Cleaning up hacked system, --clean?

I’m attempting to clean up a hacked system. I started by running:

wget http://mirror1.freepbx.org/validate.phar.gz
gzip -d validate.phar.gz
php validate.phar

After it scans it lists the questionable files and then tells me

System must be cleaned up before proceeding to the next step. Run this script with the argument ‘--clean’ to attempt cleanup.

Where do I insert the --clean with the script I ran? Thanks!

php validate.phar --clean

Disclaimer: I’m not responsible for any files that you may lose or any other stuff; I’m just stating the syntax of the command.


Thank you and no responsibility assigned!

For future reference, the validate script is integrated into fwconsole if you are running a current framework. You can scan with:

fwconsole validate
fwconsole validate --clean

https://wiki.freepbx.org/pages/viewpage.action?pageId=37912685#fwconsolecommands(13+)-validate


Works great. Thank you.


So I tried fwconsole validate on a 10.13.66-20 test system and I get the output listed below. The system is fairly new and I doubt it’s hacked. Anyone care to comment? Can --clean break my system?

Found /var/www/html/admin/images/originals that shouldn't be there?
Found /var/www/html/admin/images/formatted that shouldn't be there?
Found /var/www/html/admin/libraries/Composer/vendor/guzzlehttp/guzzle/docs/conf.pyo that shouldn't be there?
Found /var/www/html/admin/libraries/Composer/vendor/guzzlehttp/guzzle/docs/conf.pyc that shouldn't be there?
Found /var/www/html/admin/modules/framework/utests/DBHelperTest.php that shouldn't be there?
Found /var/www/html/admin/modules/framework/utests/DoctrineTest.php that shouldn't be there?
Found /var/www/html/admin/modules/framework/utests/PKCSTest.php that shouldn't be there?
Found /var/www/html/admin/modules/framework/utests/CronTest.php that shouldn't be there?
Found /var/www/html/admin/modules/framework/utests/genaccts.php that shouldn't be there?
Found /var/www/html/admin/modules/framework/utests/InstallerTest.php that shouldn't be there?
Found /var/www/html/admin/modules/framework/utests/RequestTest.php that shouldn't be there?
Found /var/www/html/admin/modules/framework/utests/ModulesTest.php that shouldn't be there?
Found /var/www/html/admin/modules/framework/utests/WebTest.php that shouldn't be there?
Found /var/www/html/admin/modules/framework/utests/PHPTest.php that shouldn't be there?
Found /var/www/html/admin/modules/framework/utests/AstmanTest.php that shouldn't be there?
Found /var/www/html/admin/modules/framework/utests/LoadConfigTest.php that shouldn't be there?
Found /var/www/html/admin/modules/framework/utests/GPGTest.php that shouldn't be there?
Found /var/www/html/admin/modules/framework/utests/FwconsoleTest.php that shouldn't be there?
Found /var/www/html/admin/modules/ucp/htdocs/modules/Sms that shouldn't be there?
Found /var/www/html/admin/modules/ucp/htdocs/modules/Presencestate that shouldn't be there?
Found /var/www/html/admin/modules/ucp/htdocs/modules/Xmpp that shouldn't be there?
Found /var/www/html/admin/modules/ucp/htdocs/modules/Webrtc that shouldn't be there?
Found /var/www/html/admin/assets/parkpro that shouldn't be there?
Found /var/www/html/admin/assets/qxact_reports that shouldn't be there?
Found /var/www/html/admin/assets/sangomacrm that shouldn't be there?
Found /var/www/html/admin/assets/webcallback that shouldn't be there?
Found /var/www/html/admin/assets/broadcast that shouldn't be there?
Found /var/www/html/admin/assets/freepbx_ha that shouldn't be there?
Found /var/www/html/admin/assets/dahdiconfig that shouldn't be there?
Found /var/www/html/admin/assets/cos that shouldn't be there?
Found /var/www/html/admin/assets/arimanager that shouldn't be there?
Found /var/www/html/admin/assets/vqplus that shouldn't be there?
Found /var/www/html/admin/assets/endpoint that shouldn't be there?
Found /var/www/html/admin/assets/pagingpro that shouldn't be there?
Found /var/www/html/admin/assets/voicemail_report that shouldn't be there?
Found /var/www/html/admin/assets/recording_report that shouldn't be there?
Found /var/www/html/admin/assets/callerid that shouldn't be there?
Found /var/www/html/admin/assets/zulu that shouldn't be there?

Running fwconsole validate --clean removed the files, but I still don’t know what the files were, and now that I am checking, I see the same files on other systems too. Is it a leftover from previous versions? Anybody know?

All of those files you removed were fine. They won’t hurt anything and aren’t listed, probably because of upgrades or you removed them.


Thanks. Now fwconsole validate is telling me the following, but these files are not even supposed to be in that directory. I don’t see them on any other system. Safe to delete?

Serious Error! The module /var/www/html/admin/modules/import.sh is not signed!
It is not possible to validate this module.
Serious Error! The module /var/www/html/admin/modules/modlist.sh is not signed!
It is not possible to validate this module.
Serious Error! The module /var/www/html/admin/modules/remove.sh is not signed!
It is not possible to validate this module.
Serious Error! The module /var/www/html/admin/modules/status.sh is not signed!
It is not possible to validate this module.
Serious Error! The module /var/www/html/admin/modules/update.sh is not signed!
It is not possible to validate this module.
Serious Error! The module /var/www/html/admin/modules/versionupgrade-2.10.0beta1.0.tgz is not signed!
It is not possible to validate this module.

If you got a rootkit, I think it is better to reinstall; you cannot be sure that you have actually cleaned all the files. I hope that you succeed. Please keep posting, as this issue interests me also.

As far as I can tell there is no indication of a virus on this system. These files seem to be leftovers from previous versions of FreePBX. This system was upgraded all the way from 4 or 5 (I don’t remember).

Those files are from 2.10 or 2.9 from our former build processes. You can remove them.
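
Added example (not from any poster in the thread and not FreePBX code): because `--clean` deletes whatever the scan flags, this script pulls the flagged paths out of saved `fwconsole validate` output in the two message formats quoted above, shows which directories they cluster in, and archives them so they can still be examined after cleanup. The function names, `scan.txt` and the archive path are hypothetical.

```bash
#!/bin/sh
# Added example: review and preserve what the validate scan flags before --clean.
# Assumes only the two message formats quoted in this thread.
#
# Typical use, as root on the PBX (file names are placeholders):
#   fwconsole validate | tee scan.txt
#   . ./preserve.sh
#   summarize_dirs < scan.txt
#   preserve_flagged scan.txt /root/flagged-before-clean.tgz
#   fwconsole validate --clean

# Print one flagged path per line from validate output on stdin.
# "shouldn.t" tolerates a straight or a typographic apostrophe.
flagged_paths() {
    sed -n \
        -e 's/^Found \(.*\) that shouldn.t be there?$/\1/p' \
        -e 's/^Serious Error! The module \(.*\) is not signed!$/\1/p'
}

# Count flagged paths per parent directory, busiest directory first.
# Many hits in one place (utests/, assets/) usually means upgrade leftovers;
# a lone unsigned file in modules/ deserves a closer look.
summarize_dirs() {
    flagged_paths | sed 's|/[^/]*$||' | sort | uniq -c | sort -rn
}

# Archive every flagged path that still exists, keeping modes and timestamps.
# $1 = file holding saved validate output, $2 = archive to create.
# Paths are stored relative to / so the archive is safe to unpack elsewhere.
preserve_flagged() {
    _list=$(mktemp)
    _rc=0
    flagged_paths < "$1" | while IFS= read -r p; do
        if [ -e "$p" ]; then
            printf '%s\n' "${p#/}"
        fi
    done > "$_list"
    tar -czpf "$2" -C / -T "$_list" || _rc=$?
    rm -f "$_list"
    return "$_rc"
}
```

Keep the archive off the web root, and compare a suspicious file against the same path on a known-good system before deciding it is only a leftover.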