System Compromised Need Help

FreePBX Security
1

Hello everyone,

FreePBX 15.0.17.67. It has been compromised. Few days ago we had a warning that Freepbx Framework is tampered. We reinstalled the framework and refreshed the signatures thinking it was to do with module update. Last night we had a raft of calls made from our pbx from the wait application. We have the ssh port bound to only a single static IP and no guest or anonymous access enabled. Last SSH login attempts only show our IP addresses.

Blockquote
calldate,clid,src,dst,dcontext,channel,dstchannel,lastapp,lastdata,duration,billsec,disposition,amaflags,accountcode,uniqueid,userfield,did,cnum,cnam,outbound_cnum,outbound_cnam,dst_cnam,recordingfile,linkedid,peeraccount,sequence
“2022-01-23 02:58:42”,“”“”" <00261326783406>“,00261326783406,00261326783406,asterisk-outcalls,Local/00261326783406@asterisk-outcalls-00004c05;1,Wait,1900,29,27,ANSWERED,3,1642906722.226079,1642906722.226079,272457
“2022-01-23 02:58:39”,”“”“” <00261326783407>“,00261326783407,00261326783407,asterisk-outcalls,Local/00261326783407@asterisk-outcalls-00004c04;1,Wait,1900,29,27,ANSWERED,3,1642906719.226074,1642906719.226074,272450
“2022-01-23 02:58:05”,”“”“” <00261326783408>“,00261326783408,00261326783408,asterisk-outcalls,Local/00261326783408@asterisk-outcalls-00004bf9;1,Wait,1900,30,27,ANSWERED,3,1642906685.226001,1642906685.226001,272328
…
“2022-01-23 02:56:47”,”“”“” <00261326783400>“,00261326783400,00261326783400,asterisk-outcalls,Local/00261326783400@asterisk-outcalls-00004bdf;1,Wait,1900,37,27,ANSWERED,3,1642906607.225837,1642906607.225837,272060
“2022-01-23 02:55:42”,”“”“” <0025772337768>“,0025772337768,0025772337768,asterisk-outcalls,Local/0025772337768@asterisk-outcalls-00004bde;1,Wait,10,19,10,ANSWERED,3,1642906542.225832,1642906542.225832,272053
“2022-01-23 02:55:07”,”“”“” <994501632632>“,994501632632,994501632632,asterisk-outcalls,Local/994501632632@asterisk-outcalls-00004bdb;1,Wait,5,15,5,ANSWERED,3,1642906507.225813,1642906507.225813,272023
“2022-01-23 02:55:02”,”“”“” <9609155043>“,9609155043,9609155043,asterisk-outcalls,Local/9609155043@asterisk-outcalls-00004bd7;1,Wait,5,11,5,ANSWERED,3,1642906502.225787,1642906502.225787,271977
“2022-01-23 02:54:40”,”“”“” <79549979046>“,79549979046,79549979046,asterisk-outcalls,Local/79549979046@asterisk-outcalls-00004bc1;1,Wait,5,7,5,ANSWERED,3,1642906480.225633,1642906480.225633,271714
“2022-01-23 02:53:56”,”“”“” <41799792580>“,41799792580,41799792580,asterisk-outcalls,Local/41799792580@asterisk-outcalls-00004b98;1,Wait,5,13,5,ANSWERED,3,1642906436.225358,1642906436.225358,271246
“2022-01-23 02:53:43”,”“”“” <375334799479>“,375334799479,375334799479,asterisk-outcalls,Local/375334799479@asterisk-outcalls-00004b8b;1,Wait,5,12,5,ANSWERED,3,1642906423.225274,1642906423.225274,271110
“2022-01-23 02:53:35”,”“”“” <375255573274>“,375255573274,375255573274,asterisk-outcalls,Local/375255573274@asterisk-outcalls-00004b83;1,Wait,5,7,5,ANSWERED,3,1642906415.225227,1642906415.225227,271036
“2022-01-23 02:53:21”,”“”“” <37069753956>“,37069753956,37069753956,asterisk-outcalls,Local/37069753956@asterisk-outcalls-00004b76;1,Wait,5,12,5,ANSWERED,3,1642906401.225150,1642906401.225150,270915
“2022-01-23 02:53:09”,”“”“” <37066541080>",37066541080,37066541080,asterisk-outcalls,Local/37066541080@asterisk-outcalls-00004b6b;1,Wait,5,12,5,ANSWERED,3,1642906389.225078,1642906389.225078,270791
…

Blockquote

Access log is empty

Looking at the asterisk full log we notice that the attach starts with a remote unix connection and then global variables are set followed by call attempts which are in the next post.

2

Blockquote
02:47:37] VERBOSE[32329][C-00020173] pbx.c: Executing [00201112888686@asterisk-outcalls:1] Macro(“Local/00201112888686@asterisk-outcalls-00004a9d;2”, “user-callerid,LIMIT,EXTERNAL,”) in new stack
[2022-01-23 02:47:37] VERBOSE[32330] asterisk.c: Remote UNIX connection disconnected
[2022-01-23 02:47:37] VERBOSE[2959] asterisk.c: Remote UNIX connection
[2022-01-23 02:47:37] VERBOSE[32329][C-00020173] pbx.c: Executing [s@macro-user-callerid:1] Set(“Local/00201112888686@asterisk-outcalls-00004a9d;2”, “TOUCH_MONITOR=1642906057.223703”) in new stack
[2022-01-23 02:47:37] VERBOSE[32331] dial.c: Called 011201112888686@asterisk-outcalls
[2022-01-23 02:47:37] VERBOSE[32333] asterisk.c: Remote UNIX connection disconnected
[2022-01-23 02:47:37] VERBOSE[2959] asterisk.c: Remote UNIX connection
[2022-01-23 02:47:37] VERBOSE[32335] dial.c: Called 201112888686@asterisk-outcalls
[2022-01-23 02:47:37] VERBOSE[32337] asterisk.c: Remote UNIX connection disconnected
[2022-01-23 02:47:37] VERBOSE[32338][C-00020175] pbx.c: Executing [201112888686@asterisk-outcalls:1] Macro(“Local/201112888686@asterisk-outcalls-00004a9f;2”, “user-callerid,LIMIT,EXTERNAL,”) in new stack
[2022-01-23 02:47:37] VERBOSE[32338][C-00020175] pbx.c: Executing [s@macro-user-callerid:1] Set(“Local/201112888686@asterisk-outcalls-00004a9f;2”, “TOUCH_MONITOR=1642906057.223707”) in new stack
[2022-01-23 02:47:37] VERBOSE[2959] asterisk.c: Remote UNIX connection
[2022-01-23 02:47:37] VERBOSE[32334][C-00020174] pbx.c: Executing [011201112888686@asterisk-outcalls:1] Macro(“Local/011201112888686@asterisk-outcalls-00004a9e;2”, “user-callerid,LIMIT,EXTERNAL,”) in new stack
[2022-01-23 02:47:37] VERBOSE[32339] dial.c: Called 810201112888686@asterisk-outcalls
[2022-01-23 02:47:37] VERBOSE[32334][C-00020174] pbx.c: Executing [s@macro-user-callerid:4] Set(“Local/011201112888686@asterisk-outcalls-00004a9e;2”, “CHANEXTENCONTEXT=011201112888686@asterisk-outcalls-00004a9e;2”) in new stack
[2022-01-23 02:47:37] VERBOSE[32334][C-00020174] pbx.c: Executing [s@macro-user-callerid:5] Set(“Local/011201112888686@asterisk-outcalls-00004a9e;2”, “CHANEXTEN=011201112888686”) in new stack
[2022-01-23 02:47:37] VERBOSE[32329][C-00020173] pbx.c: Executing [s@macro-user-callerid:2] Set(“Local/00201112888686@asterisk-outcalls-00004a9d;2”, “CHANCONTEXT=asterisk-outcalls-00004a9d;2”) in new stack
[2022-01-23 02:47:37] VERBOSE[32329][C-00020173] pbx.c: Executing [s@macro-user-callerid:3] Set(“Local/00201112888686@asterisk-outcalls-00004a9d;2”, “CHANCONTEXT=asterisk”) in new stack
[2022-01-23 02:47:37] VERBOSE[2959] asterisk.c: Remote UNIX connection
[2022-01-23 02:47:38] VERBOSE[32342][C-00020176] pbx.c: Executing [810201112888686@asterisk-outcalls:1] Macro(“Local/810201112888686@asterisk-outcalls-00004aa0;2”, “user-callerid,LIMIT,EXTERNAL,”) in new stack
[2022-01-23 02:47:38] VERBOSE[32342][C-00020176] pbx.c: Executing [s@macro-user-callerid:1] Set(“Local/810201112888686@asterisk-outcalls-00004aa0;2”, “TOUCH_MONITOR=1642906057.223709”) in new stack
[2022-01-23 02:47:38] VERBOSE[32342][C-00020176] pbx.c: Executing [s@macro-user-callerid:2] Set(“Local/810201112888686@asterisk-outcalls-00004aa0;2”, “CHANCONTEXT=asterisk-outcalls-00004aa0;2”) in new stack
[2022-01-23 02:47:38] VERBOSE[32342][C-00020176] pbx.c: Executing [s@macro-user-callerid:3] Set(“Local/810201112888686@asterisk-outcalls-00004aa0;2”, “CHANCONTEXT=asterisk”) in new stack
[2022-01-23 02:47:38] VERBOSE[32342][C-00020176] pbx.c: Executing [s@macro-user-callerid:4] Set(“Local/810201112888686@asterisk-outcalls-00004aa0;2”, “CHANEXTENCONTEXT=810201112888686@asterisk-outcalls-00004aa0;2”) in new stack
[2022-01-23 02:47:38] VERBOSE[32342][C-00020176] pbx.c: Executing [s@macro-user-callerid:5] Set(“Local/810201112888686@asterisk-outcalls-00004aa0;2”, “CHANEXTEN=810201112888686”) in new stack
[2022-01-23 02:47:38] VERBOSE[32334][C-00020174] pbx.c: Executing [s@macro-user-callerid:6] Set(“Local/011201112888686@asterisk-outcalls-00004a9e;2”, “CALLERID(number)=”) in new stack
[2022-01-23 02:47:38] VERBOSE[32338][C-00020175] pbx.c: Executing [s@macro-user-callerid:6] Set(“Local/201112888686@asterisk-outcalls-00004a9f;2”, “CALLERID(number)=”) in new stack
[2022-01-23 02:47:38] VERBOSE[32338][C-00020175] pbx.c: Executing [s@macro-user-callerid:7] Set(“Local/201112888686@asterisk-outcalls-00004a9f;2”, “AMPUSER=”) in new stack
[2022-01-23 02:47:38] VERBOSE[32338][C-00020175] pbx.c: Executing [s@macro-user-callerid:8] Set(“Local/201112888686@asterisk-outcalls-00004a9f;2”, “HOTDESCKCHAN=201112888686@asterisk-outcalls-00004a9f;2”) in new stack
[2022-01-23 02:47:38] VERBOSE[32338][C-00020175] pbx.c: Executing [s@macro-user-callerid:9] Set(“Local/201112888686@asterisk-outcalls-00004a9f;2”, “HOTDESKEXTEN=201112888686@asterisk”) in new stack
[2022-01-23 02:47:38] VERBOSE[32338][C-00020175] pbx.c: Executing [s@macro-user-callerid:10] Set(“Local/201112888686@asterisk-outcalls-00004a9f;2”, “HOTDESKCALL=0”) in new stack
[2022-01-23 02:47:38] VERBOSE[32329][C-00020173] pbx.c: Executing [s@macro-user-callerid:6] Set(“Local/00201112888686@asterisk-outcalls-00004a9d;2”, “CALLERID(number)=”) in new stack
[2022-01-23 02:47:38] VERBOSE[32329][C-00020173] pbx.c: Executing [s@macro-user-callerid:7] Set(“Local/00201112888686@asterisk-outcalls-00004a9d;2”, “AMPUSER=”) in new stack
[2022-01-23 02:47:38] VERBOSE[32329][C-00020173] pbx.c: Executing [s@macro-user-callerid:8] Set(“Local/00201112888686@asterisk-outcalls-00004a9d;2”, “HOTDESCKCHAN=00201112888686@asterisk-outcalls-00004a9d;2”) in new stack
[2022-01-23 02:47:38] VERBOSE[32329][C-00020173] pbx.c: Executing [s@macro-user-callerid:9] Set(“Local/00201112888686@asterisk-outcalls-00004a9d;2”, “HOTDESKEXTEN=00201112888686@asterisk”) in new stack
[2022-01-23 02:47:38] VERBOSE[32329][C-00020173] pbx.c: Executing [s@macro-user-callerid:10] Set(“Local/00201112888686@asterisk-outcalls-00004a9d;2”, “HOTDESKCALL=0”) in new stack
[2022-01-23 02:47:38] VERBOSE[32334][C-00020174] pbx.c: Executing [s@macro-user-callerid:7] Set(“Local/011201112888686@asterisk-outcalls-00004a9e;2”, “AMPUSER=”) in new stack
[2022-01-23 02:47:38] VERBOSE[32334][C-00020174] pbx.c: Executing [s@macro-user-callerid:8] Set(“Local/011201112888686@asterisk-outcalls-00004a9e;2”, “HOTDESCKCHAN=011201112888686@asterisk-outcalls-00004a9e;2”) in new stack
[2022-01-23 02:47:38] VERBOSE[32334][C-00020174] pbx.c: Executing [s@macro-user-callerid:9] Set(“Local/011201112888686@asterisk-outcalls-00004a9e;2”, “HOTDESKEXTEN=011201112888686@asterisk”) in new stack
[2022-01-23 02:47:38] VERBOSE[32334][C-00020174] pbx.c: Executing [s@macro-user-callerid:10] Set(“Local/011201112888686@asterisk-outcalls-00004a9e;2”, “HOTDESKCALL=0”) in new stack
[2022-01-23 02:47:38] VERBOSE[32334][C-00020174] pbx.c: Executing [s@macro-user-callerid:11] ExecIf(“Local/011201112888686@asterisk-outcalls-00004a9e;2”, “0?Set(HOTDESKCALL=1)”) in new stack
[2022-01-23 02:47:38] VERBOSE[32329][C-00020173] pbx.c: Executing [s@macro-user-callerid:11] ExecIf(“Local/00201112888686@asterisk-outcalls-00004a9d;2”, “0?Set(HOTDESKCALL=1)”) in new stack
[2022-01-23 02:47:38] VERBOSE[32338][C-00020175] pbx.c: Executing [s@macro-user-callerid:11] ExecIf(“Local/201112888686@asterisk-outcalls-00004a9f;2”, “0?Set(HOTDESKCALL=1)”) in new stack
[2022-01-23 02:47:38] VERBOSE[32342][C-00020176] pbx.c: Executing [s@macro-user-callerid:6] Set(“Local/810201112888686@asterisk-outcalls-00004aa0;2”, “CALLERID(number)=”) in new stack
[2022-01-23 02:47:38] VERBOSE[32329][C-00020173] pbx.c: Executing [s@macro-user-callerid:12] ExecIf(“Local/00201112888686@asterisk-outcalls-00004a9d;2”, “0?Set(CALLERID(name)=)”) in new stack
[2022-01-23 02:47:38] VERBOSE[32334][C-00020174] pbx.c: Executing [s@macro-user-callerid:12] ExecIf(“Local/011201112888686@asterisk-outcalls-00004a9e;2”, “0?Set(CALLERID(name)=)”) in new stack
[2022-01-23 02:47:38] VERBOSE[32338][C-00020175] pbx.c: Executing [s@macro-user-callerid:12] ExecIf(“Local/201112888686@asterisk-outcalls-00004a9f;2”, “0?Set(CALLERID(name)=)”) in new stack
[2022-01-23 02:47:38] VERBOSE[32342][C-00020176] pbx.c: Executing [s@macro-user-callerid:7] Set(“Local/810201112888686@asterisk-outcalls-00004aa0;2”, “AMPUSER=”) in new stack
[2022-01-23 02:47:38] VERBOSE[32342][C-00020176] pbx.c: Executing [s@macro-user-callerid:8] Set(“Local/810201112888686@asterisk-outcalls-00004aa0;2”, “HOTDESCKCHAN=810201112888686@asterisk-outcalls-00004aa0;2”) in new stack
[2022-01-23 02:47:38] VERBOSE[32342][C-00020176] pbx.c: Executing [s@macro-user-callerid:9] Set(“Local/810201112888686@asterisk-outcalls-00004aa0;2”, “HOTDESKEXTEN=810201112888686@asterisk”) in new stack
[2022-01-23 02:47:38] VERBOSE[32342][C-00020176] pbx.c: Executing [s@macro-user-callerid:10] Set(“Local/810201112888686@asterisk-outcalls-00004aa0;2”, “HOTDESKCALL=0”) in new stack
[2022-01-23 02:47:38] VERBOSE[32342][C-00020176] pbx.c: Executing [s@macro-user-callerid:11] ExecIf(“Local/810201112888686@asterisk-outcalls-00004aa0;2”, “0?Set(HOTDESKCALL=1)”) in new stack
[2022-01-23 02:47:38] VERBOSE[32342][C-00020176] pbx.c: Executing [s@macro-user-callerid:12] ExecIf(“Local/810201112888686@asterisk-outcalls-00004aa0;2”, “0?Set(CALLERID(name)=)”) in new stack
[2022-01-23 02:47:38] VERBOSE[32334][C-00020174] pbx.c: Executing [s@macro-user-callerid:13] GotoIf(“Local/011201112888686@asterisk-outcalls-00004a9e;2”, “0?report”) in new stack
[2022-01-23 02:47:38] VERBOSE[32334][C-00020174] pbx.c: Executing [s@macro-user-callerid:14] ExecIf(“Local/011201112888686@asterisk-outcalls-00004a9e;2”, “1?Set(REALCALLERIDNUM=)”) in new stack
[2022-01-23 02:47:38] VERBOSE[32334][C-00020174] pbx.c: Executing [s@macro-user-callerid:15] Set(“Local/011201112888686@asterisk-outcalls-00004a9e;2”, “AMPUSER=”) in new stack
[2022-01-23 02:47:38] VERBOSE[32334][C-00020174] pbx.c: Executing [s@macro-user-callerid:16] GotoIf(“Local/011201112888686@asterisk-outcalls-00004a9e;2”, “0?limit”) in new stack
[2022-01-23 02:47:38] VERBOSE[32334][C-00020174] pbx.c: Executing [s@macro-user-callerid:17] Set(“Local/011201112888686@asterisk-outcalls-00004a9e;2”, “AMPUSERCIDNAME=”) in new stack
[2022-01-23 02:47:38] VERBOSE[32334][C-00020174] pbx.c: Executing [s@macro-user-callerid:18] ExecIf(“Local/011201112888686@asterisk-outcalls-00004a9e;2”, “0?Set(__CIDMASQUERADING=TRUE)”) in new stack
[2022-01-23 02:47:38] VERBOSE[32329][C-00020173] pbx.c: Executing [s@macro-user-callerid:13] GotoIf(“Local/00201112888686@asterisk-outcalls-00004a9d;2”, “0?report”) in new stack
[2022-01-23 02:47:38] VERBOSE[32329][C-00020173] pbx.c: Executing [s@macro-user-callerid:14] ExecIf(“Local/00201112888686@asterisk-outcalls-00004a9d;2”, “1?Set(REALCALLERIDNUM=)”) in new stack
[2022-01-23 02:47:38] VERBOSE[32342][C-00020176] pbx.c: Executing [s@macro-user-callerid:17] Set(“Local/810201112888686@asterisk-outcalls-00004aa0;2”, “AMPUSERCIDNAME=”) in new stack
[2022-01-23 02:47:38] VERBOSE[32342][C-00020176] pbx.c: Executing [s@macro-user-callerid:18] ExecIf(“Local/810201112888686@asterisk-outcalls-00004aa0;2”, “0?Set(__CIDMASQUERADING=TRUE)”) in new stack
[2022-01-23 02:47:38] VERBOSE[32329][C-00020173] pbx.c: Executing [s@macro-user-callerid:19] GotoIf(“Local/00201112888686@asterisk-outcalls-00004a9d;2”, “1?report”) in new stack
[2022-01-23 02:47:38] VERBOSE[32329][C-00020173] pbx_builtins.c: Goto (macro-user-callerid,s,28)
[2022-01-23 02:47:38] VERBOSE[32329][C-00020173] pbx.c: Executing [s@macro-user-callerid:28] NoOp(“Local/00201112888686@asterisk-outcalls-00004a9d;2”, “Macro Depth is 1”) in new stack
[2022-01-23 02:47:38] VERBOSE[32329][C-00020173] pbx.c: Executing [s@macro-user-callerid:29] GotoIf(“Local/00201112888686@asterisk-outcalls-00004a9d;2”, “1?report2:macroerror”) in new stack
[2022-01-23 02:47:38] VERBOSE[32329][C-00020173] pbx_builtins.c: Goto (macro-user-callerid,s,30)
[2022-01-23 02:47:38] VERBOSE[32329][C-00020173] pbx.c: Executing [s@macro-user-callerid:30] GotoIf(“Local/00201112888686@asterisk-outcalls-00004a9d;2”, “1?continue”) in new stack
[2022-01-23 02:47:38] VERBOSE[32334][C-00020174] pbx.c: Executing [s@macro-user-callerid:19] GotoIf(“Local/011201112888686@asterisk-outcalls-00004a9e;2”, “1?report”) in new stack
[2022-01-23 02:47:38] VERBOSE[32334][C-00020174] pbx_builtins.c: Goto (macro-user-callerid,s,28)
[2022-01-23 02:47:38] VERBOSE[32334][C-00020174] pbx.c: Executing [s@macro-user-callerid:28] NoOp(“Local/011201112888686@asterisk-outcalls-00004a9e;2”, “Macro Depth is 1”) in new stack
[2022-01-23 02:47:38] VERBOSE[32334][C-00020174] pbx.c: Executing [s@macro-user-callerid:29] GotoIf(“Local/011201112888686@asterisk-outcalls-00004a9e;2”, “1?report2:macroerror”) in new stack
[2022-01-23 02:47:38] VERBOSE[32334][C-00020174] pbx_builtins.c: Goto (macro-user-callerid,s,30)
[2022-01-23 02:47:38] VERBOSE[32334][C-00020174] pbx.c: Executing [s@macro-user-callerid:30] GotoIf(“Local/011201112888686@asterisk-outcalls-00004a9e;2”, “1?continue”) in new stack
[2022-01-23 02:47:38] VERBOSE[32334][C-00020174] pbx_builtins.c: Goto (macro-user-callerid,s,49)
[2022-01-23 02:47:38] VERBOSE[32334][C-00020174] pbx.c: Executing [s@macro-user-callerid:49] Set(“Local/011201112888686@asterisk-outcalls-00004a9e;2”, “CALLERID(number)=”) in new stack
[2022-01-23 02:47:38] VERBOSE[32334][C-00020174] pbx.c: Executing [s@macro-user-callerid:50] Set(“Local/011201112888686@asterisk-outcalls-00004a9e;2”, “CALLERID(name)=”) in new stack
[2022-01-23 02:47:38] VERBOSE[32334][C-00020174] pbx.c: Executing [s@macro-user-callerid:51] GotoIf(“Local/011201112888686@asterisk-outcalls-00004a9e;2”, “1?cnum”) in new stack
[2022-01-23 02:47:38] VERBOSE[32329][C-00020173] pbx_builtins.c: Goto (macro-user-callerid,s,49)
[2022-01-23 02:47:38] VERBOSE[32329][C-00020173] pbx.c: Executing [s@macro-user-callerid:49] Set(“Local/00201112888686@asterisk-outcalls-00004a9d;2”, “CALLERID(number)=”) in new stack
[2022-01-23 02:47:38] VERBOSE[32342][C-00020176] pbx.c: Executing [s@macro-user-callerid:19] GotoIf(“Local/810201112888686@asterisk-outcalls-00004aa0;2”, “1?report”) in new stack
[2022-01-23 02:47:38] VERBOSE[32342][C-00020176] pbx_builtins.c: Goto (macro-user-callerid,s,28)
[2022-01-23 02:47:38] VERBOSE[32342][C-00020176] pbx.c: Executing [s@macro-user-callerid:28] NoOp(“Local/810201112888686@asterisk-outcalls-00004aa0;2”, “Macro Depth is 1”) in new stack
[2022-01-23 02:47:38] VERBOSE[32342][C-00020176] pbx.c: Executing [s@macro-user-callerid:29] GotoIf(“Local/810201112888686@asterisk-outcalls-00004aa0;2”, “1?report2:macroerror”) in new stack
[2022-01-23 02:47:38] VERBOSE[32345] asterisk.c: Remote UNIX connection disconnected
[2022-01-23 02:47:38] VERBOSE[32334][C-00020174] pbx_builtins.c: Goto (macro-user-callerid,s,53)
[2022-01-23 02:47:38] VERBOSE[32334][C-00020174] pbx.c: Executing [s@macro-user-callerid:53] Set(“Local/011201112888686@asterisk-outcalls-00004a9e;2”, “CDR(cnum)=”) in new stack
[2022-01-23 02:47:38] VERBOSE[32342][C-00020176] pbx_builtins.c: Goto (macro-user-callerid,s,30)
[2022-01-23 02:47:38] VERBOSE[32342][C-00020176] pbx.c: Executing [s@macro-user-callerid:30] GotoIf(“Local/810201112888686@asterisk-outcalls-00004aa0;2”, “1?continue”) in new stack
[2022-01-23 02:47:38] VERBOSE[32338][C-00020175] pbx.c: Executing [s@macro-user-callerid:19] GotoIf(“Local/201112888686@asterisk-outcalls-00004a9f;2”, “1?report”) in new stack
[2022-01-23 02:47:38] VERBOSE[32343] dial.c: Called 000201112888686@asterisk-outcalls
[2022-01-23 02:47:38] VERBOSE[32329][C-00020173] pbx.c: Executing [s@macro-user-callerid:50] Set(“Local/00201112888686@asterisk-outcalls-00004a9d;2”, “CALLERID(name)=”) in new stack
[2022-01-23 02:47:38] VERBOSE[32342][C-00020176] pbx_builtins.c: Goto (macro-user-callerid,s,49)
[2022-01-23 02:47:38] VERBOSE[32342][C-00020176] pbx.c: Executing [s@macro-user-callerid:49] Set(“Local/810201112888686@asterisk-outcalls-00004aa0;2”, “CALLERID(number)=”) in new stack
[2022-01-23 02:47:38] VERBOSE[32338][C-00020175] pbx_builtins.c: Goto (macro-user-callerid,s,28)
[2022-01-23 02:47:38] VERBOSE[32338][C-00020175] pbx.c: Executing [s@macro-user-callerid:28] NoOp(“Local/201112888686@asterisk-outcalls-00004a9f;2”, “Macro Depth is 1”) in new stack
[2022-01-23 02:47:38] VERBOSE[2959] asterisk.c: Remote UNIX connection
[2022-01-23 02:47:38] VERBOSE[32342][C-00020176] pbx.c: Executing [s@macro-user-callerid:50] Set(“Local/810201112888686@asterisk-outcalls-00004aa0;2”, “CALLERID(name)=”) in new stack
[2022-01-23 02:47:38] VERBOSE[32329][C-00020173] pbx.c: Executing [s@macro-user-callerid:51] GotoIf(“Local/00201112888686@asterisk-outcalls-00004a9d;2”, “1?cnum”) in new stack
[2022-01-23 02:47:38] VERBOSE[32329][C-00020173] pbx_builtins.c: Goto (macro-user-callerid,s,53)
[2022-01-23 02:47:38] VERBOSE[32329][C-00020173] pbx.c: Executing [s@macro-user-callerid:53] Set(“Local/00201112888686@asterisk-outcalls-00004a9d;2”, “CDR(cnum)=”) in new stack
[2022-01-23 02:47:38] VERBOSE[32338][C-00020175] pbx.c: Executing [s@macro-user-callerid:29] GotoIf(“Local/201112888686@asterisk-outcalls-00004a9f;2”, “1?report2:macroerror”) in new stack
[2022-01-23 02:47:38] VERBOSE[32338][C-00020175] pbx_builtins.c: Goto (macro-user-callerid,s,30)
[2022-01-23 02:47:38] VERBOSE[32338][C-00020175] pbx.c: Executing [s@macro-user-callerid:30] GotoIf(“Local/201112888686@asterisk-outcalls-00004a9f;2”, “1?continue”) in new stack
[2022-01-23 02:47:38] VERBOSE[32338][C-00020175] pbx_builtins.c: Goto (macro-user-callerid,s,49)
[2022-01-23 02:47:38] VERBOSE[32338][C-00020175] pbx.c: Executing [s@macro-user-callerid:49] Set(“Local/201112888686@asterisk-outcalls-00004a9f;2”, “CALLERID(number)=”) in new stack
[2022-01-23 02:47:38] VERBOSE[32342][C-00020176] pbx.c: Executing [s@macro-user-callerid:51] GotoIf(“Local/810201112888686@asterisk-outcalls-00004aa0;2”, “1?cnum”) in new stack
[2022-01-23 02:47:38] VERBOSE[32338][C-00020175] pbx.c: Executing [s@macro-user-callerid:50] Set(“Local/201112888686@asterisk-outcalls-00004a9f;2”, “CALLERID(name)=”) in new stack
[2022-01-23 02:47:38] VERBOSE[32342][C-00020176] pbx_builtins.c: Goto (macro-user-callerid,s,53)
[2022-01-23 02:47:38] VERBOSE[32342][C-00020176] pbx.c: Executing [s@macro-user-callerid:53] Set(“Local/810201112888686@asterisk-outcalls-00004aa0;2”, “CDR(cnum)=”) in new stack
[2022-01-23 02:47:38] VERBOSE[32338][C-00020175] pbx.c: Executing [s@macro-user-callerid:51] GotoIf(“Local/201112888686@asterisk-outcalls-00004a9f;2”, “1?cnum”) in new stack
[2022-01-23 02:47:38] VERBOSE[32348][C-00020177] pbx.c: Executing [000201112888686@asterisk-outcalls:1] Macro(“Local/000201112888686@asterisk-outcalls-00004aa1;2”, “user-callerid,LIMIT,EXTERNAL,”) in new stack
[2022-01-23 02:47:38] VERBOSE[32348][C-00020177] pbx.c: Executing [s@macro-user-callerid:1] Set(“Local/000201112888686@asterisk-outcalls-00004aa1;2”, “TOUCH_MONITOR=1642906057.223711”) in new stack
[2022-01-23 02:47:38] VERBOSE[32348][C-00020177] pbx.c: Executing [s@macro-user-callerid:2] Set(“Local/000201112888686@asterisk-outcalls-00004aa1;2”, “CHANCONTEXT=asterisk-outcalls-00004aa1;2”) in new stack
[2022-01-23 02:47:38] VERBOSE[32348][C-00020177] pbx.c: Executing [s@macro-user-callerid:3] Set(“Local/000201112888686@asterisk-outcalls-00004aa1;2”, “CHANCONTEXT=asterisk”) in new stack
[2022-01-23 02:47:38] VERBOSE[32348][C-00020177] pbx.c: Executing [s@macro-user-callerid:4] Set(“Local/000201112888686@asterisk-outcalls-00004aa1;2”, “CHANEXTENCONTEXT=000201112888686@asterisk-outcalls-00004aa1;2”) in new stack
[2022-01-23 02:47:38] VERBOSE[32348][C-00020177] pbx.c: Executing [s@macro-user-callerid:5] Set(“Local/000201112888686@asterisk-outcalls-00004aa1;2”, “CHANEXTEN=000201112888686”) in new stack
[2022-01-23 02:47:38] VERBOSE[32348][C-00020177] pbx.c: Executing [s@macro-user-callerid:6] Set(“Local/000201112888686@asterisk-outcalls-00004aa1;2”, “CALLERID(number)=”) in new stack
[2022-01-23 02:47:38] VERBOSE[32348][C-00020177] pbx.c: Executing [s@macro-user-callerid:7] Set(“Local/000201112888686@asterisk-outcalls-00004aa1;2”, “AMPUSER=”) in new stack
[2022-01-23 02:47:38] VERBOSE[32348][C-00020177] pbx.c: Executing [s@macro-user-callerid:8] Set(“Local/000201112888686@asterisk-outcalls-00004aa1;2”, “HOTDESCKCHAN=000201112888686@asterisk-outcalls-00004aa1;2”) in new stack
[2022-01-23 02:47:38] VERBOSE[32348][C-00020177] pbx.c: Executing [s@macro-user-callerid:9] Set(“Local/000201112888686@asterisk-outcalls-00004aa1;2”, “HOTDESKEXTEN=000201112888686@asterisk”) in new stack
[2022-01-23 02:47:38] VERBOSE[32348][C-00020177] pbx.c: Executing [s@macro-user-callerid:10] Set(“Local/000201112888686@asterisk-outcalls-00004aa1;2”, “HOTDESKCALL=0”) in new stack
[2022-01-23 02:47:38] VERBOSE[32348][C-00020177] pbx.c: Executing [s@macro-user-callerid:11] ExecIf(“Local/000201112888686@asterisk-outcalls-00004aa1;2”, “0?Set(HOTDESKCALL=1)”) in new stack
[2022-01-23 02:47:38] VERBOSE[32348][C-00020177] pbx.c: Executing [s@macro-user-callerid:12] ExecIf(“Local/000201112888686@asterisk-outcalls-00004aa1;2”, “0?Set(CALLERID(name)=)”) in new stack
[2022-01-23 02:47:38] VERBOSE[32348][C-00020177] pbx.c: Executing [s@macro-user-callerid:13] GotoIf(“Local/000201112888686@asterisk-outcalls-00004aa1;2”, “0?report”) in new stack
[2022-01-23 02:47:38] VERBOSE[32348][C-00020177] pbx.c: Executing [s@macro-user-callerid:14] ExecIf(“Local/000201112888686@asterisk-outcalls-00004aa1;2”, “1?Set(REALCALLERIDNUM=)”) in new stack
[2022-01-23 02:47:38] VERBOSE[32348][C-00020177] pbx.c: Executing [s@macro-user-callerid:15] Set(“Local/000201112888686@asterisk-outcalls-00004aa1;2”, “AMPUSER=”) in new stack
[2022-01-23 02:47:38] VERBOSE[32348][C-00020177] pbx.c: Executing [s@macro-user-callerid:16] GotoIf(“Local/000201112888686@asterisk-outcalls-00004aa1;2”, “0?limit”) in new stack
[2022-01-23 02:47:38] VERBOSE[32348][C-00020177] pbx.c: Executing [s@macro-user-callerid:17] Set(“Local/000201112888686@asterisk-outcalls-00004aa1;2”, “AMPUSERCIDNAME=”) in new stack
[2022-01-23 02:47:38] VERBOSE[32348][C-00020177] pbx.c: Executing [s@macro-user-callerid:18] ExecIf(“Local/000201112888686@asterisk-outcalls-00004aa1;2”, “0?Set(__CIDMASQUERADING=TRUE)”) in new stack
[2022-01-23 02:47:38] VERBOSE[32348][C-00020177] pbx.c: Executing [s@macro-user-callerid:19] GotoIf(“Local/000201112888686@asterisk-outcalls-00004aa1;2”, “1?report”) in new stack
[2022-01-23 02:47:38] VERBOSE[32348][C-00020177] pbx_builtins.c: Goto (macro-user-callerid,s,28)
[2022-01-23 02:47:38] VERBOSE[32348][C-00020177] pbx.c: Executing [s@macro-user-callerid:28] NoOp(“Local/000201112888686@asterisk-outcalls-00004aa1;2”, “Macro Depth is 1”) in new stack
[2022-01-23 02:47:38] VERBOSE[32348][C-00020177] pbx.c: Executing [s@macro-user-callerid:29] GotoIf(“Local/000201112888686@asterisk-outcalls-00004aa1;2”, “1?report2:macroerror”) in new stack
[2022-01-23 02:47:38] VERBOSE[32348][C-00020177] pbx_builtins.c: Goto (macro-user-callerid,s,30)
[2022-01-23 02:47:38] VERBOSE[32348][C-00020177] pbx.c: Executing [s@macro-user-callerid:30] GotoIf(“Local/000201112888686@asterisk-outcalls-00004aa1;2”, “1?continue”) in new stack
[2022-01-23 02:47:38] VERBOSE[32348][C-00020177] pbx_builtins.c: Goto (macro-user-callerid,s,49)
[2022-01-23 02:47:38] VERBOSE[32348][C-00020177] pbx.c: Executing [s@macro-user-callerid:49] Set(“Local/000201112888686@asterisk-outcalls-00004aa1;2”, “CALLERID(number)=”) in new stack
[2022-01-23 02:47:38] VERBOSE[32348][C-00020177] pbx.c: Executing [s@macro-user-callerid:50] Set(“Local/000201112888686@asterisk-outcalls-00004aa1;2”, “CALLERID(name)=”) in new stack
[2022-01-23 02:47:38] VERBOSE[32348][C-00020177] pbx.c: Executing [s@macro-user-callerid:51] GotoIf(“Local/000201112888686@asterisk-outcalls-00004aa1;2”, “1?cnum”) in new stack
[2022-01-23 02:47:38] VERBOSE[32348][C-00020177] pbx_builtins.c: Goto (macro-user-callerid,s,53)
[2022-01-23 02:47:38] VERBOSE[32348][C-00020177] pbx.c: Executing [s@macro-user-callerid:53] Set(“Local/000201112888686@asterisk-outcalls-00004aa1;2”, “CDR(cnum)=”) in new stack
[2022-01-23 02:47:38] VERBOSE[32349] asterisk.c: Remote UNIX connection disconnected
[2022-01-23 02:47:38] VERBOSE[32346] dial.c: Called 0011201112888686@asterisk-outcalls
[2022-01-23 02:47:38] VERBOSE[32338][C-00020175] pbx_builtins.c: Goto (macro-user-callerid,s,53)
[2022-01-23 02:47:38] VERBOSE[32338][C-00020175] pbx.c: Executing [s@macro-user-callerid:53] Set(“Local/201112888686@asterisk-outcalls-00004a9f;2”, “CDR(cnum)=”) in new stack
[2022-01-23 02:47:38] VERBOSE[32329][C-00020173] pbx.c: Executing [s@macro-user-callerid:54] Set(“Local/00201112888686@asterisk-outcalls-00004a9d;2”, “CHANNEL(language)=en”) in new stack
[2022-01-23 02:47:38] VERBOSE[32329][C-00020173] pbx.c: Executing [00201112888686@asterisk-outcalls:2] Set(“Local/00201112888686@asterisk-outcalls-00004a9d;2”, “MOHCLASS=default”) in new stack
[2022-01-23 02:47:38] VERBOSE[32329][C-00020173] pbx.c: Executing [00201112888686@asterisk-outcalls:3] Set(“Local/00201112888686@asterisk-outcalls-00004a9d;2”, “LANGUAGE()=en”) in new stack
[2022-01-23 02:47:38] ERROR[32329][C-00020173] pbx_functions.c: Function LANGUAGE not registered

3

possibly a variation of

Do you have port tcp/5038 open to the world?

4

Given the timing of your issue it seems likely to be related to K.php - a RestApps malicious script

Look for evidence listed in that thread. In other compromised systems discussed on the forum, the attackers did not modify dialplan, but yours may have gotten some extra special treatment by the attackers.

5

tcp/5038 is closed

Thanks @billsimon although had RestApps disabled for almost a year ago I have spotted the same line in the thread you posted in my system.

6

Sorry to hear it. To get your system working again you may be able to remove all the files listed in that thread, use fwconsole ma refreshsignatures to fix any tampered modules, fwconsole validate to check for other tampered files that don’t get fixed with the sig update, and remove any junk dialplan from /etc/asterisk/extensions_custom.conf. Don’t forget also to use fwconsole ma upgradeall to get your modules current.

Close off your system to the public internet if possible and block the IP network listed in that thread.

Then catch your breath and go through a rebuild as soon as possible.

1 Like
7

This topic was automatically closed 31 days after the last reply. New replies are no longer allowed.