<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<META content="MSHTML 6.00.2900.2853" name=GENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=#ffffff>
<DIV><FONT face=Arial size=2>Thanks for the reply. The first thing I checked was
the call forward on all lines and trunks, nada. I made test calls into
every port, it rang through, so not sure. My next step is to get a tshark of
everything in and out of the network. This is a VoIP-only DSL so it should
be easy to do.</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>As an interim measure, we have instituted a PIN number for
overseas calls with a disable on 4 errors.</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>Thanks again.</FONT></DIV>
<DIV><FONT face=Arial size=2>Darcy</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>199.187156 xx.xxx.xxx.41 -> xx.xxx.xxx.247
Syslog LOCAL2.DEBUG: M0: SDP RTPMAP 100 --> 255\n<BR>199.188847 xx.xxx.xxx.41
-> xx.xxx.xxx.247 Syslog LOCAL2.DEBUG: M0: SDP RTPMAP 101 -->
136\n<BR>199.190438 xx.xxx.xxx.41 -> xx.xxx.xxx.247 Syslog LOCAL0.INFO: M0:
[BCC]CallRoute:L1,2,3,401137744616847\n<BR>199.191655 xx.xxx.xxx.41 ->
xx.xxx.xxx.247 Syslog LOCAL0.INFO: M0:
[BCC]CallRoute:L1,2,3,401137744616847\n<BR>199.199951 xx.xxx.xxx.41 ->
xx.xxx.xxx.247 Syslog LOCAL0.INFO: M0: pri-->INVITE-->pub\n<BR>199.200916
xx.xxx.xxx.41 -> xx.xxx.xxx.247 Syslog LOCAL0.INFO: M0:
pri-->INVITE-->pub\n<BR>199.202721 xx.xxx.xxx.41 -> xx.xxx.xxx.247
Syslog LOCAL2.DEBUG: M0: Calling:01137744616847@my.company.ca:0\n<BR>199.215750
xx.xxx.xxx.41 -> xx.xxx.xxx.247 Syslog LOCAL0.INFO: M0:
[2]->xx.xxx.xxx.14:5060(985)\n<BR>199.217288 xx.xxx.xxx.41 ->
xx.xxx.xxx.247 Syslog LOCAL0.INFO: M0:
[2]->xx.xxx.xxx.14:5060(985)\n<BR>199.228906 xx.xxx.xxx.41 ->
xx.xxx.xxx.247 Syslog INVITE sip:01137744616847@my.company.ca SIP/2.0\r\nVia:
SIP/2.0/UDP xx.xxx.xxx.41:16598;branch=z9hG4bK-809a3609\r\nFrom: "ivory dental"
<sip:6132161111@my.company.ca>;tag=87c993b11835377fo2;ref=200\r\nTo:
<sip:01137744616847@my.company.ca>\r\nRemote-Party-ID: "ivory dental"
<sip:6132161111@my.company.ca>;screen=yes;party=calling\r\nCall-ID:
95840519-118b3537@xx.xxx.xxx.41\r\nCSeq:
101 INVITE\r\nMax-Forwards: 70\r\nContact: "ivory dental"
<sip:6132161111@xx.xxx.xxx.41:16598>\r\nExpires: 240\r\nUser-Agent:
Linksys/SPA8000-6.1.12\r\nAllow-Events: talk, hold,
conference\r\nContent-Length: 265\r\nAllow: ACK, BYE, CANCEL, INFO, INVITE,
NOTIFY, OPTIONS, REFER\r\nSupported: x-sipura, replaces\r\nContent-Type:
application/sdp\r\n\r\nv=0\r\no=- 81044819 81045805 IN IP4
10.10.1.63\r\ns=eyeBeam\r\nc=IN IP4 10.10.1.63\r\nt=0 0\r\nm=audio 8382 RTP/AVP
100 6 0 8 3 18 5 101\r\na=alt:1 1 : FC106A37 000000A7 10.10.1.63
8382\r\na=fmtp:101 0-15\r\na=rtpmap:100 speex/16000\r\na=rtpmap:101
telephone-event/8000\r\na=sendrecv\r\n<BR>199.229774 xx.xxx.xxx.41 ->
xx.xxx.xxx.247 Syslog LOCAL0.INFO: M0: \n<BR>199.230739 xx.xxx.xxx.41 ->
xx.xxx.xxx.247 Syslog LOCAL0.INFO: M0: \n<BR>199.236422 xx.xxx.xxx.41 ->
xx.xxx.xxx.247 Syslog LOCAL0.INFO: M0:
[2]<<xx.xxx.xxx.14:5060(410)\n<BR>199.238117 xx.xxx.xxx.41 ->
xx.xxx.xxx.247 Syslog LOCAL0.INFO: M0:
[2]<<xx.xxx.xxx.14:5060(410)\n<BR>199.243087 xx.xxx.xxx.41 ->
xx.xxx.xxx.247 Syslog SIP/2.0 100 Trying\r\nVia: SIP/2.0/UDP
xx.xxx.xxx.41:16598;branch=z9hG4bK-809a3609;rport=16598\r\nFrom: "ivory dental"
<sip:6132161111@my.company.ca>;tag=87c993b11835377fo2;ref=200\r\nTo:
<sip:01137744616847@my.company.ca>\r\nCall-ID:
95840519-118b3537@xx.xxx.xxx.41\r\nCSeq:
101 INVITE\r\nUser-Agent:
FreeSWITCH-mod_sofia/1.2.0-rc2+git~20120620T194320Z~a0a9efcf02+unclean~20130121T043106Z\r\nContent-Length:
0\r\n\r\n<BR>199.244280 xx.xxx.xxx.41 -> xx.xxx.xxx.247 Syslog LOCAL0.INFO:
M0: \n<BR>199.245238 xx.xxx.xxx.41 -> xx.xxx.xxx.247 Syslog LOCAL0.INFO: M0:
\n<BR>199.246773 xx.xxx.xxx.41 -> xx.xxx.xxx.247 Syslog LOCAL0.INFO: M0:
[2]<<xx.xxx.xxx.14:5060(903)\n<BR>199.248491 xx.xxx.xxx.41 ->
xx.xxx.xxx.247 Syslog LOCAL0.INFO: M0:
[2]<<xx.xxx.xxx.14:5060(903)\n<BR>199.259707 xx.xxx.xxx.41 ->
xx.xxx.xxx.247 Syslog SIP/2.0 407 Proxy Authentication Required\r\nVia:
SIP/2.0/UDP xx.xxx.xxx.41:16598;branch=z9hG4bK-809a3609;rport=16598\r\nFrom:
"ivory dental"
<sip:6132161111@my.company.ca>;tag=87c993b11835377fo2;ref=200\r\nTo:
<sip:01137744616847@my.company.ca>;tag=2BXmFrcQ9v74Q\r\nCall-ID:
95840519-118b3537@xx.xxx.xxx.41\r\nCSeq:
101 INVITE\r\nUser-Agent:
FreeSWITCH-mod_sofia/1.2.0-rc2+git~20120620T194320Z~a0a9efcf02+unclean~20130121T043106Z\r\nAccept:
application/sdp\r\nAllow: INVITE, ACK, BYE, CANCEL, OPTIONS, MESSAGE, UPDATE,
INFO, REGISTER, REFER, NOTIFY, PUBLISH, SUBSCRIBE\r\nSupported: timer,
precondition, path, replaces\r\nAllow-Events: talk, hold, presence, dialog,
line-seize, call-info, sla, include-session-description, presence.winfo,
message-summary, refer\r\nProxy-Authenticate: Digest realm="my.company.ca",
nonce="63bcc7dc-298c-11e3-807c-17c4d7454b29", algorithm=MD5,
qop="auth"\r\nContent-Length: 0\r\n\r\n<BR>199.260840 xx.xxx.xxx.41 ->
xx.xxx.xxx.247 Syslog LOCAL0.INFO: M0: \n<BR>199.261745 xx.xxx.xxx.41 ->
xx.xxx.xxx.247 Syslog LOCAL0.INFO: M0: \n<BR>199.269739 xx.xxx.xxx.41 ->
xx.xxx.xxx.247 Syslog LOCAL0.INFO: M0:
[2]->xx.xxx.xxx.14:5060(497)\n<BR>199.271381 xx.xxx.xxx.41 ->
xx.xxx.xxx.247 Syslog LOCAL0.INFO: M0:
[2]->xx.xxx.xxx.14:5060(497)\n<BR>199.277953 xx.xxx.xxx.41 ->
xx.xxx.xxx.247 Syslog ACK sip:01137744616847@my.company.ca SIP/2.0\r\nVia:
SIP/2.0/UDP xx.xxx.xxx.41:16598;branch=z9hG4bK-809a3609\r\nFrom: "ivory dental"
<sip:6132161111@my.company.ca>;tag=87c993b11835377fo2;ref=200\r\nTo:
<sip:01137744616847@my.company.ca>;tag=2BXmFrcQ9v74Q\r\nCall-ID:
95840519-118b3537@xx.xxx.xxx.41\r\nCSeq:
101 ACK\r\nMax-Forwards: 70\r\nContact: "ivory dental"
<sip:6132161111@xx.xxx.xxx.41:16598>\r\nUser-Agent:
Linksys/SPA8000-6.1.12\r\nAllow-Events: talk, hold,
conference\r\nContent-Length: 0\r\n\r\n<BR></FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
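<DIV><FONT face=Arial size=2>Added example, not part of the original message or of any FreeSWITCH or Cisco code: a small parser for tshark-printed SPA8000 syslog lines shaped like the trace above. It pulls the dialed number, User-Agent and SDP session and connection fields out of each INVITE and groups attempts to the international prefix (011) by Call-ID. The sample lines, addresses, host names and function names are constructed placeholders.</FONT></DIV>

```python
import re

INTL_PREFIX = "011"  # international prefix seen in the trace (North American dial plan assumed)

# Constructed sample lines shaped like the tshark output above; every value is a placeholder.
# tshark prints CR/LF inside the payload as the literal text \r\n, hence the raw strings.
SAMPLE = [
    r'10.000001 192.0.2.41 -> 192.0.2.247 Syslog LOCAL0.INFO: M0: pri-->INVITE-->pub\n',
    r'10.000002 192.0.2.41 -> 192.0.2.247 Syslog INVITE sip:01100000000001@pbx.example SIP/2.0\r\n'
    r'From: "front desk" <sip:5550100@pbx.example>;tag=a1\r\nCall-ID: c1@192.0.2.41\r\n'
    r'CSeq: 101 INVITE\r\nUser-Agent: Linksys/SPA8000-6.1.12\r\n\r\n'
    r'v=0\r\ns=eyeBeam\r\nc=IN IP4 10.10.1.63\r\n',
    r'10.000009 192.0.2.41 -> 192.0.2.247 Syslog INVITE sip:01100000000001@pbx.example SIP/2.0\r\n'
    r'From: "front desk" <sip:5550100@pbx.example>;tag=a1\r\nCall-ID: c1@192.0.2.41\r\n'
    r'CSeq: 102 INVITE\r\nUser-Agent: Linksys/SPA8000-6.1.12\r\n\r\n'
    r'v=0\r\ns=eyeBeam\r\nc=IN IP4 10.10.1.63\r\n',
    r'12.000001 192.0.2.41 -> 192.0.2.247 Syslog INVITE sip:5550123@pbx.example SIP/2.0\r\n'
    r'From: "front desk" <sip:5550100@pbx.example>;tag=b2\r\nCall-ID: c2@192.0.2.41\r\n'
    r'CSeq: 101 INVITE\r\nUser-Agent: Linksys/SPA8000-6.1.12\r\n\r\n',
]

def parse_invite(line):
    """Return the fields worth reviewing, or None if the line is not an INVITE request."""
    m = re.search(r"Syslog INVITE sip:([^@\s]+)@\S+ SIP/2\.0(.*)", line)
    if not m:
        return None
    rec = {"dialed": m.group(1)}
    head, _, sdp = m.group(2).partition(r"\r\n\r\n")  # headers, then SDP body
    for h in head.split(r"\r\n"):
        name, sep, value = h.partition(":")
        if sep and name.strip().lower() in ("from", "call-id", "user-agent"):
            rec[name.strip().lower()] = value.strip()
    for s in sdp.split(r"\r\n"):
        if s.startswith("s="):
            rec["sdp_session"] = s[2:]
        elif s.startswith("c="):
            rec["sdp_addr"] = s.split()[-1]
    return rec

def international_calls(lines, prefix=INTL_PREFIX):
    """Group INVITEs by Call-ID (a retry after a 407 normally keeps it); keep those dialing prefix."""
    calls = {}
    for line in lines:
        rec = parse_invite(line)
        if rec and rec["dialed"].startswith(prefix):
            call = calls.setdefault(rec.get("call-id"), dict(rec, invites=0))
            call["invites"] += 1
    return list(calls.values())
```

Pass the lines of a saved tshark text capture to `international_calls` in place of `SAMPLE`; each returned record shows the dialed number next to the User-Agent and SDP fields so they can be compared against the devices expected on that port.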
<BLOCKQUOTE dir=ltr
style="PADDING-RIGHT: 0px; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #000000 2px solid; MARGIN-RIGHT: 0px">
<DIV style="FONT: 10pt arial">----- Original Message ----- </DIV>
<DIV
style="BACKGROUND: #e4e4e4; FONT: 10pt arial; font-color: black"><B>From:</B>
<A title=gshepard@star2star.com href="mailto:gshepard@star2star.com">Gabe
Shepard</A> </DIV>
<DIV style="FONT: 10pt arial"><B>To:</B> <A
title=freeswitch-users@lists.freeswitch.org
href="mailto:freeswitch-users@lists.freeswitch.org">FreeSWITCH Users Help</A>
</DIV>
<DIV style="FONT: 10pt arial"><B>Sent:</B> Monday, September 30, 2013 9:52
AM</DIV>
<DIV style="FONT: 10pt arial"><B>Subject:</B> Re: [Freeswitch-users] spa8000
hack</DIV>
<DIV><BR></DIV>
<DIV dir=ltr>I don't see the full syslog here, but check to see if there's a
call forward number set in the SPA8000? We recently saw an instance
where someone set a call forward on an SPA3102, dialed into the 3102 via a
different number, and then it was forwarded back out.
<DIV><BR></DIV>
<DIV>-Gabe</DIV></DIV>
<DIV class=gmail_extra><BR><BR>
<DIV class=gmail_quote>On Mon, Sep 30, 2013 at 1:18 AM, fs <SPAN
dir=ltr><<A href="mailto:fs@voice2net.ca"
target=_blank>fs@voice2net.ca</A>></SPAN> wrote:<BR>
<BLOCKQUOTE class=gmail_quote
style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">I
do not know if anyone has seen this. I use SPA8000 ATAs to provide
SIP<BR>trunking to a FreeSWITCH and onwards. Over the past three days I
have had<BR>someone hacking into the SPA8000 and relaying international
calls back out.<BR>I have no idea how they do it and cannot find any info
in the traces that<BR>indicates where the call came from. I have seen
a note on Cisco's web site<BR>about someone else complaining about this but
no resolution.<BR><BR>My syslog from the SPA8000 starts like
so.<BR><BR>Syslog LOCAL2.DEBUG: M0:
Calling:01137744616847@sample.switch.ca:0\n<BR>Syslog LOCAL0.INFO: M0:
[2]->xx.xxx.xx.xx:5060(985)\n<BR>Syslog LOCAL0.INFO: M0:
[2]->xx.xxx.xxx.xx:5060(985)\n<BR>Syslog INVITE
sip:01137744616847@sample.switch.ca
SIP/2.0 {etc}<BR><BR>Any thoughts or ideas would be REALLY
appreciated.<BR><BR>Darcy
Primrose<BR><BR><BR>_________________________________________________________________________<BR>Professional
FreeSWITCH Consulting Services:<BR><A
href="mailto:consulting@freeswitch.org">consulting@freeswitch.org</A><BR><A
href="http://www.freeswitchsolutions.com"
target=_blank>http://www.freeswitchsolutions.com</A><BR><BR>FreeSWITCH-powered
IP PBX: The CudaTel Communication Server<BR><A href="http://www.cudatel.com"
target=_blank>http://www.cudatel.com</A><BR><BR>Official FreeSWITCH
Sites<BR><A href="http://www.freeswitch.org"
target=_blank>http://www.freeswitch.org</A><BR><A
href="http://wiki.freeswitch.org"
target=_blank>http://wiki.freeswitch.org</A><BR><A
href="http://www.cluecon.com"
target=_blank>http://www.cluecon.com</A><BR><BR>FreeSWITCH-users mailing
list<BR><A
href="mailto:FreeSWITCH-users@lists.freeswitch.org">FreeSWITCH-users@lists.freeswitch.org</A><BR><A
href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users"
target=_blank>http://lists.freeswitch.org/mailman/listinfo/freeswitch-users</A><BR>UNSUBSCRIBE:<A
href="http://lists.freeswitch.org/mailman/options/freeswitch-users"
target=_blank>http://lists.freeswitch.org/mailman/options/freeswitch-users</A><BR><A
href="http://www.freeswitch.org"
target=_blank>http://www.freeswitch.org</A><BR></BLOCKQUOTE></DIV><BR></DIV>
</BLOCKQUOTE></BODY></HTML>