Our 3CX server (version 14) was hacked last weekend; we were notified by our SIP trunk provider that someone had managed to externally register on one of the extensions and make outgoing calls to the Seychelles. Luckily, this was flagged by our provider and outgoing traffic blocked, so we're only a few bucks down. We upgraded to 15.5, and are back up and running again. The new mangement interface is extremely sexy. However, we're still seeing some things that don't quite smell right: calls to and from unused extensions (most often extension 1), and "test". I couldn't find any info on the "test" extension. Are there known instances of something like this happening? Currently, we're in the process of setting up secure SIP, have enabled logging of SIP packets on our firewall, and have enabled CDR logging on the 3CX server. Any other tips to get to the bottom of the issue are much appreciated.