Awoke to tampered files erros, phones down

So I woke up to a number of emails, texts and calls about our phone system being down. We’ve had this Sangoma appliance for for 18 months, no issues.

I log in remotely and I am greeted with errors about tampered files.

I attempt to update the offending module, but there is no option to. I am not a freepbx guru, so I am sure there is some way to “redownload” the module from command line. I have been googling around and cant figure it out.

There doesnt seem to be any system updates available.

So I started thinking, maybe the appliance is failing. I have been playing with for a while so I decided I would deploy an instance and try restoring the most recent backup to a hosted server.

So I deploy a new instance and right off the bat I see these errors…

So maybe it needs updates??

Yeah, lets try that…

But it wont apply either update, even after a reboot…


So I am reading in the forums about expired GPG keys. I decide to check on a instance I deployed for another company. They are still up and running, mind you, but I log in and see this…

So… forget the new hosted instance, I deleted it. And for the hosted instance I setup for a friends company, I am afraid to touch it. I am back to just trying to fix the premise based installation we are using in our office.

Phones won’t register, inbound calls wont connect. I am not even sure where to start. Is there some key upgrade I need to do to all these systems?

I am not sure what settings I should dump out to post here, but I am primarily interested in fixing the system I posted the first 3 pics of, its the premise based sangoma appliance with v13 running.

Have you tried to refresh signatures

fwconsole chown
fwconsole a ma refreshsignatures
fwconsole a reload

Also run check updates via module admin

Also do you have ports forward to the pbx?

Is this box directly on the web?

Your machine has most likely been hacked since you didn’t update said modules that needed to be updated. Who knows what the hackers did.

As for getting module updates you need to click “check online” then you can update modules.

Did you click on check online under module admin?

What was the result after you clicked on check online?

Also check your firewall logs to see if your having problems connecting to the Freepbx mirrors.

In my set-up i am behind 2 firewalls.

In my experience, my updates stopped working. When i checked my boarder firewall logs it seems that i had a rule that did not like the response it was getting frorm the freepbx mirrors sits.

Check the blocked ip address in your log and see if some of them are form or cyberlink.

you may need to change a rule in your firewall.

good look 80)

Box can’t get hacked if it is not directly on the web.

I have installed over 20 freepbx distros and never had a box hacked why because they are not directly on the web no port forwarding.

They are all still running great minus a few issues here and there mostly because of update bugs

So, I am guessing this cant be done from the CLI web page?

Do I need to use SSH?

Check for updates via module admin first then I always ssh into the box and run fwconsole chown… amportal chown has been decommissioned use fwconsole. My bad on the previous post. I am so use to using amportal vs fwconsole

1 Like

Go to module admin, click on ‘check online’, then click on ‘download all’.

Please, stop panicing, and read what people are saying.

1 Like

tm1000, He might have been hacked indeed.

Check the firewall and see if you have an ip that is talking to your box that should not be there.

if you are hacked you might just backup your extension and rebuild the box.

if you have been hacked you still need to find out the ip address being used so you can block them at your firewall so they don’t hack you again later. that is if they us the same ip address.

I will focus on the first screen shots of the premise based system…

It IS indeed behind firewall and has worked flawlessy since around Jan 2015.

I was able to force updates to get the errors to go away. However, lots of strange errors in asterisk log…

Here are the last 500 lines…

Asterisk Log File

I only allow traffic from flowroute ip addresses through my perimeter firewall, thought a couple extra settings were made to enable direct audio.


I did that and all errors went away earlier. Now just trying to reregister my phones. I had defaulted them this morning thinking I would move to a, but getting registration failed errors on Yealink 48G.

I can dump log file out from phone on here unless there is a better log to share, I am looking for it now.

Yup, but calls still not completing inbound.

Can you make a outbound call?
run asterisk -rvvvvvv at the cli and look to see if the call even his the box.

I am remote, and I am just now realizing I probably should have replaced letters with a local number?

download putty to a PC and install and ssh into the box and run asterisk -rvvvvv

1 Like

You are already in the asterisk cli now make a incoming call

1 Like