It installs again and again in extensions_custom.conf and fills the system with outgoing calls that don’t get out but clog the system and the connection. I juggle between IP addresses to stop it and let the system work, but I can’t get rid of it. Any suggestion on how to clean the system, or do I have no option but to reinstall it?
Also, the Intrusion Detection of the Sys Admin module is no longer active, while fail2ban seems to be working… Can I revive that function?
You need to search for the script that inserts this context. Try to run this command in your Linux console:
fgrep -R thankuohoh /etc
I have a feeling that you are using Elastix and it is supposed to be in the /etc/asterisk_extensions_custom.conf file. Make sure to delete this file and the references to this file in the asterisk directory (more details here). If you are also using A2Billing in this version of Elastix, please make sure that you read this link.
Basically, it means that you have to search for the file that gives admin permissions to the Elastix portal. The file’s name is A2B_php_stats.php. Make sure to delete this file and to correct the admin/Public/A2B_entity_restore.php file.
As I stated in my post I DO NOT use Elastix nor do I have a2billing installed. It is a FreePBX distro.
I’m quite aware of the holes existing in Elastix and seldom use it for totally locked systems from the outside world.
Since it is a small business, I installed VtigerCRM a few weeks ago on the same machine, with Asterisk Integration. Could that be where the vulnerability comes from?
Likely you are using an unpatched “asterisk recordings interface”. This was one of the reasons we do module signing now. Note you likely have a system call in some random file that calls every time you load up a page. The safest move is to reinstall. If you install FreePBX 12+ it has module signing that will raise a flag if any files are tampered with.
You should have run my command fgrep -R thankuohoh /etc/ or fgrep -R thankuohoh /var/www/ to see where the file that is inserting this context is.
I am quite sure that you have a php file that is injecting this context and you have to find it and delete it.
Close the web ports to the world until you will figure this out or reinstall your system.
It is fgrep, not grep. There is a file that is running every night. I would also check the cron library to verify that there is not a new daily cron that is running it.
Well @jfinstrom ??? Was I wrong? The hacker uploaded a PHP file that gained him admin permissions through Vtiger and then inserted this context into Asterisk’s dialplan.
@adorah1, do you still have these file names? Did you check their content?
I just deleted them. I should have kept them for reference, sorry.
One was installed in /var/www/html/admin
the other was installed in the recording section…
OK, I checked the Vtiger folder and found one more PHP file of the same name… I just don’t know how to upload such a file that is now in a .txt file… or it may do some harm…
The file name (the same in the respective folders) is ELMAYET_ELMAYET.php
For some reason I can’t upload the .tgz file…uploading stuck…
I also found several Base64 files in the VtigerCRM folder and moved them away (keeping them this time).
Once the entries in extensions_custom.conf are removed, be sure to check for and remove the config.php file located in /var/www/html/admin/libraries/php-upgrade/ext.
Otherwise, the hackers will still have access to your system.
The config.php file is not part of the distro or FreePBX.
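The checks the thread walks through (the fgrep for the injected context, the dropped PHP file, the nightly cron, the Base64 files in the Vtiger folder and the rogue config.php) collected into one triage script. This is an added example, not a script from the posters or from FreePBX; it assumes the indicator names and paths given in the thread and a FreePBX web root under /var/www/html.

```shell
#!/bin/sh
# Triage helper for the FreePBX compromise discussed in this thread. Added example,
# not a script from the posters or from FreePBX. Every check takes ROOT as $1:
# "" for the live system (run as root), or the path to a copied filesystem.
CONTEXT_NAME="thankuohoh"                 # injected dialplan context named in the thread
DROPPED_PHP="ELMAYET_ELMAYET.php"         # PHP file the poster found in admin/, recordings and Vtiger
ROGUE_CONFIG="var/www/html/admin/libraries/php-upgrade/ext/config.php"  # not shipped by FreePBX

# Files under etc/ and var/www/ that mention the injected context (the thread's fgrep, in one go).
context_refs() { grep -rlF "$CONTEXT_NAME" "$1/etc" "$1/var/www" 2>/dev/null || true; }

# Copies of the dropped PHP file anywhere under the web root, plus the rogue config.php.
dropped_files() {
    find "$1/var/www" -type f -name "$DROPPED_PHP" 2>/dev/null || true
    [ -f "$1/$ROGUE_CONFIG" ] && echo "$1/$ROGUE_CONFIG"
    true
}

# Cron files that run PHP or reference the web root: candidates for the nightly re-injection.
# FreePBX's own cron jobs will show up too; review each hit rather than deleting blindly.
cron_refs() {
    grep -rlE 'php|/var/www' "$1/etc/crontab" "$1/etc/cron.d" "$1/etc/cron.daily" \
        "$1/var/spool/cron" 2>/dev/null || true
}

# PHP files under the web root using base64_decode or eval, like the "Base64 files" in Vtiger.
encoded_php() {
    find "$1/var/www" -type f -name '*.php' \
        -exec grep -lE 'base64_decode|eval\(' {} + 2>/dev/null || true
}

# Total number of hits across all checks; 0 means none of the thread's indicators are present.
count_findings() {
    total=0
    for check in context_refs dropped_files cron_refs encoded_php; do
        n=$("$check" "$1" | grep -c .) || true
        total=$((total + n))
    done
    echo "$total"
}

# Readable report: which check fired and what it found.
triage() {
    for check in context_refs dropped_files cron_refs encoded_php; do
        out=$("$check" "$1")
        [ -n "$out" ] && printf '== %s ==\n%s\n' "$check" "$out"
    done
    true
}
```

Source the file and run `triage` on the live box, or `triage /mnt/copy` against a mounted copy of the disk. Keep whatever it finds for reference instead of deleting it straight away, as the poster regretted doing.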