Automatic updates not happening

I have a v17 system that was just hacked. Last time fwconsole ma upgradeall was run manually was maybe a month or two ago (?) so this may be a fairly recent exploit. It looks like they got in through a vulnerable freepbx module. I have it set to automatically update once a week on Saturday but it appears that was not happening. I see there are several modules with critical security updates which I had to manually update. Running fwconsole ma upgradeall worked normally with no errors.

Why are automatic updates not happening? I have Module Admin > Scheduler Automatic Module updates and Automatic Module Security updates Enabled in the GUI.

This is my crontab -u asterisk -e

1 0 * * * [ -e /usr/sbin/fwconsole ] && sleep $((RANDOM%30)) && /usr/sbin/fwconsole cdr  --purnedata >> /var/log/asterisk/freepbx.log 2>&1
26 0 * * * /usr/sbin/fwconsole certificates --updateall -q 2>&1 >/dev/null
*/15 * * * * [ -e /usr/sbin/fwconsole ] && sleep $((RANDOM%30)) && /usr/sbin/fwconsole userman --syncall -q

/var/lib/asterisk/bin/queue_reset_stats.php --id=620

/var/lib/asterisk/bin/queue_reset_stats.php --id=621

2 * * * /usr/sbin/fwconsole util cleanplaybackcache -q
54 11 * * 6 [ -e /usr/sbin/fwconsole ] && /usr/sbin/fwconsole ma listonline --sendemail -q > /dev/null 2>&1
54 13 * * 6 [ -e /usr/sbin/fwconsole ] && /usr/sbin/fwconsole ma upgradeall --sendemail -q > /dev/null 2>&1

* * * * * [ -e /usr/sbin/fwconsole ] && /usr/sbin/fwconsole job --run --quiet 2>&1 > /dev/null


Change it to Sunday. The automated module updates struggle on Saturdays due to demand.

You can also check for current mirror performance here: FreePBX Mirror Status — IN1CLICK

How do you know you were hacked?

Are you exposing the Admin GUI or SSH to the public internet?

I know because they created a forwarded extension in Freepbx and then made a bunch of calls to premium numbers. It was done through a vulnerability in one or more freepbx modules. Just look at the recent security updates if you want to know more.

I don’t think that answered the last question. Is your admin GUI or SSH exposed to the Internet at large? If so, that’s something that should be looked into sooner rather than later. With all of the AI stuff that pokes holes in vulnerabilities, it’s dicey nowadays.

Thanks for the suggestion. I have now done that.

If you do have more logs and information that you’d like to privately share, then please use the separate FreePBX security reporting repo.