I recently had someone exploit our FreePBX to make international calls, lots of them, and also tons of LD calls… they all originated from our (2) conference room phones, which are Yealink CP960’s. I don’t think anything is wrong with the units themselves, but how would this hacking have occurred? I have the passwords and secrets auto generated, yet somehow both of these extensions were exploited.
You need to determine what IP was registered to the extension credentials at the time of the calls. Registrations will be logged in /var/log/asterisk/full* and will be a different string depending if they are chan_sip or pjsip extensions.
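The lookup described in the reply above, as an added example that is not part of the original post: it pulls every successful registration for one extension out of the Asterisk full log and lists the source addresses. The function names (`sample_log`, `reg_history`, `reg_ips`) are hypothetical, the sample lines are constructed, and the two log-line formats are assumed from stock Asterisk verbose messages (IPv4 only), so check them against your own log first.

```shell
#!/bin/sh
# Added example. Log line formats below are assumed from stock Asterisk
# verbose output (IPv4 only); confirm them against your own "full" log.

# sample_log: constructed log lines (documentation addresses) for a dry run.
sample_log() {
cat <<'EOF'
[2021-03-04 02:11:09] VERBOSE[2411] chan_sip.c:     -- Registered SIP '8001' at 203.0.113.45:5060
[2021-03-04 02:11:40] NOTICE[2411] chan_sip.c: Registration from '<sip:8001@pbx.example>' failed for '198.51.100.7:5071' - Wrong password
[2021-03-04 08:30:02] VERBOSE[2411] chan_sip.c:     -- Registered SIP '8001' at 192.0.2.10:5060
[2021-03-04 08:31:15] VERBOSE[3120] res_pjsip_registrar.c:     -- Added contact 'sip:8002@203.0.113.45:5062;transport=udp' to AOR '8002' with expiration 3600
EOF
}

# reg_history EXT FILE...: one "timestamp<TAB>driver<TAB>ip" row per
# successful registration of extension EXT (failed attempts are skipped).
reg_history() {
    ext=$1; shift
    awk -v ext="$ext" -v q="'" '
        # Split on the quote character: quoted fields hold extension and address.
        { n = split($0, f, q); ts = substr($0, 2, 19) }
        # chan_sip: Registered SIP <ext> at <ip>:<port>
        /chan_sip\.c:.*Registered SIP / && n >= 3 && f[2] == ext {
            ip = f[3]; sub(/^ at /, "", ip); sub(/:[0-9]+[ \t]*$/, "", ip)
            print ts "\tchan_sip\t" ip
        }
        # pjsip: Added contact <uri> to AOR <ext> with expiration <n>
        /Added contact .* to AOR / && n >= 5 && f[4] == ext {
            ip = f[2]; sub(/^sips?:/, "", ip); sub(/^[^@]*@/, "", ip)
            sub(/[:;].*$/, "", ip)
            print ts "\tpjsip\t" ip
        }
    ' "$@"
}

# reg_ips EXT FILE...: the distinct addresses that registered as EXT.
reg_ips() {
    reg_history "$@" | cut -f3 | sort -u
}

# Usage: sh reg_history.sh 8001 /var/log/asterisk/full*
if [ "$#" -ge 2 ]; then reg_history "$@"; fi
```

Compare the timestamps against the call records for the fraudulent calls; an address that is not the phone's own network points to stolen credentials. For pjsip the address comes from the contact URI, which behind NAT is only the real source address when rewrite_contact is enabled on the endpoint.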
Autogenerated. No upper case letters. No special characters. The same length for every password. Need to lock down your firewall a bit. Lots of posts here about security.
Future versions of FreePBX ideally should include special characters and uppercase.