AsteriskNOW Hacked no sign of hacker

Hi Folks,
I am baffled. The server was behind a firewall. I was alerted by our peer that they were seeing several calls to international destinations and they blocked the trunk. By the time I read the email and took action, all looked OK. Now this baffles me; there are no:

ssh access records.
Call records.
Call recordings.
Evidence of files being tampered.

Now I should mention I was working on a project to move our VoIP to the AWS platform, but I had AWS firewall rules in place. Has anyone seen this type of clever hack before, and does anyone have any info on how they can make calls with no record of such on the server?


Can you provide the output of

fwconsole ma list

Are you sure they hacked your PBX and not your SIP provider? Meaning, are you sure the calls came from your PBX?

Hi James,
Looks like the command is missing.
[root@ip-172-16-1-18 ~]# fwconsole ma list
-bash: fwconsole: command not found

ip-172-16-1-18CLI> fwconsole ma list
No such command 'fwconsole ma list' (type 'core show help fwconsole ma' for other possible commands)

The src IP was the IP address of the Asterisk box. Once I rolled back to a physical box no breaches since.