got hacked today

Posted: Thu Aug 07, 2014 2:38 pm
by john_usc
I got hacked earlier today. I had different IPs from China scanning my machine. I used iptables to block those.
This is what I also did:
I used mysql to set active to N for all phones
I changed passwords for all phones

However, I am still seeing the numbers being dialed when I go to > asterisk -r

I see the output below. How do I stop this crazy dialing? Please help.

-- Executing AGI("SIP/5060-0a04ec60", "agi://127.0.0.1:4577/call_log") in new stack
-- AGI Script agi://127.0.0.1:4577/call_log completed, returning 0
Aug 7 14:35:02 WARNING[23138]: pbx.c:1720 pbx_extension_helper: No application 'Dial' for extension (default, 916059255207, 2)
== Spawn extension (default, 916059255207, 2) exited non-zero on 'SIP/5060-0a04ec60'
-- Executing DeadAGI("SIP/5060-0a04ec60", "agi://127.0.0.1:4577/call_log--HVcauses--PRI-----NODEBUG-----0---------------") in new stack
-- AGI Script agi://127.0.0.1:4577/call_log--HVcauses ... ---------- completed, returning 0
== Parsing '/etc/asterisk/manager.conf': Found
== Manager 'listencron' logged on from 127.0.0.1
== Parsing '/etc/asterisk/manager.conf': Found
== Manager 'updatecron' logged on from 127.0.0.1
-- Executing AGI("SIP/5060-0a054cc0", "agi://127.0.0.1:4577/call_log") in new stack
-- AGI Script agi://127.0.0.1:4577/call_log completed, returning 0
Aug 7 14:35:05 WARNING[23183]: pbx.c:1720 pbx_extension_helper: No application 'Dial' for extension (default, 914194533327, 2)
== Spawn extension (default, 914194533327, 2) exited non-zero on 'SIP/5060-0a054cc0'
-- Executing DeadAGI("SIP/5060-0a054cc0", "agi://127.0.0.1:4577/call_log--HVcauses--PRI-----NODEBUG-----0---------------") in new stack
-- AGI Script agi://127.0.0.1:4577/call_log--HVcauses ... ---------- completed, returning 0
== Parsing '/etc/asterisk/manager.conf': Found
== Manager 'sendcron' logged on from 127.0.0.1
== Manager 'sendcron' logged off from 127.0.0.1
-- Executing AGI("SIP/5060-0a05aa80", "agi://127.0.0.1:4577/call_log") in new stack
-- AGI Script agi://127.0.0.1:4577/call_log completed, returning 0
Aug 7 14:35:06 WARNING[23197]: pbx.c:1720 pbx_extension_helper: No application 'Dial' for extension (default, 915598464077, 2)
== Spawn extension (default, 915598464077, 2) exited non-zero on 'SIP/5060-0a05aa80'
-- Executing DeadAGI("SIP/5060-0a05aa80", "agi://127.0.0.1:4577/call_log--HVcauses--PRI-----NODEBUG-----0---------------") in new stack
-- AGI Script agi://127.0.0.1:4577/call_log--HVcauses ... ---------- completed, returning 0
Aug 7 14:35:08 NOTICE[23107]: chan_sip.c:11518 handle_request: Unknown SIP command 'PUBLISH' from '192.168.1.7'
-- Executing AGI("SIP/5060-0a05ffc0", "agi://127.0.0.1:4577/call_log") in new stack
-- AGI Script agi://127.0.0.1:4577/call_log completed, returning 0
Aug 7 14:35:10 WARNING[23203]: pbx.c:1720 pbx_extension_helper: No application 'Dial' for extension (default, 915077438289, 2)
== Spawn extension (default, 915077438289, 2) exited non-zero on 'SIP/5060-0a05ffc0'
-- Executing DeadAGI("SIP/5060-0a05ffc0", "agi://127.0.0.1:4577/call_log--HVcauses--PRI-----NODEBUG-----0---------------") in new stack
-- AGI Script agi://127.0.0.1:4577/call_log--HVcauses ... ---------- completed, returning 0
-- Executing AGI("SIP/5060-0a065b40", "agi://127.0.0.1:4577/call_log") in new stack
-- AGI Script agi://127.0.0.1:4577/call_log completed, returning 0
Aug 7 14:35:11 WARNING[23211]: pbx.c:1720 pbx_extension_helper: No application 'Dial' for extension (default, 916066629154, 2)
== Spawn extension (default, 916066629154, 2) exited non-zero on 'SIP/5060-0a065b40'
-- Executing DeadAGI("SIP/5060-0a065b40", "agi://127.0.0.1:4577/call_log--HVcauses--PRI-----NODEBUG-----0---------------") in new stack
-- AGI Script agi://127.0.0.1:4577/call_log--HVcauses ... ---------- completed, returning 0
== Manager 'sendcron' logged off from 127.0.0.1

Re: got hacked today

Posted: Fri Aug 08, 2014 7:46 am
by geoff3dmg
It looks like SIP phone 5060 is compromised to me. Do you use IP ACLs? Do you use strong passwords?
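
Added example (not part of the original thread): one way to confirm which peer is originating the calls is to tally the "Spawn extension ... exited non-zero" lines from the console output by channel owner. The sample lines are abridged from the output posted above; the function names and the `min_numbers` threshold are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# Sample lines abridged from the CLI output posted in the thread above.
SAMPLE = """\
    -- Executing AGI("SIP/5060-0a04ec60", "agi://127.0.0.1:4577/call_log") in new stack
Aug 7 14:35:02 WARNING[23138]: pbx.c:1720 pbx_extension_helper: No application 'Dial' for extension (default, 916059255207, 2)
  == Spawn extension (default, 916059255207, 2) exited non-zero on 'SIP/5060-0a04ec60'
Aug 7 14:35:05 WARNING[23183]: pbx.c:1720 pbx_extension_helper: No application 'Dial' for extension (default, 914194533327, 2)
  == Spawn extension (default, 914194533327, 2) exited non-zero on 'SIP/5060-0a054cc0'
  == Manager 'sendcron' logged on from 127.0.0.1
Aug 7 14:35:08 NOTICE[23107]: chan_sip.c:11518 handle_request: Unknown SIP command 'PUBLISH' from '192.168.1.7'
  == Spawn extension (default, 915598464077, 2) exited non-zero on 'SIP/5060-0a05aa80'
"""

# Channel names look like TECH/peer-hexid; the greedy peer group keeps
# any hyphens that belong to the peer name itself.
SPAWN = re.compile(
    r"Spawn extension \((?P<ctx>[^,]+), (?P<exten>[^,]+), (?P<prio>\d+)\) "
    r"exited non-zero on '(?P<tech>\w+)/(?P<peer>.+)-(?P<chan>[0-9a-f]+)'"
)

def tally_failed_calls(text):
    """Group failed dialplan executions by the peer that owns the channel."""
    peers = defaultdict(lambda: {"channels": set(), "numbers": set(), "contexts": set()})
    for line in text.splitlines():
        m = SPAWN.search(line)
        if not m:
            continue  # AGI, manager and SIP notice lines are ignored
        entry = peers[f"{m['tech']}/{m['peer']}"]
        entry["channels"].add(m["chan"])
        entry["numbers"].add(m["exten"])
        entry["contexts"].add(m["ctx"])
    return dict(peers)

def suspicious_peers(text, min_numbers=3):
    """Peers that tried at least min_numbers distinct destinations (assumed threshold)."""
    tally = tally_failed_calls(text)
    return sorted(p for p, e in tally.items() if len(e["numbers"]) >= min_numbers)

if __name__ == "__main__":
    for peer, e in tally_failed_calls(SAMPLE).items():
        print(peer, len(e["channels"]), "channels,", len(e["numbers"]),
              "distinct numbers, contexts:", sorted(e["contexts"]))
```

A single peer opening a new channel for a different long number every second or two, all in the same context, is the pattern to look for; that peer's credentials and allowed source addresses are the first things to check.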