10-10-2012 04:04 AM - edited 03-17-2019 11:56 PM
We have reports about an SX20 constantly ringing during the night; supposedly it's calling itself. The call history on the touch panel showed three missed calls from 101@xx.xx.xx.xx, where xx.xx.xx.xx is the IP address of the SX20 itself. The last one was at 01:44.
The SX20 is using H323 only.
I'm looking at the logs for any info and saw this in the application.log (I changed the SX20 IP address to xx).
Firstly, since I'm new to this, what does the timestamp 1166140.00 mean in relation to the real time?
I can see what I think are the three missed calls, and you can see it seems to be from within.
One number is called twice
sip:000972598147472@xx.xx.xx.xx from sip:101@xx.xx.xx.xx
Any ideas what's causing this????
-------------------application log extract--------------------------
1166140.00 SipStack I: SipUa(ind=-1) SIPUA_handleRecvRequest 3
1166140.01 SipCall I: sip_call_handler::handleSIPMCallInd(na/0/0): Incoming callrate=1920000 to sip:00972592207696@xx.xx.xx.xx from sip:101@xx.xx.xx.xx
1166140.01 SipCall I: sip_call::outgoingAlertIndication(): Sending alert indication
1166140.02 VIDEOLC-0 I: VIDEOLC_doReadyPowerManagementReq HDMI 1
1166140.02 VIDEOLC-0 I: VIDEOLC_doReadyPowerManagementReq HDMI 2
1166140.02 CAMERA I: CamVisca::sendCAMPositionInd cameraId=1 pos=912/300/4096/115
1166140.02 CAMERA I: CamVisca::Ready_doCAMActionReq cameraId=1 actionId=19
1166140.07 VIDEOLC-0 I: VIDEOLC_doReadyPowerManagementCnf power save 'off' for HDMI 1
1166140.08 VIDEOLC-0 I: VIDEOLC_doReadyPowerManagementCnf power save 'off' for HDMI 2
1166140.08 VIDEOLC-0 I: VIDEOLC_doReadyPowerManagementCnf done, no error
1166140.09 VIDEOROUTER-0 W: VideoRouter_Ready_doVIDDelayInd: No gateid 4 from FSPROXY_FSM 9
1166140.26 MediaStreamController I: SC::PlayReq(og=10) path='/sounds/marbles.mp4', tone=0
1166140.88 VIDEOLC-0 I: VLC_readySignalDisplayEvent port:HDMI 1, present:True
1166141.03 VIDEOLC-0 I: VLC_readyGateQueryOutput_Cnf: edid event received from HDMI 1
1166141.03 VIDEOLC-0 I: Edid segment 0 for display HDMI 1:
1166141.03 VIDEOLC-0 I: VLC_readyGateQueryOutput_Cnf: new timing list made for HDMI 1
1166141.03 VIDEOLC-0 I: VLC_readyGateQueryOutput_Cnf: PnP, new suited format, configure HDMI 1 to 1920x1080@60Hz HDMI
1166141.27 VIDEOLC-0 I: VLC_readyConfigureOutput_Cnf: HDMI 1
1166141.27 MediaStreamController I: doMSLocalVideoOutChangeInd() hwCookie 1
1166141.27 MediaStreamController I: MV::getVCSetting getOutputPortStatus initialized 1
1166141.27 MediaStreamController I: MV::getVCSetting localHwCookieHint_ 1 w 1920 h 1080
1166141.54 MC !ER TransactionActionStorage::removeAction no match for Modify Mixer id(5)
1166142.24 CAMERA I: CamVisca::sendCAMPositionInd cameraId=1 pos=912/300/4096/115
1166144.54 CAMERA I: CamVisca::sendCAMPositionInd cameraId=1 pos=912/300/4096/115
1166145.05 CAMERA I: CamVisca::sendCAMPositionInd cameraId=1 pos=912/300/4096/126
1166145.56 CAMERA I: CamVisca::sendCAMPositionInd cameraId=1 pos=912/300/4096/115
1166150.05 CAMERA I: CamVisca::sendCAMPositionInd cameraId=1 pos=912/300/4096/117
1166161.59 MediaStreamController I: SC::PlayReq(og=10) path='/sounds/marbles.mp4', tone=0
1166182.91 MediaStreamController I: SC::PlayReq(og=10) path='/sounds/marbles.mp4', tone=0
1166204.23 MediaStreamController I: SC::PlayReq(og=10) path='/sounds/marbles.mp4', tone=0
1166215.09 SipStack I: SipUa(ind=-1) SIPUA_handleRecvRequest 3
1166215.10 SipCall I: sip_call_handler::handleSIPMCallInd(na/1/0): Incoming callrate=1920000 to sip:810972592207696@xx.xx.xx.xx from sip:101@xx.xx.xx.xx
1166215.10 SipCall I: sip_call::outgoingAlertIndication(): Sending alert indication
1166218.25 SipStack I: SipUa(ind=-1) SIPUA_handleRecvRequest 3
1166218.25 SipCall I: sip_call_handler::handleSIPMCallInd(na/2/0): Incoming callrate=1920000 to sip:000972598147472@xx.xx.xx.xx from sip:101@xx.xx.xx.xx
1166218.26 SipCall I: sip_call::outgoingAlertIndication(): Sending alert indication
1166225.56 MediaStreamController I: SC::PlayReq(og=10) path='/sounds/marbles.mp4', tone=0
1166246.88 MediaStreamController I: SC::PlayReq(og=10) path='/sounds/marbles.mp4', tone=0
1166268.20 MediaStreamController I: SC::PlayReq(og=10) path='/sounds/marbles.mp4', tone=0
1166289.52 MediaStreamController I: SC::PlayReq(og=10) path='/sounds/marbles.mp4', tone=0
1166310.84 MediaStreamController I: SC::PlayReq(og=10) path='/sounds/marbles.mp4', tone=0
1166329.98 SipCall I: sip_call_handler::handleSIPMDiscInd(-1/0/0): Incoming disconnect (reason: Request Timeout, sipCause.dc=2, sipCause.status=408)
1166329.98 MC I: CapabilityControllerImpl::setCapset() reduced = 1, waitForDuoGate = 0, hasLegacyVideo = 0
1166330.00 SipCall I: ==== affirmIncomingDisconnect appId=-1, stackId=0, eventCookie=-1
1166330.03 MC W: Mcfsm::handleOtherMessages() unknown msg SIP_DialogFreed_Ind from SipStack
1166330.11 MediaStreamController I: SC::PlayReq(og=10) path='/sounds/marbles.mp4', tone=0
1166332.20 MediaStreamController I: SC::PlayReq(og=10) path='/sounds/marbles.mp4', tone=0
1166353.57 MediaStreamController I: SC::PlayReq(og=10) path='/sounds/marbles.mp4', tone=0
1166374.89 MediaStreamController I: SC::PlayReq(og=10) path='/sounds/marbles.mp4', tone=0
1166396.21 MediaStreamController I: SC::PlayReq(og=10) path='/sounds/marbles.mp4', tone=0
1166405.07 SipCall I: sip_call_handler::handleSIPMDiscInd(-1/1/0): Incoming disconnect (reason: Request Timeout, sipCause.dc=2, sipCause.status=408)
1166405.08 MC I: CapabilityControllerImpl::setCapset() reduced = 0, waitForDuoGate = 0, hasLegacyVideo = 0
1166405.10 SipCall I: ==== affirmIncomingDisconnect appId=-1, stackId=1, eventCookie=-1
1166405.13 MC W: Mcfsm::handleOtherMessages() unknown msg SIP_DialogFreed_Ind from SipStack
1166405.20 MediaStreamController I: SC::PlayReq(og=10) path='/sounds/marbles.mp4', tone=0
1166408.22 SipCall I: sip_call_handler::handleSIPMDiscInd(-1/2/0): Incoming disconnect (reason: Request Timeout, sipCause.dc=2, sipCause.status=408)
1166408.25 SipCall I: ==== affirmIncomingDisconnect appId=-1, stackId=2, eventCookie=-1
1166408.30 CAMERA I: CamVisca::Ready_doCAMActionReq cameraId=1 actionId=20
1166408.30 MediaStreamController I: MV::getVCSetting getOutputPortStatus initialized 1
1166408.30 MediaStreamController I: MV::getVCSetting localHwCookieHint_ 1 w 1920 h 1080
1166408.30 MediaStreamController I: MV::getVCSetting getOutputPortStatus initialized 1
1166408.30 MediaStreamController I: MV::getVCSetting localHwCookieHint_ 0 w 1280 h 720
1166408.31 MC W: Mcfsm::handleOtherMessages() unknown msg SIP_DialogFreed_Ind from SipStack
1166408.38 VIDEOCTRL-0 I: VIDEOCTRL_doReadyMixerConfigureReq: redundant signal for mixer (rawvideo,1) from (MSCtrl,0)
1166408.38 VIDEOCTRL-0 I: VIDEOCTRL_doReadyMixerConfigureReq: redundant signal for mixer (rawvideo,2) from (MSCtrl,0)
1166408.38 MC I: MediaServerAction(): InputGate(ig=526) creation took 102 miliseconds
1167008.23 VIDEOLC-0 I: VIDEOLC_doReadyPowerManagementReq HDMI 1
1167008.23 VIDEOLC-0 I: VIDEOLC_doReadyPowerManagementReq HDMI 2
1167008.25 CAMERA I: CamVisca::sendCAMPositionInd cameraId=1 pos=64/64/4096/117
1167008.26 VIDEOLC-0 I: VIDEOLC_doReadyPowerManagementCnf power save 'on' for HDMI 1
1167008.26 VIDEOLC-0 I: VIDEOLC_doReadyPowerManagementCnf power save 'on' for HDMI 2
1167008.26 VIDEOLC-0 I: VIDEOLC_doReadyPowerManagementCnf done, no error
1167008.36 VIDEOLC-0 I: VLC_readySignalDisplayEvent port:HDMI 1, present:False
1167008.36 VIDEOLC-0 I: VLC_readySignalDisplayEvent: new timing list made for HDMI 1
1167008.36 VIDEOLC-0 I: VLC_readySignalDisplayEvent: no display detected, configure HDMI 1 to PnP format 1280x720@60Hz DVI-D
1167008.57 VIDEOLC-0 I: VLC_readyConfigureOutput_Cnf: HDMI 1
1167008.57 MediaStreamController I: doMSLocalVideoOutChangeInd() hwCookie 1
1167008.57 MediaStreamController I: MV::getVCSetting getOutputPortStatus initialized 1
1167008.57 MediaStreamController I: MV::getVCSetting localHwCookieHint_ 1 w 1280 h 720
1167008.60 MC !ER TransactionActionStorage::removeAction no match for Modify Mixer id(5)
1177924.26 SipStack W: SipTrnsp() E CSeq- and and Request-method does not match
1177924.27 SipStack W: SipTrnsp() E CSeq- and and Request-method does not match
1177924.31 SipStack W: SipTrnsp() E CSeq- and and Request-method does not match
1177924.31 SipStack W: SipTrnsp() E CSeq- and and Request-method does not match
1177935.31 SipStack W: SipTrnsp() E CSeq- and and Request-method does not match
1177935.31 SipStack W: SipTrnsp() E CSeq- and and Request-method does not match
10-10-2012 09:45 AM
Yes, someone is trying to use your system for toll fraud.
If you have got your system on the internet, there are often attempts to use the system for toll fraud. That's what VCSX and Call policy Lists / Servers are for.
10-10-2012 09:52 AM
Hi,
As Paul mentioned, normally these kinds of attempts are someone trying to make malicious calls. But you said you are using only H323 on the SX20, and the call here is a SIP call?
Turn off SIP if you are not using it.
Rgds,
Alok
10-10-2012 10:01 AM
Yes, that's what we were suspecting, as the numbers are an Israeli mobile.
We are not using SIP for calls. However, I found that "SIP mode" was enabled in the Network services menu. I have turned that off.
Does that completely disable SIP protocol on the box?
10-10-2012 10:29 AM
Yes, that turns SIP off on the endpoint.
I'd also make sure the admin account has a password set on it, so that they can't log in and turn it back on, if it is on the internet (or someone internal is doing it).
10-11-2012 01:04 AM
Yes, the admin account is password protected.
Can someone explain how this attempt is made? What has the hacker done to try to make a call from our system?
How can I prevent it happening again?
12-06-2012 04:27 AM
The system is not calling itself. The scanner just knows your IP, so he sets the From and the To field in the SIP message as From: 101@
He is not dialing out from your SX20, as this should not be possible, but he most likely would like to if you were an ISDN GW. So if you use, for example, the ISDN-Link device, I would be extremely careful putting that on a public IP.
These are scans for VoIP services, as said most likely with the aim of finding phone GWs, but also SIP proxies, and I would not exclude that they search for known vulnerabilities (most systems also report their type/software versions in SIP messages).
How to prevent it? Unplug the network :-)
As soon as you connect a system to a public IP you will see various kinds of scans hitting it.
You might even see scans in the internal network caused by compromised computers, ...
The first step is to set secure passwords and disable services which you do not need.
Also consult the documentation or external consultants.
Use a firewall upfront and only allow the required ports.
Also follow security announcements and upgrade your system to the latest software version, or one known not to be problematic.
An SX20 endpoint does not need to be exposed on the public internet; they work fine behind NAT if a VCS-Expressway is used.
Please rate the postings and set the thread to answered if it is!
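The pattern discussed in this thread (an incoming SIP call whose From and To both carry the endpoint's own address, ending in a 408 Request Timeout) can be picked out of an application.log mechanically. The following is an added example, not part of any post above and not Cisco code; the sample lines, the 192.0.2.10 address, the dialled numbers and the reading of the middle field in `(na/N/0)` as the stack id are assumptions made for illustration.

```python
import re

# Constructed sample in the format of the application.log extract above.
# 192.0.2.10 stands in for the masked endpoint IP; dialled numbers are made up.
SAMPLE_LOG = """\
1166140.01 SipCall I: sip_call_handler::handleSIPMCallInd(na/0/0): Incoming callrate=1920000 to sip:0099912345678@192.0.2.10 from sip:101@192.0.2.10
1166215.10 SipCall I: sip_call_handler::handleSIPMCallInd(na/1/0): Incoming callrate=1920000 to sip:81099912345678@192.0.2.10 from sip:101@192.0.2.10
1166329.98 SipCall I: sip_call_handler::handleSIPMDiscInd(-1/0/0): Incoming disconnect (reason: Request Timeout, sipCause.dc=2, sipCause.status=408)
1166500.00 SipCall I: sip_call_handler::handleSIPMCallInd(na/2/0): Incoming callrate=1920000 to sip:room1@192.0.2.10 from sip:alice@198.51.100.7
"""

CALL_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) SipCall I: sip_call_handler::handleSIPMCallInd\(na/(?P<stack>\d+)/\d+\): "
    r"Incoming callrate=\d+ to sip:(?P<to_user>[^@\s]+)@(?P<to_host>\S+) "
    r"from sip:(?P<from_user>[^@\s]+)@(?P<from_host>\S+)")
DISC_RE = re.compile(
    r"^\d+\.\d+ SipCall I: sip_call_handler::handleSIPMDiscInd\(-1/(?P<stack>\d+)/\d+\): "
    r"Incoming disconnect \(.*sipCause\.status=(?P<status>\d+)\)")

def parse_calls(log_text):
    """Return one dict per incoming SIP call, with its final SIP status if logged."""
    calls, by_stack = [], {}
    for line in log_text.splitlines():
        m = CALL_RE.match(line)
        if m:
            call = {**m.groupdict(), "status": None}
            calls.append(call)
            by_stack[call["stack"]] = call
            continue
        m = DISC_RE.match(line)
        # Assumption: the middle field of (x/N/y) is the stack id linking both lines.
        if m and m["stack"] in by_stack:
            by_stack[m["stack"]]["status"] = int(m["status"])
    return calls

def scan_indicators(call):
    """Heuristics for the pattern in this thread; tune before using elsewhere."""
    hits = []
    if call["from_host"] == call["to_host"]:
        hits.append("From host equals To host (caller claims to be the endpoint)")
    if call["to_user"].isdigit() and len(call["to_user"]) >= 10:
        hits.append("long numeric dial string sent to an IP-addressed endpoint")
    return hits

def suspicious_calls(log_text):
    return [(c, scan_indicators(c)) for c in parse_calls(log_text) if scan_indicators(c)]

if __name__ == "__main__":
    for call, hits in suspicious_calls(SAMPLE_LOG):
        print(call["ts"], call["to_user"], call["status"], "; ".join(hits))
```

On an endpoint that is meant to run H.323 only, any line matched by `CALL_RE` is already worth a look, since it shows the SIP listener is reachable.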