We have a self-hosted FreePBX server (currently on version 22.214.171.124).
Today our FreePBX system apparently made a few hundred outgoing calls to the Dominican Republic. There are no logs of anyone SSHing into our server, and our web portal is behind a firewall only allowing specific traffic to access it.
We utilize SIP trunks, hooked up with Twilio for our inbound and outbound calls.
Immediately after this happened, the server crashed, and upon reboot I ran the fpbx updates. This appears to have stopped for the time being, but I’m worried that the issues came from an exploit or hack that has permanently opened our FreePBX server in a way I’m not familiar with.
Are there areas I should check in the FreePBX server for why this would have happened? Is there anything other than updating the OS and modules that I should be doing past this point? How likely was this just an exploit on a vulnerability that was patched with my updates? (I believe the last time I updated the modules on the server was 3-4 months prior.)