One of my installations has been hacked via the dialplan and made unauthorized calls. Just to clarify, there was no hack via HTTP or SSH, since the FreePBX is not open to the public internet.
The original setup of the inbound route that was used was:
InboundRoute -> Misc Destination -> Call to a number
So, this DID was used to “forward” the call to another number. This was the original setup.
What the hacker did was, after he called the DID, he then executed a call transfer (##) to transfer calls to another number. Also, he was able to set up speeddials via *75, as you can see:
asterisk -rx 'database show ampuser' | grep speeddials
/AMPUSER//speeddials/ :
/AMPUSER//speeddials/** :
/AMPUSER//speeddials/0000 : 900442085350050
/AMPUSER//speeddials/1 : 900442085350050
/AMPUSER//speeddials/105 : 900442070871900
The setting “Disallow transfer features for inbound callers” was set to Yes and the dial options were:
Asterisk Dial Options: trWw
Asterisk Outbound Trunk Dial Options: TWw
How can this happen? What needs to be done so it won't happen again?
Running FreePBX 184.108.40.206 (SNG Distro 12.7.6-1904-1.sng7)
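An audit sketch for the two artifacts shown in the post, added here as an example and not part of the original post or of FreePBX: it lists speeddial entries in `database show ampuser` output that point to long (off-system) numbers, and reports which features a Dial() option string grants to the calling party (in Asterisk's Dial(), uppercase `T`, `W`, `K`, `H` and `X` apply to the caller, lowercase to the called party). The function names, the 5-digit internal-extension threshold and the extra `cidname` sample line are assumptions.

```python
import re

# Constructed sample in the format of `asterisk -rx 'database show ampuser'`:
# the speeddial entries from the post plus one unrelated, made-up key.
SAMPLE = """\
/AMPUSER//speeddials/ :
/AMPUSER//speeddials/** :
/AMPUSER//speeddials/0000 : 900442085350050
/AMPUSER//speeddials/1 : 900442085350050
/AMPUSER//speeddials/105 : 900442070871900
/AMPUSER/105/cidname : Front desk
"""

ENTRY = re.compile(
    r"^/AMPUSER/(?P<user>[^/]*)/speeddials/(?P<slot>\S*)\s*:\s*(?P<dest>.*)$")

# Assumption: internal extensions have at most this many digits.
MAX_INTERNAL_DIGITS = 5

# Dial() option letters that give an in-call feature to the calling party.
CALLER_FEATURES = {"T": "transfer", "W": "one-touch recording",
                   "K": "call parking", "H": "DTMF hangup",
                   "X": "one-touch mixmonitor"}

def audit_speeddials(astdb_output, max_internal=MAX_INTERNAL_DIGITS):
    """Return (user, slot, destination) for speeddials that point off-system."""
    findings = []
    for line in astdb_output.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # not a speeddial key
        dest = m.group("dest").strip()
        digits = re.sub(r"\D", "", dest)
        if len(digits) > max_internal:  # empty slots have zero digits
            findings.append((m.group("user"), m.group("slot"), dest))
    return findings

def caller_features(dial_options):
    """Return the features a Dial() option string grants to the caller."""
    flags = re.sub(r"\([^)]*\)", "", dial_options)  # drop option arguments
    return [name for flag, name in CALLER_FEATURES.items() if flag in flags]

if __name__ == "__main__":
    for user, slot, dest in audit_speeddials(SAMPLE):
        print(f"user={user or '(empty)'} slot={slot} -> {dest}")
    for label, opts in (("Dial", "trWw"), ("Trunk", "TWw")):
        print(label, opts, "caller gets:", caller_features(opts) or "nothing")
```

In practice the input would be the saved output of `asterisk -rx 'database show ampuser'` rather than the embedded sample.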