FreePBX 15 - Vulnerability Used to take down a server

bmartindcs · July 24, 2021, 3:04am

Hey all,

I manage a large number of deployments hosted in a major datacenter. One of the systems GUI went down but Asterisk was still working. The entire HTML folder was wiped clean, save for a couple skeleton folders with nothing in them. I dug through the logs and saw some hammering related to Digium before it appears the issue took place. I am not exactly sure how to interpret what I am seeing in the logs and unclear why fail2ban didn’t block them either since they were hammering the server. This system was fairly up to date from a freepbx standpoint, and also from a OS standpoint per Yum.

I have all the HTTP logs, but am not sure what is meaningful vs not within them.

Are the logs something that Dev would be interested in? How do I go about reporting properly?

jfinstrom · July 24, 2021, 5:20am

You can post the logs via pastebin and we can at least figure out if it is something new or old. Usually they leave behind some sort of php file with something like eval(base64_decode(...)) somewhere inside which reopens back doors if they are closed.

bmartindcs · July 24, 2021, 5:22am

No files left behind anywhere obvious. I made a tarball of the var/log folder then blew the machine out. I’ll sanitize the logs tomorrow.

jfinstrom · July 24, 2021, 5:26am

https://wiki.freepbx.org/plugins/servlet/mobile?contentId=183861302#content/view/183861302

Note this was the last known active exploit

system · August 24, 2021, 5:26am

This topic was automatically closed 31 days after the last reply. New replies are no longer allowed.