Unknown Calls. Is my FreePBX hacked?

I am very concerned that my FreePBX has been hijacked. Based on the attached screenshot, there are a lot of unrecognized calls. If you look for 2 days, there are 92 pages!

Also under the column “Duration”, what is the unit of measure? Would the number ‘12’ mean minutes or seconds?

Look at your sip devices and make sure that what is registered is what you expect. You can also look at the log to see where/how these calls are originating.

I ran asterisk -rx "sip show peers" from the CLI and the extensions are indeed what I expected them to be.

Could you be more specific about where I can find the specific log and what kind of patterns I should be looking for in /var/log/asterisk?

I hope guest and anonymous are off.

Implement a firewall


It’s good to see you Dicko.
I’m sorry. Please show me how I can check if guest and anonymous are off.
The FreePBX & router’s firewall is turned on.

I should share that no calls that are SIP attacks get through to our desk or soft phones. In other words, our phones never ring. That leaves, would it be possible that someone is calling from our server? Judging from the asterisk CLI and running the show-peers, the extension that’s connected is OK and those which aren’t connected show “unknown” which is what I would expect.

Settings>Asterisk SIP Settings

Allow Anonymous Inbound SIP Calls. set to NO
Allow SIP Guests. set to YES

Tell me the bad news please!

both be set to NO?
Is this why the minutes have been burning up so quickly?

If you allow guests, you allow answer, the calls will last a few seconds each, you might or might not be charged for inbound call, but if you are, then depending on your VSP, they are likely billed in 6-second increments so if you have allow guests on, and 92 calls charged at 12/60 times inbound per minute charge, (which if above 2 cents a minute is extortionate) probably < 20 cents.

Turn off Guest calls unless you need them.

(As a further note, fail2ban will not notice maleficent calls if you have “allow guests” on. If you turn it off, then expect a reduction of such calls if you are using fail2ban.)

What would be the purpose of Allow Guest calls then in FreePBX? They don’t terminate in a real person anyways.

Aren’t those outbound calls not inbound?

Very little :) I don’t understand the rationale if that is what is done.

Definitely no one inside the company is making outgoing calls.
So all are inbound calls.

So, did you disable guest calls yet?

I understand that you don’t know of anybody internally making all those calls, but if I am reading the call event log correctly then user 113 and user a'or'3=3-- are making a lot of outbound calls.

Yup. Guest calls has been set to NO.
I will monitor the length of the list and report back.


That’s really strange. As you can see from the screenshot, I don’t have any user with 113 or 3=3? What would this mean?

That at that time you had guest calls allowed, and the guests you allowed included 113 and 3=3.

I don’t understand because, as I replied to @gerrymad, users 113 and 3=3 NEVER existed on said FreePBX server. I don’t know where these users came from. Any ideas?

Yes, they are the names that you allowed in as guests to use, which they did :)

I still don’t understand your statement “…which they did.” I didn’t allow them in!
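
An added example, not part of any post in this thread: a Python check over Asterisk CDR rows in the cdr_csv column order that flags calls whose channel does not belong to a configured peer, and caller IDs containing non-dialable characters such as the a'or'3=3-- entry discussed above. The sample rows, peer names, IP address and the `flag_cdr` helper are constructed for illustration, and the assumption is that a guest call's channel carries the remote host instead of a peer name.

```python
import csv
import io
import re

# Column order of Asterisk's cdr_csv backend; duration and billsec are in seconds.
FIELDS = ["accountcode", "src", "dst", "dcontext", "clid", "channel", "dstchannel",
          "lastapp", "lastdata", "start", "answer", "end", "duration", "billsec",
          "disposition", "amaflags", "uniqueid"]

DIALABLE = re.compile(r"^[0-9+*#]*$")  # characters a real caller ID number can contain
CHANNEL = re.compile(r"^(?:SIP|PJSIP)/(.+)-[0-9a-fA-F]+$")  # SIP/<peer>-<hex id>

def flag_cdr(csv_text, known_peers):
    """Return (src, dst, billsec, reasons) for rows that did not arrive through a
    configured peer or that carry a caller ID no phone network would produce."""
    findings = []
    for row in csv.reader(io.StringIO(csv_text)):
        if len(row) < len(FIELDS):
            continue  # skip blank or truncated lines
        rec = dict(zip(FIELDS, row))
        reasons = []
        m = CHANNEL.match(rec["channel"])
        peer = m.group(1) if m else rec["channel"]
        if peer not in known_peers:
            reasons.append("channel peer %r is not a configured extension or trunk" % peer)
        if not DIALABLE.match(rec["src"]):
            reasons.append("caller ID %r contains non-dialable characters" % rec["src"])
        if reasons:
            findings.append((rec["src"], rec["dst"], int(rec["billsec"] or 0), reasons))
    return findings

# Constructed sample rows (not taken from the server in this thread).
SAMPLE = '''"","101","918005550100","from-internal","""Front Desk"" <101>","SIP/101-0000001a","SIP/trunk1-0000001b","Dial","SIP/trunk1/18005550100","2019-03-01 10:00:00","2019-03-01 10:00:05","2019-03-01 10:01:05",65,60,"ANSWERED","DOCUMENTATION","1551434400.26"
"","113","900441234567890","from-sip-external","113","SIP/203.0.113.7-0000001c","","Hangup","","2019-03-01 10:02:00","2019-03-01 10:02:00","2019-03-01 10:02:12",12,12,"ANSWERED","DOCUMENTATION","1551434520.28"
"","a'or'3=3--","900441234567890","from-sip-external","a'or'3=3--","SIP/203.0.113.7-0000001d","","Hangup","","2019-03-01 10:02:30","2019-03-01 10:02:30","2019-03-01 10:02:42",12,12,"ANSWERED","DOCUMENTATION","1551434550.29"
'''

if __name__ == "__main__":
    # known_peers: the names listed by "sip show peers" plus trunk names (constructed here).
    for src, dst, secs, reasons in flag_cdr(SAMPLE, {"101", "102", "trunk1"}):
        print(src, "->", dst, "%ds" % secs, "; ".join(reasons))
```

To run it against a real system, pass the contents of the CDR CSV file (written only when the cdr_csv backend is enabled) and the peer names your own `sip show peers` output lists.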