It would be a client. So this thread was started a week ago and it was determined that you had the same SIP password for all your extensions, they were short passwords, you were using TFTP for provisioning and you were compromised. You stated you were going to be changing passwords and it was suggested you move to HTTPS for provisioning.
Now roughly 24 hours ago you stated the same thing when you opened this thread. More calls being made that shouldn’t be. So now the questions are:
- Did you move from TFTP to HTTPS for your provisioning?
- Did you change all the passwords?
- Did you make them longer and more complex?
- What steps have you actually taken to secure this box?
Because if you’ve taken a bunch of steps and this still happened a week later, then they are in your box another way and you really need to find it. Otherwise, if you’ve done nothing, we’ve spent the last 24 hours troubleshooting an issue that was left unresolved from earlier in the week.