Hacker has gained access, forwarded all ext to a ph# - How to close hole?


(Answerphone, Inc ) #1

We had someone call in over the weekend and somehow gain access to the phone system, and they were able to forward all our extensions to 301-4XX-4XXX using what appears to be Zulu and feature codes.

I think I figured it out and semi-patched the hole. In my findings, a hacker could simply press * in an IVR and access the *2 and ## feature codes and transfer around, or forward lines, so I disabled those codes. We also had trunk mode T in advanced options. I took that out. Lastly, I was able to go into the asterisk CLI and remove the forwarding of the extensions via "database del CF (EXT#)".

I have a feeling that back door is still open. Suggestions going forward? Appreciate any feedback.
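As an added example (not code from this thread, from FreePBX or from Asterisk), a small shell audit of the astdb CF family that the first post cleaned up by hand: it reads the output of `database show CF`, flags every extension forwarded to something that does not look like a local extension, and prints the matching `database del` commands for review. The sample output, the 555 numbers and the 4-digit extension length are assumptions.

```shell
# Added example: audit Asterisk's astdb "CF" (unconditional call
# forward) family for entries that point off-switch and emit the
# cleanup commands the thread used. Local extensions are assumed to be
# short all-digit strings (EXT_MAXLEN digits or fewer); adjust for your
# dial plan.
EXT_MAXLEN=${EXT_MAXLEN:-4}

# Read "database show CF" output on stdin; print "ext target" for every
# entry whose target is not a local extension.
suspicious_forwards() {
    awk -v maxlen="$EXT_MAXLEN" '
        # Data lines look like:  /CF/1001        : 3015550100
        $1 ~ /^\/CF\// {
            ext = substr($1, 5)        # drop the leading "/CF/"
            target = $NF
            # Short all-digit targets are internal forwards; skip them.
            if (target ~ /^[0-9]+$/ && length(target) <= maxlen) next
            print ext, target
        }'
}

# Turn the audit output into the CLI commands that undo the forwarding.
# They are printed rather than executed so they can be reviewed first.
cleanup_commands() {
    suspicious_forwards | awk '{ printf "database del CF %s\n", $1 }'
}

# Constructed sample of what `asterisk -rx "database show CF"` returns
# after an incident like the one described above (555 numbers are fake).
SAMPLE='/CF/1001                                          : 3015550100
/CF/1002                                          : 3015550101
/CF/1003                                          : 1002
3 results found.'

# Live use on the PBX:
#   asterisk -rx "database show CF" | suspicious_forwards
printf '%s\n' "$SAMPLE" | suspicious_forwards
printf '%s\n' "$SAMPLE" | cleanup_commands
```

Review the printed list before pasting the `database del` lines into the Asterisk CLI, since a legitimate forward to an outside number would be flagged too.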


#2

If you are not sure what other damage might have been inflicted onto your PBX, just download an ISO and start from scratch.


(Claudio Pelosi) #3

If yours is an office switchboard, you can close everything with iptables and allow traffic only to the operator offering the trunks.

