I strongly believe this thread has run it’s course. To the original poster. I will work on the wordage of the clean up script tomorrow. Sorry for your troubles and sorry it was mis-worded and confusing. If you want to continue to discuss the CVE and such please head over to:
To the rest of you. Thank you for your time and support.
If you believe I am wrong, then you can flag my post here and the 10 other moderators (some of which do not work for schmooze/freepbx) will see this and they can decide what to do with it.
The next time an exploit is discovered we will release a fix ASAP just like last time. But I doubt we will come up with a cleanup script because compromises change hourly. Once a CVE is released many hackers get their dirty hands on it so that they can exploit systems and each one will do something different and it’s an impossible battle to try to figure out. The best way to stop these things is follow our threads and blogs. When we released the patch/fix for the CVE the “mgknight” attack was NOT (I REPEAT NOT) in the wild. It was created AFTER the CVE was released.
How can I be sure of this? Because the original attack vector for the CVE used a module called “admin dashboard” of which the mgknight script did not. They used the same entrance point however, which was the “Framework ARI” module. So they were different scripts that used the same CVE.