We found a file called config.php in admin/libraries/php-upgrade/ext
The file is base64 encoded and not on any other installation we have done. The file allows a remote user to post commands that execute as system calls.
Sure enough… we could not find where they were getting in again and again.
We have our systems patched and updated, yet this kept occurring.
Under /var/www/html/admin/libraries/php-upgrade/ext we found the config.php file noted above.
Only the systems where this was occurring had this extra file.
The file has been deleted, so hopefully there are no other files placed in the system.
Sorry to ask, but would it be too painful to just start over with a fresh (not compromised) system and configure it like the old one? Because it sounds like you are playing a “whack-a-mole” game on your old system. You can never know how many other back doors left by the attacker you have not yet discovered.
Another piece to the puzzle.
Check for /var/www/html/admin/modules/weatherzip
It will probably show up in your module list but as not installed. It’s a front for something else.
Open http://[IP]/admin/modules/weatherzip in a browser and you get a form with a text input and a Marvels button.
The index.php is webadmin.php with the code check at the beginning. The code check compares the input to an md5 hash. I don’t know what the secret code is but I put in my own hash and logged in and found that you have access to webadmin.php.
https://gist.github.com/nic-o/1219610
I assume the code check at the beginning is to keep others out.
Yes, with webadmin.php you can upload and view files, etc., as long as the web server has the proper permissions to the selected file/folder.
Thank you Noel
Sure enough, that was there… and showing as not installed in the module list.
Now that it has been removed… hopefully this kills them for good.
I am rebuilding all servers, but it takes time to test and migrate… especially with the massive changes in v13 (from v11).
Hi, please, how was the decoding here done? Found a similar file after getting multiple calls passing through my server (using Elastix, basically FreePBX with a different GUI); got the same gibberish in the file after tracking it down (thanks for the tips). PS. Also trying to add forcing the caller’s IP into the CDRs, because it seems to be sending calls out as Local/01150932242459@thanku-outcall-00000093;2, so I would like to see if I can add some more blocked IPs to my firewall.
They did make it a pain to know what to paste, though, by putting comments with base64-like garbage in them…
Again, in the case of the code that was posted, what to paste into the base64 decoder started with “LypZUjc5REppblR” and ended with “cDlCNFgqLwo=” (the “=” is a padding character in base64; when you see them, these are the last characters of the base64-encoded string)…
I guess in an effort to confuse people further the decoded base 64 output of the code that was posted has comments which look like base 64 themselves but are, as far as I know, just garbage…
There are some parts missing compared to what was posted earlier (it is supposed to contain an HTML form), but they were quite likely removed by the forum software…
I am no PHP guru but amongst other things they are getting your database info and passwords and your ARI admin user and password…
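As an added example (not code from the thread or from FreePBX), here is a small Python triage script that does the decoding described above automatically: it pulls every base64-looking run out of a PHP file, discards the decoy comments that look like base64 but do not decode to text, and flags decoded payloads that contain command-execution functions or the `md5(` code check mentioned earlier. The PHP sample it scans is constructed for the example and its decoded body is deliberately not a working backdoor.

```python
import base64
import binascii
import re

# Constructed sample file shaped like the one in the thread: one long base64
# string wrapped in decoy comments. The decoded body uses placeholders, so it is
# an indicator of the pattern, not runnable PHP.
INNER = (b"<?php\n/* decoy */\n"
         b"$r = system(PLACEHOLDER_ARG);\n"
         b"if (md5(PLACEHOLDER_INPUT) === PLACEHOLDER_HASH) { eval(PLACEHOLDER_CODE); }\n")
SAMPLE_PHP = (
    "<?php\n"
    "/* //////////////////////// */\n"     # decoy: valid base64 chars, decodes to 0xFF bytes
    "eval(base64_decode('" + base64.b64encode(INNER).decode() + "'));\n"
    "/* 1234 */\n"                          # too short to be a payload candidate
)

B64_RUN = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")
SUSPICIOUS = ("system(", "exec(", "shell_exec(", "passthru(", "eval(",
              "base64_decode(", "$_POST", "$_GET", "$_REQUEST", "md5(")


def decode_candidates(text):
    """Return (encoded, decoded) pairs for every base64 run that decodes to UTF-8 text."""
    found = []
    for m in B64_RUN.finditer(text):
        blob = m.group(0)
        try:
            decoded = base64.b64decode(blob, validate=True).decode("utf-8")
        except (binascii.Error, ValueError, UnicodeDecodeError):
            continue  # bad padding or non-text bytes: garbage comment, not a payload
        found.append((blob, decoded))
    return found


def flag_suspicious(decoded):
    """List the suspicious PHP constructs present in a decoded payload."""
    return [k for k in SUSPICIOUS if k in decoded]


def scan_php(text):
    """Report each decodable blob that contains suspicious constructs, with the
    first 15 and last 12 encoded characters so it can be located in the file."""
    report = []
    for blob, decoded in decode_candidates(text):
        hits = flag_suspicious(decoded)
        if hits:
            report.append({"starts": blob[:15], "ends": blob[-12:], "hits": hits})
    return report


if __name__ == "__main__":
    for finding in scan_php(SAMPLE_PHP):
        print(finding)
```

Run it against a copy of a suspect file with `scan_php(open(path).read())`; a real installation's own PHP files will normally produce no findings, so anything reported deserves a look.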
What version of FreePBX are you using and is it the distro?