I’ve been hacked! Macro [thanku-outcall]; thankuohoh

Checking the dialplan and came across the following context below:

[thanku-outcall]; thankuohoh
exten => _.,1,Macro(user-callerid,LIMIT,EXTERNAL,); thankuohoh
exten => _.,n,Set(MOHCLASS=${IF($["${MOHCLASS}"=""]?default:${MOHCLASS})}); thankuohoh
exten => _.,n,Set(_NODEST=); thankuohoh
exten => _.,n,Macro(dialout-trunk,2,${EXTEN},on); thankuohoh
exten => _.,n,Macro(outisbusy,); thankuohoh

in which file is this?

In extensions_custom.conf

In cdr reports:

2016-01-21 00:08:47 1453342127.4 Dial 000201100022435 FAILED 00:30
2016-01-21 00:08:42 1453342122.1 XXXXXXXX Dial 00201100022435 ANSWERED 00:02


Could you please give more information on your installation?

  • Which version of FreePBX do you have?
  • Is this the distro, if so which version?

Googling for “thankuohoh” gives results mentionning an a2billing vulnerability in Elastix(http://bugs.elastix.org/view.php?id=2169) and a unpatched “asterisk recordings interface” (A security problem: false calls from within the system).

Good luck and have a nice day!


FreePBX without A2Billing, doors open to the Internet 22 and 80.

asterisk -vvvvvvvvvvr
Asterisk 11.21.0, Copyright © 1999 - 2013 Digium, Inc. and others.

We would have to see the version you are running of FreePBX ARI Framework and if it’s installed under /recordings


How old is that installation?

Could it possibly have had that in extensions_custom.conf for quite a while?

(ie before the vulnerability was patched?)

Good luck and have a nice day!


Here’s the thing though. For FreePBX ARI Framework “disabled” does nothing. It would have to be uninstalled. Which is what you should do if you aren’t using it.


A year and extensions_custom was modified on 19 January.

Please wait while module actions are performed

Uninstalling fw_ari
fw_ari uninstalled successfully

You probably want to do more then uninstall it as I don’t think that will actually remove the code in the web directory. I haven’t looked at the old ARI in a very long time, but I believe the next steps you’ll want to do are:

  • either use module_admin from the command line with the delete option (do a help to see the options), or go into the /var/www/html/admin/modules directory and delete the subdirectory
  • remove the /var/www/html/recordings directory where it used to be stored.

Go to a backup before doing any of this to make sure you can recover if you delete something wrong.

As of version 12.0.4 yes we allow uninstalling and it removes the directories.

The directory / var / www / html / admin / modules / fw_ari persists after uninstall GUI, I can remove it with rm or is there a way to remove the amportal?

fwconsole ma remove fw_ari

There is no fwconsole in version 12!

Easy. Replace the word “fwconsole” with “amportal a”

amportal a ma remove fw_ari

amportal a ma delete fw_ari

Fetching FreePBX settings with gen_amp_conf.php…

Module fw_ari successfully deleted

You might want to look at if you want to keep these ports open to the internet at all. Do you have them source restricted to only the IP addresses you are accessing your PBX from?
Close these ports on your firewall and run a VPN server that allows you to connect to your network in a much more secure fashion.

1 Like

This is a good article on keeping your FREEPBX secure:


Quoting the author:
“Our rule of thumb on Internet web accessibility to any Asterisk PBX goes like this. Don’t! And, for FreePBX web access from the Internet. Never! If the bad guys ever get into FreePBX, the security of your PBX has been compromised… permanently! This means you need to start over with all-new passwords and install a fresh system. You can’t fix every possible hole that has been opened on a FreePBX-compromised system!”

Now this might apply or not 100% apply to your case, but it’s definitely a worthwhile read.