Config.php hacked - need to replace

Not always. Both automatic updates and automatic security updates can be turned off or (I would have to check) need to be enabled to be used. I know automatic updates need to be turned on; I'm not sure if the security ones happen automatically.

But those would be if you installed a new system. If you did a 13 --> 14 upgrade those settings wouldn’t be automatically set. So it would depend on the environment I would say.

That’s great comfort to everyone, thanks

On new installs these are enabled by default.

Perhaps you have a config backup that you can restore from?

You can try to install another clean system and export what you may have, and once this new install is ready, use it.
To be honest, the damage is done and we don’t know what is hacked right now. So, IMHO, there is no need to take any risk.
Improve the security of your system by applying good rules in the firewall (the best is to accept only trusted IP addresses and drop the others).
Otherwise, you can compare any settings manually and swap to the new system once ready.

Also, you can use fwconsole ma downloadinstall for all modules one by one, and next, take a look at your dialplan, SIP settings, etc. (extensions_custom.conf, sip, pjsip, manager, etc.) to see if some hacked contexts, managers or devices are present somewhere in your system.

rkhunter is useful to check if there’s some stuff wrong in your system. You can install it even if it’s a little bit old.

Don’t forget to update your system (OS + FreePBX) as often as possible.

I’ve had the same issue. Security notification on PBX admin page saying config.php was altered and I found a LOT of code that was new and many sections relating to a user named “mohammed” and to delete a bunch of files.

I put the config on pastebin for others to see: https://pastebin.com/GgD3PeLS

I had originally changed the MD5 hashes to a hash of ‘fuckyoumohammed’ before finding this thread.
(If you’re interested) The original hashes were:

I had turned off automatic updates last year after a set of automatic system updates led to Asterisk instability. I had to roll back Asterisk to the prior RPMs to stabilize the system, and in fact, still have Asterisk itself held at that level. I have reenabled FreePBX security updates, and gone to daily emails about other available updates.

Jekyll,

That file you shared is exactly what I saw.

The only thing I found awry so far was a custom destination and extension that ended up dialing a phone number in the Dominican Republic. But we confirmed with AT&T that no unusual international calls happened over the weekend. It is possible that a salesperson we had who is now gone had one of the former IT guys set up this custom extension to point to a prospective customer down there, but no one there today knows about it (they have had a lot of turnover in the past year).

Did you find out how this dbag got into the system?
I couldn’t find any logs showing logins or compromises so I’m not sure how he was able to make changes to the admin config file.

My PBX didn’t have any extra routes or extensions added. But I only set up my PBX so my family could call each other from overseas for free, so mohammed wouldn’t be able to make any calls for free. lol.
Since the code was to delete files, do you think this is just someone being destructive, or actually trying to get free calls?

Jekyll, I am not sure, but I imagine the fact that the admin page was exposed to the internet at all was sufficient to let someone exploit one of the XSS vulnerabilities, a buffer overflow, or something. I.e., it was a web-based hack.
