I received the odd email this morning from my Sangoma FreePBX appliance:
You have 1 tampered files:
Module: “FreePBX Framework”, File: “/var/www/html/admin/config.php altered”
There are 4 modules vulnerable to security threats:
backup (Cur v. 126.96.36.199) should be upgraded to v. 188.8.131.52 to fix
security issues: SEC-2020-003
superfecta (Cur v. 14.0.23) should be upgraded to v. 14.0.25 to fix security
cel (Cur v. 184.108.40.206) should be upgraded to v. 220.127.116.11 to fix security
framework (Cur v. 18.104.22.168) should be upgraded to v. 22.214.171.124 to fix
security issues: SEC-2019-000
I logged in remotely, and the config.php file was most certainly hacked - it had lines to delete a lot of files in the system, and lines to allow any user named “mohammed” to login to the admin page. I immediately deleted the file, and am now trying to figure out how to restore it from an RPM package using yum or rpm.
Any guidance on how to restore the now deleted config.php file is appreciated. Or what should be in it.
Note that I cannot find references to the above security updates on the FreePBX community either, so am now questioning the legitimacy of the email.
Reinstalling or upgrading framework will probably restore the config.php.
You almost certainly are allowing untrusted access to the admin GUI, you want to disallow that.
Thanks - can I reinstall framework using yum?
Thanks for the list of vulnerabilities - looks like those were in the list. By untrusted access, I guess you mean I need to restrict the IP access to the admin GUI login page to trusted IP’s? Is there an easy way to go about that or do I just dig into the firewall rules on the appliance?
No. Framework is a pbx module, use the Module Admin page.
Unfortunately, I cannot get into the Module Admin page - the entire admin page is offline, as it appears config.php is the main file used. I guess I can download FreePBX to one of my Linux boxes, and unpack it and try to find the admin/config.php file I need, then copy it over to the Sangoma appliance.
Once I get it up, I’ll start looking at the firewall rules. It is enabled, but I have some users who needed remote access to the admin page, to change forwarding rules and ring groups remotely. I’ll just have to shut that off to anyone who is not VPN’ed into the office.
fwconsole ma downloadinstall framework --force
Thanks, I actually grabbed the latest FreePBX 14 tarball, unpacked it here on my laptop and copied up to the PBX at the office. I’m into the admin panel now, and am installing updated modules, then locking down the firewall to the LAN and my home IP only, since I am the only person that truly needs remote access on port 443. The user control panel is on its own port, and I will leave that open for now.
At this point you should assume that your PBX is completely compromised, more than just a hacked php file. I don’t want to sound paranoid but if I were you I would start from scratch and re-install from the ISO.
Also have Sangoma post mortem how you were hacked before you ‘start from scratch’
Unfortunately a full rebuild right now is not an option, as the PBX is routing calls for 24/7 technical support for customers. Also, I installed the PBX appliance while working there full-time - now I am in a new job, and just helping them out on an as-needed basis after hours.
About the best I could do would be to provision an unused Dell 1U server in the same rack as a new FreePBX box, and install FreePBX from scratch over there, then cut things over from the Sangoma appliance, but I would need to prove the need for it before I could justify the time and money the effort would cost.
I have confirmed that no unusual call activity appears in the CDR call logs. The last time I had a FreePBX/asterisk server get hacked, it was for the purpose of someone making international calls via SIP traffic from the internet and through the server. This server is behind a router that does not forward SIP traffic, so that can’t happen.
So at the moment, I’m going to keep an eye on things, I’ve ensured that the admin page is only accessible to LOCAL addresses plus my fixed IP, and SIP traffic is blocked from the internet. I appreciate the help and advice.
Well there were serious XSS vulnerabilities found and fixes released back in December for them. Your config.php was hacked/modified. So I guess the question becomes before you updated the Framework module did you actually look at the config.php to see when it was last modified, what was changed, get a copy of it so someone else could review it if you’re not sure?
Has anything else been done to verify that this system hasn’t been compromised? Because if not and due to the fact it sat open with these known XSS exploits (which people did get hit by) I would say you can’t give them a 100% answer that this box hasn’t been touched by outside hands.
Toll fraud could rise to a lot more money than the cost of fixing the PBX, the customer should know better than that…
When your system has been hacked, then the absence of CDR records is just possibly that you have been well hacked and they are likely cleverer than you or FreePBX ;- )
Check with your VSP for usage
Yup, slapping a NoCDR() in the hack dialplan will do exactly that, stop a CDR from being created for the call.
You guys have to get used to how it all works, accepting traffic from UDP:5060 is just waiting for sh*t to happen, 9999 out of 10000 attempts come from there so two suggestions:-
a) don’t do it
b) if you do , ask yourself why you did
UDP traffic from outside the LAN was not allowed - just the admin page was exposed. A separate physical firewall prevented that. Just ports 443 (admin) and the user page were exposed to the Internet. Now just the user page on port 4443.
The config.php file was modified this morning, shortly before I got the notice from the system. The contents had been modified so that it would delete certain files when the admin page was accessed, but those files don’t appear to have been deleted. It had hard coded authentication information as well. Unfortunately I didn’t save it off before killing it.
I’ve found no “NoCDR()” entries on any dial plans, but I did find one suspicious custom destination that pointed to a phone number in the Dominican Republic. They do have customers down there, so I’ll talk to them in the morning and see if they really wanted a speed dial that dialed that number. For the moment it is deleted. I will also have them check the call records with AT&T tomorrow to be sure nothing is going on. If it is then obviously further action is warranted.
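Two checks come up in this thread: whether a web-facing file such as admin/config.php still matches a known-good copy (the OP restored it from a freshly unpacked FreePBX tarball, which gives you that reference), and whether any dialplan contains a NoCDR() call that would hide calls from the CDR report. The script below is an added example for the triage of both, not code from the thread or from FreePBX. It assumes POSIX sh with either sha256sum or shasum available; the config.php and extensions_custom.conf contents it scans are constructed sample files in a temp directory, standing in for the real /var/www/html/admin/config.php and the /etc/asterisk dialplan files on an appliance.

```shell
#!/bin/sh
# Added example (not from the thread): post-compromise triage helpers.
# 1) verify a file against a known-good SHA-256 (e.g. config.php against
#    the copy from a freshly unpacked FreePBX tarball)
# 2) scan Asterisk dialplan files for NoCDR() calls that suppress CDRs

WORK="$(mktemp -d)"

# --- constructed sample input: NOT real PBX files ---
# One legitimate context and one rogue context that hides its calls.
cat > "$WORK/extensions_custom.conf" <<'EOF'
[from-internal-custom]
exten => 1234,1,NoOp(legitimate test)
 same => n,Hangup()

[app-rogue]
exten => _X.,1,NoCDR()
 same => n,Dial(SIP/trunk/${EXTEN})
EOF

# Known-good config.php stand-in and a modified copy with an injected login bypass.
printf '<?php\n$amp_conf = array();\n' > "$WORK/config.php.good"
printf '<?php\n$amp_conf = array();\nif ($_GET["u"] == "x") { $auth = true; }\n' \
    > "$WORK/config.php.bad"

# sha256_of FILE -> prints the hex digest; works with coreutils or macOS tools
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# check_file_hash FILE EXPECTED_HASH -> prints OK/TAMPERED, returns 0/1
check_file_hash() {
    actual="$(sha256_of "$1")"
    if [ "$actual" = "$2" ]; then
        echo "OK: $1"
        return 0
    fi
    echo "TAMPERED: $1 (sha256 $actual)"
    return 1
}

# count_nocdr DIR -> prints the number of dialplan lines calling NoCDR()
count_nocdr() {
    grep -rIiE 'NoCDR\(' "$1" 2>/dev/null | wc -l | tr -d ' '
}

# list_nocdr DIR -> prints file:line:text for each hit, for the incident record
list_nocdr() {
    grep -rIinE 'NoCDR\(' "$1" 2>/dev/null
}

# Demo run when executed stand-alone. On a real box the reference hash comes
# from the tarball copy and DIR would be /etc/asterisk.
GOOD_HASH="$(sha256_of "$WORK/config.php.good")"
check_file_hash "$WORK/config.php.good" "$GOOD_HASH" || true
check_file_hash "$WORK/config.php.bad" "$GOOD_HASH" || true
echo "NoCDR() calls found: $(count_nocdr "$WORK")"
list_nocdr "$WORK"
```

A hash match only proves the file equals the reference you chose, so keep the reference copy off the suspect machine; and a clean NoCDR() scan says nothing about calls already placed, which is why the thread also points at the provider's usage records.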
Web compromise is a different problem, we have all been assured that FreePBX code is safe, please document the intrusions
Yes, as long as you had updated the modules that had the XSS exploits in them. Based on this entire thread, this morning (or at least very recently) the OP saw a security alert email showing that those modules had yet to be updated since their releases late December.
However, there are documented exploits that require users to be on certain versions of modules in order to ensure it is safe.
Addon: So basically if you haven’t bothered to update your system since the last week of December or earlier in December (there were two rounds of fixes for different modules) you are not safe.
Luckily that’s automatic for all users, or is it ?