We started having the same problem with A2Billing v2.0.1 around the same time, in late August.
We have since upgraded to v 2.2.0, and this has ostensibly fixed the issue, although the attacker still had all our old accounts. We've been changing those accounts as we see them since the upgrade, and the problem has been getting better.
This suggests that there was a serious security flaw in v2.0.1 that has been fixed in later releases. Hope that helps!
I don't really think that you have solved any issue by this update... even, the must recent version is 2.1.1, not 2.2, I couldn’t find in the repo such as version 2.2.0, where the must recent release not have any relation with any security implementation...
What I think is simple, the hackers just let you to grow up again, and they will come back to you in some months later, believe me!!!!
My current solution to the situation is:
1) Block access to the admin folder absolutely by a specific very hard and restrictive .htaccess, even, by restricting access by IP, and drop all others.
2) Per sure, we are talking about having the web servers in different host then the master asterisk host, so no web server is running together with the asterisk hosts!!!!
3) I have detected, after documentation investigation, that the nat field, in cc_sip_buddies, it's critical dangerous to be exposed in realtime. I have to be set in the general section of the sip file, and not exposed in the DB. So, I have removed that field from the DB, and edited all over the hard coded requirements in the files, referring the the nat field, even, it's useless to be set in realtime, and used by files.
4) we have hard-coded 128bits sip password, and set option to be re-updated periodically by used in the customer portal.
I don't know if this is enough for now... because each attack is different, and each couple of years we have some sort of attack, or scam, and we take some steps and modification, so this is a large experience, and each changes are fine to be shared, and taken in consideration, but keep in mind that the current hacker are very professional and known hacker, so he will still working, so you never should go to sleep!!!!!