Compromised configuration

(FAK) #1

Hi Guys,

I have been compromised.
I have a Distro PBX 14 setup. I have a Twilio account set up for outbound calling.
Auto refill is enabled on the account.
I have noticed successful calls to a Switzerland high-risk toll fraud destination.
When I want to check the CDRs and log files in FreePBX, I can't find any of the records for those dates: for the 26th and 27th I have no record in any
of the log files (CDRs, FreePBX logs, security logs, fail2ban or any of the other logs) for those dates.

Now I want to trace those call logs and check how the system was breached and we were compromised.

Are there any suggestions on where to start?

One major concern is that Twilio has those high-risk toll fraud destinations blocked by default, so how did calls pass to these destinations?

Some of the numbers:

  1. 41740888875
  2. 41740888016
  3. 41740888015
  4. 41740888875

(TheJames) #2

If it is not in the CDR, there is a chance the account is compromised. Change your credentials and use strong passwords.


(FAK) #3

The files were removed. I cannot see any log files for those dates.


#4

The CDR is in a database, not log files.


(FAK) #5

Yes, but the CDRs for those dates are not appearing in the CDR reports, so it means they were also deleted, as with the logs.


(Tom Ray) #6

Nope. CDRs are stored in a MySQL (MariaDB) database. There is no automated method of pruning or trimming those records down unless you implemented a method that would clean up the database records.

If they aren’t in the CDR report, then a CDR either wasn’t generated or it was deleted from the database by someone. Again, there is no automated cleanup of the database records.
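
As an added example (not code from this thread, from FreePBX or from Asterisk), the following Python script shows the two checks the reply above implies a forensic reviewer would run against the CDR table: which calendar days in a window have no CDR rows at all, and which rows dial a flagged destination prefix. It stands in for MariaDB with an in-memory SQLite table that uses the relevant column names of FreePBX's asteriskcdrdb.cdr (calldate, src, dst, disposition, billsec); the rows are constructed sample data, the Swiss number is one of those listed in the thread, and the high-risk prefix list is an assumption for the example, not the provider's real list.

```python
import sqlite3
from datetime import date, timedelta

# Constructed sample rows (NOT real call data). Column layout mirrors the
# FreePBX asteriskcdrdb.cdr columns used here: calldate, src, dst,
# disposition, billsec. The Swiss number is one of those listed in the thread.
SAMPLE_CDR_ROWS = [
    ("2019-05-24 09:12:01", "1001", "15551230001", "ANSWERED", 65),
    ("2019-05-25 14:03:44", "1002", "15551230002", "NO ANSWER", 0),
    ("2019-05-28 08:30:10", "1001", "15551230003", "ANSWERED", 12),
    ("2019-05-28 23:55:02", "1003", "41740888875", "ANSWERED", 1800),
]

# Assumed prefix list for this example only; the authoritative high-risk
# destination list is the carrier's (Twilio's), which the thread does not reproduce.
HIGH_RISK_PREFIXES = ("4174",)


def load_cdr(rows=SAMPLE_CDR_ROWS):
    """Build an in-memory table shaped like asteriskcdrdb.cdr and load rows.

    On a real FreePBX box you would point this at MariaDB instead; the
    queries below use only portable SQL.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE cdr (calldate TEXT, src TEXT, dst TEXT, "
        "disposition TEXT, billsec INTEGER)"
    )
    conn.executemany("INSERT INTO cdr VALUES (?, ?, ?, ?, ?)", rows)
    return conn


def cdr_counts_per_day(conn, start, end):
    """Return {YYYY-MM-DD: row count} for every calendar day in [start, end].

    Days with no rows are included with a count of 0 so gaps are visible.
    """
    counts = dict(
        conn.execute(
            "SELECT substr(calldate, 1, 10), COUNT(*) FROM cdr "
            "WHERE substr(calldate, 1, 10) BETWEEN ? AND ? "
            "GROUP BY substr(calldate, 1, 10)",
            (start, end),
        )
    )
    day, last = date.fromisoformat(start), date.fromisoformat(end)
    result = {}
    while day <= last:
        key = day.isoformat()
        result[key] = counts.get(key, 0)
        day += timedelta(days=1)
    return result


def missing_cdr_days(conn, start, end):
    """Days inside the window that have zero CDR rows.

    As the reply above says, an empty day means a CDR was never generated
    or the rows were deleted; the table alone cannot tell which, so each
    hit needs corroboration (carrier-side call logs, MySQL binary logs,
    backups) before concluding anything.
    """
    return [d for d, n in cdr_counts_per_day(conn, start, end).items() if n == 0]


def calls_to_prefixes(conn, prefixes=HIGH_RISK_PREFIXES):
    """CDR rows whose dialled number starts with any flagged prefix.

    Leading '+' and '0's are stripped so '+41', '0041' and '41' all match.
    """
    rows = conn.execute(
        "SELECT calldate, src, dst, disposition, billsec FROM cdr ORDER BY calldate"
    ).fetchall()
    return [r for r in rows if r[2].lstrip("+0").startswith(prefixes)]


if __name__ == "__main__":
    db = load_cdr()
    print("days with no CDR rows:", missing_cdr_days(db, "2019-05-24", "2019-05-28"))
    for row in calls_to_prefixes(db):
        print("flagged destination:", row)
```

Run against the sample data, the gap check reports the 26th and 27th as empty, which is exactly the symptom described in the first post; the prefix check lists the single answered call to the Swiss number with its billsec, which is what you would reconcile against the carrier's own call detail records and invoice.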


#7

If there are no CDRs from the dates, then probably your account on the provider was compromised.


(system) closed #8

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.