SONA Attack/hack

Recently all 10 of my FreePBX’s have been hacked by what I’m calling sona. What they are doing is using config.php to send mysql commands and wipe out all of the administrator username/passwords and then they put their own in. This potentially can lock you out of the box, but SSH is still possible since they don’t change the root password. The usernames that I have seen them make are: sona, f4ris_qw24, and Matrix (douche thinks he’s neo or something)… Not sure if this qualifies for a bug/feature report but if you can alter the config.php file you can prevent them from doing this to your boxes.

Thank you! I was looking all over for something like this.