PBX hacked with plenty of foreign numbers outbound calls


I am trying to understand how someone could dial out to foreign numbers from our FreePBX.

The logfile has entries of this kind:

pbx.c: Executing [[email protected]:1] Macro("Local/[email protected];2", "user-callerid,LIMIT,EXTERNAL,") in new stack

Dialing out from legit extensions would normally state the extension number, like this:
pbx.c: Executing [[email protected]:1] Macro("PJSIP/2098-00000000", "user-callerid,LIMIT,EXTERNAL,") in new stack

How can I find out where the attack came from? Our PBX is externally reachable via UDP 5060 and nothing else.

Edit: The PBX is also externally reachable on port 80 (HTTP) because of Let's Encrypt.

You need to look back in the logs to find out what created the Local channel. It could be:

  • a Dial() issued by the real culprit channel;
  • a Queue() issued by the real culprit channel;
  • a (blind) transfer initiated by the real culprit;
  • an AGI script run from the real culprit channel;
  • AMI, through compromised port 5038 access;
  • a call file, from a completely compromised server.

In some of these cases the local channel will optimise out when the call is answered, leaving the culprit channel exposed.

Also, note that the current advice is to never expose port 5060, or any other commonly used SIP port, but rather change that to one you have chosen randomly, unless your ITSP doesn’t allow this, in which case you first change the ITSP.

Thanks for your quick response. For which patterns do I have to look in the logs? Is it the “Spawn extension” part?

Anything referring to a Local channel, and what precedes it.

Found something like this:

[C-00000026] pbx.c: Executing [[email protected]:24] AGI("Local/[email protected];2", "agi://") in new stack

[C-00000026] res_agi.c: <Local/[email protected];2>AGI Script agi:// completed, returning 0

Seems like I have to work through the documentation to see whether our PBX needs those AGI functions or not. Is it possible to block those external requests via firewall rules?

Please post the output of:

grep C-00000026 /var/log/asterisk/full* | pastebin

Source: Providing Great Debug - Support Services - Documentation
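
The triage advised in the replies above (group the log by call ID, find anything referring to a Local channel, and see what precedes it), as an added example that is not part of the original thread. The log lines are constructed in the Asterisk full-log layout; the context name, numbers and AGI URL are placeholders, and treating the last channel seen before the first Local channel as the originator is a heuristic assumption.

```python
import re

# Constructed sample lines (not from the poster's PBX); "example-ctx", the
# dialed numbers and "agi://placeholder" are made-up placeholder values.
SAMPLE_LOG = """\
[2024-01-01 03:10:01] VERBOSE[2101][C-00000026] pbx.c: Executing [s@example-ctx:24] AGI("Local/900@example-ctx-00000003;2", "agi://placeholder") in new stack
[2024-01-01 03:10:01] VERBOSE[2101][C-00000026] res_agi.c: <Local/900@example-ctx-00000003;2>AGI Script agi://placeholder completed, returning 0
[2024-01-01 03:10:02] VERBOSE[2101][C-00000026] pbx.c: Executing [0099900000@example-ctx:1] Macro("Local/0099900000@example-ctx-00000004;2", "user-callerid,LIMIT,EXTERNAL,") in new stack
[2024-01-01 09:00:00] VERBOSE[2200][C-00000027] pbx.c: Executing [0099900001@example-ctx:1] Macro("PJSIP/2098-00000000", "user-callerid,LIMIT,EXTERNAL,") in new stack
[2024-01-01 09:30:00] VERBOSE[2300][C-00000028] pbx.c: Executing [700@example-ctx:1] Dial("PJSIP/2098-00000001", "Local/0099900002@example-ctx") in new stack
[2024-01-01 09:30:00] VERBOSE[2301][C-00000028] pbx.c: Executing [0099900002@example-ctx:1] Macro("Local/0099900002@example-ctx-00000005;2", "user-callerid,LIMIT,EXTERNAL,") in new stack
"""

# Captures: call ID, exten@context:priority, application, channel, arguments.
EXEC = re.compile(
    r'\[(C-[0-9a-fA-F]+)\] pbx\.c: Executing \[([^\]]+)\] '
    r'(\w+)\("([^"]+)", "(.*)"\) in new stack')

def triage(log_text):
    """Report every call ID in which a Local channel executed dialplan."""
    calls = {}
    for line in log_text.splitlines():
        m = EXEC.search(line)
        if m:
            call_id, where, app, channel, args = m.groups()
            calls.setdefault(call_id, []).append((where, app, channel, args))
    reports = {}
    for call_id, steps in calls.items():
        is_local = [s[2].startswith("Local/") for s in steps]
        if not any(is_local):
            continue  # call placed directly by an endpoint channel
        first = is_local.index(True)
        reports[call_id] = {
            # Channel logged just before the first Local channel (heuristic).
            "origin": steps[first - 1][2] if first else None,
            "local_steps": [s[0] for s, loc in zip(steps, is_local) if loc],
            "agi": [s[3] for s, loc in zip(steps, is_local)
                    if loc and s[1] == "AGI"],
        }
    return reports

if __name__ == "__main__":
    for cid, r in triage(SAMPLE_LOG).items():
        print(cid, "origin:", r["origin"] or "none in this call ID",
              "| AGI from Local:", r["agi"] or "no")
```

An `origin` of `None` means no endpoint channel appears before the Local channel in that call ID, so the other sources listed earlier in the thread (AMI, call files, AGI) are the next places to look.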

I have updated our PBX this morning. The restapps version was I think there is no further research necessary. I have secured outbound calls to foreign numbers with a PIN as well and will reconsider if it is actually necessary that our PBX is publicly reachable.

Thanks a lot for the quick help and responses!

I personally think that you should destroy that PBX and restore from the last good backup.

Your entire server may be compromised.


Ok, seems like the best idea then. Thanks for your advice.

+1 for this.

After a compromise, the ONLY proper solution is to nuke-and-pave.


Had exactly the same issue. Luckily our provider blocked the calls so no costs incurred :sweat_smile:

Nuke & restore from latest Backup was also our course of action. Then we upgraded all Modules to the latest version before allowing Access from the Internet again. Also enabled the Responsive Firewall to only allow HTTP Access after SIP is connected :crossed_fingers:
