I think I have a hacker but I'm not sure how to go about it.
I was watching the log and it has this instance in it every minute or so:
>
> == Using SIP RTP TOS bits 184
> == Using SIP RTP CoS mark 5
> -- Executing [009441519471676@from-sip-external:1] NoOp("SIP/110.12.65.33-00000021", "Received incoming SIP connection from unknown peer to 009441519471676") in new stack
> -- Executing [009441519471676@from-sip-external:2] Set("SIP/110.12.65.33-00000021", "DID=009441519471676") in new stack
> -- Executing [009441519471676@from-sip-external:3] Goto("SIP/110.12.65.33-00000021", "s,1") in new stack
> -- Goto (from-sip-external,s,1)
> -- Executing [s@from-sip-external:1] GotoIf("SIP/110.12.65.33-00000021", "0?checklang:noanonymous") in new stack
> -- Goto (from-sip-external,s,5)
> -- Executing [s@from-sip-external:5] Set("SIP/110.12.65.33-00000021", "TIMEOUT(absolute)=15") in new stack
> Channel will hangup at 2022-04-28 09:41:30.703 PDT.
> -- Executing [s@from-sip-external:6] Answer("SIP/110.12.65.33-00000021", "") in new stack
> -- Executing [s@from-sip-external:7] Wait("SIP/110.12.65.33-00000021", "2") in new stack
> -- Executing [s@from-sip-external:8] Playback("SIP/110.12.65.33-00000021", "ss-noservice") in new stack
> -- <SIP/110.12.65.33-00000021> Playing 'ss-noservice.ulaw' (language 'en')
> > doing dnsmgr_lookup for 'norland.sip.telifon.com'
> -- Executing [s@from-sip-external:9] PlayTones("SIP/110.12.65.33-00000021", "congestion") in new stack
> -- Executing [s@from-sip-external:10] Congestion("SIP/110.12.65.33-00000021", "5") in new stack
> == Spawn extension (from-sip-external, s, 10) exited non-zero on 'SIP/110.12.65.33-00000021'
> -- Executing [h@from-sip-external:1] Hangup("SIP/110.12.65.33-00000021", "") in new stack
> == Spawn extension (from-sip-external, h, 1) exited non-zero on 'SIP/110.12.65.33-00000021'
> [2022-04-28 09:41:47] WARNING[3098]: chan_sip.c:3641 retrans_pkt: Retransmission timeout reached on transmission 1450415242-1051076709-666283442 for seqno 1 (Critical Response) -- See https://wiki.asterisk.org/wiki/display/AST/SIP+Retransmissions
> Packet timed out after 32000ms with no response
I jumped on chanspy and I hear:
"SIP 70" (my parking lot extension). "The number you have dialed is not in service. Please check the number and try again," then the beeping.
I am 99.9% sure that one of our extensions is doing this. I only have 4 local sip phones, 2 remote sip phones, and 2 copper line phones. All but the remote phones are in reach. The 2 remote phones are at home and my wife says no activity as far as she can tell.
The SIP extension "SIP/110.12.65.33-00000021" seems to climb 1 number every time it tries.
I.e.: 27, 28, 29, 2a, 2b, 2c, 2d, 2e, 2f
PLEASE NOTE: I changed the IP address (110.12.65.33) and user to my SIP trunk (norland) for my security.
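One way to see who is generating these entries is to tally the "unknown peer" lines by the address in the channel name, the number dialed, and the range of the hexadecimal channel suffix. This is an added example, not part of the original post; the function names and the sample lines (with documentation-range addresses) are constructed for illustration.

```python
import re
from collections import Counter

# Matches the NoOp line quoted in the post and captures the dialed number,
# the context, the source address in the channel name and the channel suffix.
UNKNOWN_PEER = re.compile(
    r'Executing \[(?P<dialed>[^@\]]+)@(?P<context>[^:\]]+):\d+\] '
    r'NoOp\("SIP/(?P<src>[^"]+)-(?P<chan>[0-9a-fA-F]{8})", '
    r'"Received incoming SIP connection from unknown peer'
)

def summarize_unknown_peers(log_text):
    """Return {source: {"attempts", "dialed", "first_chan", "last_chan"}}."""
    summary = {}
    for line in log_text.splitlines():
        m = UNKNOWN_PEER.search(line)
        if not m:
            continue
        chan = int(m.group("chan"), 16)  # suffix is hexadecimal (..., 2e, 2f)
        entry = summary.setdefault(m.group("src"), {
            "attempts": 0, "dialed": Counter(),
            "first_chan": chan, "last_chan": chan,
        })
        entry["attempts"] += 1
        entry["dialed"][m.group("dialed")] += 1
        entry["first_chan"] = min(entry["first_chan"], chan)
        entry["last_chan"] = max(entry["last_chan"], chan)
    return summary

def repeat_sources(summary, min_attempts=3):
    """Sources seen at least min_attempts times, busiest first."""
    hits = [(src, e["attempts"]) for src, e in summary.items()
            if e["attempts"] >= min_attempts]
    return sorted(hits, key=lambda h: h[1], reverse=True)

# Constructed sample lines in the format of the log above (addresses are
# documentation-range placeholders, not values from the post).
SAMPLE_LOG = '''\
 -- Executing [009441519471676@from-sip-external:1] NoOp("SIP/192.0.2.10-00000027", "Received incoming SIP connection from unknown peer to 009441519471676") in new stack
 -- Executing [009441519471676@from-sip-external:2] Set("SIP/192.0.2.10-00000027", "DID=009441519471676") in new stack
 -- Executing [009441519471676@from-sip-external:1] NoOp("SIP/192.0.2.10-00000028", "Received incoming SIP connection from unknown peer to 009441519471676") in new stack
 -- Executing [900441519471676@from-sip-external:1] NoOp("SIP/192.0.2.10-0000002a", "Received incoming SIP connection from unknown peer to 900441519471676") in new stack
 -- Executing [100@from-sip-external:1] NoOp("SIP/198.51.100.7-00000029", "Received incoming SIP connection from unknown peer to 100") in new stack
'''

if __name__ == "__main__":
    result = summarize_unknown_peers(SAMPLE_LOG)
    for src, count in repeat_sources(result):
        e = result[src]
        print(src, count, dict(e["dialed"]),
              f'{e["first_chan"]:08x}-{e["last_chan"]:08x}')
```

Feeding it the saved console output or log file shows at a glance whether the repeated attempts share one source address and which numbers they try.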