I got a security update on Wake up call and MOH
I use Module Admin to push the new updates (all). Everything works after the update
The next day, I can’t access the Administration GUI. I’m getting the error message
A Session had already been started
No issue accessing User Control Panel
A new framework is due to be released shortly, but you can manually fix with the following:
- delete the file /var/www/html/admin/libraries/pest/index.php
- fwconsole ma downloadinstall framework
Since I don’t have any update and I don’t have an immediate need for access, I will wait for the final fix.
Since module admin is not accessible, please let me know how to apply the new fix manually.
Those two commands will fix the machine now, and remove the hacker’s ability to control your machine.
It’s also possible they may have added stuff to /etc/asterisk/extensions_custom.conf - you should validate the contents of that file (it will normally be empty, unless you have deliberately put stuff there). If it’s not, simply delete that file, as well.
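An added, read-only check for the two indicators named in this thread (the pest/index.php file and a non-empty extensions_custom.conf); this is example code written for this page, not a FreePBX or Sangoma tool. It assumes the default paths from the thread, reports what it finds without deleting anything, and treats only ';' comments and blank lines as "empty" in the Asterisk config.

```shell
#!/bin/sh
# Added example (not from the thread): report the two indicators discussed above
# so an operator can review them before running the cleanup commands.
# Defaults are the paths named in the thread; environment overrides are for testing.
PEST_INDEX="${PEST_INDEX:-/var/www/html/admin/libraries/pest/index.php}"
CUSTOM_CONF="${CUSTOM_CONF:-/etc/asterisk/extensions_custom.conf}"

# Return 0 if the pest index file exists (indicator present), 1 otherwise.
check_pest_index() {
    [ -e "$1" ]
}

# Return 0 if the file holds anything besides blank lines or ';' comments
# (Asterisk's comment syntax), 1 if it is absent or effectively empty.
custom_conf_has_content() {
    [ -f "$1" ] || return 1
    grep -Ev '^[[:space:]]*(;|$)' "$1" >/dev/null 2>&1
}

# Run both checks, print a summary, and return the number of indicators found.
scan_pbx() {
    pest="$1"; conf="$2"; found=0
    if check_pest_index "$pest"; then
        echo "INDICATOR: $pest exists (thread fix: remove it, then reinstall framework)"
        found=$((found + 1))
    fi
    if custom_conf_has_content "$conf"; then
        echo "INDICATOR: $conf is not empty; review these lines:"
        grep -Env '^[[:space:]]*(;|$)' "$conf"
        found=$((found + 1))
    fi
    [ "$found" -eq 0 ] && echo "No indicators found."
    return "$found"
}

scan_pbx "$PEST_INDEX" "$CUSTOM_CONF"
```

The exit status equals the number of indicators found, so it can be run from cron or a monitoring job across several servers.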
Lorne gave you the console command to do that:
Log into the console as “root” (or SSH in from a trusted host) and enter that command.
To remove a file in Linux, use ‘rm’ - like this ‘rm /var/www/html/admin/libraries/pest/index.php’.
All servers have nothing in /etc/asterisk/extensions_custom.conf
Except on one server. The content is
Should I delete the file /etc/asterisk/extensions_custom.conf or just delete the content? I always use the GUI and never edited the files manually.
I too received the exact same error “whoops\Exception\ErrorException
A Session had already been started …” on 2 out of 5 servers. 1 of my servers also had the same junk in the extensions_custom.conf file as rsarceno’s did.
What does this all exactly mean? Were the servers that had the “whoops\Exception\ErrorException
A Session had already been started” error hacked?
Do we need to worry about anything else other than the extensions_custom.conf??
All my servers have alternate ports, none of them are using ANY standard ports (http - https - sip - ssh - etc). If the system was hacked (which it had to be with the info in the extensions_custom.conf on one of the servers) how did it get hacked?
I only allow admin access and ssh access to certain ip addresses. Only SIP and the UCP are not regulated by certain ip access, but again are on very unique ports.
The only 2 servers with the “whoops\Exception\ErrorException
A Session had already been started” error message were the 2 that I use the FreePBX firewall on; on the other 3 servers I own I use APF (Advanced Policy Firewall).
I was able to upgrade my servers via the module admin gui and everything was good, was never locked out of the webpages.
The 2 servers that were affected are our main servers, one was the primary hosted in Milwaukee and the other was the backup server to this primary and the backup server is hosted in Phoenix. We use FreePBX hosting for all of our hosted servers.
Any information that you can provide would be greatly appreciated, it is extremely scary that both our primary and our backup servers were both affected - we are a managed service provider and we have some extremely important clients’ phone systems being hosted on these servers.
Bump … Can anyone help shed any light on the subject?? My big concern is how the hacker got to the server. I understand the software vulnerability, however with the Sangoma firewall in place I didn’t think anyone could get to the server even if there was a vulnerability, except by way of SIP and/or the UCP since those are the only ports open to the world.
A quick check on Google revealed this.
The short answer - take the machines down to bare metal and start over.
At a guess through your https port. Have you ensured that it’s not open to the world?
Hi and thanks for the reply. I have now read your references in google. The big difference here is that this is a brand new install not more than 1 month old. This is not an old freepbx distro, this was just installed by the folks over at freepbx hosting.
PBX Firmware 10.13.66-15
PBX Service Pack 1
Asterisk Version 11.23.0
Everything I have read about this exploit is that it happens on older unpatched systems. These servers were up to date as of 2 weeks ago. No updates were applied within the last 2 weeks, however they are fully patched as of 11pm last evening.
After going through the google results you had referenced I looked for any other modifications that the hacker might have made that were referenced in the articles and I cannot find anything else.
Still my big question that no one has answered quite yet is how did it happen? Why didn’t the firewall prevent this? Again the only ports open are the sip port and the UCP port which are both NOT STANDARD ports on our system.
Did you have HTTPS open or not?
Here is the why: http://wiki.freepbx.org/display/FOP/2016-08-09+CVE+Remote+Command+Execution+with+Privileged+Escalation
When I go to System Admin > Port management > it shows there that “HTTPS Not available”.
When I go to Connectivity > Firewall > I only see the not standard http port that we have assigned for Web Management and then I also see Web management (Secure) and yes it does say tcp port 443 and yes it was assigned to the External Zone ARGGGGGGGGG!!!
I have changed that to Internal now. Is there anything else that you recommend that I change to secure this system more??
Is there anything else you recommend me looking for to make sure my system is not compromised by the hacker??
As far as we know, the latest framework (182, 183 in edge) fixes all the potential exploits, and cleans up everything we’re aware of.
Thanks so much for replying, and I did just reply to Rob’s request from a little bit ago. Yes, I did not realize that it was, we don’t currently use it, but I have corrected it and have patched the system with your latest updates.
Is there anything else you can share that I might look for to make sure that my system is not compromised by the hacker any longer?
Fantastic, I will sleep much better tonight than I did last night after finding the system was hacked at about 11pm cst.