Article 51M8Y rev.ponytelecom.eu sending out SIP requests from my IPPBX


by
kscallen
from LinuxQuestions.org on (#51M8Y)
Hi,

I'm an IP PBX admin new to this forum. I usually don't have to administer the Linux side of things, but because of the COVID-19 crisis, we have to improvise a bit.

Our PBX is running on FreeBSD version 11.3 release -p3

I was checking traffic with Wireshark when I realised I had an unwanted visitor. I tried blocking traffic from the firewall but realised something had installed itself on my server and is running connection attempts from the inside to the outside.

I went through multiple forums. Tried blocking different IP addresses in my firewall but nothing works.

I need to find and kill this process ...
How do I locate the process that's running these requests?
And, how do I kill it for good?

Here are a couple of samples:
PCAP FROM ROUTER:
11:17:29.714762 IP "MYIPADDRESS"-ent-hood-staticipeast.wireless.telus.com.5060 > 163-172-230-4.rev.poneytelecom.eu.55502: SIP: SIP/2.0 404 Not Found
11:17:41.719531 IP "MYIPADDRESS"-ent-hood-staticipeast.wireless.telus.com.5060 > 163-172-230-4.rev.poneytelecom.eu.55502: SIP: SIP/2.0 404 Not Found
11:17:33.716341 IP "MYIPADDRESS"-ent-hood-staticipeast.wireless.telus.com.5060 > 163-172-230-4.rev.poneytelecom.eu.55502: SIP: SIP/2.0 404 Not Found
11:17:37.717958 IP "MYIPADDRESS"-ent-hood-staticipeast.wireless.telus.com.5060 > 163-172-230-4.rev.poneytelecom.eu.55502: SIP: SIP/2.0 404 Not Found

FROM PBX

11:17:38.845157 IP tactical80102.usar.local.sip > 163-172-230-4.rev.poneytelecom.eu.55502: SIP: SIP/2.0 404 Not Found
11:17:42.846765 IP tactical80102.usar.local.sip > 163-172-230-4.rev.poneytelecom.eu.55502: SIP: SIP/2.0 404 Not Found
11:17:46.848540 IP tactical80102.usar.local.sip > 163-172-230-4.rev.poneytelecom.eu.55502: SIP: SIP/2.0 404 Not Found
11:17:50.850131 IP tactical80102.usar.local.sip > 163-172-230-4.rev.poneytelecom.eu.55502: SIP: SIP/2.0 404 Not Found
11:17:54.851831 IP tactical80102.usar.local.sip > 163-172-230-4.rev.poneytelecom.eu.55502: SIP: SIP/2.0 404 Not Found
11:17:58.853464 IP tactical80102.usar.local.sip > 163-172-230-4.rev.poneytelecom.eu.55502: SIP: SIP/2.0 404 Not Found

Thanks so much for any help you guys can provide.
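
A triage step for captures like the ones in the post, added here as an example and not part of the original post: it parses tcpdump one-line SIP summaries and separates SIP status lines (responses such as `SIP/2.0 404 Not Found`) from request lines, counted per source and destination. The sample capture, host names and function names are constructed for illustration.

```python
import re
from collections import Counter

# tcpdump summary: "<time> IP <src.port> > <dst.port>: SIP: <first line of message>"
LINE_RE = re.compile(r"^(?P<ts>[\d:.]+) IP (?P<src>\S+) > (?P<dst>\S+): SIP: (?P<msg>.+)$")
# RFC 3261: a response starts with the version, a request with a method.
STATUS_RE = re.compile(r"^SIP/2\.0 (?P<code>\d{3})\b")
REQUEST_RE = re.compile(r"^(?P<method>[A-Z]+) \S+ SIP/2\.0$")

# Constructed sample in the same format as the post (not the poster's data).
SAMPLE = """\
11:17:38.840001 IP scanner.example.net.55502 > pbx.example.local.sip: SIP: OPTIONS sip:100@192.0.2.10 SIP/2.0
11:17:38.845157 IP pbx.example.local.sip > scanner.example.net.55502: SIP: SIP/2.0 404 Not Found
11:17:42.846765 IP pbx.example.local.sip > scanner.example.net.55502: SIP: SIP/2.0 404 Not Found
"""

def classify(line):
    """Return (src, dst, kind, detail) for a SIP summary line, else None."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    src, dst, msg = m.group("src"), m.group("dst"), m.group("msg")
    status = STATUS_RE.match(msg)
    if status:
        return (src, dst, "response", status.group("code"))
    request = REQUEST_RE.match(msg)
    if request:
        return (src, dst, "request", request.group("method"))
    return (src, dst, "unknown", msg)

def summarize(text):
    """Count classified SIP lines per (src, dst, kind, detail)."""
    counts = Counter()
    for line in text.splitlines():
        rec = classify(line)
        if rec is not None:
            counts[rec] += 1
    return counts

def requests_sent_by(counts, host):
    """Number of SIP requests whose source endpoint belongs to `host`."""
    return sum(n for (src, _dst, kind, _detail), n in counts.items()
               if kind == "request" and src.startswith(host + "."))

if __name__ == "__main__":
    counts = summarize(SAMPLE)
    for key, n in sorted(counts.items()):
        print(n, *key)
    print("requests from PBX:", requests_sent_by(counts, "pbx.example.local"))
```

A host that shows only responses toward a peer and zero requests is answering SIP messages from that peer, since a status line is by definition a reply to a request.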