It looks like one of the test FreePBX servers that we are using has somehow been compromised.
The server is hosted by a cloud server provider and we have received a message from them that they have received a message from Tepucom Abuse Dept. that our FreePBX server is sending out spam invites. This is a piece of what they wrote:
Tepucom Abuse Dept:
IP-OF-OUR-SERVER/32 (root IP: IP-OF-OUR-SERVER) (PTR: IP-OF-OUR-SERVER.our-vps-provider.com.) was added to the blackholes.tepucom.nl RBLDNS for the following reason:
“Caught scanning for web/mail exploits / compromised hosts”
A T T E N T I O N ! T H I S I S A C O M P R O M I S E D H O S T !
Then they attached a piece of what they have been receiving from our server:
IP-OF-OUR-SERVER tpc-035.mach3builders.nl 20200906/22:46:30 22:44:07.952660 rule 0/0(match): block in on vmx0: IP-OF-OUR-SERVER.5121 > 18.104.22.168.5060: SIP: INVITE sip:email@example.com SIP/2.0
IP-OF-OUR-SERVER tpc-035.mach3builders.nl 20200906/22:46:30 22:44:07.953053 rule 0/0(match): block in on vmx0: IP-OF-OUR-SERVER.5121 > 22.214.171.124.5060: SIP: INVITE sip:firstname.lastname@example.org SIP/2.0
IP-OF-OUR-SERVER tpc-035.mach3builders.nl 20200906/22:46:33 22:44:07.953314 rule 0/0(match): block in on vmx0: IP-OF-OUR-SERVER.5121 > 126.96.36.199.5060: SIP: INVITE sip:email@example.com SIP/2.0
It looks like the invites are somehow being sent from our server to scan different IPs for open SIP ports, is that right? From what I understand usually this process is in reverse, directed to our FreePBX server. Why is it being originated from our server?
It also looks like extension 100 is involved. We do not have that extension, nor do we have guest/anonymous calls enabled.
Can someone help us figure out what is going on here?
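As an added example (not from the original post), here is a small Python parser for the firewall log format quoted in the abuse report that flags a single source port fanning INVITEs out to many distinct hosts on 5060, which is the outbound scanning pattern the report describes; the sample log lines, hostnames and IP addresses are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Field layout of the quoted pf-style log lines:
# "... HH:MM:SS.ffffff rule N/N(match): block in on IFACE: SRC.PORT > DST.PORT: SIP: METHOD sip:USER@HOST SIP/2.0"
LINE_RE = re.compile(
    r"(?P<ts>\d{2}:\d{2}:\d{2}\.\d{6}) rule \S+: block (?:in|out) on \S+: "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"SIP: (?P<method>[A-Z]+) sip:(?:(?P<user>[^@\s]+)@)?(?P<host>\S+) SIP/2\.0"
)

def parse_line(line):
    """Return a dict of fields for one SIP log line, or None if the line does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%H:%M:%S.%f")
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec

def find_sip_scanners(lines, min_targets=3, window_seconds=5.0):
    """Group INVITEs by (source IP, source port) and flag any group that reaches
    at least min_targets distinct hosts on 5060 within window_seconds."""
    groups = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "INVITE" and rec["dport"] == 5060:
            groups[(rec["src"], rec["sport"])].append(rec)
    findings = []
    for (src, sport), recs in groups.items():
        recs.sort(key=lambda r: r["ts"])
        targets = {r["dst"] for r in recs}
        span = (recs[-1]["ts"] - recs[0]["ts"]).total_seconds()
        if len(targets) >= min_targets and span <= window_seconds:
            findings.append({"src": src, "sport": sport, "targets": len(targets),
                             "span": span, "users": sorted({r["user"] for r in recs if r["user"]})})
    return findings

# Constructed sample: three INVITEs from one ephemeral port to three hosts (scan-like),
# plus one ordinary INVITE from the PBX's signalling port to a single trunk host.
SAMPLE_LOG = """\
203.0.113.10 fw-01.example.net 20200906/22:46:30 22:44:07.952660 rule 0/0(match): block in on vmx0: 203.0.113.10.5121 > 198.51.100.21.5060: SIP: INVITE sip:100@198.51.100.21 SIP/2.0
203.0.113.10 fw-01.example.net 20200906/22:46:30 22:44:07.953053 rule 0/0(match): block in on vmx0: 203.0.113.10.5121 > 198.51.100.22.5060: SIP: INVITE sip:100@198.51.100.22 SIP/2.0
203.0.113.10 fw-01.example.net 20200906/22:46:33 22:44:07.953314 rule 0/0(match): block in on vmx0: 203.0.113.10.5121 > 198.51.100.23.5060: SIP: INVITE sip:100@198.51.100.23 SIP/2.0
203.0.113.10 fw-01.example.net 20200906/22:46:40 22:44:15.100000 rule 0/0(match): block in on vmx0: 203.0.113.10.5060 > 192.0.2.5.5060: SIP: INVITE sip:15551234567@192.0.2.5 SIP/2.0
"""

if __name__ == "__main__":
    for f in find_sip_scanners(SAMPLE_LOG.splitlines()):
        print(f"{f['src']}:{f['sport']} hit {f['targets']} hosts on 5060 in {f['span']:.3f}s, users {f['users']}")
```

Lowering min_targets or widening the window makes the rule more sensitive; a normal PBX sends INVITEs from its configured signalling port to a handful of known trunk and peer addresses, not from one ephemeral port to many unrelated hosts.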