I’ve run into an issue with the Backup & Restore module not running a scheduled backup. The backup can be successfully run manually. When it doesn’t run, the backup failure notification email doesn’t get sent either. I only clued in on the failure since I run a script on the backup storage server that checks for fresh backups and notifies if they aren’t there.
I found that the job disappears from /var/spool/cron/asterisk, and I’m not sure what is removing it. If I change the timing on the backup by a minute and save it, it gets put back into the cron config, works for a couple days, then disappears again. This started happening on one system, but yesterday started happening on a 2nd system.
Both systems are FreePBX 15.0.17.64 and use the Backup & Restore module version 15.0.10.68.
It was disappearing altogether. I’ve been checking the /var/spool/cron/asterisk file daily to see if it disappears, and today I found something interesting.
The backup job (after being updated and saved in the module, which adds it to the cron config again) was the last item in the cron config yesterday. No longer the case today. So whatever is automatically updating this file strips out the backup job sometimes.
Was notified by the backup server that the backup file for last night was missing. Checked the cron file and the only thing in it was a wget to the malicious script.
Unless you are very confident that you have purged EVERY part of that compromise (and that is not trivial), I suggest you consider your system failed, restore a backup taken prior to the compromise or rebuild from scratch, and know that all your ‘family jewels’ are now compromised and need to be replaced piecemeal but completely.
I would take the opportunity to install a rootkit detector at this point in time ‘just in case’/‘before’ it happens again.
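
The symptom reported in this thread (the backup entry vanishing from /var/spool/cron/asterisk, then the file containing only a wget line) can be checked for directly instead of being inferred from a missing backup file. The script below is an added example, not part of any post above and not FreePBX code; the job pattern `run-backup\.sh` and the sample crontab lines are constructed assumptions.

```bash
#!/bin/bash
# Added example: audit a crontab file for a missing expected job and for
# entries that fetch remote content. Patterns and sample lines are assumptions.

# audit_crontab FILE EXPECTED_REGEX
# Prints OK, or a space-separated list of MISSING_JOB / DOWNLOADER, or UNREADABLE.
audit_crontab() {
    local file="$1" expected="$2" active findings=""
    if [ ! -r "$file" ]; then
        echo "UNREADABLE"
        return 0
    fi
    # Ignore comments and blank lines so a commented-out job counts as missing.
    active=$(grep -Ev '^[[:space:]]*(#|$)' "$file" || true)
    if ! printf '%s\n' "$active" | grep -Eq -- "$expected"; then
        findings="MISSING_JOB"
    fi
    # Any active entry that invokes wget or curl is flagged for review.
    if printf '%s\n' "$active" | grep -Eq '(^|[^[:alnum:]_-])(wget|curl)([[:space:]]|$)'; then
        findings="${findings:+$findings }DOWNLOADER"
    fi
    echo "${findings:-OK}"
}

# Constructed sample crontabs (not taken from the affected systems).
demo_verdicts() {
    local dir f
    dir=$(mktemp -d)
    printf '%s\n' '# nightly' '0 2 * * * /usr/local/bin/run-backup.sh' > "$dir/good"
    printf '%s\n' '*/5 * * * * wget -q http://example.invalid/placeholder' > "$dir/replaced"
    printf '%s\n' '#0 2 * * * /usr/local/bin/run-backup.sh' '15 * * * * /usr/bin/true' > "$dir/stripped"
    for f in good replaced stripped; do
        echo "$f: $(audit_crontab "$dir/$f" 'run-backup\.sh')"
    done
    rm -rf "$dir"
}

# Typical use, with the pattern replaced by one matching the real backup entry:
#   audit_crontab /var/spool/cron/asterisk 'HYPOTHETICAL_BACKUP_PATTERN'
demo_verdicts
```

Any verdict other than `OK` is worth an alert, and `DOWNLOADER` on this file should be treated as a sign of compromise rather than a scheduling fault.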