i think the hackers have found a new way into the system. i found this code on a system that was just recently built from the latest distro. i have not yet figured out how they got in.
i will open a support ticket but i am not sure what you are suggesting in your comment “this may be in a backup”
i found the code on a number of systems, but by no means all of them. some had yesterday’s date on them, some had 9/16, others had 7/16. all very strange.
What is your install workflow, new install -> restore a backup?
You said this was a fresh install. Other wise if it was exposed for a period then a backdoor can be in any exposed page.
pretty much what we always do, set up the network, turn off clear text login for ssh,lsetup the GUI user id and password, setup the freepbx firewall, and then configure the system. this system was pretty small (less than 15 phones). once we were done configuring the system we upgraded it to that latest level. it has been online less than 2 weeks.