OBiTALK Community

Firmware, Software Updates => Firmware / Advisories / Notifications for OBi Products => Topic started by: CityOracle on September 14, 2018, 07:45:12 PM

Title: Calls from *9399
Post by: CityOracle on September 14, 2018, 07:45:12 PM
I am getting calls from *9399 (as displayed on my phone) every two minutes.  When I pick up, there is no sound.    Anyone ran in this issue before?   Am I being hacked?

The calls keep coming.  Very annoying.  I have to disconnect my device.

I'd appreciate any help!

-David
Title: Re: Calls from *9399
Post by: SteveInWA on September 14, 2018, 08:00:19 PM
Duplicate of:  http://www.obitalk.com/forum/index.php?topic=14957.msg94478#msg94478 (http://www.obitalk.com/forum/index.php?topic=14957.msg94478#msg94478)
Title: Re: Calls from *9399
Post by: CityOracle on September 15, 2018, 01:47:39 PM
Thanks for the tips, Steve.

This is the second time that things like this happened.

When it happened a year ago, I researched and read the page in your reply.
I just double checked X_AcceptSipFromRegistrarOnly on SP1 to SP4 are all already enabled.

But the *9399 calls still got in.

Anything else to do to block them?

What are these calls?  Who are the callers?
What is the purpose?   Are they hackers or just some technical glitch?

Thanks a bunch!

Title: Re: Calls from *9399
Post by: azrobert on September 15, 2018, 02:55:45 PM
See:
http://www.obitalk.com/forum/index.php?topic=14964.msg94506#new
Title: Re: Calls from *9399
Post by: SteveInWA on September 15, 2018, 03:37:11 PM
Robert's solution ought to work.  To confirm, have you looked at your call history on the OBi to see where these calls are coming from (which SP is being rung)?  You'd need to go to the OBi's local web page (not the OBiTALK portal) and look at the call history section.  If they're ringing the OBiTALK service, then the fix will kill those calls.
Title: Re: Calls from *9399
Post by: CityOracle on September 16, 2018, 05:08:13 AM
Robert/Steve,

Thanks for the help.

I apologize.  I don't know much about telephony and don't quite follow your advice.

I am not able to locate "Voice Services -> OBiTalk Service -> InboundCallRoute: {}".

How do I check the call history on the OBi?
Where can I find the OBi's local web page?

Thanks!
-David
Title: Re: Calls from *9399
Post by: azrobert on September 16, 2018, 06:06:52 AM
Signin here:
https://www.obitalk.com/obinet/
To enter OBi Expert from the Dashboard click on the gear ICON to the right of your OBixxx then select OBi Expert Config, confirm and select Enter OBi Expert.

Click on Voice Services then OBiTalk Service.

Uncheck both boxes to the right of the InboundCallRoute then change the Value to: {}
Click Submit at the bottom of the page

To access Call History:
Log directly into the OBi using the local interface.
Key the IP address of the OBi into a Web Browser and hit Enter
If you don't know the IP address, dial ***1 from the phone attached to the OBi

The UserID and default Password are both "admin".
Click Status on the left column then click Call History.
Title: Re: Calls from *9399
Post by: CityOracle on September 16, 2018, 05:37:05 PM
I was able to login at https://www.obitalk.com/obinet/

Then I clicked on the gear icon on the right for "OBi202     500 233 842"
But I can't find "Voice Services then OBiTalk Service"

I tried to attach is a file with screenshots to this post.
But the website report error.
If you give me an email address, I can email it.



On Call History, I still don't quit follow you.

Log directly into the OBi using the local interface.-- Is this the same as login to ObiTalk?
Or do you mean hook up a laptop directly to the device?

Thanks!

Title: Re: Calls from *9399
Post by: CityOracle on September 16, 2018, 05:38:35 PM
When I tried to attach a file, the website reports error as:

2: error_log(/var/log/forum/errors.log): failed to open stream: No such file or directory
File: /var/www/forum/Sources/Post.php
Line: 1530
Title: Re: Calls from *9399
Post by: SteveInWA on September 16, 2018, 06:30:17 PM
Quote from: CityOracle on September 16, 2018, 05:37:05 PM
I was able to login at https://www.obitalk.com/obinet/

Then I clicked on the gear icon on the right for "OBi202     500 233 842"
But I can't find "Voice Services then OBiTalk Service"

I tried to attach is a file with screenshots to this post.
But the website report error.
If you give me an email address, I can email it.



On Call History, I still don't quit follow you.

Log directly into the OBi using the local interface.-- Is this the same as login to ObiTalk?
Or do you mean hook up a laptop directly to the device?

Thanks!



1)  the forum screenshot function is broken; the error message you got is the symptom of that.  You aren't doing anything wrong.

2) here is a screenshot of the OBiTALK setting page:  https://drive.google.com/file/d/1hzTKOZqgkE66L2MvlI9VWqpwI2uHSvkX/view?usp=sharing (https://drive.google.com/file/d/1hzTKOZqgkE66L2MvlI9VWqpwI2uHSvkX/view?usp=sharing)

3) call history is stored in the device.  To see it, you need to sign into the device's own web page, via its IP address.  To hear the IP address, pick up the attached phone and key in ***1.  The default username and password are "admin".
Title: Re: Calls from *9399
Post by: Taoman on September 16, 2018, 07:33:07 PM
Quote from: CityOracle on September 16, 2018, 05:37:05 PM

Then I clicked on the gear icon on the right for "OBi202     500 233 842"
But I can't find "Voice Services then OBiTalk Service"

After clicking on the gear icon, scroll to bottom and select OBi Expert Configuration as azrobert posted.

Note: From the main OBi dashboard, select Edit Profile in the left-hand column. Scroll to bottom and check the box in front of "Enable OBi Expert Entry from Dashboard" under Advanced Options. You will then be able to go directly into OBi Expert Configuration from main dashboard.
Also uncheck box in front of "View Softphone on Dashboard."
Title: Re: Calls from *9399
Post by: SteveInWA on September 16, 2018, 08:04:56 PM
Quote from: Taoman on September 16, 2018, 07:33:07 PM
Quote from: CityOracle on September 16, 2018, 05:37:05 PM

Then I clicked on the gear icon on the right for "OBi202     500 233 842"
But I can't find "Voice Services then OBiTalk Service"

After clicking on the gear icon, scroll to bottom and select OBi Expert Configuration as azrobert posted.

Note: From the main OBi dashboard, select Edit Profile in the left-hand column. Scroll to bottom and check the box in front of "Enable OBi Expert Entry from Dashboard" under Advanced Options. You will then be able to go directly into OBi Expert Configuration from main dashboard.
Also uncheck box in front of "View Softphone on Dashboard."

Thanks for adding those details!
Title: Re: Calls from *9399
Post by: CityOracle on September 16, 2018, 09:13:48 PM
I was able to locate InboundCallRoute and changed it to {}

Thanks!!

On the local call history, I still don't quite follow.

Which one is the local interface?  Where can I find it?

Thanks!
Title: Re: Calls from *9399
Post by: Taoman on September 16, 2018, 10:36:13 PM
Quote from: CityOracle on September 16, 2018, 09:13:48 PM

On the local call history, I still don't quite follow.

Which one is the local interface?  Where can I find it?


Both azrobert and SteveInWA have given you precise instructions. I can't make it any clearer than they already have.

Quote from: azrobertTo access Call History:
Log directly into the OBi using the local interface.
Key the IP address of the OBi into a Web Browser and hit Enter
If you don't know the IP address, dial ***1 from the phone attached to the OBi

The UserID and default Password are both "admin".
Click Status on the left column then click Call History.
Title: Re: Calls from *9399
Post by: CityOracle on September 16, 2018, 10:41:41 PM
which one is the local interface?
Is it the same as the ObiTalk?

Title: Re: Calls from *9399
Post by: Taoman on September 16, 2018, 10:48:41 PM
The local interface is the built in web gui in your OBi device. It is accessible from a web browser using the local network ip address of your OBi device.

Just follow the directions. That's all you have to do.
Title: Re: Calls from *9399
Post by: CityOracle on September 17, 2018, 10:47:16 AM
Thanks for the help!

Finally figured out, it is simply typing in the IP in a browser.  I thought there was another local interface.

Anyway, located the suspicious call.
Can't send a screen shot here.  But the history shows:

Call 30   09/14/2018    21:24:17   
21:24:17   From PP1(ob73*'*'9399)   Fork to:  PH1 PH2
21:24:17      Ringing (PH1)
21:24:17      Ringing (PH2)
21:24:29      Call Connected (PH1)
21:24:47      Call Ended

Anything else I need to do to block these *9399 calls?

Many thanks!!
-David
Title: Re: Calls from *9399
Post by: drgeoff on September 17, 2018, 11:39:30 AM
Quote from: CityOracle on September 17, 2018, 10:47:16 AM
Thanks for the help!

Finally figured out, it is simply typing in the IP in a browser.  I thought there was another local interface.

Anyway, located the suspicious call.
Can't send a screen shot here.  But the history shows:

Call 30   09/14/2018    21:24:17   
21:24:17   From PP1(ob73*'*'9399)   Fork to:  PH1 PH2
21:24:17      Ringing (PH1)
21:24:17      Ringing (PH2)
21:24:29      Call Connected (PH1)
21:24:47      Call Ended

Anything else I need to do to block these *9399 calls?

Many thanks!!
-David
Anything else in addition to what?  If you have used the portal to change the Obitalk InboundCallRoute to {} that should be sufficient.
Title: Re: Calls from *9399
Post by: Sheffield_Steve on September 17, 2018, 01:30:29 PM
The question you need to ask yourself is how these external SIP calls are managing to connect to your OBi device?

The Obi is not a SIP PBX and does not need it's ports exposed to the internet.

All you have done is applied a band-aid.

You potentially have all your network at great risk of being compromised due to a router misconfiguration or lack of a router/firewall, etc.
Title: Re: Calls from *9399
Post by: CityOracle on September 17, 2018, 02:29:52 PM
Hi Steve,

Thank you for the response.
Now I am more concerned.

Internet comes in the house through a cable modem.

A router is connected directly to the modem.

The Obi202 device is connected directly to the router.

I assume the router has a firewall which protects the Boi202 device.

Should I make any changes to this configuration?

I'd appreciate your advice very much.
-David
Title: Re: Calls from *9399
Post by: Sheffield_Steve on September 18, 2018, 06:56:17 AM
It sounds to me that the router is not configured correctly and is letting traffic in and out.

First thing I would do is run a simple penetration test.  Gibson Research has a good one on their site at:

https://www.grc.com (https://www.grc.com)

I can't link directly to the page needed as it's generated dynamically.  

Click on the "Services" menu and then "Shields UP" and then click on "Common ports" BELOW the big Orange button.

If that passes OK then enter:  5060-5061 in the Custom port box and press "enter"


Title: Re: Calls from *9399
Post by: CityOracle on September 18, 2018, 10:17:06 AM
Steve,

Very much appreciate the tips.
Not knowing much on this topic, this is an education for me.

The test failed on the router for "Solicited TCP Packets:"  on port 22 (SSH) and 80 (HTTP)

Any suggestion how I can secure them?

The test on 5060-5061 showed "Closed" status (I guess they are good).

So the security breach seems to be my router on port 22 and 80.
Please help me fix them.

Many thanks!
-David
Title: Re: Calls from *9399
Post by: Sheffield_Steve on September 18, 2018, 10:26:54 AM
What do you get when you select the "All service ports" test?
Title: Re: Calls from *9399
Post by: CityOracle on September 18, 2018, 10:36:23 AM
Running "All service ports" got:

Red (Open): 22 (SSH). 53 (Domain), and 80(HTTP)
Green (Stealth):  0, 23, 25, 135-139
The rest are all blue (Closed).

Thanks.
Title: Re: Calls from *9399
Post by: Sheffield_Steve on September 18, 2018, 11:05:32 AM
That doesn't explain why you were getting the SIP calls then.

Are you hosting a web server on the internet?  

Are you using a VPN?

All cable providers have a way to access their modem but typically don't do it via an insecure web server.

To get to the bottom of this without detailed information on your setup and needs is going to be almost impossible though.
Title: Re: Calls from *9399
Post by: Taoman on September 18, 2018, 11:17:45 AM
Quote from: Sheffield_Steve on September 18, 2018, 11:05:32 AM
That doesn't explain why you were getting the SIP calls then.


OP was not getting "SIP calls." He was getting calls via the OBiTALK network. This is why it was recommended to change the InboundCallRoute for the OBiTALK service to null.

If these were SIP scanners, checking the box for X_AcceptSipFromRegistrarOnly would have worked.

Here's drgeoff briefly mentioning the difference between the two:
http://www.obitalk.com/forum/index.php?topic=11407.msg75134#msg75134 (http://www.obitalk.com/forum/index.php?topic=11407.msg75134#msg75134)
Title: Re: Calls from *9399
Post by: Sheffield_Steve on September 18, 2018, 11:26:50 AM
Oops, I missed that....
Title: Re: Calls from *9399
Post by: CityOracle on September 18, 2018, 03:10:34 PM
Steve, Taoman,

Thank you both for charming in.

No VPN, no website.
I just have a simple Cable modem-->router-->Obi202  set up for making phone calls.

I double check.  X_AcceptSipFromRegistrarOnly is checked (not using ObiTalk or Device settings)

Please advise if there is anything I should do to prevent malicious scanners.

This Obi202 device is great and loaded, but requires a lot of in-depth tech knowledge to manage.

Appreciate both of your for the help!
-David
Title: Re: Calls from *9399
Post by: Sheffield_Steve on September 19, 2018, 06:48:16 AM
As I said it's going to be difficult to get to the bottom of your security issues on here.

I good start would be to check all the cabling and then reset the router to default. But I would hate to tell you to do that as it may break something that I don't know about.  Your best bet would be to find the forum for your router.

But the end game of the security scan is to get a response of Stealth from all ports scanned. Here's mine:

(http://www.sheffieldsystems.com/obiforum/grc.jpg)
Title: Re: Calls from *9399
Post by: dboling on September 19, 2018, 08:32:06 AM
Quote from: CityOracle on September 18, 2018, 10:36:23 AM
Running "All service ports" got:

Red (Open): 22 (SSH). 53 (Domain), and 80(HTTP)
Green (Stealth):  0, 23, 25, 135-139
The rest are all blue (Closed).

Thanks.

I just ran the test on my server and it failed as I expected since it does serve web,email,dns,ect...

After analyzing the mine sweeper graph of my test the colors mean:
RED: port exposed to the world.
Green: firewall blocking port from the world.
Blue: firewall not blocking the port, but no services on router needing to be blocked.

Bottom line, you need to block the world from port 22 and port 80 which are your router administration ports.
Port 53 is not an issue as it's used for DNS lookups.

On the surface the Internet is a cool place with sites like Amazon and EBay, but in reality there are MASS amounts of evil on the internet with people and even entire countries scanning internet IP addresses for open ports to exploit.

As Sheffield_Steve suggested locate a forum that deals with your model of router, if a manual was included, read it.

If you haven't already done so, change the default password of the router and make sure the firmware is up to date.

Title: Re: Calls from *9399
Post by: Sheffield_Steve on September 19, 2018, 01:20:40 PM
The colors for the ports are as follows:

Red   - Open for input. (Bad - unless you have opened it for some reason)
Blue   - Closed but the scanner can tell there is a port there. (Good)
Green - Closed and the scanner does not detect the presence of a port. (Best)