I’ve been hacked! Macro [thanku-outcall]; thankuohoh

People,
While checking the dialplan I came across the following context:

[thanku-outcall]; thankuohoh
exten => _.,1,Macro(user-callerid,LIMIT,EXTERNAL,); thankuohoh
exten => _.,n,Set(MOHCLASS=${IF($["${MOHCLASS}"=""]?default:${MOHCLASS})}); thankuohoh
exten => _.,n,Set(_NODEST=); thankuohoh
exten => _.,n,Macro(dialout-trunk,2,${EXTEN},on); thankuohoh
exten => _.,n,Macro(outisbusy,); thankuohoh

In which file is this?

In extensions_custom.conf

In cdr reports:

2016-01-21 00:08:47 1453342127.4 Dial 000201100022435 FAILED 00:30
2016-01-21 00:08:42 1453342122.1 XXXXXXXX Dial 00201100022435 ANSWERED 00:02

Hi!

Could you please give more information on your installation?

  • Which version of FreePBX do you have?
  • Is this the distro, if so which version?

Googling for “thankuohoh” gives results mentioning an a2billing vulnerability in Elastix (http://bugs.elastix.org/view.php?id=2169) and an unpatched “asterisk recordings interface” (A security problem: false calls from within the system).

Good luck and have a nice day!

Nick
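As an added example (not code from any poster in this thread), here is a small Python checker for extensions_custom.conf that parses the file into contexts and flags the two traits the injected block quoted at the top of the thread shows: a catch-all pattern whose ${EXTEN} is handed to dialout-trunk, and the same comment tag stamped on every line. The benign sample context, the heuristics and the repeat threshold are constructed assumptions for this example; only the [thanku-outcall] context comes from the post.

```python
import re
from collections import Counter

# Constructed sample: a benign custom context, then the injected context
# quoted in the thread (its name and "thankuohoh" tag are from the post).
SAMPLE_CONF = """\
[from-internal-custom]
exten => 1234,1,Answer()
exten => 1234,n,Playback(hello-world)
[thanku-outcall]; thankuohoh
exten => _.,1,Macro(user-callerid,LIMIT,EXTERNAL,); thankuohoh
exten => _.,n,Set(_NODEST=); thankuohoh
exten => _.,n,Macro(dialout-trunk,2,${EXTEN},on); thankuohoh
exten => _.,n,Macro(outisbusy,); thankuohoh
"""

CONTEXT_RE = re.compile(r"^\s*\[([^\]]+)\]\s*(?:;(.*))?$")
EXTEN_RE = re.compile(r"^\s*exten\s*=>\s*([^,]+),([^,]+),(.*?)\s*(?:;(.*))?$")
CATCH_ALL = {"_.", "_X.", "_!"}  # patterns matching any dialled number

def parse_dialplan(text):
    """Map each [context] to its trailing comment and its (pattern, app, comment) lines."""
    contexts, current = {}, None
    for raw in text.splitlines():
        m = CONTEXT_RE.match(raw)
        if m:
            current = m.group(1).strip()
            contexts[current] = {"comment": (m.group(2) or "").strip(), "lines": []}
            continue
        m = EXTEN_RE.match(raw)
        if m and current is not None:
            pattern, _prio, app, comment = m.groups()
            contexts[current]["lines"].append((pattern.strip(), app.strip(), (comment or "").strip()))
    return contexts

def suspicious_contexts(contexts, min_tag_repeats=3):
    """Return (context, reason) pairs that deserve a manual look."""
    findings = []
    for name, ctx in contexts.items():
        patterns = {p for p, _, _ in ctx["lines"]}
        apps = [a for _, a, _ in ctx["lines"]]
        # A catch-all pattern that hands ${EXTEN} to a trunk lets any caller reach any number.
        if patterns & CATCH_ALL and any("dialout-trunk" in a or a.startswith("Dial(") for a in apps):
            findings.append((name, "catch-all pattern dials out via trunk"))
        # Injected blocks are often stamped with the same comment on every line.
        tags = Counter(c for c in [ctx["comment"]] + [c for _, _, c in ctx["lines"]] if c)
        for tag, n in tags.items():
            if n >= min_tag_repeats:
                findings.append((name, f"comment tag '{tag}' repeated {n} times"))
    return findings
```

Run it over the real file with `parse_dialplan(open("/etc/asterisk/extensions_custom.conf").read())` and compare the flagged contexts against what you put there yourself.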

FreePBX without A2Billing; ports 22 and 80 are open to the Internet.

asterisk -vvvvvvvvvvr
Asterisk 11.21.0, Copyright © 1999 - 2013 Digium, Inc. and others.

We would have to see which version of the FreePBX ARI Framework you are running and whether it’s installed under /recordings.

Hi!

How old is that installation?

Could it possibly have had that in extensions_custom.conf for quite a while?

(ie before the vulnerability was patched?)

Good luck and have a nice day!

Nick

Here’s the thing though. For FreePBX ARI Framework “disabled” does nothing. It would have to be uninstalled. Which is what you should do if you aren’t using it.

Most likely.

A year and extensions_custom was modified on 19 January.

Please wait while module actions are performed

Uninstalling fw_ari
fw_ari uninstalled successfully

You probably want to do more than uninstall it, as I don’t think that will actually remove the code in the web directory. I haven’t looked at the old ARI in a very long time, but I believe the next steps you’ll want to do are:

  • either use module_admin from the command line with the delete option (do a help to see the options), or go into the /var/www/html/admin/modules directory and delete the subdirectory
  • remove the /var/www/html/recordings directory where it used to be stored.

Go to a backup before doing any of this to make sure you can recover if you delete something wrong.

As of version 12.0.4, yes, we allow uninstalling and it removes the directories.

The directory /var/www/html/admin/modules/fw_ari persists after uninstalling from the GUI. Can I remove it with rm, or is there a way to remove it with amportal?

fwconsole ma remove fw_ari

There is no fwconsole in version 12!

Easy. Replace the word “fwconsole” with “amportal a”

amportal a ma remove fw_ari

amportal a ma delete fw_ari

Fetching FreePBX settings with gen_amp_conf.php…

Module fw_ari successfully deleted

You might want to look at whether you want to keep these ports open to the internet at all. Do you have them source restricted to only the IP addresses you are accessing your PBX from?
Close these ports on your firewall and run a VPN server that allows you to connect to your network in a much more secure fashion.


This is a good article on keeping your FreePBX secure:

http://nerdvittles.com/?p=3148

Quoting the author:
“Our rule of thumb on Internet web accessibility to any Asterisk PBX goes like this. Don’t! And, for FreePBX web access from the Internet. Never! If the bad guys ever get into FreePBX, the security of your PBX has been compromised… permanently! This means you need to start over with all-new passwords and install a fresh system. You can’t fix every possible hole that has been opened on a FreePBX-compromised system!”

Now this might or might not 100% apply to your case, but it’s definitely a worthwhile read.