Mystery 'freepbx' user created in newly hacked system?

I’m familiar with the Zizo and injector users that previous hacks have utilized as admin but I have a recent system, installed 2-3 months ago, so well after the August 2016 hack and I’ve found a mystery admin user - freepbx. The user created an outbound route and input 011 in both the prepend and prefix. Then proceeded to make international calls on a single day and then stopped Odd. They also created extensions. Has anyone else seen this new user?

Your first steps:

  1. Change root password just in case -
  2. Block all untrusted access to the Admin gui port and ssh port
  3. run fwconsole validate --clean from bash
  4. carefully look through your extensions and trunks for any altered info. You need to assume your SIP secrets have been exposed.
1 Like

Ok. We have taken care of steps 1 and 2. We’ll work on 3 and 4.

Is there any way to trace when this ‘freepbx’ user was created? It would have been over a month ago so not sure if any logfiles exist.