Hacker has gained access, forwarded all ext to a ph# - How to close hole?

We had someone call in over the weekend and somehow gain access to the phone system, was able to forward all our extensions to 301-4XX-4XXX using what appears to be zulu and feature codes.

I think I figured it out and semi-patched the hole. In my findings, a hacker could simply press * in an IVR and access the *2 and ## feature codes and transfer around, or forward lines, so I disabled those codes. We also had trunk mode T in advanced options. I took that out. Lastly, I was able to go into the asterisk CLI and remove the forwarding of the extensions via “database del CF (EXT#)”.

I have a feeling that back door is still open. Suggestions going forward? Appreciate any feedback.
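An added example (not from the thread or from FreePBX) of auditing the Asterisk database for the kind of forwards described above. It assumes forwards live under the CF, CFU and CFB families and that `asterisk -rx "database show CF"` prints lines like `/CF/201 : 13014561234`; the sample output and the 4-digit internal-extension rule are constructed.

```shell
#!/bin/sh
# Added example: list call-forward entries in astdb and flag the ones pointing
# outside the PBX, mirroring the manual "database del CF <ext>" cleanup above.
# Assumption: "database show <family>" lines look like "/CF/201 : 13014561234".

# Read "database show <family>" output on stdin; print "family ext target" for
# each entry whose target is longer than an internal extension (assumed <= 4 digits).
audit_forwards() {
    awk '
        /^\/[A-Z]+\/[0-9]+ *:/ {
            split($1, p, "/")           # p[2] = family, p[3] = extension
            target = $NF
            if (length(target) > 4)     # constructed rule: externals are longer
                print p[2], p[3], target
        }'
}

# Run the audit against the live system for one family (CF, CFU or CFB).
live_audit() {
    command -v asterisk >/dev/null 2>&1 || { echo "asterisk CLI not found" >&2; return 1; }
    asterisk -rx "database show $1" | audit_forwards
}

# Remove one forward, the same command the post quotes: clear_forward CF 201
clear_forward() {
    asterisk -rx "database del $1 $2"
}

# Constructed sample standing in for real "database show CF" output.
SAMPLE='/CF/201                                           : 13014561234
/CF/202                                           : 13014561234
/CF/203                                           : 204
3 results found.'

printf '%s\n' "$SAMPLE" | audit_forwards
```

Running `live_audit CF` (and CFU/CFB) on the box shows whether any extension is still pointed at an outside number after the cleanup.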

If you are not sure what other damage might have been inflicted onto your PBX, just download an ISO and start from scratch.


If yours is an office switchboard, you can close everything with iptables and allow traffic only to the operator offering the trunks.
