Hacker has gained access, forwarded all ext to a ph# - How to close hole?

Answerphone · February 13, 2020, 12:54am

We had someone call in over the weekend and somehow gain access to the phone system, was able to forward all our extensions to 301-4XX-4XXX using what appears to be zulu and feature codes.

I think I figured it out and semi-patched the hole. In my findings, a hacker could simply press * in an IVR and access the *2 and ## feature codes and transfer around, or forward lines, so I disabled those codes. We also we had trunk mode T in advanced options. I took that out. Lastly, I was able to go into the asterisk CLI and remove the forwarding of the extensions via “database del CF (EXT#)”.

I have a feeling that back door is still open. Suggestions going forward? Appreciate any feedback.

arielgrin · February 13, 2020, 1:05am

If you are not sure what other damage might have been inflicted onto your PBX, just download an ISO and start from scratch.

claloano · February 13, 2020, 7:53am

if yours is an office switchboard, you can close everything with iptables and allow traffic only to the operator offering the trunks

system · March 15, 2020, 7:53am

This topic was automatically closed 31 days after the last reply. New replies are no longer allowed.