FreePBX | Register | Issues | Wiki | Portal | Support

FreePBX Hacker, help please!


#21

Just don’t run publically available http servers on port 80, such a simple measure will forestall all further compromises from that vector if your /etc/asterisk and “webroot” directories have been previously sanitized.

Because of the apparent obdurate aggressiveness of this penetration against the FreeBBX web service, an obvious observation might be to run

service httpd/apache2 stop

before even attempting to effectively run any fixit scripts, then run the fixit again :wink:

just for grins, before you restart that service, consider changing the service port . . .

JM2CWAE


#22

Thanks for all the advices, will see what happens next and will update you.


#23

that is exactly what I mean, if the hacker has access to my entire system why is he only interested in messing the freepbx credentials and why not other stuff? why not the a2billing database? but when I asked this question I tried to tell you guys that this issue is only related to freepbx and another proof for that no one can explain to me how to remove the MGKNIGH from the database and get access back to my freepbx!!!

Anyway I have restored my server to some while ago when I think my system was not “COMPROMISED” because people here thinks that I am a total idiot in this regards but I am not since the backup image of my system was taken immediately after installing my OS and freepbx (so it is like a fresh reinstall) and I always do this backup before connecting the box to the internet and before any updating or downloads so that I get a cleaner backup of my system.

Just to add more about this, I have also checked the log files and I can’t see any strange IPs accessing my system.

However, this time I have done all the updates except for downloading the security checker because all the other times I was getting hacked again was soon after the running the security check.

I hope no body takes my post wrongly as I say what I see and this time things have been going fine so far but will update you people more in details about my system if things go wrong again.

Cheers.


#24

Hi All

I have been running the freepbx security check but I don’t know if it is alright because it always say the same thing when I re-run the check, please kindly check the below output of the check :

Now Verifying all FreePBX Framework Files
*** File (/usr/sbin/amportal) is missing! ****
/usr/sbin/amportal has been modified!
Framework file(s) have been modified, re-downloading
Downloading Framework
Unable to open /dev/dahdi/ctl: No such file or directory
Downloading 3419164 of 3419164 (100%)

Untaring…Done
Module framework successfully downloaded
installing files to /var/www/html…done
installing files to /var/lib/asterisk/bin…done
installing files to /var/lib/asterisk/agi-bin…done
Checking for upgrades…No further upgrades necessary
framework file install done, removing packages from module
file/directory: /var/www/html/admin/modules/framework/amp_conf removed successfully
file/directory: /var/www/html/admin/modules/framework/upgrades removed successfully
file/directory: /var/www/html/admin/modules/framework/libfreepbx.install.php removed successfully
Module framework successfully installed

SETTING FILE PERMISSIONS
chattr: Operation not supported while reading flags on /var/www/html/cxpanel
chattr: Operation not supported while reading flags on /var/www/html/isymphony
chattr: Operation not supported while reading flags on /var/www/html/provisioning
chattr: Operation not supported while reading flags on /var/www/html/wcb.php
Permissions OK
Download complete
Finished upgrading Framework! Please re-run the check.

thanks.


#25

npfreepbx…Security checker will only check and modify back the files. You will have to keep your system up to date. Otherwise you will still get hit sooner or later


#26

Hey Scott - Yeah, I haven’t been around here much lately - too busy. Will I see you this week at Astricon?

I could not do two back to back shows in Vegas. Probably going to keep to FreePBX world for the next few years.


#27

I don’t know if you are an idiot but you are acting like one. Everyone is trying to help you.

All of your questions have been answered.

1 - The exploit that was utilized ads code that as soon as you execute any core or framework PHP the user is recreated.

2 - You must be restoring your /var/www/html when you do your restore, you are restoring the infection

3 - You can’t just delete this users, much more complex than that as you won’t be able to add users either.

You need to do a limited restore.


#28

Anyone can explain why I am asked to rerun the check whilst I always get the same message without any differences?

By the way I would like to thank CP3 for the advice I hope you can help me more.


#29

Hi again

I don’t know why I can’t get anywhere with this security scan thing since I have just installed the freepbx Distro and I ran the security check to see what is the difference between the out put of the scan and my other “Compromised” machine but found no differences at all and this is what explains all my questions so far because this fresh Distro install should be all perfect and have no files missing but each time I ran I hear the same song as in below:

[root@6 ~]# ./fpbxseccheck.phar --clean --redownload
Starting integrity check…
Clean defined, Will attempt to clean anything thing bad up
Redownload defined, will attempt to redownload where needed
Checking Framework for a valid signature…
Framework appears to be good
Cleaning up exploit 'mgknight’
Purging PHP Session storage
Done
Moving potentially compromised file /etc/asterisk/manager_custom.conf to /tmp/freepbx_quarantine/manager_custom.conf
Moving potentially compromised file /etc/asterisk/sip_custom.conf to /tmp/freepbx_quarantine/sip_custom.conf
Moving potentially compromised file /etc/asterisk/extensions_custom.conf to /tmp/freepbx_quarantine/extensions_custom.conf
Cleaned potential ‘mgknight’ exploit. Please check your system for any suspicious activity. This script might not have removed it all!
Checking FreePBX ARI Framework
FreePBX ARI Framework detected as installed, attempting to update
Downloading 249070 of 249070 (100%)

Untaring…Done
Module fw_ari successfully downloaded
installing files to /var/www/html/recordings…done
installing files to /var/www/html/recordings…done
fw_ari file install done, removing packages from module
files removed successfully
Module fw_ari successfully installed

SETTING FILE PERMISSIONS
chattr: Operation not supported while reading flags on /var/www/html/cxpanel
Permissions OK
Finished with FreePBX ARI Framework
Now Verifying all FreePBX Framework Files
**> *********** File (/usr/sbin/amportal) is missing! ****

/usr/sbin/amportal has been modified!
Framework file(s) have been modified, re-downloading**********
Downloading Framework
Downloading 3419742 of 3419742 (100%)

Untaring…Done
Module framework successfully downloaded
installing files to /var/www/html…done
installing files to /var/lib/asterisk/bin…done
installing files to /var/lib/asterisk/agi-bin…done
Checking for upgrades…No further upgrades necessary
framework file install done, removing packages from module
file/directory: /var/www/html/admin/modules/framework/amp_conf removed successfully
file/directory: /var/www/html/admin/modules/framework/upgrades removed successfully
file/directory: /var/www/html/admin/modules/framework/libfreepbx.install.php removed successfully
Module framework successfully installed

SETTING FILE PERMISSIONS
chattr: Operation not supported while reading flags on /var/www/html/cxpanel
Permissions OK
Download complete
Finished upgrading Framework! Please re-run the check.

I hope I get some help as this is clear that this Security Scanner is repeating itself and makes no differences in terms of restoring the Missing files.

No languages Please!

Thanks.


#30

Perhaps at some point you should just rebuild your seriously compromised system from scratch.


#31

I think there is a cognitive disconnect here, if the server is working, then the verbiage returned by the fixit script is possibly confusing and thusly @npfreepbx is confused . If not so, and indeed @npfreepbx system is not working, then that would be a sad rejoinder on FreePBX support.

Perhaps @npfreepbx should state absolutely whether his system is working or not, never mind the wording . . .

(My money is on that it does work and he has no concerns)


(Andrew Nagy) #32

This user never used freepbx support. So no.

The verbiage returned by the script is filled with key words such as “possible”. There is no way to differentiate between honest custom configs and hacker configs. We just make assumptions.

This will be the last time we make a “fix it” helper script. That does not mean we won’t patch and do security fixes. Of course we will. But creating a system cleaner was not a good idea since it only assumes and can’t catch all edge cases and can be confusing for people. Regardless of how hard we may try to work to make it perfect it never will be

I’m not sure what we are looking for in this thread. People have offered suggestions to the user and the user wants to continue to tirade about the security checker for no apparent reason that to prove a point (because solutions have been clearly offered but rejected or not followed)

I don’t think it matters if the system works or not as I asked that a few times. I also asked for compromised files to be zipped and sent and nothing has been done or sent. So here we are asking again? What’s the point?

In my mind this thread is over and done and is just dragging on for no apparent reason. Lessons learned.


#33

In effect he did, he posted here several times, my point is that although I have no experience of that penetration, I have read the various scripts and understand them and as I said, I believe he is currently fixed, just confused by your possibly unnecessary “Please re-run the check.”


(Andrew Nagy) #34

I asked for zipped html directories and logs sent to our security email. That has not been done. All that has been done in this thread is/are threats to never use this software again and “victim” mentality. No matter who replies (not only against myself)

I can go back and forth with this user for days and days but at some point I’m fighting a losing battle.

I can see how the wording is confusing but it does say “possible”. Again. We will NEVER make a script like this again and we might actually just pull down what is there anyways as it’s hurting more than helping. Especially if people like yourself associate the “fix it” script with freepbx support. As our support staff didn’t make it rob and I did for the community but I digress. Bad choices.

If someone makes sense of this and there is a real concern then by all means pull me back in. But I am out. I only have the patience for so much.


#35

Our posts crossed, but ultimately although I support your work and efforts to fix it, the fixit script was primarily necessary because your published code was “compromisable” and of course you where unaware of that til it happened, kudos for you for fixing it as quickly as you did, but please don’t say “never again”, who knows when the next exploit is discovered, either yours or inherited code.


(Andrew Nagy) #36

Sigh. You completely and utterly miss read what I wrote. The fix it script did NOT fix the compromise. The fix was in the code base. The script simply cleaned up backdoored files that were left as a result of the compromised entrance. It also force downloaded the fixes for the compromise in the codebase

You somehow did exactly what I didn’t want you to do and incorrectly assumed that I said we would never make patches again.

I never said that. Ever. I said no more clean up scripts. Patches and downloads and security updates yes

Please read what is written. Don’t make assumptions.

End of thread.


#37

Never mind, this time I was on your side, in your words “Please read what is written. Don’t make assumptions.”


(Andrew Nagy) #38

Dicko,

You are here to argue. Plain and simle. I have fallen into your trap once again and you miss quoted and misunderstood me.

Here is the exact timeline of events of the CVE (since you seem to be incorrectly assuming throughout this thread).

9-30-2014: Compromise Discovered, Patch released through module admin. Announcement made. CVE announced
10-1-2014: Hacker created script to exploit announced CVE (did not exist before 10-1-2014)
10-3-2014: Exploit seen in the wild. Discovered by support staff @ freepbx
10-5-2014: FreePBX cleanup script released. Giving people who were compromised a false sense of security after an exploit. Leaving them to NOT erase and restore their systems. Resulting in many “false” alarms and wasted effort by staff because of users saying that the “exploit” was not fixed by the CVE. Instead what was discovered was that the “cleanup” script was missing deleting random other backdoor files left around by systems that never applied the original patch but then only used our security script to cleanup their systems. Giving them a false sense of security.

Summary. Patch in Framework ARI solved and stops the exploit. If a system was already compromised, however, running the “fix it script” was not meant to be an end-all be-all. But that’s what it turned into and therefore that is why we will never release an end-all be-all clean-up script again. As it gave people a false sense of security AFTER they were hacked.

Will patches and security exploited be fixed in the future? YES OF COURSE!! :smile:


(Andrew Nagy) #39

I strongly believe this thread has run it’s course. To the original poster. I will work on the wordage of the clean up script tomorrow. Sorry for your troubles and sorry it was mis-worded and confusing. If you want to continue to discuss the CVE and such please head over to:

To the rest of you. Thank you for your time and support.

If you believe I am wrong, then you can flag my post here and the 10 other moderators (some of which do not work for schmooze/freepbx) will see this and they can decide what to do with it.

The next time an exploit is discovered we will release a fix ASAP just like last time. But I doubt we will come up with a cleanup script because compromises change hourly. Once a CVE is released many hackers get their dirty hands on it so that they can exploit systems and each one will do something different and it’s an impossible battle to try to figure out. The best way to stop these things is follow our threads and blogs. When we released the patch/fix for the CVE the “mgknight” attack was NOT (I REPEAT NOT) in the wild. It was created AFTER the CVE was released.

How can I be sure of this? Because the original attack vector for the CVE used a module called “admin dashboard” of which the mgknight script did not. They used the same entrance point however, which was the “Framework ARI” module. So they were different scripts that used the same CVE.


(Andrew Nagy) closed #40