We just fell victim to this hack. Our systems are: Ast:11.14.2 Fpbx: 2.11.0.43. Is there a good way to disable access to the web? We use IPTables locking down access to our whitelist only. Port 80 is definitely in the lock down list. When we checked httpd logs, the IP address that hacked us was not in our list… How in the heck are they able to get through IPTables and how can we stop them?
Your iptables config is not as good as you think it is…
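As an added example (not code from this thread), here is a small Python checker that walks an INPUT chain in `iptables-save` format the way the kernel would for a new inbound connection. The rule dump is constructed to show one common way a port-80 "whitelist" still accepts outside addresses: the per-IP ACCEPT rules are present, but a catch-all tcp/80 ACCEPT and a default ACCEPT policy make them meaningless.

```python
import ipaddress

# Constructed iptables-save excerpt. The whitelist ACCEPT rule is there, but the
# chain policy is ACCEPT and a catch-all tcp/80 ACCEPT rule remains, so any
# source address reaches the web interface. Addresses are RFC 5737 test ranges.
LEAKY_RULES = """\
:INPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 203.0.113.10/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
"""

# Same whitelist with the catch-all removed and a default DROP policy.
FIXED_RULES = LEAKY_RULES.replace(":INPUT ACCEPT", ":INPUT DROP").replace(
    "-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT\n", "")


def parse_input_chain(dump):
    """Return (policy, rules); each rule maps an option (-s, -p, --dport, -j ...) to its value."""
    policy, rules = "ACCEPT", []
    for line in dump.splitlines():
        if line.startswith(":INPUT "):
            policy = line.split()[1]
        elif line.startswith("-A INPUT "):
            toks = line.split()
            rules.append({t: toks[i + 1] for i, t in enumerate(toks[:-1]) if t.startswith("-")})
    return policy, rules


def verdict(dump, src_ip, dport, proto="tcp"):
    """First matching rule wins for a NEW connection from src_ip to dport; else the chain policy."""
    policy, rules = parse_input_chain(dump)
    src = ipaddress.ip_address(src_ip)
    for r in rules:
        if "--state" in r or r.get("-i") == "lo":
            continue  # a fresh external SYN matches neither established-state nor loopback rules
        if "-s" in r and src not in ipaddress.ip_network(r["-s"], strict=False):
            continue
        if "-p" in r and r["-p"] != proto:
            continue
        if "--dport" in r and int(r["--dport"]) != dport:
            continue
        return r["-j"]
    return policy


def web_reachable_from(dump, src_ip):
    """True if a new TCP connection to port 80 from src_ip would be accepted."""
    return verdict(dump, src_ip, 80) == "ACCEPT"
```

Run it against your own `iptables-save` output with an address that is not on the whitelist; if it returns ACCEPT, the web interface is not actually locked down, regardless of how many whitelist rules are present.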
The exploit they are using is very old. My recommendation would be to do a clean install with something newer. We did patch the exploit back to I think 2.9, so updating the Asterisk Recording Interface would be job 1 if nothing else. Note they likely left themselves a backdoor in the form of an exec command in a common file, so patching may no longer be enough.