So I tried fwconsole validate on a 10.13.66-20 test system and I get the output listed below. The system is fairly new and I doubt it’s hacked. Anyone care to comment? Can --clean break my system?
Found /var/www/html/admin/images/originals that shouldn't be there?
Found /var/www/html/admin/images/formatted that shouldn't be there?
Found /var/www/html/admin/libraries/Composer/vendor/guzzlehttp/guzzle/docs/conf.pyo that shouldn't be there?
Found /var/www/html/admin/libraries/Composer/vendor/guzzlehttp/guzzle/docs/conf.pyc that shouldn't be there?
Found /var/www/html/admin/modules/framework/utests/DBHelperTest.php that shouldn't be there?
Found /var/www/html/admin/modules/framework/utests/DoctrineTest.php that shouldn't be there?
Found /var/www/html/admin/modules/framework/utests/PKCSTest.php that shouldn't be there?
Found /var/www/html/admin/modules/framework/utests/CronTest.php that shouldn't be there?
Found /var/www/html/admin/modules/framework/utests/genaccts.php that shouldn't be there?
Found /var/www/html/admin/modules/framework/utests/InstallerTest.php that shouldn't be there?
Found /var/www/html/admin/modules/framework/utests/RequestTest.php that shouldn't be there?
Found /var/www/html/admin/modules/framework/utests/ModulesTest.php that shouldn't be there?
Found /var/www/html/admin/modules/framework/utests/WebTest.php that shouldn't be there?
Found /var/www/html/admin/modules/framework/utests/PHPTest.php that shouldn't be there?
Found /var/www/html/admin/modules/framework/utests/AstmanTest.php that shouldn't be there?
Found /var/www/html/admin/modules/framework/utests/LoadConfigTest.php that shouldn't be there?
Found /var/www/html/admin/modules/framework/utests/GPGTest.php that shouldn't be there?
Found /var/www/html/admin/modules/framework/utests/FwconsoleTest.php that shouldn't be there?
Found /var/www/html/admin/modules/ucp/htdocs/modules/Sms that shouldn't be there?
Found /var/www/html/admin/modules/ucp/htdocs/modules/Presencestate that shouldn't be there?
Found /var/www/html/admin/modules/ucp/htdocs/modules/Xmpp that shouldn't be there?
Found /var/www/html/admin/modules/ucp/htdocs/modules/Webrtc that shouldn't be there?
Found /var/www/html/admin/assets/parkpro that shouldn't be there?
Found /var/www/html/admin/assets/qxact_reports that shouldn't be there?
Found /var/www/html/admin/assets/sangomacrm that shouldn't be there?
Found /var/www/html/admin/assets/webcallback that shouldn't be there?
Found /var/www/html/admin/assets/broadcast that shouldn't be there?
Found /var/www/html/admin/assets/freepbx_ha that shouldn't be there?
Found /var/www/html/admin/assets/dahdiconfig that shouldn't be there?
Found /var/www/html/admin/assets/cos that shouldn't be there?
Found /var/www/html/admin/assets/arimanager that shouldn't be there?
Found /var/www/html/admin/assets/vqplus that shouldn't be there?
Found /var/www/html/admin/assets/endpoint that shouldn't be there?
Found /var/www/html/admin/assets/pagingpro that shouldn't be there?
Found /var/www/html/admin/assets/voicemail_report that shouldn't be there?
Found /var/www/html/admin/assets/recording_report that shouldn't be there?
Found /var/www/html/admin/assets/callerid that shouldn't be there?
Found /var/www/html/admin/assets/zulu that shouldn't be there?
Running fwconsole validate --clean removed the files, but I still don’t know what the files were, and now that I am checking, I see the same files on other systems too. Is it a leftover from previous versions? Anybody know?
Thanks. Now fwconsole validate is telling me the following, but these files are not even supposed to be in that directory. I don’t see them on any other system. Safe to delete?
Serious Error! The module /var/www/html/admin/modules/import.sh is not signed!
It is not possible to validate this module.
Serious Error! The module /var/www/html/admin/modules/modlist.sh is not signed!
It is not possible to validate this module.
Serious Error! The module /var/www/html/admin/modules/remove.sh is not signed!
It is not possible to validate this module.
Serious Error! The module /var/www/html/admin/modules/status.sh is not signed!
It is not possible to validate this module.
Serious Error! The module /var/www/html/admin/modules/update.sh is not signed!
It is not possible to validate this module.
Serious Error! The module /var/www/html/admin/modules/versionupgrade-2.10.0beta1.0.tgz is not signed!
It is not possible to validate this module.
If you got a rootkit, I think it is better to reinstall; you cannot be sure that you have actually cleaned all the files. I hope that you succeed. Please keep posting, as this issue interests me also.
As far as I can tell there is no indication of a virus on this system. These files seem to be leftovers from previous versions of FreePBX. This system was upgraded all the way from 4 or 5 (I don’t remember).
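Added example, not part of the thread or of FreePBX: a way to record what the flagged paths are (type, size, owner, mtime, SHA-256) before running fwconsole validate --clean, so the question of what the files were can still be answered afterwards. It assumes only the two output line shapes quoted in the posts above; the function names and the piping workflow in the final comment are hypothetical.

```python
import hashlib, json, os, re, stat, sys
from datetime import datetime, timezone

# The two line shapes seen in the validate output quoted in this thread.
PATTERNS = {
    "unexpected": re.compile(r"^Found (/.+) that shouldn't be there\?$"),
    "unsigned": re.compile(r"^Serious Error! The module (/.+) is not signed!$"),
}

def flagged_paths(output):
    """Return (kind, path) for each flagged path, in output order."""
    hits = []
    for line in output.splitlines():
        line = line.strip().replace("\u2019", "'")  # tolerate curly apostrophes
        for kind, rx in PATTERNS.items():
            m = rx.match(line)
            if m:
                hits.append((kind, m.group(1)))
    return hits

def describe(path):
    """Type, size, owner, mode, mtime and SHA-256; symlinks are not followed."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return {"path": path, "type": "missing"}
    info = {"path": path, "size": st.st_size, "uid": st.st_uid,
            "mode": oct(stat.S_IMODE(st.st_mode)),
            "mtime": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat()}
    if stat.S_ISDIR(st.st_mode):
        info.update(type="dir", entries=sorted(os.listdir(path)))
    elif stat.S_ISLNK(st.st_mode):
        info.update(type="symlink", target=os.readlink(path))
    elif stat.S_ISREG(st.st_mode):
        with open(path, "rb") as fh:
            info.update(type="file", sha256=hashlib.sha256(fh.read()).hexdigest())
    else:
        info["type"] = "other"
    return info

def manifest(output):
    """One record per flagged path, tagged with why validate flagged it."""
    return [dict(describe(p), kind=k) for k, p in flagged_paths(output)]

if __name__ == "__main__":
    # Assumed workflow: fwconsole validate | python3 this_script.py > before_clean.json
    json.dump(manifest(sys.stdin.read()), sys.stdout, indent=2)
```

Comparing the recorded hashes and modification times against the same paths on a known-good system of the same version helps separate upgrade leftovers from files that appeared later.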