Check the contents of those files/modules that are not being signed (ajax.php, freepbx_ha). Those two are specifically targeted in the hack described here:
If you were impacted by the restapps security regression a week or two ago, it is possible you were hit with a php script that is currently labeled “k.php” If you want to see if you were compromised by this script, I’ve included some content below that you can check. I do not claim to have identified everything, but I’m hoping this might help someone.
Anyways, here are the places you can look.
crontab -e -u root → if this line exists, you’re compromised. DO NOT run this for testing.
*/1 * …