How To Tell When You Have Been Hacked and What To Do About It

I have an Asterisk server running FreePBX that has a really weird problem. I am trying to decide if I have been hacked or whether there is some other thing that could be causing the issue.

I have two outbound routes and a few weeks ago the main route that I used would just automatically keep deleting itself. I would add it again but a few minutes to hours later it would be gone. I had been giving it the same name every time, so I finally tried giving it a different name, then it stayed. Now a few weeks later the route has changed itself again. This time it has added dial patterns for international calls, calls prepended with 9, and 12. calls.

I know that this obviously looks like a hack, however, I can never find any other thing that appears to be changed. How do hackers usually behave when they get into the machine? Is there some exploit that they could only change the outbound routes but not access everything? Are there any logs that I should be checking for suspicious activity? The call logs do not show anything unusual.

My next question is, in the event that I have been hacked, what should I do about it? Change passwords? Reinstall? If I reinstall how do I migrate the settings?

Thanks for your help and insight.
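One concrete thing to check, as an added example that is not part of the thread: audit the outbound-route dial patterns against a known-good snapshot and flag the kinds of entries described above (international prefixes, a stripped 9 prefix, a short fixed prefix followed by a wildcard). The pattern syntax is FreePBX's own; the baseline list and the "after tampering" list are constructed sample data, assumed to have been copied out of the Outbound Routes page.

```python
"""Audit FreePBX outbound-route dial patterns for tampering and toll-fraud exposure."""
import re

# FreePBX pattern syntax (as in the Outbound Routes GUI):  [prefix|]match_pattern
#   X = any digit 0-9, Z = 1-9, N = 2-9, . = one or more of anything, ! = zero or more.
# International dialling prefixes (constructed list for a NANP deployment; adjust per region).
INTL_PREFIXES = ("011", "00", "+")

def split_pattern(pattern: str) -> tuple[str, str]:
    """Return (prefix, match) from 'prefix|match'; prefix digits are stripped before dialling."""
    prefix, sep, match = pattern.partition("|")
    return (prefix, match) if sep else ("", prefix)

def fixed_leading_digits(match: str) -> int:
    """Count literal digits before the first wildcard or class character."""
    return len(re.match(r"[0-9+]*", match).group(0))

def classify(pattern: str) -> list[str]:
    """Return the risk flags for one dial pattern (empty list = looks ordinary)."""
    prefix, match = split_pattern(pattern)
    flags = []
    if match.startswith(INTL_PREFIXES):
        flags.append("international-prefix")
    # A wildcard after only a few fixed digits matches nearly any destination,
    # which is what opens a route to premium or international numbers.
    if ("." in match or "!" in match) and fixed_leading_digits(match) < 7:
        flags.append("open-wildcard")
    if prefix:
        # A stripped prefix such as '9|.' lets a caller dial 9 and then anything.
        flags.append("prefix-strip")
    return flags

def audit(baseline: list[str], current: list[str]) -> dict:
    """Diff the live pattern set against a known-good snapshot and flag risky entries."""
    base, live = set(baseline), set(current)
    return {
        "added": sorted(live - base),
        "removed": sorted(base - live),
        "risky": {p: classify(p) for p in sorted(live) if classify(p)},
    }

# Constructed sample: a known-good snapshot, and the route as found after the unexplained changes.
BASELINE = ["NXXNXXXXXX", "1NXXNXXXXXX"]
CURRENT = ["NXXNXXXXXX", "1NXXNXXXXXX", "011.", "9|.", "12."]

if __name__ == "__main__":
    for key, value in audit(BASELINE, CURRENT).items():
        print(f"{key}: {value}")
```

Running the snapshot comparison from cron and alerting on any non-empty "added" or "removed" set turns the "route keeps changing itself" symptom into a logged event with a timestamp.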

Our advice never changes -

1 - Reinstall if hacked
2 - Don’t expose the machine to the Internet in the first place.

With VPN technology there is no reason to expose a machine to the Internet.

You should quickly change the SIP credentials at your trunk provider(s). If someone has been in your FreePBX interface all they need to do is look at your provider information then they can bypass your box and go directly through your account on the trunk provider, if there’s no IP access list in place that would otherwise prevent it. You’ve probably already had your account(s) used heavily or drained if you’re pre-paid.

Then rebuild your PBX.

I agree.

  1. Immediately disconnect that machine from the internet.

  2. Immediately change all passwords on all your VOIP Trunks.

  3. Before you reconnect that machine to the internet, reformat the hard drive and start a new installation.

Never put a VOIP PBX directly on the internet. Put it behind a hardware based router and DO NOT FORWARD ANY PORTS. If you need remote access, use a hardware based VPN, such as the Cisco RV042 series of routers.