I am unable to upgrade the FreePBX framework module from 184.108.40.206 to 220.127.116.11. It fails on both the GUI and command line. For command line, the output I get is:
fwconsole ma upgrade framework
No repos specified, using: [standard,commercial] from last GUI settings
Starting framework download..
Verifying local module download...Verified
Module framework successfully downloaded
unlink(/var/www/html/admin/views/config.php): Operation not permitted
ma [-f|--force] [-d|--debug] [--edge] [--color] [--skipchown] [-e|--autoenable] [--skipdisabled] [--snapshot SNAPSHOT] [--format FORMAT] [-R|--repo REPO] [-t|--tag TAG] [--] [<args>]...
I was able to solve this, the fact that fwconsole chown also failed on that file was a clue.
chattr -i -a /var/www/html/admin/views/config.php
chmod ug+w /var/www/html/admin/views/config.php
It’s also a good idea to confirm the directory in which the file lives has the correct permissions.
Permissions for FreePBX files are fixed by running:
I tried that first. It failed. So did running it as root, and several other methods. My solution post mentioned that fwconsole chown failed.
Do you think your system was compromised?
I would love to know, but it seems unlikely. apache does not run as a privileged user. SSH is completely blocked from the outside world.
Apache runs as “asterisk” which is largely not an unprivileged user. It isn’t ‘root’, to be sure, but the Asterisk user has a lot of control over a lot of the hardware.
There are exploits that have been fixed that allowed the Web user to access important parts of the system.
The place I’d look first is in the /etc/asterisk/extensions_custom.conf file. If you find anything in there you don’t recognize, strip the system down to bare metal and re-implement with the latest version.
I guess my day just got more exciting…but I do not see anything unusual there, or in any other extension. Asterisk reports look normal too.
The asterisk user was not able to delete that file or run chattr on it, for what it’s worth. sudo was required.
Almost all of the “hack” attempts will leave tell-tale effluvia around. Some will leave code in the extensions_custom.conf file, others will leave extensions you don’t recognize. Others will chop out swathes of your CDR logs. If you aren’t seeing any of that, you’re probably fine. The fact that the Asterisk user wasn’t able to modify the file is odd, but not necessarily suspicious.
I would wager to say that any immutable or append-only files in /var/www/html/admin/* are a tell-tale sign. I’ve never had to remove immutable/append-only flags from any files on a system running FreePBX, but also it’s not clear to me if OP had immutable files or if they were just copy/pasting something from a post somewhere.
Not sure what you mean by “just copy and paste”, I described the steps I took to resolve the problem.
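The check discussed in the thread (immutable or append-only files under /var/www/html/admin), as an added example that is not part of the original posts or of FreePBX: it parses `lsattr -R` output and lists every entry carrying the `i` or `a` attribute. The function names and all sample lines except the config.php path are constructed for illustration.

```shell
#!/bin/sh
# Added example: list files flagged immutable (i) or append-only (a).

# parse_lsattr: read `lsattr -R` output on stdin and print
# "<flags><TAB><path>" for each entry whose attribute field has i or a.
parse_lsattr() {
    awk '
        NF < 2 { next }                 # blank lines and "dir:" headers from -R
        $1 !~ /^[-A-Za-z]+$/ { next }   # first field must be an attribute string
        {
            flags = ""
            # index() is case-sensitive: "A" (no atime) and "I" are not matched
            if (index($1, "i")) flags = "immutable"
            if (index($1, "a")) {
                if (flags != "") flags = flags ","
                flags = flags "append-only"
            }
            if (flags == "") next
            path = $0
            sub(/^[^ \t]+[ \t]+/, "", path)   # keep spaces inside the path
            printf "%s\t%s\n", flags, path
        }'
}

# scan_tree DIR: run the check on a real directory (needs lsattr from
# e2fsprogs), e.g.  scan_tree /var/www/html/admin
scan_tree() {
    lsattr -R -a "$1" 2>/dev/null | parse_lsattr
}

# Constructed sample of lsattr -R output, so the parser runs offline.
sample_lsattr() {
    cat <<'EOF'
----i---------e------- /var/www/html/admin/views/config.php
--------------e------- /var/www/html/admin/views/header.php

/var/www/html/admin/views:
-----a--------e------- /var/www/html/admin/modules/core/my file.php
----ia--------e------- /var/www/html/admin/index.php
-------A------e------- /var/www/html/admin/ajax.php
EOF
}

sample_lsattr | parse_lsattr
```

Record the flagged paths, owners and timestamps before clearing any attribute with chattr, since that state is evidence if the system does turn out to be compromised.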