I received an email from Iristel earlier this morning advising that one of our systems was making suspicious calls to Sierra Leone. After checking a few things, I confirmed that they were right. I searched high and low to try and determine the cause.
So far, I’ve found the following:
Calls were initiated 2 separate ways:
1 - Via extension 1000, which isn’t even registered. It’s a Cisco ATA for faxing; however, it’s offline. There is an inbound route that goes directly to this fax, but it won’t work right now due to it not being registered.
2 - Via a number that is set up as an inbound route with a destination that goes to an announcement, which then goes to a voicemail blast.
I was going to try to call the 2 DIDs; however, Iristel has blocked them and their Support department is MIA to re-enable them at the moment. My plan was to try *2 and ## to see if it allows me to forward calls elsewhere.
Under Advanced Options, I have the following default settings:
Asterisk Dial Options: Ttr
Asterisk Outbound Trunk Dial Options: T
I am trying to determine how the hacker/person managed to redirect a call internationally by calling into this fax number.
Here is a screenshot of one of the call details via extension 1000:
Any help would be appreciated.
Thanks!