I have a test system with a single extension. I just started having some problems with it being unable to send/receive calls from the single desktop phone. The SIP trunk shows as being up and the extension showed as online. Doing a bit more digging, I found that the IP for the extension was unknown to me. Here is a clip from the logs:
Endpoint: 301/301 Not in use 0 of inf
InAuth: 301-auth/301
Aor: 301 3
Contact: 301/sip:3[email protected]:44016;rinstance 9fda1ff373 Avail 69.901
Contact: 301/sip:3[email protected]:57844;rinstance a151b0dadd Unavail nan
I did an IP lookup and that IP address is for a DigitalOcean VM which appears to be running a basic Linux installation. It responds to SSH and HTTP requests.
When I first noticed the issue, I completely removed the extension and associated user, changed the provisioning username/password and then recreated a new extension/user with new credentials. Again, my desktop phone was unable to connect. I checked the logs and the new extension showed as being online and the logs showed the same unknown SIP registration IP as before with the new extension number.
I should mention that I am running the Clearly Anywhere softphone module and thought that somehow this unknown IP might be related to that service. The softphone app has been working fine and shows up in the logs as properly registering from my IP address.
So is this an instance of a compromise or am I just being fooled? I have since shut the server down and, since this is basically a test machine for me, I will be nuking it and starting from scratch, but I would appreciate any thoughts/comments that might help me understand what might have happened.
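A way to spot registrations like the one described above, as an added example that is not part of the original post: it parses Contact lines in the layout of the clip and reports every contact whose address falls outside a list of expected networks. The sample lines, their addresses (RFC 5737 documentation ranges and a private range) and `EXPECTED_NETS` are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample in the layout of the clip above; the addresses are
# documentation/private ranges, not values from the post.
SAMPLE = """\
Contact: 301/sip:301@192.0.2.25:44016;rinstance=9fda1ff373 Avail 69.901
Contact: 301/sip:301@203.0.113.77:57844;rinstance=a151b0dadd Unavail nan
Contact: 302/sip:302@10.0.0.15:5060 1c2d3e4f5a Avail 12.400
"""

# Assumption: the networks this administrator expects phones to register from.
EXPECTED_NETS = ("10.0.0.0/24", "192.0.2.0/24")

# <aor>/sip:<user>@<host>[:<port>][;params]; host may be a bracketed IPv6 literal.
URI_RE = re.compile(
    r"^(?P<aor>[^/]+)/sips?:(?:[^@]*@)?"
    r"(?P<host>\[[^\]]+\]|[^:;]+)(?::(?P<port>\d+))?"
)

def unexpected_contacts(text, expected_nets=EXPECTED_NETS):
    """Return (aor, host, port, status) for contacts outside expected_nets."""
    nets = [ipaddress.ip_network(n) for n in expected_nets]
    flagged = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "Contact:":
            continue
        m = URI_RE.match(tokens[1])
        if not m:
            continue
        host = m["host"].strip("[]")
        port = int(m["port"]) if m["port"] else None
        status = tokens[-2]  # layout: Contact: <uri> [hash] <status> <rtt>
        try:
            addr = ipaddress.ip_address(host)
            known = any(addr in net for net in nets)
        except ValueError:
            known = False  # hostname or unparseable host: review by hand
        if not known:
            flagged.append((m["aor"], host, port, status))
    return flagged

if __name__ == "__main__":
    for aor, host, port, status in unexpected_contacts(SAMPLE):
        print(f"AOR {aor}: unexpected contact {host}:{port} ({status})")
```

An AOR that lists more than one contact, with one of them outside the expected networks, matches the situation in the clip and is worth checking against the registration history for that extension.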