This morning, I noticed the following on a pfSense firewall.

udp   I 192.168.1.241:5080    64.120.22.242:5060    2:2   1212    50    80 13505
udp   O 192.168.1.241:5080    64.120.22.242:5060    2:2   1212    50    80 13505

This resolves to the city of Ujjain in India and we don't have anyone in India 
that should be using the system. 

I did a quick tcpdump to see more and got the following:

[root@sx ~]# tcpdump dst 64.120.22.242
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
12:04:33.405982 IP 192.168.1.241.5080 > 64.120.22.242.ubiquityservers.com.sip: SIP, length: 4
12:04:53.406059 IP 192.168.1.241.5080 > 64.120.22.242.ubiquityservers.com.sip: SIP, length: 4
12:05:13.477918 IP 192.168.1.241.5080 > 64.120.22.242.ubiquityservers.com.sip: SIP, length: 4
12:05:33.409619 IP 192.168.1.241.5080 > 64.120.22.242.ubiquityservers.com.sip: SIP, length: 4
12:05:53.413251 IP 192.168.1.241.5080 > 64.120.22.242.ubiquityservers.com.sip: SIP, length: 4
12:06:03.398949 IP 192.168.1.241.5080 > 64.120.22.242.ubiquityservers.com.sip: SIP, length: 564
12:06:03.444194 IP 192.168.1.241.5080 > 64.120.22.242.ubiquityservers.com.sip: SIP, length: 730
12:06:13.414199 IP 192.168.1.241.5080 > 64.120.22.242.ubiquityservers.com.sip: SIP, length: 4
12:06:33.416681 IP 192.168.1.241.5080 > 64.120.22.242.ubiquityservers.com.sip: SIP, length: 4
12:06:53.417878 IP 192.168.1.241.5080 > 64.120.22.242.ubiquityservers.com.sip: SIP, length: 4

Seems to be sitting idle for the most part, connecting out to that network. I 
thought I'd ask on the list in case this is a sipx function but I highly doubt 
it. I don't see any strange outgoing calls or anything out of the ordinary 
either, which makes this even weirder.

Does this look like a hack or something else?

_______________________________________________
sipx-users mailing list
[email protected]
List Archive: http://list.sipfoundry.org/archive/sipx-users/
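
An added example, not part of the original post: a Python script that summarizes tcpdump lines like the ones above per flow, separating tiny packets from full-size SIP messages and checking how regular the tiny ones are. Treating a payload of 4 bytes or fewer as a candidate keepalive is an assumption (the 96-byte capture prints no payload), and `summarize`, `SAMPLE` and `DST` are names made up for this example.

```python
import re
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: the tcpdump lines from the post, each rejoined onto one line.
DST = "64.120.22.242.ubiquityservers.com.sip"
SAMPLE = "\n".join(
    f"{ts} IP 192.168.1.241.5080 > {DST}: SIP, length: {n}"
    for ts, n in [
        ("12:04:33.405982", 4), ("12:04:53.406059", 4), ("12:05:13.477918", 4),
        ("12:05:33.409619", 4), ("12:05:53.413251", 4), ("12:06:03.398949", 564),
        ("12:06:03.444194", 730), ("12:06:13.414199", 4), ("12:06:33.416681", 4),
        ("12:06:53.417878", 4),
    ]
)

LINE = re.compile(r"^(\d\d:\d\d:\d\d\.\d+) IP (\S+) > (\S+): SIP, length: (\d+)$")

def summarize(text, tiny_max=4):
    """Group tcpdump SIP lines by (src, dst) and profile the tiny packets."""
    flows = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip tcpdump banners and anything that is not a SIP line
        ts = datetime.strptime(m.group(1), "%H:%M:%S.%f")  # assumes no midnight wrap
        flows.setdefault((m.group(2), m.group(3)), []).append((ts, int(m.group(4))))
    report = {}
    for flow, pkts in flows.items():
        # Assumption: a payload of tiny_max bytes or fewer is a candidate keepalive.
        tiny = [ts for ts, n in pkts if n <= tiny_max]
        gaps = [(b - a).total_seconds() for a, b in zip(tiny, tiny[1:])]
        report[flow] = {
            "packets": len(pkts),
            "tiny": len(tiny),
            "full_size": [n for _, n in pkts if n > tiny_max],
            "mean_gap_s": round(mean(gaps), 1) if gaps else None,
            # Low jitter relative to the mean gap indicates a timer, not a person.
            "periodic": bool(gaps) and pstdev(gaps) < 0.05 * mean(gaps),
        }
    return report

if __name__ == "__main__":
    for flow, stats in summarize(SAMPLE).items():
        print(flow, stats)
```

The packet length alone does not identify the payload; recapturing with a larger snap length (`tcpdump -s 0 -A`) shows what the 4-byte and full-size packets actually contain.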
