I have a FreePBX version 15.0.37.9.
Recently I found a suspicious file in the web folder named “magnito.php” containing a code “eval(base64_decode())”.
By doing an analysis, I found 2 other files like this “/admin/modules/ajax.php” and “/admin/modules/core/ajax.php”.
What is strange is that when I delete it, I find it again after a short time.
Are these really compromised files?
There is no ajax.php on these folders.
I think you server has been hacked.
If you decide to reinstall a new server, I think you must install rk_hunter as well.
BTW, FreePBX 15 is pretty old, think to mograte on 16 or 17 asap.