Hacked after update to FreePBX16?

Hi guys,
I have a system that has been running for some years without issue. I decided to upgrade to FreePBX16 via the web interface.

Yesterday, I completed the upgrade and then found that some of the menus had changed… such as Admin | Module Admin…
The page displayed had changed to display only an input box and the text “BlackBan” followed by V 0.9

I tried a reinstall of all modules via the CLI, but this did not fix the issue.

Accordingly, I decided to revert to the previous day's backup (VM image)… all was then normal.
I made some small changes such as passwords, and tidied up a few modules, then waited for another backup image to be created.

So, convinced I must have made some mistake, we then take today's image which seems to have run fine for a day, and attempt to upgrade again.
Everything went through fine, but having installed/updated endpoint manager and its dependencies - we now have the “BlackBan” message.

A web search for BlackBan gives me this URL, which looks like the same code https://www.unphp.net/decode/eb83d2f1355338ea47e2c63be86d2a9d/

Oddly, doing a grep from the root of the filesystem searching for ‘BlackBan’ doesn’t seem to find it on my PBX.

Any ideas?
Is this a bug, or a hack?
The system is behind a decent firewall so isn’t easy to get to. Only port 5060 is open to the world.

Not sure now if I should revert back to my backup image of the early hours of this morning.
However, if I do that, then do the update, it looks like I will end up in the same place.

Thanks for any help

you need to grep for base64_decode as the PHP is likely obscured… you will see something like

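The grep advice above, together with the OP's observation that a filesystem-wide grep for 'BlackBan' finds nothing, is illustrated by the following added example. It is not code from the thread or from FreePBX: a small Python scanner that flags the usual PHP obfuscation wrappers (eval, base64_decode, gzinflate and friends), peels base64 and deflate layers off any long quoted literal, and reports whether a marker string appears only after decoding. The file names, the sample obfuscated hook file and the clean file it writes into a temporary directory are constructed for the demo; on a real box you would point scan_tree() at the web root (assumed here to be /var/www/html on a FreePBX distro) rather than at the demo directory.

```python
#!/usr/bin/env python3
"""Hunt obfuscated PHP and look for a marker inside decoded payloads.

Added example, not FreePBX code.  The demo() function builds two constructed
files (one wrapped in eval(gzinflate(base64_decode(...))), one clean) so the
scanner can be run offline; the names used there are hypothetical.
"""
import base64
import binascii
import os
import re
import sys
import tempfile
import zlib

# PHP functions that exist legitimately but are the usual wrapper around hidden code.
SUSPICIOUS_CALLS = re.compile(
    r"\b(eval|base64_decode|gzinflate|gzuncompress|str_rot13|create_function)\s*\(",
    re.IGNORECASE,
)
# Quoted literals that look like base64 and are long enough to hide real code.
B64_LITERAL = re.compile(r"""['"]([A-Za-z0-9+/]{40,}={0,2})['"]""")
MAX_LAYERS = 5


def unwrap(blob: bytes) -> bytes:
    """Peel base64 / raw-deflate / zlib layers until nothing more decodes."""
    data = blob
    for _ in range(MAX_LAYERS):
        changed = False
        stripped = data.strip()
        # Short alphanumeric text is more likely real output than another layer,
        # so only treat long base64-shaped data as encoded.
        if len(stripped) >= 40 and re.fullmatch(rb"[A-Za-z0-9+/=\s]+", stripped):
            try:
                data = base64.b64decode(stripped)
                changed = True
            except (ValueError, binascii.Error):
                pass
        # gzinflate() is raw deflate (wbits=-15); gzuncompress() is zlib-framed.
        for wbits in (-15, zlib.MAX_WBITS):
            try:
                data = zlib.decompress(data, wbits)
                changed = True
                break
            except zlib.error:
                continue
        if not changed:
            break
    return data


def scan_file(path: str, marker: str):
    """Return a finding dict for one file, or None if nothing suspicious."""
    with open(path, "rb") as fh:
        text = fh.read().decode("utf-8", errors="replace")
    calls = sorted({m.group(1).lower() for m in SUSPICIOUS_CALLS.finditer(text)})
    decoded_hits = []
    for m in B64_LITERAL.finditer(text):
        plain = unwrap(m.group(1).encode())
        if marker.encode() in plain:
            decoded_hits.append(plain.decode("utf-8", errors="replace"))
    if not calls and not decoded_hits:
        return None
    return {
        "path": path,
        "calls": calls,
        "marker_in_plain": marker in text,        # what a plain grep would see
        "marker_in_decoded": bool(decoded_hits),  # what it misses
        "decoded": decoded_hits,
    }


def scan_tree(root: str, marker: str) -> list:
    """Walk a directory and scan every PHP-ish file."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith((".php", ".inc", ".phtml")):
                finding = scan_file(os.path.join(dirpath, name), marker)
                if finding:
                    findings.append(finding)
    return sorted(findings, key=lambda f: f["path"])


def build_obfuscated_php(payload_php: str) -> str:
    """Constructed sample: the eval(gzinflate(base64_decode(...))) wrapper."""
    deflater = zlib.compressobj(9, zlib.DEFLATED, -15)  # raw deflate, like PHP gzdeflate()
    raw = deflater.compress(payload_php.encode()) + deflater.flush()
    return f"<?php eval(gzinflate(base64_decode('{base64.b64encode(raw).decode()}'))); ?>\n"


def demo(marker: str = "BlackBan") -> list:
    """Write two constructed files into a temp dir and scan them."""
    with tempfile.TemporaryDirectory() as tmp:
        hooks = os.path.join(tmp, "hooks")           # hypothetical layout
        os.makedirs(hooks)
        payload = ('echo \'<form action="" method="post"><input type="text" name="md4" size="32" />'
                   '<input type="submit" name="Black" value="BlackBan" /></form> V 0.9\';')
        with open(os.path.join(hooks, "page.install.php"), "w") as fh:  # constructed name
            fh.write(build_obfuscated_php(payload))
        with open(os.path.join(tmp, "clean.php"), "w") as fh:
            fh.write("<?php echo 'hello'; ?>\n")
        return scan_tree(tmp, marker)


if __name__ == "__main__":
    # Usage: scanner.py [root] [marker]; with no arguments it runs the demo.
    results = scan_tree(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else "BlackBan") \
        if len(sys.argv) > 1 else demo()
    for r in results:
        print(f"{r['path']}: calls={r['calls']} plain={r['marker_in_plain']} "
              f"decoded={r['marker_in_decoded']}")
```

The demo's obfuscated file never contains the literal string "BlackBan", which is exactly why the OP's grep came back empty, while the scanner reports it as present after decoding. A hit on one of the wrapper functions is only a lead, not proof: FreePBX and its vendored libraries use base64_decode legitimately, so review the decoded text before acting on it.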

Replying to my own post with a little more info.

From the cli, the system ‘throws up’ with a part of the BlackBan code…

[[email protected] ~]# fwconsole ma upgradeall
No repos specified, using: [standard,extended,commercial] from last GUI settings

Up to date.
Updating Hooks…

[form action=“” method=“post”][input type=“text” name=“md4” size=“32” /][input type=“submit” name=“Black” value=“BlackBan” /] [/form>[? – ((/server internal IP here/)) – ?] V 0.9

[[email protected] ~]#

Now that can’t be right!
(Sorry - now updated as the tags in my quote got interpreted by the forum… triangular brackets replaced with square so as to display the whole message)

You should mark up logs, etc., as pre-formatted text, using the </> button.

[[email protected] ~]# fwconsole ma upgradeall
No repos specified, using: [standard,extended,commercial] from last GUI settings

Up to date.
Updating Hooks...<form action="" method="post"><input type="text" name="md4" size="32" /><input type="submit" name="Black" value="BlackBan" /> </form><? --  ((/**/)) -- ?> V 0.9

[[email protected] ~]#

If this is a ‘real thing’ you should call in Sangoma support, very few have the skills to DIY

Thanks for the replies guys.
It is a live system, but only has four users… more a bit of a test system.
I am in the middle of a restore of the VM from yesterday morning's image… this should bring me back to the release 15 working state.
Purpose of posting here, is partly to make a record of this happening. I hope Sangoma will pick up on this and see if there is a bigger problem developing.
As mentioned above, the BlackBan code is ‘out there’ as I found it via a web search - so not unique to me.

From my repeated install/upgrade, it appears that this becomes apparent after doing a module update for the end point manager. Before that, it appeared fine… of course there maybe something already hidden at that point.

I am wondering if the best way forwards is to build a completely new PBX from the latest distribution, then make a backup from my existing installation via the backup option… then import that in to the new PBX. I realise this is ‘cross-version’ but I believe that is supposed to work.

I have recovered my VM from backup, so the system is back up and running and appears clean so far.

I will now spin up another VM and do a new install for FreePBX16 to experiment with.
Hopefully I can export the old V15 data and import to the new box.

New build plus importing the backup seemed to be the way to go.
All now back up and running on V16

Thanks for everyone's suggestions.

What do you think was the underlying issue here? Some malicious code on your FreePBX 15 server that came to life when you upgraded to 16? That would be my speculation since a clean install and restore (which only restores data, not code) didn’t have the same problem.

Side note please regenerate all of your credentials. You don’t know what was compromised

It is an interesting one.
It only seemed to be a problem after upgrading the end point manager modules.
As far as I could tell 15 → 16 went okay. I still had proper functioning menus…
in fact I could use the menu to get to the module upgrade screen.
It was only after doing an upgrade of those modules that the problem occurred.
I realise that makes little sense.

There was an oddness when I checked the firewall… an unknown IP had been added… RIPE indicate it was in France (we are in the UK). No idea when or how that had appeared.

The whole box is behind a decent hardware firewall with only port 5060 open to the rest of the planet.

I didn’t really have the time to do a full analysis… hopefully this post will stay searchable so if any one does run in to a similar issue with ‘BlackBan V0.9’ it will get a hit on this thread and may be some use.

I have to say I am quite impressed that the backup seemed to work ‘cross versions’. I did rebuild the end points, but that was not 100% the same in the backups. We had OS End Point manager on V15 which had to go, and has been replaced with the new one which supports our Sangoma/Digium handsets.

Thanks again for everyone’s input.
