Just picked this up at a client where the firewall provider dropped the ball by allowing external access which should not have been in place.
By exploiting the callme page a call is made back to the attacker's exploit. This allows him full access to the Asterisk config files, exposing your SIP credentials, which are then used to register a SIP extension against the server. What's even more scary is it will expose your VoIP provider's credentials as well (if you have one) so they can register directly to your VoIP provider to make calls.
Easiest fix seems to be to delete recordings/misc/callme_page.php from your web root. FreePBX devs are saying this is fixed from 2.6 and up, but some people are claiming otherwise.
Read more here: http://www.offensive-security.com/vulndev/freepbx-exploit-phone-home/ (if the tech stuff is Greek to you, watch the video at the bottom of the page)
Discussion in FreePBX forum: http://www.freepbx.org/forum/freepb...on-with-this-alleged-security-exploit-in-fpbx
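
A log check for the page named above, as an added example that is not part of the original post: it counts requests to recordings/misc/callme_page.php per source address and HTTP status, separating external sources from internal ones. The combined access-log format, the internal address ranges and the sample log lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Path named in the post; matched anywhere in the request target.
TARGET = "recordings/misc/callme_page.php"

# Assumption: these ranges are "internal" for the site; adjust to your network.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Apache/NGINX "combined" format: client IP, timestamp, request line, status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

def find_callme_hits(lines):
    """Return (external, internal) Counters keyed by (source IP, HTTP status)."""
    external, internal = Counter(), Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m or TARGET not in m.group("target").lower():
            continue
        try:
            addr = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue  # client field is not an IP address; skip the line
        # Anything outside the internal ranges got through the firewall.
        is_internal = any(addr in net for net in INTERNAL_NETS)
        bucket = internal if is_internal else external
        bucket[(str(addr), m.group("status"))] += 1
    return external, internal

# Constructed sample lines (documentation-range and RFC 1918 addresses).
SAMPLE_LOG = [
    '203.0.113.45 - - [01/Jan/2000:03:14:07 +0000] "GET /recordings/misc/callme_page.php HTTP/1.1" 200 512 "-" "-"',
    '203.0.113.45 - - [01/Jan/2000:03:14:09 +0000] "GET /recordings/misc/callme_page.php HTTP/1.1" 200 512 "-" "-"',
    '192.168.1.20 - - [01/Jan/2000:09:00:00 +0000] "GET /recordings/misc/callme_page.php HTTP/1.1" 200 512 "-" "-"',
    '198.51.100.7 - - [01/Jan/2000:10:00:00 +0000] "GET /recordings/index.php HTTP/1.1" 200 900 "-" "-"',
    '198.51.100.7 - - [02/Jan/2000:10:00:00 +0000] "POST /recordings/misc/callme_page.php HTTP/1.1" 404 210 "-" "-"',
]

if __name__ == "__main__":
    ext, _ = find_callme_hits(SAMPLE_LOG)
    for (ip, status), count in ext.most_common():
        # A 200 from an external address means the page was served to it.
        print(f"external {ip} status={status} hits={count}")
```

An external hit with status 200 means the page was reachable and served; a 404 after the file has been deleted shows the removal took effect.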