Has anyone seen their dialpans magically change in the last couple of days/weeks? On a few of my servers I've seen my dialplans rewritten with the 6666 user from IP address 188.161.18.171.
At first I thought these edits were from a manger who was playing with the dial plans, but then I started seeing edits from this IP on other servers with other organizations. Uh oh.
IP address is sourced from Palestine.
Each server has different unique, randomly generated passwords. All my systems haven't been hit yet, and all they're doing is rewriting dialplans to something like:
- Code: Select all
exten => _9.,1,AGI(agi://127.0.0.1:4577/call_log)
exten => _9.,2,Dial(${TELNYX}/${EXTEN:1},,To)
exten => _9.,3,Dial(${TELNYX2}/${EXTEN:1},,To)
exten => _9.,4,Hangup
exten => _8.,1,AGI(agi://127.0.0.1:4577/call_log)
exten => _8.,2,Dial(${TELNYX}/${EXTEN:2},,To)
exten => _8.,3,Dial(${TELNYX2}/${EXTEN:2},,To)
exten => _8.,4,Hangup
exten => _7.,1,AGI(agi://127.0.0.1:4577/call_log)
exten => _7.,2,Dial(${TELNYX}/1${EXTEN:1},,To)
exten => _7.,3,Dial(${TELNYX2}/1${EXTEN:1},,To)
exten => _7.,4,Hangup
exten => _5.,1,AGI(agi://127.0.0.1:4577/call_log)
exten => _5.,2,Dial(${TELNYX}/1${EXTEN},,To)
exten => _5.,3,Dial(${TELNYX2}/1${EXTEN},,To)
exten => _5.,4,Hangup
When all that was there before was a 10 digit match with a 9 prefix. But, obviously, if more people than me are seeing this, then we have a problem.