Hello!
We have a few boxes that have been communicating with 177.74.233.157 on port 8090 and we’re trying to figure out why and what it is. I’ve run fwconsole validate on a couple and this is what I see:
Check the contents of those files/modules that are not being signed (ajax.php, freepbx_ha). Those two are specifically targeted in the hack described here:
Hey, I’m just getting to looking at this again. I ran the script provided in this forum post and it didn’t find anything on any of the servers we saw this IP on. Super interesting.
In regards to where the servers are downloading from, I have no idea what that is. But it appears to be downloading (attempting to download) logo files and I’m trying to figure out what software is trying to download those logo files and why. I’ll update this when I find out more.