My router/modem/gateway provided by AT&T/U-VERSE is a PACE 5268AC.  I have done NOTHING NEW.  The OBI is several years old. The AT&T gateway is at least 3 years old. The cordless phone system is at least 6 years old.  NO NEW EQUIPMENT.  NO CHANGES MADE.  I HAVE SUCCESSFULLY CONNECTED TO GOOGLE VOICE FOR A LONG TIME WITHOUT INCIDENT.

This morning while this was going on,  I logged into my Google Voice accounts thinking I naively thought I would "block" these numbers.  However, I discovered these calls were not coming via GV! There was NO record of any calls or messages.  NEVERTHELESS, JUST TO BE SURE, FROM MY OBI DASHBOARD, I DELETED THE GV ACCOUNT ON SP1.  THE CALLS CONTINUED!  Clearly, this is NOT a GV related issue.

THEN I PHYSICALLY DISCONNECTED LINE 1 OF THE CORDLESS PHONE SYSTEM FROM MY OBI 202's "PHONE 1" port, while leaving line 2 plugged into the OBI "PHONE 2" port.  Thankfully, that stopped my having to listen to these calls ringing line 1 every minute, and I could continue to use Line 2 as normal.  

Although I have gone into the OBI EXPERT section before, just to look around for fun and to learn, I never change the settings and leave them just as they have been automatically configured.  So, this morning, after having deleted and disconnected as described above, with no success, I then  went into the OBI EXPERT section to see if anything looked unusual, but instead of being able to view pages I've visited there in the past, many (not all) of them just displayed  this error message: 404 Not Found / openresty/ 1.9.7.4. , instead of displaying the pages I has viewed in the past.

I have tried repowering/cycling my OBI several times, but the problem continues.  For over 3 hours I left my phone system base disconnected from the OBI LINE 1 port.  Now, here it is at 2:15 p.m, and  I just reconnected to see if the problem was solved, but frustratingly, within a minute of plugging my cordless phone base Line 1 back into the Obi "PHONE 1" port the calls just continued, and in case it has any significance,  on this most recent call the "ID" in the phone  display reads "20001".  I have disconnected my phone system from OBI PHONE 1 input again, just to keep me from going crazy!  
  
I hope the above helps shed some specific light on the problem and helps to diagnose the issue.  It's too much of a coincidence that the original poster and I experienced the same problem on the same day, and the only thing (I believe) we have in common is our OBI devices.  Therefore, I suspect that there are likely many other OBI users out there experiencing the same problem, who have not yet posted here.

All feedback would be greatly appreciated!  Thanks in advance.

Mango

Quote from: jjtricket on May 17, 2018, 09:25:38 AMWhat are they trying to accomplish, any idea?

They were trying to break into your device for the purpose of routing calls to expensive destinations, that you have to pay for.

Quote from: remrem on May 17, 2018, 11:23:47 AM
It's too much of a coincidence that the original poster and I experienced the same problem on the same day,

You have the same problem. Even though the attack has subsided, it will be back. You can follow the same steps I listed in the second post of this thread.

remrem

Thanks very much for your quick reply and explanation.  I will follow your suggestions, as you outlined above.  However, does your suggestion #4
apply to me, or is my present router up to the task?

Mango

The problem is happening either because your router is inherently insecure, or it's configured insecurely.

Step 5 will cause an OBi2 to reject the hackers.  Steps 1-4 will cause the firewall in your router to drop the traffic before it even reaches your OBi.

Step 5 is probably suffice if you use a provider like Google Voice.  Even if your equipment were compromised, Google Voice is free, so it won't cost you anything.

remrem

Excellent!  Thanks for the elaboration.
I will follow your suggestions and eliminate the vulnerability. Again, much appreciated!



tuberhead1000

May 17, about 9am, MST I started receiving continual phone calls from 9001. I am using Google Voice, I have CenturyLink fiber link and a Zyxel C1100Z router. I attempted to set router per the listed settings provided. Also, I have limited choices in routers to have the Centurylink service. It's either Centurylink or Comcast, both suck, and while they don't require proprietary routers, they do not  provide setup or support if one uses a different router.
The obi200 was enabled outside the firewall, now changed.  SO far so good. Thanks to all!

MarkNY

"5) Use OBi Expert Configuration to enable the setting X_AcceptSipFromRegistrarOnly.

6) Use OBi Expert Configuration to change the X_UserAgentPort to a high/random number between 20000 and 65535, for example, 39119.
"
Where in Expect Config can I find those settings?

Taoman

Quote from: MarkNY on May 19, 2018, 10:30:03 AM
"5) Use OBi Expert Configuration to enable the setting X_AcceptSipFromRegistrarOnly.

6) Use OBi Expert Configuration to change the X_UserAgentPort to a high/random number between 20000 and 65535, for example, 39119.
"
Where in Expect Config can I find those settings?

Voice Services-->SPx Service-->X_AcceptSipFromRegistrarOnly
Voice Services-->SPx Service-->X_UserAgentPort

You need to uncheck both boxes to the right of the fields before you can edit them.

remrem

#14
ONCE AGAIN, MY APOLOGIES!  Just after leaving the post below, I decided to sign into ANVEO and re-cycle the connection, and now e-911 is working again!  So, please ignore my post below.  Hopefully, that's the end of it and all is well, but I will double-check next week to see if all has remained 5 by 5 (as they used to say once upon a time).  Thanks again, and sorry to bother!

Hello again Mango and everyone else,

Well, as I had posted last week, after having followed Mango's excellent advice (I was able to successfully do 3 of the things he suggested), not only did the problem stop, but I felt more secure and less vulnerable to attack.

However, something occurred to me today regarding my e-911 service.  As I had explained in my original post, I use GV on SP1 & SP2, but since GV doesn't have 911 service, I use the Anveo e-911 service on SP3, which had been working fine when I checked it a few weeks ago.

Today, I thought I should test the 911 service again to make sure it hadn't been affected by any of the setting changes I had made, and was dismayed to find that it no longer works.  When I look at my SP3 status it now says:  E911 ANVEO  Register Failed: No Response From Server .  

Which of the various settings I changed could be responsible for this and what can I do to recover my 911 service, without making myself vulnerable again to the "attack of the evil proxies"???

I look forward to your replies (especially Mango's, since he  seems to be the resident guru in this department).  Thanks again.

Ron


MarkNY

Quote from: Taoman on May 19, 2018, 10:36:16 AM
Quote from: MarkNY on May 19, 2018, 10:30:03 AM
"5) Use OBi Expert Configuration to enable the setting X_AcceptSipFromRegistrarOnly.

6) Use OBi Expert Configuration to change the X_UserAgentPort to a high/random number between 20000 and 65535, for example, 39119.
"
Where in Expect Config can I find those settings?

Voice Services-->SPx Service-->X_AcceptSipFromRegistrarOnly
Voice Services-->SPx Service-->X_UserAgentPort

You need to uncheck both boxes to the right of the fields before you can edit them.
Hi,
I turned off DMZ for my OBi200 and followed the above two instructions. Since then, no more calls. I'm not sure which of my changes actually resolved this issue, but I'm back to normal. Big thanks for your help!