SIP hijack issue

We’re running asterisk 1.4.23 on CentOS 5.2. We recently had a sip device poorly configured where it had a simple secret and was not restricted by IP (permit was Of course it was hijacked to use for outbound calls which was our fault.

We then removed the device from asterisk and reloaded the config. The device was still being used. We then restarted asterisk (restart now) and the device still was used after the restart which made no sense to me.

How can a device removed from the configuration be used at a later point in time? I did a grep on all files in /etc/asterisk for the device ID just to make sure I didn’t miss anything and there were no configuration files containing the device ID that was clearly making calls (channels active, reported in CDR database).

Anyone know how we can avoid this in the future? We eventually stopped it by blocking the IP address via iptables but that doesn’t seem like a long-term viable solution since the IP’s can easily change.

Needless to say it surprised me when the device was used AFTER the configuration was removed and asterisk was restarted (the OS was not restarted).