I went to update a system today and found the GUI gone. Logged in at the root level and found framework disabled. When I go to install it I see the following error:
unlink(/var/www/html/admin/views/config.php): Operation not permitted
When I run fwconsole chown I see
[[email protected] ~]# fwconsole chown
Taking too long? Customize the chown command, See http://wiki.freepbx.org/display/FOP/FreePBX+Chown+Conf
Setting base permissions...chmod: changing permissions of `/var/www/html/admin/views/config.php': Operation not permitted
chown: changing ownership of `/var/www/html/admin/views/config.php': Operation not permitted
Setting specific permissions...
Finished setting permissions
I found the config.php file and I can’t delete it. In it there is:
You’ve been compromised; that file is not legit. You can probably remove it by changing its attributes.
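The attribute change suggested above, written out as a runnable script. This is an added example, not code from the thread or from FreePBX: it reads the `lsattr` flags for the file, copies the file aside for the investigation, clears the immutable (`i`) and append-only (`a`) attributes that make `chown`, `chmod` and `unlink` fail with "Operation not permitted", and only then removes it. It must run as root on a filesystem that supports `chattr`; `EVIDENCE_DIR` is an assumed location, and the path in the usage line is the one reported in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): clear the ext2/3/4 "immutable" /
# "append-only" attributes behind "Operation not permitted" on chown, chmod
# and unlink, preserve the file for analysis, then remove it. Requires root
# and a filesystem that supports chattr. EVIDENCE_DIR is an assumed path.

EVIDENCE_DIR="${EVIDENCE_DIR:-/root/ir-evidence}"   # assumed; any root-only offline dir works

# $1: one line of `lsattr` output, e.g. "----i---------e---- /path".
# Prints "i" (immutable), "a" (append-only), "ia" (both) or "" (neither).
# Only the lowercase letters count: "I" and "A" are unrelated flags.
lock_flags_from_lsattr() {
    attr_field=${1%% *}          # first whitespace-separated field = flag string
    result=""
    case "$attr_field" in *i*) result="${result}i" ;; esac
    case "$attr_field" in *a*) result="${result}a" ;; esac
    printf '%s' "$result"
}

# $1: suspect file. Show ownership and attributes, keep a copy plus hash,
# strip the lock attributes, remove the file. Non-zero exit on failure.
unlock_and_remove() {
    file="$1"
    line=$(lsattr "$file") || return 1
    echo "attributes before: $line"
    ls -l "$file"
    mkdir -p -m 0700 "$EVIDENCE_DIR"          # root-only: cp -p keeps the setuid bit
    cp -p "$file" "$EVIDENCE_DIR/" || return 1
    sha256sum "$file" >> "$EVIDENCE_DIR/hashes.txt"
    case "$(lock_flags_from_lsattr "$line")" in
        *i*|*a*)
            chattr -ia "$file" || {
                echo "chattr refused: missing CAP_LINUX_IMMUTABLE or unsupported fs" >&2
                return 1
            } ;;
        *)
            echo "no i/a attribute set; check mount options, getfacl and SELinux instead" >&2 ;;
    esac
    rm -f "$file" && echo "removed $file (copy in $EVIDENCE_DIR)"
}

# Act only when a path is given, so sourcing the file for the helper is safe.
if [ $# -gt 0 ]; then
    unlock_and_remove "$1"
else
    echo "usage: $0 /var/www/html/admin/views/config.php"
fi
```

If `chattr -ia` itself is refused while running as root, the lock is not an ext attribute: look at read-only mounts, ACLs and SELinux labels before assuming the tool is broken.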
I had a feeling it was compromised. I’m not familiar with the chattr command but I’ll give it a shot. Thank you.
Before you change it, provide output of:
and if the above is not the full content, share it all via pastebin:
-rwSr--r-- 1 root root 4759 Jun 14 2018 /var/www/html/admin/views/config.php
This is not good, the spurious file is owned by root. Look for evidence of ssh login from unknown IPs in /var/log/secure. See if the Apache or Asterisk services are running as root (they should not be).
If you have a root compromise, I fear you are in restore-from-backup territory.
How do I check to see if asterisk or apache is running as root?
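The two checks asked for above (which user Apache and Asterisk run as, and which SSH logins in /var/log/secure came from addresses you do not recognise), as an added example that is not from the thread or from FreePBX. The `SAMPLE_*` data is constructed so the script runs offline; `KNOWN_SSH_IPS` is a placeholder you replace with your own admin addresses, and `--live` runs the same functions against the real `ps` output and `/var/log/secure`.

```shell
#!/bin/sh
# Added example (not from the thread): check whether Apache/Asterisk run as
# root and list successful ssh logins from unknown addresses. SAMPLE_* data
# is constructed; KNOWN_SSH_IPS is a placeholder for your own admin hosts.

WATCH_PROCS="httpd apache2 asterisk"          # must run as an unprivileged user
KNOWN_SSH_IPS="${KNOWN_SSH_IPS:-192.0.2.10}"  # placeholder, replace with your addresses

# stdin: lines shaped like `ps -eo user:20,comm --no-headers` (user, command).
# stdout: "user comm" for every watched service running as root; empty when clean.
root_owned_services() {
    awk -v watch="$WATCH_PROCS" '
        BEGIN { n = split(watch, w, " "); for (i = 1; i <= n; i++) want[w[i]] = 1 }
        $1 == "root" && ($2 in want) { print $1, $2 }'
}

# stdin: /var/log/secure lines. stdout: "user ip" per successful sshd login
# (password or publickey). Failed attempts and PAM session lines are ignored.
accepted_ssh_logins() {
    awk '/sshd\[[0-9]+\]: Accepted (password|publickey) for / {
        for (i = 1; i <= NF; i++) {
            if ($i == "for")  user = $(i + 1)
            if ($i == "from") ip   = $(i + 1)
        }
        print user, ip
    }'
}

# $1: space-separated known source IPs. stdin: /var/log/secure lines.
# stdout: successful logins whose source address is not in the known list.
ssh_logins_not_from() {
    accepted_ssh_logins | awk -v known="$1" '
        BEGIN { n = split(known, k, " "); for (i = 1; i <= n; i++) ok[k[i]] = 1 }
        !($2 in ok)'
}

# Constructed sample data (not captured from a real host).
SAMPLE_PS='root     systemd
root     sshd
asterisk httpd
asterisk asterisk
root     httpd'

SAMPLE_SECURE='Jun 14 03:12:07 pbx sshd[2312]: Accepted password for root from 203.0.113.5 port 4242 ssh2
Jun 14 03:12:09 pbx sshd[2312]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jun 14 09:00:01 pbx sshd[2401]: Accepted publickey for admin from 192.0.2.10 port 51022 ssh2: RSA SHA256:EXAMPLEFINGERPRINT
Jun 14 09:05:33 pbx sshd[2450]: Failed password for invalid user test from 198.51.100.7 port 60000 ssh2'

if [ "${1:-}" = "--live" ]; then
    # Real checks; run as root on the PBX itself.
    echo "== watched services running as root (should print nothing) =="
    ps -eo user:20,comm --no-headers | root_owned_services
    echo "== successful ssh logins not from KNOWN_SSH_IPS =="
    ssh_logins_not_from "$KNOWN_SSH_IPS" < /var/log/secure
else
    echo "== sample: watched services running as root =="
    printf '%s\n' "$SAMPLE_PS" | root_owned_services
    echo "== sample: ssh logins not from $KNOWN_SSH_IPS =="
    printf '%s\n' "$SAMPLE_SECURE" | ssh_logins_not_from "$KNOWN_SSH_IPS"
fi
```

On the sample data the first check reports the stray `root httpd` and the second reports `root 203.0.113.5`, the password login that did not come from the known admin host. On a real box, an empty first list is the expected state for a FreePBX install; any root-owned `httpd` or `asterisk` process, or a root login from an address you cannot account for, supports the restore-from-backup advice above.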