My FreePBX 15 server has been attacked

I noticed last night that the CPU of our FreePBX 15 server was above 50% for over two hours.

I searched the logs and this is what I found:

Feb  8 03:04:40 sbc in.tftpd[27181]: RRQ from 45.125.65.107 filename 00085DEF13DB.cfg
Feb  8 03:04:40 sbc in.tftpd[27181]: Client 45.125.65.107 File not found 00085DEF13DB.cfg
Feb  8 03:04:40 sbc in.tftpd[27182]: RRQ from 45.125.65.107 filename 00085DFBD9A3.cfg
Feb  8 03:04:40 sbc in.tftpd[27182]: Client 45.125.65.107 File not found 00085DFBD9A3.cfg
Feb  8 03:04:40 sbc in.tftpd[27183]: RRQ from 45.125.65.107 filename 00085DEC00D2.cfg
Feb  8 03:04:40 sbc in.tftpd[27183]: Client 45.125.65.107 File not found 00085DEC00D2.cfg
Feb  8 03:04:40 sbc in.tftpd[27184]: RRQ from 45.125.65.107 filename 00085DFC61CC.cfg
Feb  8 03:04:40 sbc in.tftpd[27184]: Client 45.125.65.107 File not found 00085DFC61CC.cfg
Feb  8 03:04:40 sbc in.tftpd[27185]: RRQ from 45.125.65.107 filename 00085DFFF954.cfg
Feb  8 03:04:40 sbc in.tftpd[27185]: Client 45.125.65.107 File not found 00085DFFF954.cfg

I have almost 400’000 lines like that!

I assume that TFTP provisioning has been explored.
How to disable TFTP completely on FreePBX 15?
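The log pattern above (many RRQs for MAC-named .cfg files from one client, none served) is easy to spot automatically. The script below is an added example, not code from this thread or from FreePBX: it parses in.tftpd syslog lines, counts distinct config files requested per client, notes whether anything was actually served, and reports the most common OUI prefix; the threshold, the sample addresses and the sample lines are constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# Request and failure lines in the form in.tftpd writes them (PID and client vary).
RRQ_RE = re.compile(r"in\.tftpd\[\d+\]: RRQ from (\S+) filename (\S+)")
NOTFOUND_RE = re.compile(r"in\.tftpd\[\d+\]: Client (\S+) File not found (\S+)")
# Phone config files are named <MAC>.cfg, 12 hex digits; the first 6 are the OUI.
MAC_CFG_RE = re.compile(r"^([0-9A-Fa-f]{6})[0-9A-Fa-f]{6}\.cfg$")

def analyse(lines, threshold=20):
    """Per-client TFTP stats; flags clients that enumerate >= threshold distinct
    MAC-named config files without a single successful transfer."""
    distinct = defaultdict(set)
    total = Counter()
    notfound = Counter()
    ouis = defaultdict(Counter)
    for line in lines:
        m = RRQ_RE.search(line)
        if m:
            client, fname = m.groups()
            distinct[client].add(fname)
            total[client] += 1
            mac = MAC_CFG_RE.match(fname)
            if mac:
                ouis[client][mac.group(1).upper()] += 1
            continue
        m = NOTFOUND_RE.search(line)
        if m:
            notfound[m.group(1)] += 1
    report = {}
    for client, names in distinct.items():
        nothing_served = notfound[client] >= total[client]
        report[client] = {
            "distinct_files": len(names),
            "not_found": notfound[client],
            "nothing_served": nothing_served,
            "top_oui": ouis[client].most_common(1)[0][0] if ouis[client] else None,
            "flagged": len(names) >= threshold and nothing_served,
        }
    return report

# Constructed sample log: one scanner walking an OUI range, one phone on the LAN
# fetching its own config once (addresses are documentation ranges, not real hosts).
SAMPLE_LOG = []
for i in range(25):
    mac = "00085D%06X" % (0xF00000 + i)
    SAMPLE_LOG.append(f"Feb  8 03:04:40 sbc in.tftpd[{27000 + i}]: RRQ from 203.0.113.5 filename {mac}.cfg")
    SAMPLE_LOG.append(f"Feb  8 03:04:40 sbc in.tftpd[{27000 + i}]: Client 203.0.113.5 File not found {mac}.cfg")
SAMPLE_LOG.append("Feb  8 07:12:01 sbc in.tftpd[28001]: RRQ from 10.0.0.21 filename 805EC0AA0001.cfg")

if __name__ == "__main__":
    for client, stats in analyse(SAMPLE_LOG).items():
        print(client, stats)
```

On a real box, feed it the lines of /var/log/messages (or wherever in.tftpd logs on your system) instead of SAMPLE_LOG.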

Admin > System Admin > Provisioning Protocols

But if you have truly been compromised, you might need to move to a new server or roll back to an uncompromised snapshot (if virtual) to be sure the point of ingress can be truly mitigated.

Thanks for the answer!

I studied the logs; it was the configuration files of the Mitel phones that were searched for.
We have none, only Yealink.
And no files were downloaded successfully.

So I disabled TFTP on the PBX and also in our firewall; I think the case is closed.
