Sangoma Appliance Hacked?


A friend of mine had a Sangoma FreePBX appliance installed that, whilst it is working fine, has seen some strange attempted calling behaviour in/around 1am GMT every morning - as though a script is running. The responsive firewall is all set up and for all intents and purposes it is fine apart from this issue.
Fortunately, as a second line of defence, the maximum per minute call rate has been set with the provider at US$ 4 cents - so every day (for a few days now) you will see a string of “over max rate” logs of all the attempted calls.
I had read somewhere that Sangoma was compromised? - note this appliance is registered on their portal - so could it be a case that it has been hacked via a back door and thus bypassing the firewall? And, if so, is it simply a question of applying some patch or finding/deleting this script?
I’m not overly Linux friendly but I’m happy enough to SSH into the box and follow an instruction or two.

Suggestions kindly welcome.

We have no known security issues (none recent even). As long as your system is up to date there should be nothing known.

You may send relevant logs for the times listed to [email protected]

Thanks for that. Will log into it and take a screenshot of the strange activity and send on.


Check for weak passwords? Run Reports, Check for Weak Passwords.

Was your default root account password changed from the factory install?


No weak passwords were detected, and yes, the default password was changed.

Thanks for the suggestions.

Settings >> SIP Settings

Allow Anonymous Inbound SIP Calls should be set to No.