FreePBX hacked via dialplan

Hello,

One of my installations has been hacked via dialplan and did unauthorized calls. Just to clarify there was no hack via HTTP or SSH since the FreePBX is not open to public internet.

Set original setup of the inbound route that has been used was:

InboundRoute -> Misc Destination -> Call to a number

So, this DID was used to “forward” the call to another number. This was the original setup.

What the hacker did was after he called the DID he, then, executed call tranfer (##) to transfer calls to another number. Also, he was able to setup speeddials via *75 as you can see:

asterisk -rx 'database show ampuser' | grep speeddials
/AMPUSER//speeddials/                             :
/AMPUSER//speeddials/**                           :
/AMPUSER//speeddials/0000                         : 900442085350050
/AMPUSER//speeddials/1                            : 900442085350050
/AMPUSER//speeddials/105                          : 900442070871900

The setting “Disallow transfer features for inbound callers” was set to Yes and the dial options were:
Asterisk Dial Options: trWw
Asterisk Outbound Trunk Dial Options: TWw

How can this happen? What does it need to be done so it wont happen again?

Running FreePBX 14.0.13.4 (SNG Distro 12.7.6-1904-1.sng7)

Regards,
esarant

Disallow transfer features for inbound callers should have been set to yes, so the transfers are disallowed.

1 Like

Im sorry, I wrote it wrong (and I edited now). It was set to Yes.

.Watching/bump

You can also watch this thread: https://community.freepbx.org/t/proposal-to-disable-in-call-transfer-features-by-default. There is also an ongoing ticket.

Core module versions v14.0.28.19 and v15.0.9.46 resolve this issue. Both are in edge at the moment, if you wish to upgrade, you can do so in FreePBX with:

fwconsole ma upgrade core  --edge
1 Like

This topic was automatically closed 365 days after the last reply. New replies are no longer allowed.