Yesterday I performed updates on my FreePBX system as I always do once in a while. The issue with these updates is that after performing the updates the firewall (shorewall) is stopped.
Usually not a big problem, because the monitoring will notice this, so I can start the firewall. But yesterday I forgot to enable the firewall. So the machine was running without a firewall for:
[04-10-2018 09:50:18] SERVICE ALERT: iptables-rules;CRITICAL;HARD;3
[05-10-2018 23:10:18] SERVICE ALERT: iptables-rules;OK;HARD;3;OK
This was enough time to register on the voicemail extension and start making international calls. The international calls were automatically blocked by the SIP provider because they do that on more than x calls. So the damage is somehow limited.
But now comes the hard part. The voicemail extension is a pjsip extension, it is protected by a password of 32 characters so I don't think they guessed the password.
How did they get the password of this extension, and why did they use this extension and not another one?
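The alert lines above come from a monitoring check named "iptables-rules" that went CRITICAL while the firewall was down. Here is an added example of such a check, not code from the thread or from FreePBX/shorewall: it parses an `iptables -S` dump (so it can be run against a captured dump as well as the live ruleset with `--live`) and goes CRITICAL when fewer than a threshold number of rules are loaded or the INPUT policy is ACCEPT. The threshold, the sample dumps and the policy assumption are mine.

```shell
#!/bin/sh
# Nagios-style "iptables-rules" check (added example; assumptions: GNU/BSD awk,
# `iptables -S` output format, exit codes 0=OK 2=CRITICAL as in Nagios).

# count_rules: number of "-A" (append) rule lines in an `iptables -S` dump on stdin.
count_rules() {
    awk '/^-A /{n++} END{print n+0}'
}

# input_policy: built-in policy of the INPUT chain ("-P INPUT <target>") from stdin.
input_policy() {
    awk '$1=="-P" && $2=="INPUT" {print $3}'
}

# check_iptables_rules DUMP [MIN_RULES]
# Prints a Nagios status line and returns 0 (OK) or 2 (CRITICAL).
# CRITICAL if fewer than MIN_RULES rules are loaded (default 10, an assumed
# value; a shorewall-managed host normally has far more) or INPUT is ACCEPT.
check_iptables_rules() {
    dump="$1"
    min="${2:-10}"
    n=$(printf '%s\n' "$dump" | count_rules)
    pol=$(printf '%s\n' "$dump" | input_policy)
    if [ "$n" -lt "$min" ] || [ "$pol" = "ACCEPT" ]; then
        echo "CRITICAL - $n rules loaded, INPUT policy ${pol:-unknown}"
        return 2
    fi
    echo "OK - $n rules loaded, INPUT policy $pol"
    return 0
}

# Stand-alone use against the live ruleset (needs root): sh check.sh --live
if [ "${1:-}" = "--live" ]; then
    check_iptables_rules "$(iptables -S 2>/dev/null)"
    exit $?
fi
```

Wire the script into your monitoring as an active check; a stopped or cleared firewall then shows up as CRITICAL instead of being discovered by the phone bill.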
I think you need to clarify this because you are using terms that can be taken in multiple contexts.
First, there is no such thing as a 'Voicemail extension'. You have a dialable extension (aka 100) that will ring device(s) and based on the response can be sent to a voicemail mailbox.
Second, the Voicemail App allows users to make outbound calls from the Voicemail system. So how the call was actually made will make a big difference in how we tell you to take the next steps.
So did this breach make calls as the extension themselves? You said they registered, which means they had a device that authenticated to your system?
And why on earth are you disabling your firewall to run system updates?! There is absolutely no need for that.
The system is running FreePBX 13.0.195.13 and I found an extra config.php which has base64 coding.
/admin/views/config.php
This file is not there on a fresh installation, and it looks to be something to download config files containing passwords. After this they registered on extension 200 which is directed to voicemail but it's a normal extension.
This extension was making the expensive international calls
We can look to see if it is anything new. There are many security researchers who keep an eye on our project and they are very good about responsible disclosure so most things are fixed weeks before any PoC etc hits the wild.
Freepbx.php is a hacked file. There is no file like that in freepbx. Last modified April 17th. Your system has been hacked since at least April 17th. You probably have other files sitting in other directories.
Edit. Actually freepbx.php is from freepbx 2.10 or so. It doesn't exist in 13
Edit2. Looks like version 12.0 and lower, before the GUI redesign
I'm willing to wager that your system is pretty old. Probably 2.10 or earlier that you've upgraded. Most likely when a security issue came out in the past you didn't immediately upgrade and got hacked long ago. The hacks are often automated. Therefore you are now feeling the effects of this hack that was never cleaned up.
@tm1000 edited his post and stated that freepbx.php is an old file that is no longer being used. So if your system has that file it means you've been updating it for a long time.
I guarantee you that freepbx.php is not part of FreePBX 14 in framework, in the location we are TALKING about here '/var/www/html/admin/views'
This is not even related to this thread. 'freepbx.php' doesn't exist in the location mentioned in this thread (/var/www/html/admin/views). Just because you went and located another file called freepbx.php (in User Manager, a completely separate module). Does not mean that it's the same file (It's not!)
No please don't spread false information around.
/var/www/html/admin/views/freepbx.php exists
This particular FreePBX is:
# cat /etc/redhat-release
SHMZ release 6.6 (Final)
# cat /etc/schmooze/pbx-version
10.13.66-22
Another FreePBX Server
# ll /var/www/html/admin/views/freepbx.php
-rw-rw-r-- 1 asterisk asterisk 2117 Mar 27 2018 /var/www/html/admin/views/freepbx.php
# cat /etc/redhat-release
SHMZ release 6.6 (Final)
# cat /etc/schmooze/pbx-version
10.13.66-22
And you are saying freepbx.php should NOT exist in /var/www/html/admin/views/
None of the above FreePBX servers were installed < 10.13.
It does not exist in a freshly installed 14 system. I just installed a 14 system last week. The file we are discussing '/var/www/html/admin/views/freepbx.php' does not exist.
Also it really doesn't matter if it does.
No I never said this. Please fully re-read this thread. Including my edits and Tom's replies to you.
The file is really irrelevant at this point if you read this thread in its entirety
I am not arguing, but when I saw you mentioned 'hacked' I wanted to see where that file is.
Ok, so you are talking about 14 and the two examples I wrote about are 13.
On a 14 installation freepbx.php does NOT exist in /admin/views as you've clearly stated.
Considering you have stated freepbx.php doesn't exist in /var/www/html/admin/views then there is a problem.
Below is the content of /var/www/html/admin/views/freepbx.php
# cat freepbx.php
<?php
/** Main FreePBX view - sets up the base HTML page, and FreePBX header
*/
// BRANDABLE COMPONENTS
//
// get version info to be used to version images, css, etc.
//
?>
<?php
if (isset($amp_conf['DEVEL']) && $amp_conf['DEVEL']) {
$benchmark_time = number_format(microtime_float() - $benchmark_starttime, 4);
echo '
Page loaded in ' . $benchmark_time . 's
';
}
// Production versions should include the packed consolidated javascript library but if it
// is not present (useful for development, then include each individual library below
if ($amp_conf['USE_PACKAGED_JS'] && file_exists("assets/js/pbxlib.js")) {
$pbxlibver = '.' . filectime("assets/js/pbxlib.js");
$html .= '';
} else {
/*
* files below:
* jquery.cookie.js - for setting cookies
* script.legacy.js - freepbx library
* jquery.toggleval.3.0.js - similar to html5 form's placeholder. depreciated
* interface.dim.js - interface blocking (reload, modadmin)
* tabber-minimized.js - sed for module admin (hiding content)
*/
echo ' '
. ''
. ''
. ''
. ''
. '';
}
if (isset($module_name) && $module_name != '') {
echo framework_include_js($this_time_append, $version_tag);
}
?>
The one thing that is suspicious is the date of freepbx.php vs. the rest of the files in /admin/views
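Two things in this thread are worth automating: the base64-laden config.php that was not part of a fresh install, and a file whose modification date does not match the rest of /admin/views. Here is an added example (mine, not the thread's or FreePBX's code) that triages a views directory both ways: it lists PHP files containing common loader/obfuscation primitives, and lists files whose modification day differs from the most common modification day in the directory. It assumes GNU find and grep (any CentOS/SHMZ box has them); the directory and the pattern list are my choices.

```shell
#!/bin/sh
# Triage helpers for a FreePBX web root (added example; assumes GNU find/grep).
WEBROOT="${WEBROOT:-/var/www/html/admin/views}"

# suspicious_php_content DIR
# Lists PHP files under DIR that use primitives typical of dropped backdoors:
# base64_decode/eval/gzinflate/str_rot13 loaders and shell execution.
# Legitimate code may match too; treat hits as candidates to inspect, not proof.
suspicious_php_content() {
    dir="$1"
    grep -rlE 'base64_decode|eval\(|gzinflate|str_rot13|passthru|shell_exec|system\(' \
        --include='*.php' "$dir" 2>/dev/null | sort
}

# mtime_outliers DIR
# Files (top level only) whose modification day differs from the most common
# modification day in DIR. A package install touches a whole directory at once,
# so a single file with a different date stands out, like freepbx.php above.
mtime_outliers() {
    dir="$1"
    find "$dir" -maxdepth 1 -type f -printf '%TY-%Tm-%Td %f\n' | awk '
        { day[NR] = $1; file[NR] = $2; count[$1]++ }
        END {
            best = ""
            for (d in count) if (best == "" || count[d] > count[best]) best = d
            for (i = 1; i <= NR; i++) if (day[i] != best) print day[i], file[i]
        }' | sort
}

# Stand-alone use: WEBROOT=/var/www/html/admin/views sh triage.sh
if [ -d "$WEBROOT" ]; then
    echo "== PHP files with loader/obfuscation primitives in $WEBROOT"
    suspicious_php_content "$WEBROOT"
    echo "== files whose mtime day differs from the rest of $WEBROOT"
    mtime_outliers "$WEBROOT"
fi
```

Run it over the other web-facing directories as well (the reply above suggests there are probably other dropped files); a file that is both a content hit and an mtime outlier deserves to be diffed against a known-clean install of the same version before anything else is trusted on the box.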
There is NO problem. You are blowing this way out of proportion. 'freepbx.php' is an old file. It could exist in a 13 system if it was previously upgraded or restored from an older version of freepbx. The file used to exist in 12.0 and earlier, as I said earlier.
Here is what I said last week
Here is what I added just now
If you follow the github links I've provided you can see the file doesn't exist.
But again it's irrelevant because I said
But it seems like that statement I made last week is being completely ignored.