[ABUSE] VoiceMail extension is used for outbound international calls

Yesterday I performed updates on my FreePBX system as I always do once in a while. The issue with these updates is that after performing them the firewall (shorewall) is stopped.

Usually not a big problem, because the monitoring will notice this, so I can start the firewall. But yesterday I forgot to enable the firewall. So the machine was running without a firewall for

[04-10-2018 09:50:18] SERVICE ALERT: iptables-rules;CRITICAL;HARD;3
[05-10-2018 23:10:18] SERVICE ALERT: iptables-rules;OK;HARD;3;OK

This was enough time to register on the voicemail extension and start making international calls. The international calls were automatically blocked by the SIP provider because they do that on more than x calls. So the damage is somewhat limited.

But now comes the hard part. The voicemail extension is a pjsip extension, it is protected by a password of 32 characters so I don't think they guessed the password.

How did they get the password of this extension, and why did they use this extension and not another one?

I think you need to clarify this because you are using terms that can be taken in multiple contexts.

First, there is no such thing as a “Voicemail extension”. You have a dialable extension (aka 100) that will ring device(s) and based on the response can be sent to a voicemail mailbox.

Second, the Voicemail App allows users to make outbound calls from the Voicemail system. So how the call was actually made will make a big difference in how we tell you to take the next steps.

So did this breach make calls as the extension themselves? You said they registered, which means they had a device that authenticated to your system?

And why on earth are you disabling your firewall to run system updates?! There is absolutely no need for that.

No version numbers. No logs. How do you expect people to help?

The system is running FreePBX 13.0.195.13 and I found an extra config.php which has base64 encoding.

/admin/views/config.php

This file is not there on a fresh installation, and it looks to be something to download config files containing passwords. After this they registered on extension 200 which is directed to voicemail but it's a normal extension.

This extension was making the expensive international calls.

Feel free to send the base64 string and files to

[email protected]

We can look to see if it is anything new. There are many security researchers who keep an eye on our project and they are very good about responsible disclosure so most things are fixed weeks before any PoC etc hits the wild.


This is also most likely an old hack from years ago that someone found sitting on your system and is just now exploiting.

This does not match the timestamp of the files. All the files have the same timestamp (which is in the morning when I upgraded the system)

[[email protected] views]# pwd
/var/www/html/admin/views
[[email protected] views]# ls -ltr
total 120
drwxrwxr-x. 2 asterisk asterisk  4096 dec 10  2016 module_admin
-rw-rw-r--. 1 asterisk asterisk  2117 apr 17 16:28 freepbx.php
-rw-rw-r--. 1 asterisk asterisk   347 okt  4 11:53 zend_config.php
-rw-rw-r--. 1 asterisk asterisk  2269 okt  4 11:53 welcome.php
-rw-rw-r--. 1 asterisk asterisk   223 okt  4 11:53 welcome_nomanager.php
-rw-rw-r--. 1 asterisk asterisk   672 okt  4 11:53 reports.php
-rw-rw-r--. 1 asterisk asterisk  1439 okt  4 11:53 popover_js.php
-rw-rw-r--. 1 asterisk asterisk   312 okt  4 11:53 panel.php
-rw-rw-r--. 1 asterisk asterisk  4543 okt  4 11:53 oobe.php
-rw-rw-r--. 1 asterisk asterisk  2402 okt  4 11:53 obe.php
-rw-rw-r--. 1 asterisk asterisk  2751 okt  4 11:53 noaccess.php
-rw-rw-r--. 1 asterisk asterisk  4915 okt  4 11:53 menu_items.php
-rw-rw-r--. 1 asterisk asterisk  2144 okt  4 11:53 login.php
-rw-rw-r--. 1 asterisk asterisk  7465 okt  4 11:53 header.php
-rw-rw-r--. 1 asterisk asterisk 13236 okt  4 11:53 footer.php
-rw-rw-r--. 1 asterisk asterisk  2015 okt  4 11:53 footer_content.php
-rw-rw-r--. 1 asterisk asterisk  4327 okt  4 11:53 currentcomponent.php
-rwSr--r--  1 root     root      4775 okt  4 11:53 config.php
-rw-rw-r--. 1 asterisk asterisk   509 okt  4 11:53 beta_notice.php
-rw-rw-r--. 1 asterisk asterisk  1290 okt  4 11:53 bad_refferer.php
-rw-rw-r--. 1 asterisk asterisk  3177 okt  4 11:53 menu.php
-rw-rw-r--. 1 asterisk asterisk   261 okt  4 11:53 menuitem_disabled.php
[[email protected] views]#
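A triage pass over a directory listing like the one above, added here as an example (not code from this thread or from the FreePBX project): it flags entries whose owner, setuid bit, SELinux context marker or modification time deviate from the rest of the directory. The sample listing is constructed from a subset of the lines posted above, and the expected owner `asterisk` is an assumption.

```python
import re

# Constructed sample: a subset of the ls -ltr output posted in the thread.
SAMPLE_LISTING = """\
drwxrwxr-x. 2 asterisk asterisk  4096 dec 10  2016 module_admin
-rw-rw-r--. 1 asterisk asterisk  2117 apr 17 16:28 freepbx.php
-rw-rw-r--. 1 asterisk asterisk   347 okt  4 11:53 zend_config.php
-rw-rw-r--. 1 asterisk asterisk  7465 okt  4 11:53 header.php
-rwSr--r--  1 root     root      4775 okt  4 11:53 config.php
-rw-rw-r--. 1 asterisk asterisk   509 okt  4 11:53 beta_notice.php
"""

# mode, optional SELinux marker ('.'), links, owner, group, size, 3-token date, name
LS_LINE = re.compile(
    r"^(?P<mode>[-dl][rwxsStT-]{9})(?P<ctx>[.+]?)\s+\d+\s+"
    r"(?P<owner>\S+)\s+(?P<group>\S+)\s+\d+\s+"
    r"(?P<date>\S+\s+\S+\s+\S+)\s+(?P<name>.+)$"
)

def triage_listing(listing, expected_owner="asterisk"):
    """Return {filename: [reasons]} for entries deviating from the directory's norm."""
    rows = [m.groupdict() for m in map(LS_LINE.match, listing.splitlines()) if m]
    # The most common timestamp among regular files is taken as the package write.
    dates = [r["date"] for r in rows if not r["mode"].startswith("d")]
    baseline_date = max(set(dates), key=dates.count)
    siblings_labelled = any(r["ctx"] == "." for r in rows)
    findings = {}
    for r in rows:
        reasons = []
        if r["owner"] != expected_owner or r["group"] != expected_owner:
            reasons.append(f"owned by {r['owner']}:{r['group']}, expected {expected_owner}")
        if r["mode"][3] in "sS":          # user execute slot carries the setuid bit
            reasons.append("setuid bit set")
        if r["mode"][6] in "sS":          # group execute slot carries the setgid bit
            reasons.append("setgid bit set")
        if siblings_labelled and r["ctx"] != ".":
            reasons.append("no SELinux context while siblings have one")
        if not r["mode"].startswith("d") and r["date"] != baseline_date:
            reasons.append(f"mtime {r['date']} differs from baseline {baseline_date}")
        if reasons:
            findings[r["name"]] = reasons
    return findings

if __name__ == "__main__":
    for name, reasons in triage_listing(SAMPLE_LISTING).items():
        print(name, "->", "; ".join(reasons))
```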

Freepbx.php is a hacked file. There is no file like that in freepbx. Last modified April 17th. Your system has been hacked since at least April 17th. You probably have other files sitting in other directories.

Edit. Actually freepbx.php is from freepbx 2.10 or so. It doesn’t exist in 13
Edit2. Looks like version 12.0 and lower, before the GUI redesign

This is the contents of the file

https://pastebin.com/ViiNn36Q

No freepbx.php in 13 https://github.com/FreePBX/framework/tree/release/13.0/amp_conf/htdocs/admin/views

I’m willing to wager that your system is pretty old. Probably 2.10 or earlier that you’ve upgraded. Most likely when a security issue came out in the past you didn’t immediately upgrade and got hacked long ago. The hacks are often automated. Therefore you are now feeling the effects of this hack that was never cleaned up.

The file was also placed by ‘root’


After reading your comment that freepbx.php doesn’t exist on new systems I installed a new FreePBX Server using SNG7-FPBX-64bit-1805-1.iso.

First thing, # updatedb

[[email protected] ~]# locate freepbx.php
/var/www/html/admin/modules/userman/views/freepbx.php

If freepbx.php is a hacked file, then isn’t the .iso hacked?

@tm1000 edited his post and stated that freepbx.php is an old file that is no longer being used. So if your system has that file it means you’ve been updating it for a long time.

As mentioned in my post in this thread, I just installed a new FreePBX 14 server using SNG7-FPBX-64bit-1805-1.iso

The server was installed < 15 minutes ago. There was no update other than running updatedb.

freepbx.php definitely exists in SNG7-FPBX-64bit-1805-1.iso

I guarantee you that freepbx.php is not part of FreePBX 14 in framework, in the location we are TALKING about here “/var/www/html/admin/views”

This is not even related to this thread. “freepbx.php” doesn’t exist in the location mentioned in this thread (/var/www/html/admin/views). Just because you went and located another file called freepbx.php (in User Manager, a completely separate module) does not mean that it’s the same file (It’s not!)

No please don’t spread false information around.

/var/www/html/admin/views/freepbx.php exists
This particular FreePBX is:
] # cat /etc/redhat-release
SHMZ release 6.6 (Final)
] # cat /etc/schmooze/pbx-version
10.13.66-22

Another FreePBX Server
]# ll /var/www/html/admin/views/freepbx.php
-rw-rw-r-- 1 asterisk asterisk 2117 Mar 27 2018 /var/www/html/admin/views/freepbx.php
]# cat /etc/redhat-release
SHMZ release 6.6 (Final)
]# cat /etc/schmooze/pbx-version
10.13.66-22
And you are saying freepbx.php should NOT exist in /var/www/html/admin/views/

None of the above FreePBX servers were installed < 10.13.

It does not exist in a freshly installed 14 system. I just installed a 14 system last week. The file we are discussing “/var/www/html/admin/views/freepbx.php” does not exist.

Also it really doesn’t matter if it does.

No I never said this. Please fully re-read this thread. Including my edits and Tom’s replies to you.

The file is really irrelevant at this point if you read this thread in its entirety

I am not arguing, but when I saw you mentioned ‘hacked’ I wanted to see where that file is.
Ok, so you are talking about 14 and the two examples I wrote about are 13.

On a 14 installation freepbx.php does NOT exist in /admin/views as you’ve clearly stated.

]# updatedb
]# locate freepbx.php
/var/www/html/admin/modules/userman/views/freepbx.php
]# cat /etc/schmooze/pbx-version
12.7.5-1807-1.sng7

It does not exist in a 13 installation either

well Mr. Nagy, in this FreePBX Server it does exist:

]# updatedb
]# locate freepbx.php
/usr/src/freepbx-13.0.192.16/amp_conf/htdocs/admin/modules/userman/views/freepbx.php
/usr/src/freepbx-13.0.192.16/amp_conf/htdocs/admin/views/freepbx.php
/var/www/html/admin/modules/userman/views/freepbx.php
/var/www/html/admin/views/freepbx.php

]# cat /etc/redhat-release
SHMZ release 6.6 (Final)
]# cat /etc/schmooze/pbx-version
10.13.66-21

Considering you have stated freepbx.php doesn’t exist in /var/www/html/admin/views then there is a problem.

Below is the content of /var/www/html/admin/views/freepbx.php

]# cat freepbx.php

<?php
/**
 * Main FreePBX view - sets up the base HTML page, and FreePBX header
 */

// BRANDABLE COMPONENTS
//
// get version info to be used to version images, css, etc.
//
?>
<?php
if (isset($amp_conf['DEVEL']) && $amp_conf['DEVEL']) {
    $benchmark_time = number_format(microtime_float() - $benchmark_starttime, 4);
    echo '
Page loaded in ' . $benchmark_time . 's
';
}

// Production versions should include the packed consolidated javascript library but if it
// is not present (useful for development, then include each individual library below
if ($amp_conf['USE_PACKAGED_JS'] && file_exists("assets/js/pbxlib.js")) {
    $pbxlibver = '.' . filectime("assets/js/pbxlib.js");
    $html .= '';
} else {
    /*
     * files below:
     * jquery.cookie.js - for setting cookies
     * script.legacy.js - freepbx library
     * jquery.toggleval.3.0.js - similar to html5 form's placeholder. depreciated
     * interface.dim.js - interface blocking (reload, modadmin)
     * tabber-minimized.js - sed for module admin (hiding content)
     */
    echo ' ' . '' . '' . '' . '' . '';
}

if (isset($module_name) && $module_name != '') {
    echo framework_include_js($this_time_append, $version_tag);
}
?>

The one thing that is suspicious is the date of freepbx.php vs. the rest of the files in /admin/views

]# ll
total 112
-rw-rw-r-- 1 asterisk asterisk 1290 Sep 30 00:55 bad_refferer.php
-rw-rw-r-- 1 asterisk asterisk 509 Sep 30 00:55 beta_notice.php
-rw-rw-r-- 1 asterisk asterisk 4327 Sep 30 00:55 currentcomponent.php
-rw-rw-r-- 1 asterisk asterisk 13236 Sep 30 00:55 footer.php
-rw-rw-r--. 1 asterisk asterisk 2009 Sep 26 2017 footer_content.php
-rw-rw-r-- 1 asterisk asterisk 2117 Mar 27 2018 freepbx.php
-rw-rw-r-- 1 asterisk asterisk 7465 Sep 30 00:55 header.php
-rw-rw-r-- 1 asterisk asterisk 2144 Sep 30 00:55 login.php
-rw-rw-r-- 1 asterisk asterisk 3177 Sep 30 00:55 menu.php
-rw-rw-r-- 1 asterisk asterisk 4915 Sep 30 00:55 menu_items.php
-rw-rw-r-- 1 asterisk asterisk 261 Sep 30 00:55 menuitem_disabled.php
drwxrwxr-x. 2 asterisk asterisk 4096 Sep 26 2017 module_admin
-rw-rw-r-- 1 asterisk asterisk 2751 Sep 30 00:55 noaccess.php
-rw-rw-r-- 1 asterisk asterisk 2402 Sep 30 00:55 obe.php
-rw-rw-r-- 1 asterisk asterisk 4543 Sep 30 00:55 oobe.php
-rw-rw-r-- 1 asterisk asterisk 312 Sep 30 00:55 panel.php
-rw-rw-r-- 1 asterisk asterisk 1439 Sep 30 00:55 popover_js.php
-rw-rw-r-- 1 asterisk asterisk 672 Sep 30 00:55 reports.php
-rw-rw-r-- 1 asterisk asterisk 2269 Sep 30 00:55 welcome.php
-rw-rw-r-- 1 asterisk asterisk 223 Sep 30 00:55 welcome_nomanager.php
-rw-rw-r-- 1 asterisk asterisk 347 Sep 30 00:55 zend_config.php

There is NO problem. You are blowing this way out of proportion. ‘freepbx.php’ is an old file. It could exist in a 13 system if it was previously upgraded or restored from an older version of freepbx. The file used to exist in 12.0 and earlier, as I said earlier.

Here is what I said last week

Here is what I added just now

If you follow the github links I’ve provided you can see the file doesn’t exist.

But again it’s irrelevant because I said

But it seems like that statement I made last week is being completely ignored.