I have an Asterisk server running FreePBX that has a really weird problem. I am trying to decide if I have been hacked or whether there is some other thing that could be causing the issue.
I have two outbound routes and a few weeks ago the main route that I used would just automatically keep deleting itself. I would add it again but a few minutes to hours later it would be gone. I had been giving it the same name every time, so I finally tried giving it a different name, then it stayed. Now a few weeks later the route has changed itself again. This time it has added dial patterns for international calls, calls prepended with 9, and 12. calls.
I know that this obviously looks like a hack, however, I can never find any other thing that appears to be changed. How do hackers usually behave when they get into the machine? Is there some exploit that they could only change the outbound routes but not access everything? Are there any logs that I should be checking for suspicious activity? The call logs do not show anything unusual.
My next question is, in the event that I have been hacked, what should I do about it? Change passwords? Reinstall? If I reinstall how do I migrate the settings?
Thanks for your help and insight.