System Compromised Need Help

Hello everyone,

FreePBX 15.0.17.67. It has been compromised. A few days ago we had a warning that the FreePBX Framework was tampered with. We reinstalled the framework and refreshed the signatures, thinking it had to do with a module update. Last night we had a raft of calls made from our PBX from the Wait application. We have the SSH port bound to only a single static IP and no guest or anonymous access enabled. The last SSH login attempts only show our IP addresses.

calldate,clid,src,dst,dcontext,channel,dstchannel,lastapp,lastdata,duration,billsec,disposition,amaflags,accountcode,uniqueid,userfield,did,cnum,cnam,outbound_cnum,outbound_cnam,dst_cnam,recordingfile,linkedid,peeraccount,sequence
"2022-01-23 02:58:42",""""" <00261326783406>",00261326783406,00261326783406,asterisk-outcalls,Local/[email protected];1,Wait,1900,29,27,ANSWERED,3,1642906722.226079,1642906722.226079,272457
"2022-01-23 02:58:39",""""" <00261326783407>",00261326783407,00261326783407,asterisk-outcalls,Local/[email protected];1,Wait,1900,29,27,ANSWERED,3,1642906719.226074,1642906719.226074,272450
"2022-01-23 02:58:05",""""" <00261326783408>",00261326783408,00261326783408,asterisk-outcalls,Local/[email protected];1,Wait,1900,30,27,ANSWERED,3,1642906685.226001,1642906685.226001,272328

"2022-01-23 02:56:47",""""" <00261326783400>",00261326783400,00261326783400,asterisk-outcalls,Local/[email protected];1,Wait,1900,37,27,ANSWERED,3,1642906607.225837,1642906607.225837,272060
"2022-01-23 02:55:42",""""" <0025772337768>",0025772337768,0025772337768,asterisk-outcalls,Local/[email protected];1,Wait,10,19,10,ANSWERED,3,1642906542.225832,1642906542.225832,272053
"2022-01-23 02:55:07",""""" <994501632632>",994501632632,994501632632,asterisk-outcalls,Local/[email protected];1,Wait,5,15,5,ANSWERED,3,1642906507.225813,1642906507.225813,272023
"2022-01-23 02:55:02",""""" <9609155043>",9609155043,9609155043,asterisk-outcalls,Local/[email protected];1,Wait,5,11,5,ANSWERED,3,1642906502.225787,1642906502.225787,271977
"2022-01-23 02:54:40",""""" <79549979046>",79549979046,79549979046,asterisk-outcalls,Local/[email protected];1,Wait,5,7,5,ANSWERED,3,1642906480.225633,1642906480.225633,271714
"2022-01-23 02:53:56",""""" <41799792580>",41799792580,41799792580,asterisk-outcalls,Local/[email protected];1,Wait,5,13,5,ANSWERED,3,1642906436.225358,1642906436.225358,271246
"2022-01-23 02:53:43",""""" <375334799479>",375334799479,375334799479,asterisk-outcalls,Local/[email protected];1,Wait,5,12,5,ANSWERED,3,1642906423.225274,1642906423.225274,271110
"2022-01-23 02:53:35",""""" <375255573274>",375255573274,375255573274,asterisk-outcalls,Local/[email protected];1,Wait,5,7,5,ANSWERED,3,1642906415.225227,1642906415.225227,271036
"2022-01-23 02:53:21",""""" <37069753956>",37069753956,37069753956,asterisk-outcalls,Local/[email protected];1,Wait,5,12,5,ANSWERED,3,1642906401.225150,1642906401.225150,270915
"2022-01-23 02:53:09",""""" <37066541080>",37066541080,37066541080,asterisk-outcalls,Local/[email protected];1,Wait,5,12,5,ANSWERED,3,1642906389.225078,1642906389.225078,270791


Access log is empty

Looking at the Asterisk full log, we notice that the attack starts with a Remote UNIX connection, then global variables are set, followed by the call attempts, which are in the next post.

02:47:37] VERBOSE[32329][C-00020173] pbx.c: Executing [[email protected]:1] Macro(“Local/[email protected];2”, “user-callerid,LIMIT,EXTERNAL,”) in new stack
[2022-01-23 02:47:37] VERBOSE[32330] asterisk.c: Remote UNIX connection disconnected
[2022-01-23 02:47:37] VERBOSE[2959] asterisk.c: Remote UNIX connection
[2022-01-23 02:47:37] VERBOSE[32329][C-00020173] pbx.c: Executing [[email protected]:1] Set(“Local/[email protected];2”, “TOUCH_MONITOR=1642906057.223703”) in new stack
[2022-01-23 02:47:37] VERBOSE[32331] dial.c: Called [email protected]
[2022-01-23 02:47:37] VERBOSE[32333] asterisk.c: Remote UNIX connection disconnected
[2022-01-23 02:47:37] VERBOSE[2959] asterisk.c: Remote UNIX connection
[2022-01-23 02:47:37] VERBOSE[32335] dial.c: Called [email protected]
[2022-01-23 02:47:37] VERBOSE[32337] asterisk.c: Remote UNIX connection disconnected
[2022-01-23 02:47:37] VERBOSE[32338][C-00020175] pbx.c: Executing [[email protected]:1] Macro(“Local/[email protected];2”, “user-callerid,LIMIT,EXTERNAL,”) in new stack
[2022-01-23 02:47:37] VERBOSE[32338][C-00020175] pbx.c: Executing [[email protected]:1] Set(“Local/[email protected];2”, “TOUCH_MONITOR=1642906057.223707”) in new stack
[2022-01-23 02:47:37] VERBOSE[2959] asterisk.c: Remote UNIX connection
[2022-01-23 02:47:37] VERBOSE[32334][C-00020174] pbx.c: Executing [[email protected]:1] Macro(“Local/[email protected];2”, “user-callerid,LIMIT,EXTERNAL,”) in new stack
[2022-01-23 02:47:37] VERBOSE[32339] dial.c: Called [email protected]
[2022-01-23 02:47:37] VERBOSE[32334][C-00020174] pbx.c: Executing [[email protected]:4] Set(“Local/[email protected];2”, “[email protected];2”) in new stack
[2022-01-23 02:47:37] VERBOSE[32334][C-00020174] pbx.c: Executing [[email protected]:5] Set(“Local/[email protected];2”, “CHANEXTEN=011201112888686”) in new stack
[2022-01-23 02:47:37] VERBOSE[32329][C-00020173] pbx.c: Executing [[email protected]:2] Set(“Local/[email protected];2”, “CHANCONTEXT=asterisk-outcalls-00004a9d;2”) in new stack
[2022-01-23 02:47:37] VERBOSE[32329][C-00020173] pbx.c: Executing [[email protected]:3] Set(“Local/[email protected];2”, “CHANCONTEXT=asterisk”) in new stack
[2022-01-23 02:47:37] VERBOSE[2959] asterisk.c: Remote UNIX connection
[2022-01-23 02:47:38] VERBOSE[32342][C-00020176] pbx.c: Executing [[email protected]:1] Macro(“Local/[email protected];2”, “user-callerid,LIMIT,EXTERNAL,”) in new stack
[2022-01-23 02:47:38] VERBOSE[32342][C-00020176] pbx.c: Executing [[email protected]:1] Set(“Local/[email protected];2”, “TOUCH_MONITOR=1642906057.223709”) in new stack
[2022-01-23 02:47:38] VERBOSE[32342][C-00020176] pbx.c: Executing [[email protected]:2] Set(“Local/[email protected];2”, “CHANCONTEXT=asterisk-outcalls-00004aa0;2”) in new stack
[2022-01-23 02:47:38] VERBOSE[32342][C-00020176] pbx.c: Executing [[email protected]:3] Set(“Local/[email protected];2”, “CHANCONTEXT=asterisk”) in new stack
[2022-01-23 02:47:38] VERBOSE[32342][C-00020176] pbx.c: Executing [[email protected]:4] Set(“Local/[email protected];2”, “[email protected];2”) in new stack
[2022-01-23 02:47:38] VERBOSE[32342][C-00020176] pbx.c: Executing [[email protected]:5] Set(“Local/[email protected];2”, “CHANEXTEN=810201112888686”) in new stack
[2022-01-23 02:47:38] VERBOSE[32334][C-00020174] pbx.c: Executing [[email protected]:6] Set(“Local/[email protected];2”, “CALLERID(number)=”) in new stack
[2022-01-23 02:47:38] VERBOSE[32338][C-00020175] pbx.c: Executing [[email protected]:6] Set(“Local/[email protected];2”, “CALLERID(number)=”) in new stack
[2022-01-23 02:47:38] VERBOSE[32338][C-00020175] pbx.c: Executing [[email protected]:7] Set(“Local/[email protected];2”, “AMPUSER=”) in new stack
[2022-01-23 02:47:38] VERBOSE[32338][C-00020175] pbx.c: Executing [[email protected]:8] Set(“Local/[email protected];2”, “[email protected];2”) in new stack
[2022-01-23 02:47:38] VERBOSE[32338][C-00020175] pbx.c: Executing [[email protected]:9] Set(“Local/[email protected];2”, “[email protected]”) in new stack
[2022-01-23 02:47:38] VERBOSE[32338][C-00020175] pbx.c: Executing [[email protected]:10] Set(“Local/[email protected];2”, “HOTDESKCALL=0”) in new stack
[2022-01-23 02:47:38] VERBOSE[32329][C-00020173] pbx.c: Executing [[email protected]:6] Set(“Local/[email protected];2”, “CALLERID(number)=”) in new stack
[2022-01-23 02:47:38] VERBOSE[32329][C-00020173] pbx.c: Executing [[email protected]:7] Set(“Local/[email protected];2”, “AMPUSER=”) in new stack
[2022-01-23 02:47:38] VERBOSE[32329][C-00020173] pbx.c: Executing [[email protected]:8] Set(“Local/[email protected];2”, “[email protected];2”) in new stack
[2022-01-23 02:47:38] VERBOSE[32329][C-00020173] pbx.c: Executing [[email protected]:9] Set(“Local/[email protected];2”, “[email protected]”) in new stack
[2022-01-23 02:47:38] VERBOSE[32329][C-00020173] pbx.c: Executing [[email protected]llerid:10] Set(“Local/[email protected];2”, “HOTDESKCALL=0”) in new stack
[2022-01-23 02:47:38] VERBOSE[32334][C-00020174] pbx.c: Executing [[email protected]:7] Set(“Local/[email protected];2”, “AMPUSER=”) in new stack
[2022-01-23 02:47:38] VERBOSE[32334][C-00020174] pbx.c: Executing [[email protected]:8] Set(“Local/[email protected];2”, “[email protected];2”) in new stack
[2022-01-23 02:47:38] VERBOSE[32334][C-00020174] pbx.c: Executing [[email protected]:9] Set(“Local/[email protected];2”, “[email protected]”) in new stack
[2022-01-23 02:47:38] VERBOSE[32334][C-00020174] pbx.c: Executing [[email protected]:10] Set(“Local/[email protected];2”, “HOTDESKCALL=0”) in new stack
[2022-01-23 02:47:38] VERBOSE[32334][C-00020174] pbx.c: Executing [[email protected]:11] ExecIf(“Local/[email protected];2”, “0?Set(HOTDESKCALL=1)”) in new stack
[2022-01-23 02:47:38] VERBOSE[32329][C-00020173] pbx.c: Executing [[email protected]:11] ExecIf(“Local/[email protected];2”, “0?Set(HOTDESKCALL=1)”) in new stack
[2022-01-23 02:47:38] VERBOSE[32338][C-00020175] pbx.c: Executing [[email protected]:11] ExecIf(“Local/[email protected];2”, “0?Set(HOTDESKCALL=1)”) in new stack
[2022-01-23 02:47:38] VERBOSE[32342][C-00020176] pbx.c: Executing [[email protected]:6] Set(“Local/[email protected];2”, “CALLERID(number)=”) in new stack
[2022-01-23 02:47:38] VERBOSE[32329][C-00020173] pbx.c: Executing [[email protected]:12] ExecIf(“Local/[email protected];2”, “0?Set(CALLERID(name)=)”) in new stack
[2022-01-23 02:47:38] VERBOSE[32334][C-00020174] pbx.c: Executing [[email protected]:12] ExecIf(“Local/[email protected];2”, “0?Set(CALLERID(name)=)”) in new stack
[2022-01-23 02:47:38] VERBOSE[32338][C-00020175] pbx.c: Executing [[email protected]:12] ExecIf(“Local/[email protected];2”, “0?Set(CALLERID(name)=)”) in new stack
[2022-01-23 02:47:38] VERBOSE[32342][C-00020176] pbx.c: Executing [[email protected]:7] Set(“Local/[email protected];2”, “AMPUSER=”) in new stack
[2022-01-23 02:47:38] VERBOSE[32342][C-00020176] pbx.c: Executing [[email protected]:8] Set(“Local/[email protected];2”, “[email protected];2”) in new stack
[2022-01-23 02:47:38] VERBOSE[32342][C-00020176] pbx.c: Executing [[email protected]:9] Set(“Local/[email protected];2”, “[email protected]”) in new stack
[2022-01-23 02:47:38] VERBOSE[32342][C-00020176] pbx.c: Executing [[email protected]:10] Set(“Local/[email protected];2”, “HOTDESKCALL=0”) in new stack
[2022-01-23 02:47:38] VERBOSE[32342][C-00020176] pbx.c: Executing [[email protected]:11] ExecIf(“Local/[email protected];2”, “0?Set(HOTDESKCALL=1)”) in new stack
[2022-01-23 02:47:38] VERBOSE[32342][C-00020176] pbx.c: Executing [[email protected]:12] ExecIf(“Local/[email protected];2”, “0?Set(CALLERID(name)=)”) in new stack
[2022-01-23 02:47:38] VERBOSE[32334][C-00020174] pbx.c: Executing [[email protected]:13] GotoIf(“Local/[email protected];2”, “0?report”) in new stack
[2022-01-23 02:47:38] VERBOSE[32334][C-00020174] pbx.c: Executing [[email protected]:14] ExecIf(“Local/[email protected];2”, “1?Set(REALCALLERIDNUM=)”) in new stack
[2022-01-23 02:47:38] VERBOSE[32334][C-00020174] pbx.c: Executing [[email protected]:15] Set(“Local/[email protected];2”, “AMPUSER=”) in new stack
[2022-01-23 02:47:38] VERBOSE[32334][C-00020174] pbx.c: Executing [[email protected]:16] GotoIf(“Local/[email protected];2”, “0?limit”) in new stack
[2022-01-23 02:47:38] VERBOSE[32334][C-00020174] pbx.c: Executing [[email protected]:17] Set(“Local/[email protected];2”, “AMPUSERCIDNAME=”) in new stack
[2022-01-23 02:47:38] VERBOSE[32334][C-00020174] pbx.c: Executing [[email protected]:18] ExecIf(“Local/[email protected];2”, “0?Set(__CIDMASQUERADING=TRUE)”) in new stack
[2022-01-23 02:47:38] VERBOSE[32329][C-00020173] pbx.c: Executing [[email protected]:13] GotoIf(“Local/[email protected];2”, “0?report”) in new stack
[2022-01-23 02:47:38] VERBOSE[32329][C-00020173] pbx.c: Executing [[email protected]:14] ExecIf(“Local/[email protected];2”, “1?Set(REALCALLERIDNUM=)”) in new stack
[2022-01-23 02:47:38] VERBOSE[32342][C-00020176] pbx.c: Executing [[email protected]:17] Set(“Local/[email protected];2”, “AMPUSERCIDNAME=”) in new stack
[2022-01-23 02:47:38] VERBOSE[32342][C-00020176] pbx.c: Executing [[email protected]:18] ExecIf(“Local/[email protected];2”, “0?Set(__CIDMASQUERADING=TRUE)”) in new stack
[2022-01-23 02:47:38] VERBOSE[32329][C-00020173] pbx.c: Executing [[email protected]:19] GotoIf(“Local/[email protected];2”, “1?report”) in new stack
[2022-01-23 02:47:38] VERBOSE[32329][C-00020173] pbx_builtins.c: Goto (macro-user-callerid,s,28)
[2022-01-23 02:47:38] VERBOSE[32329][C-00020173] pbx.c: Executing [[email protected]:28] NoOp(“Local/[email protected];2”, “Macro Depth is 1”) in new stack
[2022-01-23 02:47:38] VERBOSE[32329][C-00020173] pbx.c: Executing [[email protected]:29] GotoIf(“Local/[email protected];2”, “1?report2:macroerror”) in new stack
[2022-01-23 02:47:38] VERBOSE[32329][C-00020173] pbx_builtins.c: Goto (macro-user-callerid,s,30)
[2022-01-23 02:47:38] VERBOSE[32329][C-00020173] pbx.c: Executing [[email protected]:30] GotoIf(“Local/[email protected];2”, “1?continue”) in new stack
[2022-01-23 02:47:38] VERBOSE[32334][C-00020174] pbx.c: Executing [[email protected]:19] GotoIf(“Local/[email protected];2”, “1?report”) in new stack
[2022-01-23 02:47:38] VERBOSE[32334][C-00020174] pbx_builtins.c: Goto (macro-user-callerid,s,28)
[2022-01-23 02:47:38] VERBOSE[32334][C-00020174] pbx.c: Executing [[email protected]:28] NoOp(“Local/[email protected];2”, “Macro Depth is 1”) in new stack
[2022-01-23 02:47:38] VERBOSE[32334][C-00020174] pbx.c: Executing [[email protected]:29] GotoIf(“Local/[email protected];2”, “1?report2:macroerror”) in new stack
[2022-01-23 02:47:38] VERBOSE[32334][C-00020174] pbx_builtins.c: Goto (macro-user-callerid,s,30)
[2022-01-23 02:47:38] VERBOSE[32334][C-00020174] pbx.c: Executing [[email protected]:30] GotoIf(“Local/[email protected];2”, “1?continue”) in new stack
[2022-01-23 02:47:38] VERBOSE[32334][C-00020174] pbx_builtins.c: Goto (macro-user-callerid,s,49)
[2022-01-23 02:47:38] VERBOSE[32334][C-00020174] pbx.c: Executing [[email protected]:49] Set(“Local/[email protected];2”, “CALLERID(number)=”) in new stack
[2022-01-23 02:47:38] VERBOSE[32334][C-00020174] pbx.c: Executing [[email protected]:50] Set(“Local/[email protected];2”, “CALLERID(name)=”) in new stack
[2022-01-23 02:47:38] VERBOSE[32334][C-00020174] pbx.c: Executing [[email protected]:51] GotoIf(“Local/[email protected];2”, “1?cnum”) in new stack
[2022-01-23 02:47:38] VERBOSE[32329][C-00020173] pbx_builtins.c: Goto (macro-user-callerid,s,49)
[2022-01-23 02:47:38] VERBOSE[32329][C-00020173] pbx.c: Executing [[email protected]:49] Set(“Local/[email protected];2”, “CALLERID(number)=”) in new stack
[2022-01-23 02:47:38] VERBOSE[32342][C-00020176] pbx.c: Executing [[email protected]:19] GotoIf(“Local/[email protected];2”, “1?report”) in new stack
[2022-01-23 02:47:38] VERBOSE[32342][C-00020176] pbx_builtins.c: Goto (macro-user-callerid,s,28)
[2022-01-23 02:47:38] VERBOSE[32342][C-00020176] pbx.c: Executing [[email protected]:28] NoOp(“Local/[email protected];2”, “Macro Depth is 1”) in new stack
[2022-01-23 02:47:38] VERBOSE[32342][C-00020176] pbx.c: Executing [[email protected]:29] GotoIf(“Local/[email protected];2”, “1?report2:macroerror”) in new stack
[2022-01-23 02:47:38] VERBOSE[32345] asterisk.c: Remote UNIX connection disconnected
[2022-01-23 02:47:38] VERBOSE[32334][C-00020174] pbx_builtins.c: Goto (macro-user-callerid,s,53)
[2022-01-23 02:47:38] VERBOSE[32334][C-00020174] pbx.c: Executing [[email protected]:53] Set(“Local/[email protected];2”, “CDR(cnum)=”) in new stack
[2022-01-23 02:47:38] VERBOSE[32342][C-00020176] pbx_builtins.c: Goto (macro-user-callerid,s,30)
[2022-01-23 02:47:38] VERBOSE[32342][C-00020176] pbx.c: Executing [[email protected]:30] GotoIf(“Local/[email protected];2”, “1?continue”) in new stack
[2022-01-23 02:47:38] VERBOSE[32338][C-00020175] pbx.c: Executing [[email protected]:19] GotoIf(“Local/[email protected];2”, “1?report”) in new stack
[2022-01-23 02:47:38] VERBOSE[32343] dial.c: Called [email protected]
[2022-01-23 02:47:38] VERBOSE[32329][C-00020173] pbx.c: Executing [[email protected]:50] Set(“Local/[email protected];2”, “CALLERID(name)=”) in new stack
[2022-01-23 02:47:38] VERBOSE[32342][C-00020176] pbx_builtins.c: Goto (macro-user-callerid,s,49)
[2022-01-23 02:47:38] VERBOSE[32342][C-00020176] pbx.c: Executing [[email protected]:49] Set(“Local/[email protected];2”, “CALLERID(number)=”) in new stack
[2022-01-23 02:47:38] VERBOSE[32338][C-00020175] pbx_builtins.c: Goto (macro-user-callerid,s,28)
[2022-01-23 02:47:38] VERBOSE[32338][C-00020175] pbx.c: Executing [[email protected]:28] NoOp(“Local/[email protected];2”, “Macro Depth is 1”) in new stack
[2022-01-23 02:47:38] VERBOSE[2959] asterisk.c: Remote UNIX connection
[2022-01-23 02:47:38] VERBOSE[32342][C-00020176] pbx.c: Executing [[email protected]:50] Set(“Local/[email protected];2”, “CALLERID(name)=”) in new stack
[2022-01-23 02:47:38] VERBOSE[32329][C-00020173] pbx.c: Executing [[email protected]:51] GotoIf(“Local/[email protected];2”, “1?cnum”) in new stack
[2022-01-23 02:47:38] VERBOSE[32329][C-00020173] pbx_builtins.c: Goto (macro-user-callerid,s,53)
[2022-01-23 02:47:38] VERBOSE[32329][C-00020173] pbx.c: Executing [[email protected]:53] Set(“Local/[email protected];2”, “CDR(cnum)=”) in new stack
[2022-01-23 02:47:38] VERBOSE[32338][C-00020175] pbx.c: Executing [[email protected]:29] GotoIf(“Local/[email protected];2”, “1?report2:macroerror”) in new stack
[2022-01-23 02:47:38] VERBOSE[32338][C-00020175] pbx_builtins.c: Goto (macro-user-callerid,s,30)
[2022-01-23 02:47:38] VERBOSE[32338][C-00020175] pbx.c: Executing [[email protected]:30] GotoIf(“Local/[email protected];2”, “1?continue”) in new stack
[2022-01-23 02:47:38] VERBOSE[32338][C-00020175] pbx_builtins.c: Goto (macro-user-callerid,s,49)
[2022-01-23 02:47:38] VERBOSE[32338][C-00020175] pbx.c: Executing [[email protected]:49] Set(“Local/[email protected];2”, “CALLERID(number)=”) in new stack
[2022-01-23 02:47:38] VERBOSE[32342][C-00020176] pbx.c: Executing [[email protected]:51] GotoIf(“Local/[email protected];2”, “1?cnum”) in new stack
[2022-01-23 02:47:38] VERBOSE[32338][C-00020175] pbx.c: Executing [[email protected]:50] Set(“Local/[email protected];2”, “CALLERID(name)=”) in new stack
[2022-01-23 02:47:38] VERBOSE[32342][C-00020176] pbx_builtins.c: Goto (macro-user-callerid,s,53)
[2022-01-23 02:47:38] VERBOSE[32342][C-00020176] pbx.c: Executing [[email protected]:53] Set(“Local/[email protected];2”, “CDR(cnum)=”) in new stack
[2022-01-23 02:47:38] VERBOSE[32338][C-00020175] pbx.c: Executing [[email protected]:51] GotoIf(“Local/[email protected];2”, “1?cnum”) in new stack
[2022-01-23 02:47:38] VERBOSE[32348][C-00020177] pbx.c: Executing [[email protected]:1] Macro(“Local/[email protected];2”, “user-callerid,LIMIT,EXTERNAL,”) in new stack
[2022-01-23 02:47:38] VERBOSE[32348][C-00020177] pbx.c: Executing [[email protected]:1] Set(“Local/[email protected];2”, “TOUCH_MONITOR=1642906057.223711”) in new stack
[2022-01-23 02:47:38] VERBOSE[32348][C-00020177] pbx.c: Executing [[email protected]:2] Set(“Local/[email protected];2”, “CHANCONTEXT=asterisk-outcalls-00004aa1;2”) in new stack
[2022-01-23 02:47:38] VERBOSE[32348][C-00020177] pbx.c: Executing [[email protected]:3] Set(“Local/[email protected];2”, “CHANCONTEXT=asterisk”) in new stack
[2022-01-23 02:47:38] VERBOSE[32348][C-00020177] pbx.c: Executing [[email protected]:4] Set(“Local/[email protected];2”, “[email protected];2”) in new stack
[2022-01-23 02:47:38] VERBOSE[32348][C-00020177] pbx.c: Executing [[email protected]:5] Set(“Local/[email protected];2”, “CHANEXTEN=000201112888686”) in new stack
[2022-01-23 02:47:38] VERBOSE[32348][C-00020177] pbx.c: Executing [[email protected]:6] Set(“Local/[email protected];2”, “CALLERID(number)=”) in new stack
[2022-01-23 02:47:38] VERBOSE[32348][C-00020177] pbx.c: Executing [[email protected]:7] Set(“Local/[email protected];2”, “AMPUSER=”) in new stack
[2022-01-23 02:47:38] VERBOSE[32348][C-00020177] pbx.c: Executing [[email protected]:8] Set(“Local/[email protected];2”, “[email protected];2”) in new stack
[2022-01-23 02:47:38] VERBOSE[32348][C-00020177] pbx.c: Executing [[email protected]:9] Set(“Local/[email protected];2”, “[email protected]”) in new stack
[2022-01-23 02:47:38] VERBOSE[32348][C-00020177] pbx.c: Executing [[email protected]:10] Set(“Local/[email protected];2”, “HOTDESKCALL=0”) in new stack
[2022-01-23 02:47:38] VERBOSE[32348][C-00020177] pbx.c: Executing [[email protected]:11] ExecIf(“Local/[email protected];2”, “0?Set(HOTDESKCALL=1)”) in new stack
[2022-01-23 02:47:38] VERBOSE[32348][C-00020177] pbx.c: Executing [[email protected]:12] ExecIf(“Local/[email protected];2”, “0?Set(CALLERID(name)=)”) in new stack
[2022-01-23 02:47:38] VERBOSE[32348][C-00020177] pbx.c: Executing [[email protected]:13] GotoIf(“Local/[email protected];2”, “0?report”) in new stack
[2022-01-23 02:47:38] VERBOSE[32348][C-00020177] pbx.c: Executing [[email protected]:14] ExecIf(“Local/000201[email protected];2”, “1?Set(REALCALLERIDNUM=)”) in new stack
[2022-01-23 02:47:38] VERBOSE[32348][C-00020177] pbx.c: Executing [[email protected]:15] Set(“Local/[email protected];2”, “AMPUSER=”) in new stack
[2022-01-23 02:47:38] VERBOSE[32348][C-00020177] pbx.c: Executing [[email protected]:16] GotoIf(“Local/[email protected];2”, “0?limit”) in new stack
[2022-01-23 02:47:38] VERBOSE[32348][C-00020177] pbx.c: Executing [[email protected]:17] Set(“Local/[email protected];2”, “AMPUSERCIDNAME=”) in new stack
[2022-01-23 02:47:38] VERBOSE[32348][C-00020177] pbx.c: Executing [[email protected]:18] ExecIf(“Local/[email protected];2”, “0?Set(__CIDMASQUERADING=TRUE)”) in new stack
[2022-01-23 02:47:38] VERBOSE[32348][C-00020177] pbx.c: Executing [[email protected]:19] GotoIf(“Local/[email protected];2”, “1?report”) in new stack
[2022-01-23 02:47:38] VERBOSE[32348][C-00020177] pbx_builtins.c: Goto (macro-user-callerid,s,28)
[2022-01-23 02:47:38] VERBOSE[32348][C-00020177] pbx.c: Executing [[email protected]:28] NoOp(“Local/[email protected];2”, “Macro Depth is 1”) in new stack
[2022-01-23 02:47:38] VERBOSE[32348][C-00020177] pbx.c: Executing [[email protected]:29] GotoIf(“Local/[email protected];2”, “1?report2:macroerror”) in new stack
[2022-01-23 02:47:38] VERBOSE[32348][C-00020177] pbx_builtins.c: Goto (macro-user-callerid,s,30)
[2022-01-23 02:47:38] VERBOSE[32348][C-00020177] pbx.c: Executing [[email protected]:30] GotoIf(“Local/[email protected];2”, “1?continue”) in new stack
[2022-01-23 02:47:38] VERBOSE[32348][C-00020177] pbx_builtins.c: Goto (macro-user-callerid,s,49)
[2022-01-23 02:47:38] VERBOSE[32348][C-00020177] pbx.c: Executing [[email protected]:49] Set(“Local/[email protected];2”, “CALLERID(number)=”) in new stack
[2022-01-23 02:47:38] VERBOSE[32348][C-00020177] pbx.c: Executing [[email protected]:50] Set(“Local/[email protected];2”, “CALLERID(name)=”) in new stack
[2022-01-23 02:47:38] VERBOSE[32348][C-00020177] pbx.c: Executing [[email protected]:51] GotoIf(“Local/[email protected];2”, “1?cnum”) in new stack
[2022-01-23 02:47:38] VERBOSE[32348][C-00020177] pbx_builtins.c: Goto (macro-user-callerid,s,53)
[2022-01-23 02:47:38] VERBOSE[32348][C-00020177] pbx.c: Executing [[email protected]:53] Set(“Local/[email protected];2”, “CDR(cnum)=”) in new stack
[2022-01-23 02:47:38] VERBOSE[32349] asterisk.c: Remote UNIX connection disconnected
[2022-01-23 02:47:38] VERBOSE[32346] dial.c: Called [email protected]
[2022-01-23 02:47:38] VERBOSE[32338][C-00020175] pbx_builtins.c: Goto (macro-user-callerid,s,53)
[2022-01-23 02:47:38] VERBOSE[32338][C-00020175] pbx.c: Executing [[email protected]:53] Set(“Local/[email protected];2”, “CDR(cnum)=”) in new stack
[2022-01-23 02:47:38] VERBOSE[32329][C-00020173] pbx.c: Executing [[email protected]:54] Set(“Local/[email protected];2”, “CHANNEL(language)=en”) in new stack
[2022-01-23 02:47:38] VERBOSE[32329][C-00020173] pbx.c: Executing [[email protected]:2] Set(“Local/[email protected];2”, “MOHCLASS=default”) in new stack
[2022-01-23 02:47:38] VERBOSE[32329][C-00020173] pbx.c: Executing [[email protected]:3] Set(“Local/[email protected];2”, “LANGUAGE()=en”) in new stack
[2022-01-23 02:47:38] ERROR[32329][C-00020173] pbx_functions.c: Function LANGUAGE not registered
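
To put numbers on what the CDR export and full log above show, here is an added triage script (not the poster's script and not FreePBX code). It parses a CDR export with the header shown, flags rows that carry the four indicators visible in the posted rows (a Local/ channel, Wait as the last application, no originating extension, and a caller ID that simply mirrors the dialled number), totals billed seconds per destination prefix, measures the peak call rate, and counts the asterisk.c "Remote UNIX connection" lines in a full-log excerpt, which Asterisk writes when a client attaches to its control socket (asterisk -r / -rx). The sample rows and log lines are constructed; the Local channel names and the asterisk-outcalls-XXXX context suffix are assumptions modelled on the posted log, not the poster's data.

```python
"""CDR and full-log triage for the toll-fraud pattern in the post above.
Added example, not the poster's script or FreePBX code.  Sample rows and log
lines are constructed; channel names and the asterisk-outcalls-XXXX suffix are
assumptions modelled on the posted log."""
import csv
import io
from collections import Counter
from datetime import datetime, timedelta

CDR_HEADER = (
    "calldate,clid,src,dst,dcontext,channel,dstchannel,lastapp,lastdata,"
    "duration,billsec,disposition,amaflags,accountcode,uniqueid,userfield,"
    "did,cnum,cnam,outbound_cnum,outbound_cnam,dst_cnam,recordingfile,"
    "linkedid,peeraccount,sequence"
)
COLUMNS = CDR_HEADER.split(",")

def make_row(**fields):
    """Serialise one CDR row with all 26 columns (constructed sample data)."""
    values = {c: "" for c in COLUMNS}
    values.update(fields)
    buf = io.StringIO()
    csv.writer(buf, lineterminator="\n").writerow([values[c] for c in COLUMNS])
    return buf.getvalue().rstrip("\n")

def fraud_row(calldate, dst, billsec, uid):
    """Shape of the posted rows: Local/ leg, Wait, no extension, clid mirrors dst."""
    return make_row(calldate=calldate, clid='"" <%s>' % dst, src=dst, dst=dst,
                    dcontext="asterisk-outcalls", lastapp="Wait", lastdata="1900",
                    channel="Local/%s@asterisk-outcalls-00004b1e;1" % dst,
                    duration=str(billsec + 2), billsec=str(billsec),
                    disposition="ANSWERED", amaflags="3", uniqueid=uid,
                    linkedid=uid, sequence="1")

SAMPLE_CDR = "\n".join([
    CDR_HEADER,
    fraud_row("2022-01-23 02:58:42", "00261326783406", 27, "1642906722.226079"),
    fraud_row("2022-01-23 02:58:39", "00261326783407", 27, "1642906719.226074"),
    fraud_row("2022-01-23 02:55:07", "994501632632", 5, "1642906507.225813"),
    # an ordinary outbound call from extension 201 through a trunk (constructed)
    make_row(calldate="2022-01-23 09:12:03", clid='"Alice" <201>', src="201",
             dst="0441632960999", dcontext="from-internal", cnum="201",
             channel="PJSIP/201-00001234", dstchannel="PJSIP/trunk1-00001235",
             lastapp="Dial", lastdata="PJSIP/0441632960999@trunk1,300,Tt",
             duration="125", billsec="120", disposition="ANSWERED", amaflags="3",
             uniqueid="1642928723.1", linkedid="1642928723.1", sequence="2"),
])

# Constructed full-log excerpt in the format posted above.
SAMPLE_LOG = """\
[2022-01-23 02:47:37] VERBOSE[2959] asterisk.c: Remote UNIX connection
[2022-01-23 02:47:37] VERBOSE[32330] asterisk.c: Remote UNIX connection disconnected
[2022-01-23 02:47:37] VERBOSE[2959] asterisk.c: Remote UNIX connection
[2022-01-23 02:47:38] VERBOSE[2959] asterisk.c: Remote UNIX connection
[2022-01-23 02:47:38] VERBOSE[32329][C-00020173] pbx_builtins.c: Goto (macro-user-callerid,s,28)
"""

def parse_cdr(text):
    return list(csv.DictReader(io.StringIO(text)))

def is_fraud_pattern(row):
    """All four indicators seen in the posted CDR must be present."""
    return (row["channel"].startswith("Local/") and row["lastapp"] == "Wait"
            and row["cnum"] == "" and row["src"] == row["dst"])

def dest_prefix(number):
    """Crude grouping: drop a leading + or 00, keep the first three digits."""
    digits = number.lstrip("+")
    return (digits[2:] if digits.startswith("00") else digits)[:3]

def peak_per_minute(rows):
    """Largest number of calls whose calldate falls inside any 60-second window."""
    times = sorted(datetime.strptime(r["calldate"], "%Y-%m-%d %H:%M:%S") for r in rows)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > timedelta(seconds=60):
            start += 1
        best = max(best, end - start + 1)
    return best

def summarize(rows):
    hits = [r for r in rows if is_fraud_pattern(r)]
    return {"total": len(rows), "suspicious": len(hits),
            "billsec": sum(int(r["billsec"] or 0) for r in hits),
            "by_prefix": Counter(dest_prefix(r["dst"]) for r in hits),
            "peak_per_minute": peak_per_minute(hits)}

def remote_console_connects(log_text):
    """Count asterisk.c 'Remote UNIX connection' lines per second.  Asterisk logs
    this when a client attaches to its control socket (asterisk -r / -rx); a burst
    with nobody at the console means a local process is driving the CLI."""
    per_second = Counter()
    for line in log_text.splitlines():
        if line.rstrip().endswith("asterisk.c: Remote UNIX connection"):
            per_second[line[1:20]] += 1     # the bracketed timestamp
    return per_second

if __name__ == "__main__":
    s = summarize(parse_cdr(SAMPLE_CDR))
    print("%d of %d calls match, %d billed seconds, peak %d/min, prefixes %s"
          % (s["suspicious"], s["total"], s["billsec"], s["peak_per_minute"], dict(s["by_prefix"])))
    print("console connects per second:", dict(remote_console_connects(SAMPLE_LOG)))
```

Feed it the real export by replacing SAMPLE_CDR with the file contents (the CDR module's CSV export uses the same header); any row it flags is a call nobody at an extension placed, and the per-second connect count tells you how fast the script on the box was hammering the CLI, which is the window to compare against web access and cron logs.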

possibly a variation of

Do you have port tcp/5038 open to the world?

Given the timing of your issue, it seems likely to be related to K.php, a RestApps malicious script

Look for evidence listed in that thread. In other compromised systems discussed on the forum, the attackers did not modify dialplan, but yours may have gotten some extra special treatment by the attackers.

tcp/5038 is closed

Thanks @billsimon. Although I had RestApps disabled almost a year ago, I have spotted the same line from the thread you posted on my system.

Sorry to hear it. To get your system working again you may be able to remove all the files listed in that thread, use fwconsole ma refreshsignatures to fix any tampered modules, fwconsole validate to check for other tampered files that don’t get fixed with the sig update, and remove any junk dialplan from /etc/asterisk/extensions_custom.conf. Don’t forget also to use fwconsole ma upgradeall to get your modules current.

Close off your system to the public internet if possible and block the IP network listed in that thread.

Then catch your breath and go through a rebuild as soon as possible.
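
For the "remove any junk dialplan from /etc/asterisk/extensions_custom.conf" step, here is an added audit script (not fwconsole and not FreePBX code) that parses the contexts in an Asterisk dialplan file and reports the ones worth reading by hand: any context whose name is not a *-custom hook (the assumption being that on a stock FreePBX box that file holds only such hooks, while generated dialplan lives in extensions_additional.conf), any line that executes commands through System(), TrySystem(), Originate() or the SHELL() function, and any Dial() sitting outside a hook context. The sample file is constructed; its context names and the script path in it are illustrative, not indicators from this incident.

```python
"""Audit an Asterisk dialplan file for junk contexts.
Added example for the cleanup step above, not fwconsole or FreePBX code.
Assumption: on a stock FreePBX box extensions_custom.conf holds only *-custom
hook contexts.  SAMPLE_CONF is constructed; its names and paths are illustrative."""
import re
import sys

CONTEXT_RE = re.compile(r"^\[([^\]]+)\]")
HOOK_SUFFIX = "-custom"
COMMAND_APPS = {"system", "trysystem", "originate"}

SAMPLE_CONF = """\
[from-internal-custom]
exten => 1234,1,NoOp(site test)
 same => n,Hangup()

[asterisk-outcalls]          ; not a name FreePBX generates
exten => _X.,1,Macro(user-callerid,LIMIT,EXTERNAL,)
 same => n,Set(CALLERID(number)=${EXTEN})
 same => n,Dial(SIP/trunk1/${EXTEN},300)
 same => n,Hangup()

[ext-did-custom]
exten => s,1,System(/bin/sh /tmp/.x.sh)
 same => n,Hangup()
"""

def parse_contexts(text):
    """Map context name -> list of (application, full body) for exten/same lines.
    Text after ';' is treated as a comment; a ';' inside a value is rare here."""
    contexts, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        m = CONTEXT_RE.match(line)
        if m:
            current = m.group(1)
            contexts.setdefault(current, [])
            continue
        key, sep, rest = line.partition("=>")
        key = key.strip().lower()
        if current is None or not sep or key not in ("exten", "same"):
            continue
        # exten => pattern,priority,App(args)   /   same => priority,App(args)
        parts = rest.split(",", 2 if key == "exten" else 1)
        if len(parts) < (3 if key == "exten" else 2):
            continue
        body = parts[-1].strip()
        contexts[current].append((body.split("(", 1)[0].strip(), body))
    return contexts

def audit(contexts):
    """Return (context, reason) findings in file order."""
    findings = []
    for name, lines in contexts.items():
        is_hook = name.endswith(HOOK_SUFFIX)
        if not is_hook:
            findings.append((name, "context is not a *%s hook" % HOOK_SUFFIX))
        for app, body in lines:
            if app.lower() in COMMAND_APPS or "SHELL(" in body.upper():
                findings.append((name, "executes commands: " + body))
            elif app.lower() == "dial" and not is_hook:
                findings.append((name, "dials out from an unexpected context: " + body))
    return findings

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    for ctx, reason in audit(parse_contexts(text)):
        print("[%s] %s" % (ctx, reason))
```

Run it as `python3 audit.py /etc/asterisk/extensions_custom.conf` and also against extensions_override_freepbx.conf, which FreePBX reads after the generated dialplan and which is just as handy for an attacker. It complements rather than replaces `fwconsole validate`: signature checks cover module files, not the dialplan you are allowed to edit.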
