FreePBX 14.0.13.6 - No menu bar - possible hacked


#1

I have a client that uses Flowroute for their SIP provider. He got a message asking if he wanted to block calls to the UK. He is in the US and wanted to know if that was spam or something else. I logged into his Flowroute account and noticed that over the last two days there were a lot of 2-minute phone calls. I pulled a CDR report and noticed that the origin IPs were not from his PBX. Ok, this looked interesting to me. I wondered . . . Hmm. Did his PBX get hacked? I went to log into his PBX and saw the missing menu bar. I get the system overview and feed modules, but the blue bar above has NO menus.

Ok, that seemed odd, so I logged into the box. I did a yum update then a yum upgrade then a fwconsole ma updateall. Still no menus. Then I saw another thread and the person suggested doing a fwconsole ma upgrade framework. I got a message stating I had the latest framework.

So I realize that this is really a two-part question and the parts are somewhat related.

  1. How do I get my menu back?
  2. How do I determine if the server was hacked into? I have gone to Flowroute and whitelisted US calls only.

Thanks,

dave


(Moussa) #2

This will list the IP addresses that accessed your server, as long as they are in the access_log:

sudo cat /var/log/httpd/access_log | awk '{print $1}' | sort -n | uniq -c | sort -nr | head -20

These will list all denied and failed access attempts:

sudo cat /var/log/httpd/error_log | grep denied | cut -f 10 -d ' ' | sed 's/.\{7\}$//' | sort | uniq | sort -nr | more
sudo cat /var/log/secure | grep "Failed password" | grep -E -o "([0-9]{1,3}[.]){3}[0-9]{1,3}" | cut -f 11 -d ' ' | sort | uniq | tr '\n' ' ' | sort -nr
sudo cat /var/log/secure | grep "authentication failures" | cut -f 16 -d ' ' | cut -f 2 -d = | sort | uniq | tr '\n' ' ' | sort -nr

Look into logwatch; you will get fail2ban messages, sites that probed the server, su/sshd/sudo-i/sudo sessions, users connected to the server, and many more in one output (as long as they exist in the logs).
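
A triage step that goes one further than the failed-attempt lists above, as an added example that is not part of the original replies: it reports source IPs in a /var/log/secure-style file that had repeated failed SSH password attempts and also a successful login. The function names, the threshold and the sample log lines are constructed for illustration.

```sh
#!/bin/sh
# Added example; sample lines are constructed (RFC 5737 documentation IPs).

# ssh_triage FILE [MIN_FAILS]   (hypothetical helper name)
# Prints "IP failed=N accepted=M" for each source IP with at least MIN_FAILS
# failed password attempts AND at least one accepted login.
ssh_triage() {
    awk -v min="${2:-3}" '
        / sshd\[[0-9]+\]: (Failed|Accepted) / {
            ip = ""
            # The address sits between "from" and "port"; matching that pair
            # also handles "Failed password for invalid user X from IP" lines.
            for (i = 1; i < NF - 1; i++)
                if ($i == "from" && $(i + 2) == "port") ip = $(i + 1)
            if (ip == "") next
            if ($0 ~ /: Failed password /) failed[ip]++
            else if ($0 ~ /: Accepted /) accepted[ip]++
        }
        END {
            for (ip in failed)
                if (failed[ip] >= min && accepted[ip] > 0)
                    printf "%s failed=%d accepted=%d\n", ip, failed[ip], accepted[ip]
        }' "$1" | sort
}

# Constructed sample in the /var/log/secure format.
sample_secure_log() {
    cat <<'EOF'
Mar  3 02:11:07 pbx sshd[2211]: Failed password for root from 203.0.113.45 port 51122 ssh2
Mar  3 02:11:09 pbx sshd[2211]: Failed password for invalid user admin from 203.0.113.45 port 51130 ssh2
Mar  3 02:11:12 pbx sshd[2214]: Failed password for root from 203.0.113.45 port 51141 ssh2
Mar  3 02:14:40 pbx sshd[2290]: Accepted password for root from 203.0.113.45 port 51410 ssh2
Mar  3 03:01:00 pbx sshd[2401]: Failed password for root from 192.0.2.10 port 40001 ssh2
Mar  3 03:01:02 pbx sshd[2401]: Failed password for root from 192.0.2.10 port 40002 ssh2
Mar  3 03:01:04 pbx sshd[2401]: Failed password for root from 192.0.2.10 port 40003 ssh2
Mar  3 03:01:06 pbx sshd[2401]: Failed password for root from 192.0.2.10 port 40004 ssh2
Mar  3 09:00:01 pbx sshd[3001]: Accepted publickey for dave from 198.51.100.7 port 40022 ssh2
EOF
}

tmp=$(mktemp)
sample_secure_log > "$tmp"
ssh_triage "$tmp" 3
rm -f "$tmp"
```

On the PBX itself, run ssh_triage as root against /var/log/secure and any rotated copies; an IP it prints is a lead to check against the CDR origin IPs, since an admin who mistyped a password a few times produces the same pattern.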

