K.php - a RestApps malicious script

Crap, it looks like most of my systems got hit by this… I only have two weeks of backups, so I can't do that. Is there any official way to clean this mess off a system?

Which passwords/secrets? Just the phone system one, or system root passwords etc.?

I don't know much about iptables, but putting 37.49.230.74 in the blacklist of the firewall doesn't seem to stop outbound connections to the hackers' server.
Can anyone post the rules needed to stop the script connecting? I can see the outbound connections keep happening using netstat.
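The host-level rules asked for above, as an added example that is not part of the thread. It blocks the address the thread identifies (37.49.230.74) in both directions, puts a LOG rule in front of each DROP so attempts show up in the kernel log, and offers a status check that does what the post does with netstat. Assumptions: iptables (not nftables) is the packet filter on the box, `--apply` is run as root, and the `/etc/sysconfig/iptables` persistence path is the CentOS-style one used by the FreePBX distro; if the FreePBX firewall module manages iptables it may rewrite the chains on restart, so re-check with `--status` afterwards.

```shell
#!/bin/sh
# Added example, not from the thread or the FreePBX project.
# Blocks traffic to/from the address reported in the thread with iptables.
# Assumptions: iptables is in use; --apply runs as root; persistence path
# is the CentOS-style /etc/sysconfig/iptables (verify on your system).

C2_IP="37.49.230.74"

# Emit the rules as text so they can be reviewed before they are applied.
# Each DROP is inserted at the top of its chain first; the LOG rule is then
# inserted above it, so a packet is logged and then dropped.
rules_for() {
    ip="$1"
    printf '%s\n' \
        "iptables -I OUTPUT -d $ip -j DROP" \
        "iptables -I OUTPUT -d $ip -j LOG --log-prefix \"c2-out: \"" \
        "iptables -I INPUT -s $ip -j DROP" \
        "iptables -I INPUT -s $ip -j LOG --log-prefix \"c2-in: \""
}

# Apply the rules (needs root), then save them so they survive a reboot.
apply_rules() {
    rules_for "$1" | while IFS= read -r cmd; do
        eval "$cmd"
    done
    iptables-save > /etc/sysconfig/iptables   # assumption: iptables-services layout
}

# Return 0 when both DROP rules for the address are present in the live ruleset.
# iptables -S prints single hosts with a /32 suffix.
block_active() {
    n=$(iptables -S 2>/dev/null | grep -c -F -e "-d $1/32 -j DROP" -e "-s $1/32 -j DROP")
    [ "$n" -ge 2 ]
}

# Established connections to the address: the check the post does with netstat.
connections_to() {
    ss -tnp 2>/dev/null | grep -F "$1" || echo "no established connections to $1"
}

case "${1:-}" in
    --show)  rules_for "$C2_IP" ;;
    --apply) apply_rules "$C2_IP" && block_active "$C2_IP" && echo "block active" ;;
    --status)
        if block_active "$C2_IP"; then echo "block active"; else echo "block NOT active"; fi
        connections_to "$C2_IP" ;;
esac
```

`sh block_c2.sh --show` prints the rules, `--apply` installs them, `--status` reports whether they are in place and whether anything is still connected. Because the thread reports the cron entry in the root crontab, whatever runs from it has the privilege to remove host rules again, which is why the later reply recommends blocking at the network hardware rather than relying on the host alone.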

I don't have such problems.
Try to change repos to another mirror:
fwconsole setting MODULE_REPO https://{mirror or mirror1}.freepbx.org
Then yum update and reboot.
After logging in, you need to block access to IP 37.49.230.74 and try to clean.

You need to block 37.49.230.74 with your network hardware/software. The FreePBX blacklist is useless.


If you edit /var/www/html/admin/modules/freepbx_ha/licence.php and remove all the commands except the delete-users command, then save it and delete the line from the root crontab and the asterisk crontab, it should stop the cycle…

Exploit script steals SIP information and configs:

ls -la
ps -aux --forest
asterisk -rx 'core show channels'
asterisk -rx 'sip show peers'
cat /etc/elastix.conf
cat /etc/asterisk/sip_additional.conf
cat /etc/asterisk/extensions_custom.conf
cat /etc/amportal.conf

So after cleaning you need to change all passwords of internal and external SIP accounts.

In my case the exploit modified some ajax.php, config.php and .htaccess files and created scripts of its own.
So I deleted them and reinstalled the modules to get the original script versions.

Some exploit modifications:

/var/www/html/admin/views/ajax.php:
mkdir -p /var/www/html/digium_phones/
mkdir -p /var/www/html/rest_phones/
cp /var/www/html/admin/views/ajax.php /var/www/html/rest_phones/ajax.php
cp /var/www/html/admin/views/ajax.php /var/www/html/admin/modules/core/ajax.php
cp /var/www/html/admin/views/ajax.php /var/www/html/digium_phones/ajax.php
cp /var/www/html/admin/views/ajax.php /var/www/html/admin/assets/js/config.php
cp /var/www/html/admin/views/ajax.php /var/www/html/admin/assets/config.php
cp /var/www/html/admin/views/ajax.php /var/www/html/admin/assets/ajax.php
touch /var/www/html/admin/views/ajax.php -r /var/www/html/admin/views/footer.php

/var/www/html/admin/views/.htaccess:
RewriteEngine On
# enable symbolic links
Options +FollowSymLinks
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-l
RewriteRule ^\s+ config.php [L]

The changed ~/.bashrc and ~/.bash_profile are the reason the command line is inaccessible after login when FreePBX cannot connect to IP 37.49.230.74.

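A read-only check for the artifacts the post above lists, as an added example that is neither the thread's nor the FreePBX project's code: the copied ajax.php/config.php files, the .htaccess rewrite that routes missing files to config.php, the licence.php cron line, and the C2 address in shell start-up files. Assumptions: the file list is exactly what the post quotes, the cron spool lives in /var/spool/cron and asterisk's home is /var/lib/asterisk (CentOS-based FreePBX distro layout), and ROOT may be a mounted image or a test tree instead of the live system. A clean run means these particular indicators were not found, not that the host is clean; the `touch -r footer.php` step in the post shows why file timestamps are not a usable signal here, so compare reinstalled modules to disk (as the post did) rather than trusting mtimes.

```shell
#!/bin/sh
# Added example, not from the thread or the FreePBX project.
# Checks a tree (ROOT, default: the live system) for the indicators the
# post above reports. Assumptions: cron spool in /var/spool/cron and the
# asterisk user's home in /var/lib/asterisk, as on the FreePBX distro.

C2_IP="37.49.230.74"

# Files the post reports the exploit creating with mkdir/cp.
ioc_paths() {
    cat <<'EOF'
/var/www/html/rest_phones/ajax.php
/var/www/html/digium_phones/ajax.php
/var/www/html/admin/modules/core/ajax.php
/var/www/html/admin/assets/js/config.php
/var/www/html/admin/assets/config.php
/var/www/html/admin/assets/ajax.php
EOF
}

# Print "DROPPED: <path>" for each reported file that exists under ROOT.
check_dropped_files() {
    root="${1:-}"
    for p in $(ioc_paths); do
        [ -e "$root$p" ] && echo "DROPPED: $root$p"
    done
    return 0
}

# Print the .htaccess path if it carries the rewrite the post quotes
# (requests for non-existent files routed to config.php).
check_htaccess() {
    f="${1:-}/var/www/html/admin/views/.htaccess"
    [ -f "$f" ] && grep -q 'RewriteRule.*config\.php' "$f" && echo "REWRITE: $f"
    return 0
}

# Print crontabs and shell start-up files that reference the cron'd
# licence.php or the C2 address (the post reports both being touched).
check_persistence() {
    root="${1:-}"
    for f in "$root/var/spool/cron/root" "$root/var/spool/cron/asterisk" \
             "$root/root/.bashrc" "$root/root/.bash_profile" \
             "$root/var/lib/asterisk/.bashrc" "$root/var/lib/asterisk/.bash_profile"; do
        [ -f "$f" ] && grep -l -E "licence\.php|$C2_IP" "$f"
    done
    return 0
}

# Run all checks; exit 1 when anything was found so a fleet tool can act on it.
scan() {
    out=$( { check_dropped_files "$1"; check_htaccess "$1"; check_persistence "$1"; } )
    if [ -n "$out" ]; then
        echo "$out"
        echo "indicators found: $(echo "$out" | grep -c .)"
        return 1
    fi
    echo "no thread indicators found under ${1:-/}"
}

# Usage (as root on a live box): sh check_kphp.sh --scan
#        against a mounted image:  sh check_kphp.sh --scan /mnt/image
case "${1:-}" in
    --scan) scan "${2:-}" ;;
esac
```

Each function prints only hits, so the output of `--scan` on a clean host is a single line; on a hit the exit status is 1, which makes it usable from a cron job or a remote execution tool across many PBXs.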

After changing all the SIP account passwords under the Extensions module, I'm assuming I will need to re-generate all the profiles in EPM?

Getting "failed to authenticate as 'admin'" in the Asterisk logs after changing the Asterisk manager password in Settings > Advanced Settings.

UPDATE: had to change the AMPMGRPASS entry in /etc/asterisk/extensions_additional.conf to match the 'manager password' setting that was changed in the UI under Advanced Settings.


Thanks for this info. I'm new to FreePBX, and only somewhat familiar with debugging this sort of thing. I think I'm fine here; there is no evidence as far as these tips go.

My question:

I've looked through the wiki and the CVE, and these forums, but I can't quite understand how this exploit might reach the system.

I don't have any external users. I'm set up at the moment with a hardware server NATed behind a firewall, with only TCP port 80 for Let's Encrypt and UDP 10000:20000 forwarded to the server, the responsive firewall enabled for Let's Encrypt, networks and interfaces kept tight, and intrusion detection enabled on the server.

Would this setup prevent the vector for this particular attack?

Thanks

Meaning, you have the GUI running on a different port?
Then I believe you should be good. The exploit is in RestApps. If you can browse to pbx.domain/restapps then you are/were at risk.

When I browse to pbx.domain/restapps on a "cleaned" system I get this…

{"application_name":null,"application_display":null,"page_name":null,"type":"display","exitPath":null,"layout":[],"action":[],"error":[{"reason":400,"display":"Phone Apps module not licensed."}]}

If I use pbx.domain/RestApps I get a 404 Not Found.

There seems to be no difference between machines that were compromised and those that were not, although all have long had RestApps updated to the patched version…
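The check the two posts above describe, as an added example that is not part of the thread: fetch /restapps from the vantage point you care about (the internet side of the firewall, for the earlier question about exposure) and classify the answer the way the thread does. Any response from the restapps handler, including the "Phone Apps module not licensed" JSON quoted above, means the module is reachable from where the probe ran; a 404 means it is not. Assumptions: curl is available, the PBX base URL is passed on the command line, and `pbx.example` is a placeholder.

```shell
#!/bin/sh
# Added example, not from the thread or the FreePBX project.
# Probes BASE_URL/restapps and classifies the reply. Assumption: curl present.

# Classify an HTTP status code and response body.
#   404 -> the handler is not reachable at this path
#   000 -> curl could not connect at all
#   a JSON reply naming the app fields or "Phone Apps" -> the handler answered
classify_restapps() {
    status="$1"; body="$2"
    case "$status" in
        404) echo "not-reachable" ;;
        000) echo "no-connection" ;;
        *)
            case "$body" in
                *application_name*|*"Phone Apps"*) echo "reachable" ;;
                *) echo "unknown:$status" ;;
            esac ;;
    esac
}

# Fetch BASE_URL/restapps and classify it. -k is used because many PBX
# installs carry self-signed certificates; drop it if yours does not.
probe_restapps() {
    base="${1%/}"
    tmp=$(mktemp)
    status=$(curl -sS -k -m 10 -o "$tmp" -w '%{http_code}' "$base/restapps" 2>/dev/null || echo 000)
    body=$(cat "$tmp"); rm -f "$tmp"
    classify_restapps "$status" "$body"
}

# Usage: sh probe_restapps.sh https://pbx.example
if [ -n "${1:-}" ]; then
    probe_restapps "$1"
fi
```

Run it from outside your network as well as inside: "reachable" from the outside is the situation the earlier reply warns about, whatever the licensing message says.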

My response was to @cleftstone’s post, to which I assume that he has port 80 set only for LE verification (can be set in System Admin)
I am not sure if that exposes RestApps. If it doesn’t then he’s good.


I believe it is correct
xxxtedtwefd.com/admin/config.php?display=sysadmin&view=portmgmt

I see no alternative to OpenVPN.

Do you have SysAdmin Pro and is your PBX up to date? [FREEPBX-12422] Request that OpenVPN Server port be user configurable in Sysadmin - Sangoma Issue Tracker

Yes, I have SysAdmin, updated. WireGuard would be interesting; I hope I did it right, I opened an issue.

do you have sysadmin?

Do you have Sysadmin Pro? What version of SysAdmin do you have?

pro=yes
16.0.6, why?

Wanted to make sure that it is greater than the version specified in that feature request.

:) I understand

Latest fun… I have one system with all D-series phones using OpenVPN. After cleaning out the hacked files the phones will not connect using OpenVPN. They just sit there contacting sip:[email protected]

Also, any time I make a change now and hit the Apply button in the UI, it pops up an error message:

"There was an error during reload: Unknown Error. Please Run: fwconsole reload --verbose"

If I run fwconsole reload it does apply the settings. Which module needs to be re-installed to fix this?

UPDATE: Deleted all the profiles under System Admin > VPN Server and then enabled VPN in User Manager again to re-create them. The Apply button issue went away. VPN still not working with the phones, however.

I was able to get the phones connecting via OpenVPN again. I had to turn off the OpenVPN server and delete all the existing profiles in the OpenVPN server. Then go into User Manager, click to edit every user individually, then simply save and apply without making any changes.
Then turn on the VPN server again and ensure that "routing" was off and "auto renew" was off.
Then I went into each VPN profile and hard-coded the IPs (probably not necessary, but it's always worked better for me this way).
Then rebuilt the phone configs in EPM.