Last week I noticed some “new” files in my html root folder which looked suspicious.
I opened the file in a text editor and noticed they were base64-encoded, after which I was sure this is malware. I used ChatGPT to analyse and fix the issue. Below is a summary written by ChatGPT on how we fixed the error.
The 2 files that I noticed were ajax.php and jubba.php in the /var/www/html folder.
I’m running a fully up to date Official Distro of FreePBX 15 running Asterisk 13.83.3
In addition to what’s written below, I found an “administrator” user called MagicJuba as well - which I obviously went ahead and deleted. Haven’t found anything else yet.
Didn’t find anything under “Asterisk Manager Users”, neither any new extensions or anything under “User Management”
Wondering what else should I do in order to make sure my system isn’t compromised. I do plan to migrate to either FreePBX 16 or 17 during the next few months for security.
Also should I share the malicious files here? I did save 2 of them in order to figure out what they were up to.
Here’s the heading for one of the pages
THEY CALL ME JUBAVOIP 2025 :)
Malware cleanup notes: ajax.php keeps reappearing (FreePBX)

Symptoms
- Malicious ajax.php reappeared after deletion in these paths:
  - /var/www/html/ajax.php
  - /var/www/html/admin/modules/ajax.php
  - /var/www/html/admin/modules/core/ajax.php
1) Verify whether core OS binaries were tampered with
In our case rpm -V showed mismatches like S.5....T. (size, digest and mtime changed) for coreutils files (example: /usr/bin/ls, /usr/bin/cp, /usr/bin/cat).

```bash
rpm -V coreutils | head -n 200
rpm -qf /usr/bin/ls
sha256sum /usr/bin/ls /bin/ls
```

Fix: reinstall coreutils (and any other packages that show verification issues)

```bash
yum -y reinstall coreutils
rpm -V coreutils | head -n 50   # should return nothing for coreutils now
```

We also reinstalled a few “high risk / commonly targeted” packages to be safe:

```bash
yum -y reinstall coreutils bash openssh-server openssh-clients php httpd sudo util-linux
```

Then, optionally, run a broader check over every installed package:

```bash
rpm -Va > /root/rpm-verify.txt
egrep '^\S' /root/rpm-verify.txt | head -n 200
```
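The full `rpm -Va` listing is long and mostly noise (edited config files, mtime-only changes), so it helps to rank the lines by what actually changed. This added triage script is example code, not part of the original post or of FreePBX; it parses the 9-character `rpm -V` status field and runs over a constructed sample modelled on the S.5....T. lines above.

```python
"""Rank `rpm -Va` output by severity (added example, not from the original post).

Each rpm -V line carries a status field S M 5 D L U G T P (size, mode, digest,
device, link, user, group, mtime, capabilities); '.' means unchanged.  An
optional attribute letter follows (c = config, d = documentation, g = ghost).
"""
import re

FLAGS = {"S": "size", "M": "mode", "5": "digest", "D": "device", "L": "symlink",
         "U": "user", "G": "group", "T": "mtime", "P": "capabilities"}

# Older rpm prints an 8-character field (no P column), newer prints 9.
LINE_RE = re.compile(
    r"^(?P<status>[SM5DLUGTP.]{8,9}|missing)\s+(?:(?P<attr>[a-z])\s+)?(?P<path>/\S+)$")

def parse_line(line):
    """Return a dict describing one rpm -V line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    status, attr, path = m.group("status"), m.group("attr"), m.group("path")
    missing = status == "missing"
    changed = [] if missing else [FLAGS[c] for c in status if c != "."]
    return {"path": path, "attr": attr, "changed": changed, "missing": missing}

def classify(entry):
    """high: binary content replaced or file gone; medium: review; low: routine."""
    if entry["missing"]:
        return "low" if entry["attr"] in ("d", "g") else "high"  # docs/ghosts may be absent
    if "digest" in entry["changed"] or "size" in entry["changed"]:
        return "medium" if entry["attr"] == "c" else "high"  # edited configs are normal
    if entry["changed"] == ["mtime"]:
        return "low"
    return "medium"  # mode/owner/link changes deserve a look

def triage(text):
    """Group paths from rpm -Va output into high / medium / low buckets."""
    results = {"high": [], "medium": [], "low": []}
    for line in text.splitlines():
        entry = parse_line(line)
        if entry:
            results[classify(entry)].append(entry["path"])
    return results

# Constructed sample output, shaped like the coreutils mismatches in the post.
SAMPLE = """S.5....T.    /usr/bin/ls
S.5....T.    /usr/bin/cp
.......T.  c /etc/ssh/sshd_config
S.5....T.  c /etc/sudoers
missing   d /usr/share/man/man1/cat.1.gz
.M.......    /usr/bin/sudo
"""

if __name__ == "__main__":
    for level, paths in triage(SAMPLE).items():
        print(f"{level}: {paths}")
```

Feed it the saved /root/rpm-verify.txt instead of SAMPLE; any "high" path that is a binary should be reinstalled from the package that owns it (rpm -qf), as step 1 does for coreutils.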
2) Stop the process that was restoring the malware
For us, it was incrond doing filesystem-triggered restores (not Apache, not FreePBX, not cron).

```bash
systemctl stop httpd
systemctl stop incrond
```
3) Watch file recreation (optional but recommended)
Use auditd to log who recreates files if they come back:

```bash
auditctl -D
auditctl -w /var/www/html -p wa -k WWW_W
auditctl -w /var/www/html/admin/modules -p wa -k MOD_W
auditctl -w /var/www/html/admin/modules/core -p wa -k CORE_W
```
4) Delete the malicious files and confirm they don’t return

```bash
rm -f /var/www/html/ajax.php \
      /var/www/html/admin/modules/ajax.php \
      /var/www/html/admin/modules/core/ajax.php

# Poll for two minutes and report the moment any copy comes back
for i in {1..120}; do
  if [[ -e /var/www/html/ajax.php || -e /var/www/html/admin/modules/ajax.php || -e /var/www/html/admin/modules/core/ajax.php ]]; then
    echo "REAPPEARED at second $i"
    break
  fi
  sleep 1
done
```
If they stop reappearing once incrond is stopped, you’ve likely broken persistence.
5) Identify / disable the incron rule (if applicable)
Check incron rules, especially anything that watches Asterisk/FreePBX dirs and executes a helper:

```bash
ls -la /etc/incron.d /etc/incron.*
grep -RIn "incron\|IN_" /etc/incron* /etc/incron.d 2>/dev/null
```

If you find a rule that triggers restores, disable incrond until you fully verify the system:

```bash
systemctl disable incrond
```
Outcome
- After reinstalling tampered RPM packages and stopping incrond (the persistence mechanism), the malicious ajax.php files stopped reappearing and stayed gone.