Critical FreePBX RCE Vulnerability (ALL Versions) CVE-2014-7235

To assist in checking machines, for those that aren’t already on FreePBX 12, I wrote a little script that will let you take advantage of FreePBX 12’s GPG based module signing infrastructure.

Whilst it isn’t used in 2.11 (or 2.10), we have been signing ALL modules that have been updated for most of this year, for every version. You’ll see that all new modules have a signed ‘module.sig’ file in them, that contains a hash of every file.

This turns out to be extremely handy for people who want an easy way to check their systems.

Here it is: http://git.freepbx.org/projects/FL/repos/freepbx-check/browse

Now before you get all cross-eyed and wonder what is going on, there’s actually only one file that you NEED. It’s this one: http://git.freepbx.org/projects/FL/repos/freepbx-check/browse/fpbxseccheck.phar - you should be able to use wget to get it from any machine connected to the internet. It doesn’t require anything extra; even taking that phar on a USB stick to a potentially hacked machine will work.

That is a phar, which is a PHP archive – kinda like a .zip, but you can run it. Everything in that Git repository is contained in that phar, and it’s completely stand-alone. It doesn’t rely on anything on the existing FreePBX machine, so it’s going to be extremely hard for a (non-rootkitted) machine to hide.

Simply download and run it:

wget http://git.freepbx.org/projects/FL/repos/freepbx-check/browse/fpbxseccheck.phar?raw -O /tmp/fpbxseccheck.phar
chmod +x /tmp/fpbxseccheck.phar
/tmp/fpbxseccheck.phar

It will try to validate any modules that ARE signed, and tell you about any that aren’t. Note that it does REQUIRE framework to be signed, so make sure you’re up to date with that before anything else.
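To show the kind of check the phar performs against a module’s signed file hashes, here is an added Python example; it is not code from the freepbx-check repository and does not reproduce FreePBX’s real module.sig layout or its PHP implementation. The manifest format, the file names and the assumption that the manifest’s GPG signature is verified first are all assumptions of the example.

```python
import hashlib
import tempfile
from pathlib import Path

# Hypothetical manifest layout (an assumption, not FreePBX's real module.sig):
# one "<sha256 hex>  <relative path>" line per file. The manifest's GPG
# signature must be verified before trusting these hashes at all.
def parse_manifest(text):
    expected = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            digest, path = line.split(None, 1)
            expected[path.strip()] = digest.lower()
    return expected

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):  # stream large files
            h.update(chunk)
    return h.hexdigest()

def check_module(module_dir, expected):
    """Report modified, missing and unlisted files relative to the manifest."""
    root = Path(module_dir)
    modified, missing, unexpected = [], [], []
    for rel, digest in expected.items():
        p = root / rel
        if not p.is_file():
            missing.append(rel)
        elif sha256_file(p) != digest:
            modified.append(rel)
    for p in root.rglob("*"):  # files the manifest never listed are suspect too
        rel = p.relative_to(root).as_posix()
        if p.is_file() and rel != "module.sig" and rel not in expected:
            unexpected.append(rel)
    return {"modified": sorted(modified), "missing": sorted(missing),
            "unexpected": sorted(unexpected)}

def demo():
    """Constructed sample: sign two files, then alter one and add an unlisted one."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "page.php").write_text("<?php echo 'original';")
        (d / "functions.inc.php").write_text("<?php function f() {}")
        lines = [f"{sha256_file(p)}  {p.name}" for p in sorted(d.iterdir())]
        (d / "module.sig").write_text("\n".join(lines))
        (d / "page.php").write_text("<?php echo 'tampered';")  # simulated tampering
        (d / "extra.php").write_text("<?php // not in the manifest")
        return check_module(d, parse_manifest((d / "module.sig").read_text()))
```

Files that appear in a module directory without being listed in the manifest are worth as much attention as files whose hash changed, since a verifier that only checks listed files would never flag them.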

It’s 100% open source, and you can build the phar yourself by cloning the repo and running build.php.

Basic Usage:

./fpbxseccheck.phar

This will tell you if any modules have invalid or modified files; you can then redownload said modules manually or run the commands below.

Automatically attempt to clean up a compromised system:

./fpbxseccheck.phar --clean

Automatically redownload any invalidly signed modules:

./fpbxseccheck.phar --redownload