ERROR "you got hacked with trixbox exploit look it on http://milw0rm.com/exploits/6045"

Hi, some days ago I logged in to my Trixbox and this error appeared:

```php
assign("tbversion",tbversion());
$smarty->assign("title","trixbox - User Mode");
$smarty->assign("main_tab",$tabsArray["main_tab"]);
$smarty->assign("module_name",$tabsArray["module_name"]);
$smarty->assign("module_folder",$tabsArray["module_folder"]);
$smarty->assign("tab_text",$tabsArray["tab_text"]);
$smarty->assign("module_folder",$tabsArray["module_folder"]);
$smarty->assign("tab_text_constant",$tabsArray["tab_text_constant"]);
$smarty->assign("mouseover_title",$tabsArray["mouseover_title"]);
$smarty->assign("tab_image",$tabsArray["tab_image"]);
$smarty->assign("hidden_tab",$tabsArray["hidden_tab"]);
$smarty->assign("version_num",$tabsArray["version_num"]);
foreach($tabsArray["tab_url"] as $key => $value){
    $tabsArray["tab_url"][$key] = $_SERVER['PHP_SELF'].$value;
}
$smarty->assign("tab_url",$tabsArray["tab_url"]);
$smarty->assign("newwindow_url",$tabsArray["newwindow_url"]);
$smarty->assign("template",$tabsArray["template"]);
$smarty->assign("config_file",$tabsArray["config_file"]);
$smarty->assign("innerVar",$tabsArray["innerVar"]);
$smarty->assign("new_window",$tabsArray["new_window"]);
$smarty->assign("description",$tabsArray["description"]);
$smarty->assign("site_url",$tabsArray["site_url"]);
$smarty->assign("site_description",$tabsArray["site_description"]);
$smarty->assign("contact",$tabsArray["contact"]);
// Include configModules file in the appropriate module folder depending upon the tab that is chosen
$getVariable = "";
foreach($tabsArray['innerVar'] as $key => $value){
    if(isset($_GET[$value])){
        $getVariable = $_GET[$value];
        include('modules/'.$tabsArray['module_folder'][$key].'/'.$tabsArray['config_file'][$key]);
        break;
    }elseif((count($_GET)==0)){
        include('modules/'.$tabsArray['module_folder'][0].'/'.$tabsArray['config_file'][0]);
        break;
    }
}
//include('modules/configModules.php');
include_once('includes/application_top.php');
$browser = detectBrowser();
$smarty->assign("browser", $browser);
foreach($tabsArray["module_folder"] as $key => $value){
    if(file_exists('modules/'.$value.'/language/'.$language.'.php')){
        include('modules/'.$value.'/language/'.$language.'.php');
        if($tabsArray["module_name"][$key] == $MODULE_NAME){
            $params = array('charString' => $TAB_NAME, 'language' => $_SESSION['trixbox_Language']);
            $tabsArray["tab_text"][$key] = specialCharacterReplace($params, 1);
            $params = array('charString' => $TAB_LABEL, 'language' => $_SESSION['trixbox_Language']);
            $tabsArray["mouseover_title"][$key] = specialCharacterReplace($params, 1);
        }
    }
}
include('includes/functions/xajaxPackagesLink.php');
$xajax = new xajax();
$xajax->registerFunction("setSession_value");
$xajax->processRequests();
$smarty->assign('xajax_javascript', $xajax->getJavascript());
$smarty->assign("tab_text",$tabsArray["tab_text"]);
$smarty->assign("mouseover_title",$tabsArray["mouseover_title"]);
$smarty->register_function('translation', 'specialCharacterReplace');
$smarty->display('index.tpl');
?>
```

Followed by this message:

"you got hacked with trixbox exploit look it on http://milw0rm.com/exploits/6045 and try to update it every time,dont leave week passwords there`s a bruteforce ssh mass scanner,dont leave mysql_history,/etc/psa/.webmail.shadow etc... I pached your trixbox ... good luck"

I don't know what the error here is or how I can repair it. Please help me with this, I'm new to Trixbox.

Thanks,

Juan Sebastian

Your only option is to completely re-image your machine. You have no idea what may have been left behind. In general, you should limit access to your system through SSH and tunnel when you need to get to the GUI, or use a secure VPN. On the FreePBX side, we take security issues that are reported to us seriously and try to address them quickly.

On the trixbox side, which has nothing to do with FreePBX and is out of our control, they have had nothing but security problems, and if you look at many of the really irresponsible things that they do, you may want to consider trying other alternatives such as the new AsteriskNow, Elastix or PIAF. I can tell you that if you reload trixbox, even the latest version, there are still very serious security issues in their configuration that would keep any knowledgeable Linux administrator from touching it with a 10-foot pole.

Sorry to hear that you are in a potential world of hurt. I'd not trust the box at all and would plan on rebuilding it from scratch tonight at the latest. The message implies that they fixed your box, but who knows, and would you trust somebody who had the nerve to hack you to also be a do-gooder?

Here is what I would do.

  1. Lock it down at the firewall and close everything you don't need to have open. That means SSH, HTTP, and even SIP if you are not doing external SIP with anybody. Lock it down at the firewall, NOT iptables: the box was compromised, so they can compromise anything on it, including iptables, and hide it from you.

I'd NOT trust it; find a different distro that keeps current with all compromises. Then determine which version of FreePBX that new distro uses. Make a backup of the FreePBX settings in its current state, then upgrade to the matching version of FreePBX and do a complete backup of FreePBX and all its settings. Move both backups off to a safe location for later restoration.

Then take the box and remove/disable ALL firewall rules to it.

Next, install the new distro and get it updated to the latest level possible for everything (watch that you don't go past the FreePBX version you made a backup from). Restore the FreePBX backup and then update to the newest FreePBX out.

Then and only then open only what is REALLY needed. If you need SSH, open it only to the IPs you connect from, not the whole world. DO NOT open the HTTP interface; if people need to get to the web interface, SECURE IT. That means use htaccess and SSL, or, best of all, get a VPN solution and use that.

Lastly, keep on top of security updates. That means checking every week or even daily. If you end up using a distro based on the RedHat/CentOS distro you can see if there are updates by running `yum check-update`.

Anything for the OS should be considered critical. For the distro portion, go visit the site and see why a package is being updated. If it is a security update they will tell you; if it is just an upgrade for functionality then that is your call, but don't get too far behind or it becomes hard to get support.

Hope that helps.
Good luck.

Look for a distro that already uses fail2ban, or add it yourself. fail2ban will block an IP address after a set number of failed logins, like 3. I like it.

The PiaF team is currently testing fail2ban with not only Apache, but SIP and SSH as well. A person could either use what they have on a PiaF box or extrapolate what they are doing and hand install on an AsteriskNow 1.5 box.

As others have suggested, get rid of your current image and load something else.
I personally can’t recommend PIAF enough, especially as it has fail2ban bundled and preconfigured with it.
Setting up and configuring the entire PIAF system will most likely only take an hour or two out of your day.

I've installed it for a number of people, and where previously they were getting hammered by hundreds of SSH requests, fail2ban quietly ignores the SSH brute-force attempts after 3 failed attempts.

You’re very fortunate that your uninvited guest didn’t decide to run up thousands of dollars of toll calls on your system, but you’re unlikely to get a second warning.
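The "ban after 3 failed attempts" behaviour the last few posts describe, as an added example that is not part of the thread and is not fail2ban's own code: a small Python script that applies fail2ban-style jail logic (filter regex, findtime window, maxretry, bantime, ignoreip) to log lines. The regexes are simplified versions of fail2ban's stock sshd and asterisk filters; the hostname, addresses and log lines are constructed for the demo, and the ignoreip entry stands for the administrator's own address, the one post above says SSH should be open to. It shows two things the posts only state: a third failure outside the findtime window does not trigger a ban, and failures from a whitelisted address never do.

```python
"""fail2ban-style ban logic over constructed sshd and Asterisk log lines.

Illustration only: the patterns below are simplified versions of fail2ban's
filter.d/sshd.conf and filter.d/asterisk.conf (an assumption, not a copy),
and the sample log lines are made up.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

IPV4 = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

FILTERS = {
    # sshd via syslog: "Failed password for [invalid user] NAME from HOST port N ssh2"
    "sshd": re.compile(
        r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from " + IPV4 + r" port \d+ ssh2"
    ),
    # Asterisk chan_sip: "Registration from '...' failed for 'HOST[:port]' - REASON"
    "asterisk": re.compile(
        r"NOTICE\[\d+\] chan_sip\.c: Registration from '.*' failed for '" + IPV4
        + r"(?::\d+)?' - (?:Wrong password|No matching peer found|Username/auth name mismatch)"
    ),
}

# syslog ("Jul 21 10:00:01 ...") and Asterisk ("[Jul 21 10:00:01] ...") stamps
TS_RE = re.compile(r"^\[?([A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2})\]?")
EPOCH = datetime(1900, 1, 1)  # strptime fills in 1900 for year-less stamps


def parse_ts(line):
    """Seconds since EPOCH for the line's timestamp, or None if it has none."""
    m = TS_RE.match(line)
    if not m:
        return None
    return (datetime.strptime(m.group(1), "%b %d %H:%M:%S") - EPOCH).total_seconds()


def scan(lines, filter_name, maxretry=3, findtime=600, bantime=3600, ignoreip=()):
    """Return {host: (ban_start, ban_end, failures_counted)} for hosts that
    reach maxretry failures within findtime seconds. Lines must be in time order."""
    pattern = FILTERS[filter_name]
    recent = defaultdict(deque)  # host -> failure timestamps still inside findtime
    bans = {}
    for line in lines:
        m = pattern.search(line)
        ts = parse_ts(line)
        if not m or ts is None:
            continue
        host = m.group("host")
        if host in ignoreip:
            continue                      # whitelisted, e.g. the admin's own address
        if host in bans and ts < bans[host][1]:
            continue                      # already banned; nothing more to count
        window = recent[host]
        window.append(ts)
        while window and ts - window[0] > findtime:
            window.popleft()              # forget failures older than findtime
        if len(window) >= maxretry:
            bans[host] = (ts, ts + bantime, len(window))
            window.clear()
    return bans


# Constructed sample logs (addresses from the RFC 5737 documentation ranges).
SSH_LOG = [
    "Jul 21 09:40:00 pbx sshd[2101]: Failed password for root from 192.0.2.44 port 39001 ssh2",
    "Jul 21 09:41:00 pbx sshd[2103]: Failed password for root from 192.0.2.44 port 39002 ssh2",
    "Jul 21 10:00:01 pbx sshd[2231]: Failed password for root from 203.0.113.7 port 44120 ssh2",
    "Jul 21 10:00:03 pbx sshd[2231]: Failed password for root from 203.0.113.7 port 44120 ssh2",
    "Jul 21 10:00:04 pbx sshd[2236]: Accepted publickey for admin from 198.51.100.5 port 50112 ssh2",
    "Jul 21 10:00:06 pbx sshd[2240]: Failed password for invalid user oracle from 203.0.113.7 port 44131 ssh2",
    "Jul 21 10:00:08 pbx sshd[2242]: Failed password for root from 203.0.113.7 port 44140 ssh2",
    "Jul 21 10:00:09 pbx sshd[2244]: Failed password for admin from 198.51.100.5 port 50120 ssh2",
    "Jul 21 10:00:10 pbx sshd[2244]: Failed password for admin from 198.51.100.5 port 50120 ssh2",
    "Jul 21 10:00:11 pbx sshd[2244]: Failed password for admin from 198.51.100.5 port 50120 ssh2",
    "Jul 21 10:05:00 pbx sshd[2301]: Failed password for root from 192.0.2.44 port 39010 ssh2",
]
SIP_LOG = [
    "[Jul 21 10:01:12] NOTICE[2250] chan_sip.c: Registration from '\"100\" <sip:100@203.0.113.9>' failed for '203.0.113.9' - Wrong password",
    "[Jul 21 10:01:13] NOTICE[2250] chan_sip.c: Registration from '\"101\" <sip:101@203.0.113.9>' failed for '203.0.113.9' - No matching peer found",
    "[Jul 21 10:01:15] NOTICE[2250] chan_sip.c: Registration from '\"100\" <sip:100@203.0.113.9>' failed for '203.0.113.9' - Wrong password",
    "[Jul 21 10:02:40] NOTICE[2250] chan_sip.c: Registration from '\"200\" <sip:200@192.0.2.44>' failed for '192.0.2.44:5060' - No matching peer found",
    "[Jul 21 10:02:41] NOTICE[2250] chan_sip.c: Peer '100' is now Reachable. (12ms / 2000ms)",
]
ADMIN_IP = ("198.51.100.5",)  # hypothetical address the admin connects from


def run_demo():
    """Run both jails over the sample logs; 198.51.100.5 is whitelisted."""
    return {
        "sshd": scan(SSH_LOG, "sshd", ignoreip=ADMIN_IP),
        "asterisk": scan(SIP_LOG, "asterisk", ignoreip=ADMIN_IP),
    }


if __name__ == "__main__":
    for jail, bans in run_demo().items():
        for host, (start, end, n) in bans.items():
            print(f"[{jail}] ban {host} after {n} failures for {int(end - start)}s")
```

Running it bans 203.0.113.7 in the sshd jail and 203.0.113.9 in the asterisk jail; 192.0.2.44 escapes both because its SSH failures are spread over more than findtime and it has only one SIP failure, and 198.51.100.5 escapes because it is whitelisted. Real fail2ban additionally needs an action (iptables, hosts.deny) to enforce the ban, which a compromised box cannot be trusted to apply, which is the reason the post above says to filter at the perimeter first.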