Search for and delete files question - hacked system

I have what looks to be an infected system here. I have found 3 php files in particular - (example --> graph.php) that are linked to the infection. How would I run a grep command to search for and delete all the graph.php files? Thank you!

find / -name graph.php // will search the desk for graph.php
find / -name *graph* // will search the desk for any file with the name graph

See [HOW-TO] Monitor and Set Email Alert For Unauthorized Access to FreePBX (Centos) Server to set an alert if someone access your system


Works great. Is there a way I can work in a find and delete command for these files?

Thank you!

You can do it with the -exec option on find or using xargs, but if you are not confident with Unix command line commands, I’d suggest it is safer to do the actual deletions manually.

find / -name graph.php will list the path for all graph.php files

rm /path/to/graph.php will remove the file. Caution you will not recover the delete file

And once you are done. make print outs of all your settings and then make a new PBX. Manually re-enter everything.

This system can never be trusted again.


What about Bulk Handler Export / Import? it does not transport files nor codes

In addition to moving to a new system, try to find why this happened the first place so it does not happen again.

1 Like

I appreciate the help. Certainly the system is a ticking time bomb. I believe it was open to the web via http for a brief period of time. Not ideal.

Do you mind asking what version of FreePBX / Asterisk Version you have?

FreePBX V14 and Asterisk 13.22 but it was at FreePBX V13 prior to the upgrade. Not sure what Version of Asterisk it was. Symptom was a system that just froze. No sign of hacking in the GUI which I have seen from time to time. In the www/html file there were 3 php files in particular that were obvious hacks, all with the phrase Emad was here

1 Like

Were the other files graph_view.php, graph_xport.php or tree.php along with the graph.php that you said you found?

And where are these files? In /tmp or only within the webroot ? (always suspect /tmp :wink: )

1 Like

The good question is: Why your FreePBX has been hacked?

I assume your FreePBX version and your O.S was not up to date. (Here Asterisk version is 13.29 today and not 13.22).
I know there’s some bugs fixed around XSS injection in some Freepbx modules.
But anyway, you must be careful with your system about the security?
There’s lots of update on O.S and FreePBX modules every weeks. it makes sense to check if there’s some update everyday, or every weeks
Of course, there’s an embedeed firewall, you should set the good rules regarding your networks. If you need to manage FreePBX from remote, you have VPN access for that.
I don’t say that your system was not up to date. The zero risk doesn’t exist. But it’s just to be careful on the security.

Just an idea like that.

1 Like

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.