It’s probably worth checking these steps. I’m pretty sure one of the machines I managed had problems running fwconsole commands when it was compromised with this hack (due to the missing/empty freepbx.conf file).
Visit your FreePBX Administrator web interface - is it broken? Not loading like it used to? Does the /etc/freepbx.conf file still exist? Check with this command:
$ ls -l /etc/freepbx.conf
Look for the tell-tale leftover sign of the exploit - this file should not exist on normal systems: /var/www/html/.clean.sh. So check for it like this:
$ ls -l /var/www/html/.clean.sh
Check Apache logs for POST requests to modular.php - reaching back to at least August 21st. A command like the following should help you quickly look through all the relevant logs on both v16 and v17:
$ zgrep modular.php /var/log/{httpd,apache2}/access*
Check Asterisk logs for calls to extension 9998 - reaching back to at least August 21st (slight variations in this command may exist between systems):
$ grep 9998 /var/log/asterisk/full*
Review MariaDB/MySQL logs and tables for MACD of unknown users in the ampusers table - specifically looking for a suspicious ampuser username in the far-left column:
$ mysql -e "SELECT * FROM ampusers" asterisk
Full thread:
The Sangoma FreePBX Security Team is aware of a potential exploit affecting some systems with the administrator control panel exposed to the public internet. AUG. 28 GOOD NEWS: FIX IS NOW DEPLOYED IN STABLE REPOS FOR AFFECTED SUPPORTED VERSIONS, INCLUDING ALL RELEASES OF ENDPOINT MODULE IN 15, 16 & 17. PLEASE UPDATE! Users are advised to limit access to the FreePBX Administrator by using the Firewall module to limit access to only known trusted hosts.
UPDATE 2025-09-09T16:13:00Z (UTC)
Trimmed …
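The five checks in the post above, gathered into one triage script. This is an added example, not code from the post or from Sangoma; it runs against a small set of constructed sample files (an access log in Apache combined format, a rotated gzipped copy, an Asterisk "full" log, and a text dump of the ampusers username column) written into a scratch directory, so it runs offline. The directory layout, the sample log lines, the IP addresses and the username svc_x7q2 are all constructed; on a real system point the functions at /etc/freepbx.conf, /var/www/html/.clean.sh, /var/log/{httpd,apache2}/access* and /var/log/asterisk/full*, and feed unknown_ampusers the output of `mysql -N -e "SELECT username FROM ampusers" asterisk`.

```shell
#!/bin/sh
# Added triage helper (not from the original post). All data below is constructed.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

# Build the constructed sample tree: a leftover .clean.sh, no freepbx.conf, two
# access logs (one gzipped), an Asterisk full log and an ampusers dump.
write_samples() {
    d="$1"
    mkdir -p "$d/www" "$d/apache" "$d/asterisk"
    : > "$d/www/.clean.sh"           # the tell-tale file, present in the sample
    cat > "$d/apache/access.log" <<'EOF'
198.51.100.10 - - [20/Aug/2025:09:00:01 +0000] "GET /admin/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [22/Aug/2025:03:14:07 +0000] "POST /admin/modular.php HTTP/1.1" 200 312 "-" "python-requests/2.31"
203.0.113.5 - - [22/Aug/2025:03:14:09 +0000] "POST /admin/modular.php HTTP/1.1" 200 298 "-" "python-requests/2.31"
EOF
    # rotated, compressed log with one more hit (what zgrep would also cover)
    printf '%s\n' '203.0.113.5 - - [21/Aug/2025:23:58:40 +0000] "POST /admin/modular.php HTTP/1.1" 200 301 "-" "python-requests/2.31"' \
        | gzip > "$d/apache/access.log.1.gz"
    cat > "$d/asterisk/full" <<'EOF'
[2025-08-22 03:15:00] VERBOSE[2101][C-00000003] pbx.c: Executing [1001@from-internal:1] Dial("SIP/1002-00000001", "SIP/1001") in new stack
[2025-08-22 03:16:12] VERBOSE[2101][C-00000004] pbx.c: Executing [9998@from-internal:1] NoOp("SIP/1002-00000002", "") in new stack
EOF
    # constructed ampusers username column, and the admin's own list of expected users
    printf 'admin\nhelpdesk\nsvc_x7q2\n' > "$d/ampusers.txt"
    printf 'admin\nhelpdesk\n' > "$d/known_admins.txt"
}

# Checks 1 and 2: does a path exist? Prints yes/no so it reads well in a report.
path_exists() { [ -e "$1" ] && echo yes || echo no; }

# Check 3: count POST requests to modular.php across plain and gzipped access logs.
count_modular_posts() {
    total=0
    for f in "$@"; do
        [ -f "$f" ] || continue
        case "$f" in
            *.gz) n=$(gzip -dc "$f" | grep -c 'POST [^"]*modular\.php' || true) ;;
            *)    n=$(grep -c 'POST [^"]*modular\.php' "$f" || true) ;;
        esac
        total=$((total + n))
    done
    echo "$total"
}

# Check 4: count dialplan executions for one extension. Matching "Executing [9998@"
# rather than a bare "9998" avoids hits on call IDs or timestamps containing 9998.
count_ext_calls() {
    ext="$1"; shift
    total=0
    for f in "$@"; do
        [ -f "$f" ] || continue
        n=$(grep -c "Executing \[$ext@" "$f" || true)
        total=$((total + n))
    done
    echo "$total"
}

# Check 5: usernames in the ampusers dump ($1) that are not in the known list ($2).
unknown_ampusers() { grep -vxF -f "$2" "$1" || true; }

write_samples "$SAMPLE_DIR"
echo "freepbx.conf present: $(path_exists "$SAMPLE_DIR/freepbx.conf")"
echo ".clean.sh present:    $(path_exists "$SAMPLE_DIR/www/.clean.sh")"
echo "POSTs to modular.php: $(count_modular_posts "$SAMPLE_DIR"/apache/access*)"
echo "calls to ext 9998:    $(count_ext_calls 9998 "$SAMPLE_DIR"/asterisk/full*)"
echo "unknown ampusers:     $(unknown_ampusers "$SAMPLE_DIR/ampusers.txt" "$SAMPLE_DIR/known_admins.txt")"
```

Any non-zero count or any name printed by unknown_ampusers is a reason to treat the host as compromised and move to a full incident response rather than just applying the module update; note that an empty ampusers difference only means no extra admin was left behind, not that nothing happened.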