International calls being placed from PBX

I received an email from Iristel earlier this morning advising that one of our systems was making suspicious calls to Sierra Leone. After checking a few things, I confirmed that they were right. I searched high and low to try and determine the cause.

So far, I’ve found the following

Calls were initiated 2 separate ways
1 - Via extension 1000 which isn’t even registered. It’s a Cisco ATA for faxing however it’s offline. There is an inbound route that goes directly to this fax but it won’t work right now due to it not being registered.
2 - Via a number that is setup as an inbound route with a destination that goes to an announcement which then goes to a voicemail blast.

I was going to try to call the 2 DID’s however Iristel has blocked them and their Support department is MIA to re-enable them at the moment. My plan was to try *2 and ## to see if it allows me to forward calls elsewhere.

Under Advanced Options, I have the following default settings
Asterisk Dial Options : Ttr
Asterisk Outbound Trunk Dial Options: T

I am trying to determine how the hacker/person managed to redirect a call internationally by calling into this fax number.

Here is a screen shot of one of the call details via extension 1000

Any help would be appreciated.


looks to me like they connected to your server with an extension 1000 and guessed its password change the password for extension 1000 and if you dont have remote phones lock down your internet port forwarding to only allow calls from your sip providers.

5060 has been secured just to SIP providers already (earlier today) as it was previously opened by a tech (tsk tsk tsk)

I don’t see a registration for ext 1000 nor do I think they would have guessed the password as it’s a 32 character randomly generated password with numbers and letters. Fail2ban is also enabled

Iristel just got back to me and re-enabled the DIDs

I just tried pressing *2 and ## when calling in to those numbers and it didn’t let me fwd calls elsewhere…

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.