We had someone call in over the weekend and somehow gain access to the phone system, and they were able to forward all our extensions to 301-4XX-4XXX using what appears to be Zulu and feature codes.
I think I figured it out and semi-patched the hole. In my findings, a hacker could simply press * in an IVR and access the *2 and ## feature codes and transfer around, or forward lines, so I disabled those codes. We also had trunk mode T in advanced options; I took that out. Lastly, I was able to go into the Asterisk CLI and remove the forwarding of the extensions via “database del CF (EXT#)”.
I have a feeling that back door is still open. Suggestions going forward? Appreciate any feedback.
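A small audit script, added here as an example and not part of the original post or of FreePBX/Asterisk itself: it parses the output of the Asterisk CLI command `database show CF` (the AstDB family the poster cleaned up with `database del CF`) and reports every extension whose call-forward destination is not an internal extension. The sample CLI output embedded below is constructed to mimic the real format; the assumption that internal extensions are 3 or 4 digits long is mine and should be adjusted to the site's dial plan. Run it periodically (cron) so a re-opened forwarding path is noticed quickly rather than over a weekend.

```shell
#!/bin/sh
# Added example, not from the original post. Audits AstDB call-forward (CF)
# entries and flags destinations that are not internal extensions.
# Assumption: internal extensions are 3-4 digit numbers; anything else
# (10/11-digit external numbers, anything with non-digits) is reported.

# Constructed sample in the format printed by `asterisk -rx "database show CF"`.
SAMPLE_CF_OUTPUT='/CF/201                                            : 3014XX4XXX
/CF/202                                            : 3014XX4XXX
/CF/203                                            : 204
3 results found.'

# Print "<ext> <destination>" for every CF entry whose destination is external.
# $1 = text in `database show CF` format.
find_external_forwards() {
    printf '%s\n' "$1" | awk -F' : ' '
        /^\/CF\// {
            ext = $1
            sub(/^\/CF\//, "", ext)          # strip the /CF/ key prefix
            gsub(/[ \t]+$/, "", ext)         # strip padding before " : "
            dest = $2
            gsub(/^[ \t]+|[ \t]+$/, "", dest)
            # internal if purely numeric and at most 4 digits (assumption)
            if (!(dest ~ /^[0-9]+$/ && length(dest) <= 4)) print ext, dest
        }'
}

# Number of externally forwarded extensions (handy as an alert threshold).
count_external_forwards() {
    find_external_forwards "$1" | wc -l | tr -d ' '
}

# On a live PBX (assumes the asterisk CLI is available to this user):
#   find_external_forwards "$(asterisk -rx 'database show CF')"
# Demonstration on the constructed sample:
find_external_forwards "$SAMPLE_CF_OUTPUT"
```

On the sample above the script reports extensions 201 and 202 (forwarded to the external 301 number) and stays silent about 203, which forwards to another internal extension. Pair this with the feature-code changes already made: disabling the *2 and ## codes for IVR callers closes the path, and the audit confirms nothing slipped back in through another route.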