I received the odd email this morning from my Sangoma FreePBX appliance:
You have 1 tampered files:
Module: “FreePBX Framework”, File: “/var/www/html/admin/config.php altered”
There are 4 modules vulnerable to security threats:
backup (Cur v. 188.8.131.52) should be upgraded to v. 184.108.40.206 to fix security issues: SEC-2020-003
superfecta (Cur v. 14.0.23) should be upgraded to v. 14.0.25 to fix security
cel (Cur v. 220.127.116.11) should be upgraded to v. 18.104.22.168 to fix security
framework (Cur v. 22.214.171.124) should be upgraded to v. 126.96.36.199 to fix security issues: SEC-2019-000
I logged in remotely, and the config.php file was most certainly hacked: it had lines to delete a lot of files in the system, and lines to allow any user named “mohammed” to log in to the admin page. I immediately deleted the file, and am now trying to figure out how to restore it from an RPM package using yum or rpm.
Any guidance on how to restore the now-deleted config.php file, or on what should be in it, is appreciated.
Note that I cannot find references to the above security updates on the FreePBX community either, so I am now questioning the legitimacy of the email.
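An added example, not part of the original post: before reinstalling anything, it helps to see which package-owned files really changed. It assumes the file is owned by an RPM (`rpm -qf /path/to/file` tells you) and that you have captured `rpm -Va` or `rpm -Vf FILE` output; the sample output below is constructed in the rpm -V line format.

```python
"""Triage rpm -V output: which package-owned files actually changed content?"""
from __future__ import annotations

import re
from dataclasses import dataclass

# One rpm -V line: nine test flags (or the word "missing"), then an optional
# attribute letter (c=config, d=doc, g=ghost, l=license, r=readme), then the path.
_LINE_RE = re.compile(r"^(missing|[SM5DLUGTP.?]{9})\s+(?:([cdglr])\s+)?(/.*)$")


@dataclass
class VerifyEntry:
    path: str
    flags: str       # e.g. "S.5....T." or "missing"
    attribute: str   # "c" for %config files, "" for ordinary files

    @property
    def content_changed(self) -> bool:
        # '5' = digest mismatch, 'S' = size mismatch, or file gone: body altered.
        return self.flags == "missing" or "5" in self.flags or "S" in self.flags


def parse_rpm_verify(output: str) -> list[VerifyEntry]:
    """Parse the text produced by `rpm -Va` / `rpm -Vf FILE` into entries."""
    entries = []
    for line in output.splitlines():
        m = _LINE_RE.match(line.rstrip())
        if m:  # lines that do not match (warnings, notes) are skipped
            entries.append(VerifyEntry(m.group(3), m.group(1), m.group(2) or ""))
    return entries


def triage(output: str) -> dict[str, list[str]]:
    """'tampered': non-config files whose content changed (a package should never
    ship these modified); 'review': config files with content changes, where local
    edits are normal but still worth a look. mtime/mode-only changes are ignored."""
    report: dict[str, list[str]] = {"tampered": [], "review": []}
    for e in parse_rpm_verify(output):
        if e.content_changed:
            report["review" if e.attribute == "c" else "tampered"].append(e.path)
    return report


# Constructed sample output, modelled on the rpm -V line format (paths are hypothetical).
SAMPLE_OUTPUT = """\
S.5....T.    /var/www/html/admin/config.php
.......T.    /usr/share/doc/example/README
S.5....T.  c /etc/asterisk/manager.conf
missing     /usr/lib/example/helper.so
.M.......    /usr/bin/example
"""

if __name__ == "__main__":
    for bucket, paths in triage(SAMPLE_OUTPUT).items():
        print(bucket, paths)
```

On a host that has already been tampered with, the local rpm database may itself have been altered, so compare against a freshly downloaded copy of the package (`yum reinstall PKG` pulls one) rather than trusting the on-box verification alone.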