I saw the first ‘extension scan’ of my Asterisk box this week. That is, an external server tried to register as an extension, starting at extension 100 all the way up to extension 999. I’m assuming if they had found a valid extension number then this would have been followed by a brute-force password (secret) scan.
This is an interesting article explaining the problem a little more – http://michigantelephone.wordpress.com/2008/11/28/why-didnt-freepbx-developers-implement-important-security-patch/
If you’re running Asterisk (and FreePBX) then the least you need to do is make sure that you’ve got pretty strong passwords for your extensions.
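A scan like the one described above can be picked out of the Asterisk log by counting how many distinct extensions each source address failed to register as. The following is an added example, not part of the original post: it assumes the chan_sip failed-registration NOTICE format, uses constructed sample lines with documentation IP addresses, and the threshold of 5 distinct extensions is an arbitrary assumption.

```python
import re
from collections import defaultdict

# chan_sip failed-registration notice; newer Asterisk versions append ":port" to the IP.
FAILED = re.compile(
    r"Registration from '(?:\"[^\"]*\"\s*)?<sip:(?P<ext>[^@>]+)@[^>]*>' "
    r"failed for '(?P<ip>[^':]+)(?::\d+)?' - (?P<reason>.+)$"
)

def _line(ext, ip, reason):
    # Helper that builds one constructed log line for the sample below.
    return (f"[2008-11-28 03:14:01] NOTICE[2211] chan_sip.c: Registration from "
            f"'\"{ext}\" <sip:{ext}@192.0.2.10>' failed for '{ip}' - {reason}")

# Constructed sample log (documentation IP ranges), not taken from a real server.
SAMPLE_LOG = (
    [_line(e, "203.0.113.7", "No matching peer found") for e in range(100, 112) if e != 104]
    + [_line(104, "203.0.113.7", "Wrong password")]        # scanner reached a real extension
    + [_line(204, "198.51.100.20", "Wrong password")] * 2  # a user mistyping a secret
)

def find_extension_scans(lines, min_extensions=5):
    """Return {ip: {"tried": [...], "confirmed": [...]}} for sources that
    attempted at least min_extensions distinct extensions."""
    tried = defaultdict(set)
    confirmed = defaultdict(set)
    for line in lines:
        m = FAILED.search(line)
        if not m:
            continue
        ip, ext = m["ip"], m["ext"]
        tried[ip].add(ext)
        # "Wrong password" means the extension exists, so the scan confirmed it.
        if m["reason"].strip() == "Wrong password":
            confirmed[ip].add(ext)
    return {
        ip: {"tried": sorted(exts), "confirmed": sorted(confirmed[ip])}
        for ip, exts in tried.items()
        if len(exts) >= min_extensions
    }

if __name__ == "__main__":
    for ip, info in find_extension_scans(SAMPLE_LOG).items():
        print(f"{ip}: {len(info['tried'])} extensions tried, "
              f"exist and need a strong secret: {info['confirmed']}")
```

The "confirmed" list is the set of extensions the scanning source now knows to be valid, so those are the secrets to check first.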