Suspicious of System Compromise

I’m not certain yet. But I’m getting suspicious of a compromise. Yesterday morning our phone system rebooted itself out of the blue. It had never done that before. When it came back up, the reboot wreaked all sorts of havoc on the queues and which members it thought were actually online.

Now this morning, local outbound calls work but long-distance calls don’t, and inbound calls only work from outside the company. We think that this is our PRI provider and not a system problem, but I’m suspicious.

Is there a write-up anywhere of all of the places I should be looking in the systems for signs of a compromise? What things might I find if I have been compromised?

The primary reason a PBX is attacked is for toll fraud. Your first question is: are calls being made (or attempted) to expensive international destinations? If so, your suspicion is confirmed.

Some quick checks:

  1. Check your PBX CDRs and your provider’s records for outbound calls to international destinations.
  2. Check the contents of files in /etc/asterisk/; any filename ending in custom.conf or custom_post.conf should be empty unless you put something there yourself (or the person who set the system up did).
  3. If you are running FreePBX 12+, look for dashboard errors about unsigned modules or modified modules.
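Checks 1 and 2 above can be scripted. The following is an added example, not code from the original thread or from the Asterisk/FreePBX projects: it parses CDR rows in the default cdr_csv Master.csv column order (an assumption; adjust `CDR_FIELDS` if your build differs), counts international destinations from a NANP (US/CA) dial plan including failed attempts, and lists custom.conf / custom_post.conf files that contain anything beyond comments. The CDR rows and the UK numbers in them are constructed sample data.

```python
import csv
import io
import re
from collections import Counter
from pathlib import Path

# Assumed default column order of Asterisk's cdr_csv Master.csv.
CDR_FIELDS = ["accountcode", "src", "dst", "dcontext", "clid", "channel",
              "dstchannel", "lastapp", "lastdata", "start", "answer", "end",
              "duration", "billsec", "disposition", "amaflags", "uniqueid",
              "userfield"]

# International from a NANP PBX: 011 + country code, or E.164 with a country
# code other than 1. Adjust for other dial plans.
INTL_RE = re.compile(r"^(?:011\d+|\+(?!1)\d+)$")

# Constructed sample: one local call, three international (two to the same
# number, one of them FAILED), one +1 number that must not be flagged.
SAMPLE_CDR = """\
"","1001","5551234567","from-internal","Alice <1001>","SIP/1001-0000001a","SIP/trunk-0000001b","Dial","SIP/trunk/5551234567","2024-05-01 09:00:01","2024-05-01 09:00:05","2024-05-01 09:02:10","129","125","ANSWERED","3","1714554001.26",""
"","1001","011447700900123","from-internal","Alice <1001>","SIP/1001-0000001c","SIP/trunk-0000001d","Dial","SIP/trunk/011447700900123","2024-05-01 02:13:07","","2024-05-01 02:13:09","2","0","FAILED","3","1714529587.28",""
"","1001","011447700900123","from-internal","Alice <1001>","SIP/1001-0000001e","SIP/trunk-0000001f","Dial","SIP/trunk/011447700900123","2024-05-01 02:13:40","2024-05-01 02:13:45","2024-05-01 02:41:12","1652","1647","ANSWERED","3","1714529620.30",""
"","2002","+447700900456","from-internal","Bob <2002>","SIP/2002-00000020","SIP/trunk-00000021","Dial","SIP/trunk/+447700900456","2024-05-01 03:02:11","","2024-05-01 03:02:30","19","0","NO ANSWER","3","1714532531.32",""
"","2002","+15555550100","from-internal","Bob <2002>","SIP/2002-00000022","SIP/trunk-00000023","Dial","SIP/trunk/+15555550100","2024-05-01 10:15:00","2024-05-01 10:15:03","2024-05-01 10:16:00","60","57","ANSWERED","3","1714558500.34",""
"""

def flag_international(cdr_text):
    """Return {dst: attempts} for rows whose dialed number looks international.
    Attempts are counted regardless of disposition: a burst of FAILED calls
    is an early sign of someone probing the trunk."""
    counts = Counter()
    for row in csv.DictReader(io.StringIO(cdr_text), fieldnames=CDR_FIELDS):
        dst = (row["dst"] or "").strip()
        if INTL_RE.match(dst):
            counts[dst] += 1
    return dict(counts)

def conf_has_content(text):
    """True if a config body holds anything but blank lines and ';' comments."""
    return any(ln.strip() and not ln.lstrip().startswith(";")
               for ln in text.splitlines())

def nonempty_custom_confs(conf_dir="/etc/asterisk"):
    """List custom.conf / custom_post.conf files that are not effectively empty."""
    d = Path(conf_dir)
    files = list(d.glob("*custom.conf")) + list(d.glob("*custom_post.conf"))
    return sorted(str(p) for p in files
                  if conf_has_content(p.read_text(errors="replace")))

if __name__ == "__main__":
    print("international destinations:", flag_international(SAMPLE_CDR))
    print("custom confs with content:", nonempty_custom_confs())
```

Run it on the real Master.csv with `flag_international(Path("/var/log/asterisk/cdr-csv/Master.csv").read_text())` and compare the destinations against what your provider's records show.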