We have been advised that the Sangoma Portal may have been compromised. Anecdotal evidence is mounting that servers running services activated through the Sangoma Portal may have been compromised resulting in very expensive phone bills. Since the outset, one of our primary objections to the Sangoma portal design was/is that it may provide Sangoma with either root level access to your server or the functional equivalent through the expanded use of asterisk user permissions. In addition to reading the thread on the FreePBX Forum about this, you also should immediately check your servers for evidence of compromise particularly if you have a business relationship with Sangoma or credentials in their portal.

PLEASE REPORT BACK IF YOU FIND A PROBLEM!! IMMEDIATELY TAKE YOUR SERVER OFF LINE!!

First, check /root/.bashrc for alias cd and alias exit lines. They should not be there!

Second, run the following commands to determine if these files exist on any of your servers. The latter one may be in /var/www.hmtl/ (not sure if this is a dual typo or not).

Code:
find / -name wbc.php
find / -name .asterisk.php

Third, check your /var/log/httpd/access_log for entries that include .asterisk.php or 18.104.22.168. There may be multiple (older) access logs! Numerous other IP addresses to check here.

Fourth, check /var/log/secure for SSH entries that appear from users or sites you don't own. Ditto on older versions of the SSH log.

Fifth, check your user list for an ssh user. sshd is OK, but not ssh.

Code:
cat /etc/passwd | cut -d ":" -f1 | grep ssh

If your server is running Travelin' Man 3 and your IPtables firewall is not disabled and you have not whitelisted the Sangoma Portal, your server still may have been compromised since the .asterisk.php script uses Asterisk to place outbound calls on your nickel. However, we believe the whitelist would have prevented access by the bad guys to both SSH and your web GUI.
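The five checks above, gathered into one script that can be pointed at a live system (`/`) or at a mounted copy of its disk. This is an added example, not part of the original post: `ioc_scan`, `make_sample_root` and the sample data are constructed for illustration. It matches the user name `ssh` exactly, so `sshd` is not reported.

```sh
#!/bin/sh
# Added example: the five checks from the post, run under a chosen root.
# ioc_scan and make_sample_root are names made up for this sketch.
ioc_scan() {
    root="${1%/}"   # "/" becomes "", so the paths below resolve on the live system
    # 1. alias cd / alias exit lines in root's .bashrc
    grep -HnE '^[[:space:]]*alias[[:space:]]+(cd|exit)=' "$root/root/.bashrc" 2>/dev/null |
        sed 's/^/bashrc-alias: /'
    # 2. the two file names given in the post, anywhere under the root
    find "$root/" \( -name wbc.php -o -name .asterisk.php \) 2>/dev/null |
        sed 's/^/dropped-file: /'
    # 3. current and rotated access logs (uncompressed ones only)
    for f in "$root"/var/log/httpd/access_log*; do
        [ -f "$f" ] || continue
        grep -HnF -e '.asterisk.php' -e '18.104.22.168' "$f" | sed 's/^/access-log: /'
    done
    # 4. every user/source pair that logged in over SSH, for manual review
    cat "$root"/var/log/secure* 2>/dev/null |
        awk '/sshd\[[0-9]+\]: Accepted/ {
                 for (i = 1; i < NF; i++)
                     if ($i == "for") print "ssh-login: " $(i+1) " from " $(i+3)
             }' | sort -u
    # 5. an account named exactly "ssh" (sshd is the normal service account)
    cut -d: -f1 "$root/etc/passwd" 2>/dev/null | grep -x ssh | sed 's/^/rogue-user: /'
}

# Builds a constructed sample tree (all values invented) and prints its path.
make_sample_root() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/root" "$d/etc" "$d/var/log/httpd" "$d/var/www/html"
    printf 'alias ll="ls -l"\nalias cd="placeholder"\n' > "$d/root/.bashrc"
    : > "$d/var/www/html/.asterisk.php"
    printf '203.0.113.9 - - [01/Jan/2015:00:00:00 +0000] "GET /.asterisk.php HTTP/1.1" 200 5\n' \
        > "$d/var/log/httpd/access_log.1"
    printf 'Jan  1 00:00:01 pbx sshd[99]: Accepted password for ssh from 203.0.113.9 port 4242 ssh2\n' \
        > "$d/var/log/secure"
    printf 'root:x:0:0::/root:/bin/bash\nsshd:x:74:74::/var/empty/sshd:/sbin/nologin\nssh:x:0:0::/:/bin/bash\n' \
        > "$d/etc/passwd"
    echo "$d"
}

# Usage: sh scan.sh /      (or the mount point of a disk image)
if [ "$#" -gt 0 ]; then ioc_scan "$1"; fi
```

Every output line is prefixed with the check that produced it; a clean root prints nothing, and the `ssh-login` lines still need to be compared by hand against the users and sites you own.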