Gotta say those ‘guys’ in the Netherlands/Iceland/CountryCode7 did a very quick, very clever and very nasty opportunistic compromise in a very short time span.
They are well organized, well distributed, very skillful and likely well funded.
The script touches large parts of a compromised system.
I suggest anyone with a tendency to ‘paranoid’ or ‘wise virgin’ check the existence, timestamp and content of all of:
/etc/passwd
/tmp/test.sh
/usr/local/asterisk/ha_trigger
/var/spool/asterisk/tmp/k
/var/spool/asterisk/tmp/test.sh
/var/www/html/admin/assets/ajax.php
/var/www/html/admin/assets/config.php
/var/www/html/admin/assets/js/config.php
/var/www/html/admin/modules/core/ajax.php
/var/www/html/admin/modules/freepbx_ha/license
/var/www/html/admin/modules/freepbx_ha/license.php
/var/www/html/admin/views/ajax.php
/var/www/html/admin/views/footer.php
/var/www/html/digium_phones/ajax.php
/var/www/html/rest_phones/ajax.php
Properly installing and configuring a ‘root kit’ detector can help detect future compromises. I use http://rkhunter.sourceforge.net/
Also DROP 37.49.230.0/24 in your firewall
whois -h whois.cymru.com ' -v -f 37.49.230.74'
and related networks belonging to AS213371
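
One way to run the existence/timestamp/content check over the paths listed above, as an added example that is not part of the original post. It assumes GNU `stat` and `sha256sum`; the function name `check_ioc_paths` and its optional root-prefix argument (for checking a mounted disk image instead of the live system) are hypothetical.

```shell
#!/bin/sh
# Added example. The paths are copied from the post; everything else is an assumption.
IOC_PATHS='/etc/passwd
/tmp/test.sh
/usr/local/asterisk/ha_trigger
/var/spool/asterisk/tmp/k
/var/spool/asterisk/tmp/test.sh
/var/www/html/admin/assets/ajax.php
/var/www/html/admin/assets/config.php
/var/www/html/admin/assets/js/config.php
/var/www/html/admin/modules/core/ajax.php
/var/www/html/admin/modules/freepbx_ha/license
/var/www/html/admin/modules/freepbx_ha/license.php
/var/www/html/admin/views/ajax.php
/var/www/html/admin/views/footer.php
/var/www/html/digium_phones/ajax.php
/var/www/html/rest_phones/ajax.php'

# check_ioc_paths [ROOT]
#   ROOT: optional prefix such as /mnt/image; empty means the live system.
#   Prints one tab-separated line per path: STATUS, mtime, size, sha256, path.
# Usage: check_ioc_paths            (live system, run as root)
#        check_ioc_paths /mnt/image (offline copy)
check_ioc_paths() {
    root="${1:-}"
    printf '%s\n' "$IOC_PATHS" | while IFS= read -r p; do
        [ -n "$p" ] || continue
        f="$root$p"
        if [ -e "$f" ] || [ -L "$f" ]; then
            mtime=$(stat -c '%y' "$f")   # last modification time of the entry itself
            size=$(stat -c '%s' "$f")
            if [ -f "$f" ]; then
                sum=$(sha256sum "$f" | cut -d' ' -f1)
            else
                sum='-'                  # directory, dangling symlink, etc.: nothing to hash
            fi
            printf 'PRESENT\t%s\t%s\t%s\t%s\n' "$mtime" "$size" "$sum" "$p"
        else
            printf 'MISSING\t-\t-\t-\t%s\n' "$p"
        fi
    done
}
```

A PRESENT line is not a verdict on its own, since /etc/passwd, for one, exists on every system; compare the reported timestamp and hash against a known-good copy from the same version.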