Thanku-outcall is back

i think the hackers have found a new way into the system. i found this code on a system that was just recently built from the latest distro. i have not yet figured out how they got in.

[thanku-outcall]; thankuohoh
exten => _.,1,Macro(user-callerid,LIMIT,EXTERNAL,); thankuohoh
exten => _.,n,Set(MOHCLASS=${IF($["${MOHCLASS}"=""]?default:${MOHCLASS})}); thankuohoh
exten => _.,n,Set(_NODEST=); thankuohoh
exten => _.,n,NoCDR(); thankuohoh
exten => _.,n,Macro(dialout-trunk,1,${EXTEN},on); thankuohoh
exten => _.,n,Macro(dialout-trunk,3,${EXTEN},on); thankuohoh
exten => _.,n,Macro(outisbusy,); thankuohoh

Feel free to go to support. This may be in a backup.

i will open a support ticket but i am not sure what you are suggesting in your comment “this may be in a backup”

i found the code on a number of systems, but by no means all of them. some had yesterday’s date on them, some had 9/16, others had 7/16. all very strange.

What is your install workflow, new install -> restore a backup?
You said this was a fresh install. Otherwise if it was exposed for a period then a backdoor can be in any exposed page.

yes it was a fresh install from the latest distro - that is what bothered me.

what did you do after the install?

pretty much what we always do, set up the network, turn off clear text login for ssh, set up the GUI user id and password, set up the freepbx firewall, and then configure the system. this system was pretty small (less than 15 phones). once we were done configuring the system we upgraded it to the latest level. it has been online less than 2 weeks.

OK but we had a security issue with Hotel Wakeup call that was patched last week. Was this system updated for that exploit?

it was but probably not for several hours after you guys released the update. we do try to stay on top of these updates.
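
An audit check for the dialplan snippet quoted at the top of this thread, added here as an example and not taken from any poster or from FreePBX itself. The function names and the three heuristics (the "thanku" marker, a catch-all `_.` pattern that reaches `dialout-trunk`, and `NoCDR()` alongside a trunk dial) are assumptions drawn only from that snippet, so a hit means "review this context", not proof of compromise.

```python
import re

# Constructed sample: one ordinary context plus lines from the snippet in the thread.
SAMPLE = """\
[from-internal-custom]
exten => 100,1,Dial(SIP/100)

[thanku-outcall]; thankuohoh
exten => _.,1,Macro(user-callerid,LIMIT,EXTERNAL,); thankuohoh
exten => _.,n,NoCDR(); thankuohoh
exten => _.,n,Macro(dialout-trunk,1,${EXTEN},on); thankuohoh
"""

CONTEXT_RE = re.compile(r"^\s*\[([^\]]+)\]")

def split_contexts(text):
    """Return {context_name: [lines]} for the text of an Asterisk dialplan file."""
    contexts, current = {}, None
    for line in text.splitlines():
        m = CONTEXT_RE.match(line)
        if m:
            current = m.group(1)
            contexts.setdefault(current, []).append(line)
        elif current is not None and line.strip():
            contexts[current].append(line)
    return contexts

def audit_dialplan(text):
    """Return {context_name: [reasons]} for contexts sharing traits with the snippet."""
    findings = {}
    for name, lines in split_contexts(text).items():
        body = "\n".join(lines)
        reasons = []
        if "thanku" in body.lower():
            reasons.append("marker string 'thanku' present")
        catch_all = re.search(r"exten\s*=>\s*_\.\s*,", body)
        trunk = re.search(r"Macro\(dialout-trunk,", body)
        if catch_all and trunk:
            reasons.append("catch-all '_.' pattern dials out through a trunk")
        if trunk and re.search(r"\bNoCDR\(\)", body):
            reasons.append("NoCDR() suppresses call records for outbound calls")
        if reasons:
            findings[name] = reasons
    return findings

if __name__ == "__main__":
    for ctx, reasons in audit_dialplan(SAMPLE).items():
        print(ctx, "->", "; ".join(reasons))
```

To use it on a live system, pass the contents of each dialplan file to `audit_dialplan()` and compare any flagged context against a known-good copy and the file's modification date.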