Possible hack?

Hello!
We have a few boxes that have been communicating with 177.74.233.157 on port 8090 and we’re trying to figure out why and what it is. I’ve run fwconsole validate on a couple and this is what I see:

And here is what it appears to be transferring:

Does anyone know if this could be malware? Or are these valid? It appears to be transferring video files.

Thanks!

The IP you posted goes to a login for http://www.otonipbx.com.br/
Gravacoes is Portuguese for recordings.

I don’t know if that puts you in the right direction for whether this is legit or not.

Check the contents of those files/modules that are not being signed (ajax.php, freepbx_ha). Those two are specifically targeted in the hack described here:

Hey, I’m just getting to looking at this again. I ran the script provided in this forum post and it didn’t find anything on any of the servers we saw this IP on. Super interesting.

In regards to where the servers are downloading from, I have no idea what that is. But it appears to be downloading (attempting to download) logo files and I’m trying to figure out what software is trying to download those logo files and why. I’ll update this when I find out more.
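One way to answer "what software is making this connection" is to map the socket back to a process with ss -tnp and filter on the peer address. The script below is an added example written for this thread, not code from any poster or from the FreePBX project. It parses ss -tnp output (the sample lines, PIDs and local ports are constructed for illustration; the peer 177.74.233.157:8090 is the one from the thread) and returns the owning process names and PIDs, so you can then look at /proc/<pid>/exe and /proc/<pid>/cwd to see which binary or PHP worker is fetching those files.

```python
import re
import subprocess
from typing import Dict, List, Optional, Tuple

# One data line of `ss -tnp`: State, Recv-Q, Send-Q, Local, Peer and an
# optional Process column (the Process column only appears when ss can
# see the socket owner, which in practice means running as root).
LINE_RE = re.compile(
    r'^(?P<state>\S+)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<peer>\S+)(?:\s+(?P<proc>\S.*))?$'
)
# Each ("name",pid=N,fd=M) tuple inside the users:(...) field.
PROC_RE = re.compile(r'"(?P<name>[^"]*)",pid=(?P<pid>\d+),fd=(?P<fd>\d+)')

# Constructed sample of `ss -tnp` output; the first and third lines are the
# kind of connection the thread asks about, the last has no Process column.
SAMPLE_SS_OUTPUT = """\
State    Recv-Q Send-Q Local Address:Port   Peer Address:Port    Process
ESTAB    0      0      10.0.0.5:53412       177.74.233.157:8090  users:(("php-fpm",pid=2231,fd=9),("php-fpm",pid=2230,fd=9))
ESTAB    0      0      10.0.0.5:5060        203.0.113.7:5060     users:(("asterisk",pid=1120,fd=31))
SYN-SENT 0      1      10.0.0.5:53420       177.74.233.157:8090  users:(("curl",pid=4410,fd=5))
ESTAB    0      0      10.0.0.5:41002       177.74.233.157:443
"""


def split_host_port(addr: str) -> Tuple[str, Optional[int]]:
    """Split 'host:port' or '[v6]:port' into (host, port); port is None if absent."""
    host, sep, port = addr.rpartition(':')
    if not sep:
        return addr, None
    return host.strip('[]'), int(port)


def find_connections(lines: List[str], ip: str, port: int) -> List[Dict]:
    """Return every socket whose peer is ip:port, with the owning processes if shown."""
    hits = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith('State'):
            continue  # blank line or column header
        m = LINE_RE.match(line)
        if not m:
            continue  # not a socket line we understand
        peer_host, peer_port = split_host_port(m.group('peer'))
        if peer_host != ip or peer_port != port:
            continue
        procs = [
            {'name': p.group('name'), 'pid': int(p.group('pid'))}
            for p in PROC_RE.finditer(m.group('proc') or '')
        ]
        hits.append({
            'state': m.group('state'),
            'local': m.group('local'),
            'peer': m.group('peer'),
            'processes': procs,  # empty when ss could not show the owner
        })
    return hits


def live_connections(ip: str, port: int) -> List[Dict]:
    """Run ss -tnp on this host and filter it; run as root to see other users' processes."""
    out = subprocess.run(['ss', '-tnp'], capture_output=True, text=True, check=True).stdout
    return find_connections(out.splitlines(), ip, port)


if __name__ == '__main__':
    # Demo on the constructed sample; swap in live_connections(...) on a real box.
    for hit in find_connections(SAMPLE_SS_OUTPUT.splitlines(), '177.74.233.157', 8090):
        owners = ', '.join(f"{p['name']}(pid {p['pid']})" for p in hit['processes']) or 'unknown'
        print(f"{hit['state']:9} {hit['local']} -> {hit['peer']}  owner: {owners}")
```

Two caveats when using this on a real system: without root the Process column is empty for sockets owned by other users, so the owner list comes back empty, and a short download can open and close between two runs of ss, so if nothing shows up it is worth running it in a loop (or correlating the timestamps in the web server and cron logs) rather than concluding nothing is connecting.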
