FreePBX complains of tampered file?

dan_ce · July 13, 2019, 5:23am

Just got an email from FreePBX:

SECURITY NOTICE:

You have 1 tampered files:
 Module: "CID Superfecta", File:
"/var/www/html/admin/modules/superfecta/includes/oauth-google/Google/Auth/O
Auth2.php
altered"

Is this a sign of a hack?

Thank you

EDIT: Looking at the file, it looks like it shows sign of file corruption? Below is a snippet.

 public function r�freshTokenWithAssertion($assertionCredentiqls = null)
  {
"   if (!&asseption^Credentialq) {
`     $assertionCredentials = $t`is->ass�r�ionCredejtials;
    }

    $cacheKey = $assertionCrede�tials-^^getCacheKey();

lgaetz · July 13, 2019, 10:04am

Repair with:

fwconsole ma refreshsignatures

xrobau · July 13, 2019, 4:14pm

Yay, glad to see Signature Checking potentially saved your bacon. But this is a really bad thing - if one file is corrupt, you need to figure out WHY it’s corrupt. Possibly a failing drive?

cynjut · July 15, 2019, 1:23pm

… or a failing memory module somewhere in the system. There are several levels of memory in the average system, and you could be seeing the failure of a cache module, a drive controller cache, on on-disk memory buffer, or a bad hard drive itself.

The ‘fire and forget’ way to solve it is to replace the system wholesale and image the drive onto a new drive. Imaging the drive onto a new drive would probably be a good idea anyway, since problems like this (once they start) usually only get worse.

xrobau · July 15, 2019, 2:54pm

I find it unlikely it will be RAM, because RAM would only corrupt the file when it’s being written - it wouldn’t corrupt a file that’s at rest.

dan_ce · July 15, 2019, 9:24pm

I do find it odd that the one file on my system that’s seemingly got corrupt has to do with logins! Hmmm.
Anyway I’ve run the rereshsignatures command, I guess there’s no way to tell what may or may not have gone on?
(I use fail2ban and the FreePBX server’s ports aren’t exposed to the world.)
Thanks all