Hacked with the "thanku-outcall" macro

Hey guys,

We just fell victim to this hack. Our systems are: Ast:11.14.2 Fpbx: 2.11.0.43. Is there a good way to disable access to the web? We use IPTables locking down access to our whitelist only. Port 80 is definitely in the lock down list. When we checked httpd logs, the IP address that hacked us was not in our list… How in the heck are they able to get through IPTables and how can we stop them?

Your iptables config is not as good as you think it is…

The exploit they are using is very old. My recommendation would be to do a clean install with something newer. We did patch the exploit back to I think 2.9, so updating the Asterisk recording interface would be job 1 if nothing else. Note they likely left themselves a backdoor in the form of an exec command in a common file, so patching may no longer be enough.
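Added example (not from this thread or the FreePBX project): a small POSIX sh scanner for the kind of leftover the reply above warns about. It flags `#exec` lines in Asterisk .conf files (a config directive that runs a command at load time when execincludes is enabled) and dialplan lines that hand a string to a shell via System(), TrySystem() or the SHELL() function. The pattern, the sample files that `make_sample_conf` builds and the macro name used in them are constructed for the demo; point `scan_asterisk_conf` at the real /etc/asterisk on each box and review every hit by hand.

```shell
#!/bin/sh
# Added example, not part of the thread. Looks for config/dialplan lines
# that execute shell commands, which is how a planted backdoor usually
# survives a module upgrade. PATTERN and the sample tree are assumptions.

# 1. "#exec <cmd>" config directive (runs a command when the file loads).
# 2. Dialplan apps/functions that hand a string to /bin/sh.
# Dialplan application names are case-insensitive, hence grep -i below.
PATTERN='^[[:space:]]*#exec[[:space:]]|System\(|TrySystem\(|SHELL\('

# Prints "file:line:text" for every suspicious line in the .conf files of $1.
scan_asterisk_conf() {
    dir="$1"
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        # -n prefixes the line number, -E enables the alternation, -i ignores case.
        grep -niE "$PATTERN" "$f" | sed "s|^|$f:|"
    done
}

# Exit status 1 when anything was found, so it can gate a cron job or fleet loop.
check_host_conf() {
    hits=$(scan_asterisk_conf "$1")
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# Number of suspicious lines under a directory.
count_hits() {
    scan_asterisk_conf "$1" | grep -c .
}

# Constructed sample tree for the demo: one benign file, one with a planted
# macro that calls System(), one with a #exec directive. Prints the path.
make_sample_conf() {
    d=$(mktemp -d)
    cat > "$d/extensions_custom.conf" <<'EOF'
[macro-thanku-outcall]
exten => s,1,NoOp(looks harmless)
exten => s,n,System(/bin/sh -c "echo pwned > /tmp/x")
exten => s,n,MacroExit()
EOF
    cat > "$d/sip_custom.conf" <<'EOF'
#exec /var/lib/asterisk/bin/.hidden
EOF
    cat > "$d/extensions_additional.conf" <<'EOF'
[ext-local]
exten => 1001,1,Dial(SIP/1001,20)
EOF
    printf '%s\n' "$d"
}

if [ "${1:-}" = "--demo" ]; then
    sample=$(make_sample_conf)
    scan_asterisk_conf "$sample"
    echo "hits: $(count_hits "$sample")"
    rm -rf "$sample"
fi
```

Run it as `sh scan.sh --demo` to see the two planted lines reported with file and line number; for a real box use `check_host_conf /etc/asterisk` and treat a non-zero exit as "needs eyes". Legitimate FreePBX dialplan rarely uses System() directly, so the hit list should be short; anything calling a script under /tmp, /var/tmp or a dotfile deserves the clean-install treatment the reply recommends.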

We have over a hundred deployments…OMG!

Could be automated slightly… off the top of my head…

ssh [email protected] 'amportal a ma upgrade fw_ari'

Thank you very much, I’m trying it now.

This is the result, does it look like it installed correctly?

[[email protected] ~]# amportal a ma upgrade fw_ari

Fetching FreePBX settings with gen_amp_conf.php…

Downloading 0 of 249070 (0%) --2016-01-25 11:36:49-- http://mirror1.freepbx.org/modules/packages/fw_ari/fw_ari-2.11.1.5.tgz?installid=fea2191f8245765d239aa33287655d6b
Resolving mirror1.freepbx.org… 199.102.239.170
Connecting to mirror1.freepbx.org|199.102.239.170|:80… connected.
HTTP request sent, awaiting response… 200 OK
Length: 249070 (243K) [application/octet-stream]
Saving to: “/var/www/html/admin/modules/_cache/fw_ari-2.11.1.5.tgz”

100%[======================================>] 249,070 1.55M/s in 0.2s

2016-01-25 11:36:49 (1.55 MB/s) - “/var/www/html/admin/modules/_cache/fw_ari-2.11.1.5.tgz” saved [249070/249070]

Downloading 249070 of 249070 (100%)

Untaring…Done
Module fw_ari successfully downloaded
Module fw_ari successfully installed

SETTING FILE PERMISSIONS
chattr: Operation not supported while reading flags on /var/www/html/cxpanel
Permissions OK
[[email protected] ~]#

I checked several of the other systems and they were all at the 2.11.1.5 version of fw_ari. Even the others that were hacked…

Do you use the “recordings” panel?

I would say 99% of our customers don’t.

After updating, you should be able to do

amportal a ma uninstall fw_ari
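Added example, not from the thread: the one-liner suggested earlier (`ssh … 'amportal a ma upgrade fw_ari'`) and the uninstall above, turned into a fleet loop that sorts each host by what amportal printed instead of leaving you to eyeball a hundred transcripts. The only amportal strings it keys on are the ones shown in this thread ("successfully installed", "modules depend on this one", "error(s) occured"); the hosts-file format, the RUNNER override and the `fake_runner` stand-in for ssh are assumptions constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the thread. Runs "amportal a ma <action> <module>"
# on every host in a list and reports one word per host.

# How a command reaches a host: (host, command) -> output on stdout/stderr.
# Default is ssh as root in batch mode so a box without our key fails fast
# instead of hanging on a password prompt. Set RUNNER=<function or program>
# to swap it out (the demo and test use fake_runner below).
RUNNER="${RUNNER:-ssh_runner}"
ssh_runner() { ssh -o BatchMode=yes -o ConnectTimeout=10 "root@$1" "$2"; }

# Maps amportal output ($1) plus the remote exit code ($2) to one word.
# Order matters: the dependency message also contains "error(s) occured".
classify_amportal() {
    out="$1" rc="$2"
    case "$out" in
        *"successfully installed"*)     echo installed ;;
        *"modules depend on this one"*) echo depends ;;    # uninstall refused
        *"error(s) occured"*)           echo error ;;      # amportal's own spelling
        *) [ "$rc" -eq 0 ] && echo ok || echo unreachable ;;
    esac
}

# $1 host, $2 action (upgrade|uninstall), $3 module name. Prints the class.
run_module_action() {
    rc=0
    # </dev/null keeps ssh from swallowing the host list when called from a
    # "while read" loop; "|| rc=$?" keeps a failing host from aborting under set -e.
    out=$("$RUNNER" "$1" "amportal a ma $2 $3" 2>&1 </dev/null) || rc=$?
    classify_amportal "$out" "$rc"
}

# $1 hosts file (one host per line, blank lines and # comments skipped),
# $2 module. Prints "<host> <class>" per host.
fleet_upgrade() {
    while read -r host; do
        case "$host" in ''|\#*) continue ;; esac
        printf '%s %s\n' "$host" "$(run_module_action "$host" upgrade "$2")"
    done < "$1"
}

# Constructed stand-in for ssh: answers by host name with output modelled on
# what this thread shows amportal printing.
fake_runner() {
    case "$1" in
        pbx-ok)
            printf 'Fetching FreePBX settings with gen_amp_conf.php...\n'
            printf 'Module fw_ari successfully downloaded\nModule fw_ari successfully installed\n' ;;
        pbx-dep)
            printf 'The following error(s) occured:\n'
            printf ' - Cannot disable: The following modules depend on this one: versionupgrade\n'
            return 1 ;;
        *)
            printf 'ssh: connect to host %s port 22: Connection timed out\n' "$1" >&2
            return 255 ;;
    esac
}

if [ "${1:-}" = "--demo" ]; then
    RUNNER=fake_runner
    hosts=$(mktemp); printf '# fleet\npbx-ok\npbx-dep\npbx-down\n' > "$hosts"
    fleet_upgrade "$hosts" fw_ari
    rm -f "$hosts"
fi
```

With a real hosts file it is `sh fleet.sh` after editing the demo guard, or `. ./fleet.sh; fleet_upgrade hosts.txt fw_ari`. Feed the "depends" and "error" hosts back through `run_module_action <host> uninstall fw_ari` only after confirming what the dependency is; a host that comes back "unreachable" is exactly the one to look at by hand, since a box you cannot reach is also a box you cannot confirm is clean.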

After updating the entire system or just the module?

I get an error; the system wants to do an upgrade before the uninstall…

[[email protected] ~]# amportal a ma uninstall fw_ari

Fetching FreePBX settings with gen_amp_conf.php…

The following error(s) occured:

  • Cannot disable: The following modules depend on this one: versionupgrade
[[email protected] ~]#