Security Warning - Module...File... altered

Hi,

Every 2-3 days, I get a list of Modules Files Altered. Every time, I need to run fwconsole ma refreshsignatures and then fwconsole restart to fix the problem.

Anyone has anything related to this bug?

Frédéric

What files?
Are you sure something is NOT altering them?
This message is there to catch such things.

I don’t have any tampered file at the moment but next time I’ll have I’ll put the file list here.

Frédéric

Sorry for the delay! You know what they say… You are never sick when you’re in the doctor’s office! But the server finally gave me a list of tampered files this morning!

Module: “Core”, File: "/var/www/html/admin/modules/core/XML_Parser.php altered"
Module: “Core”, File: "/var/www/html/admin/modules/core/XML_Unserializer.php altered"
Module: “Core”, File: "/var/www/html/admin/modules/core/sounds/es/featurecode.wav altered"
Module: “Core”, File: "/var/www/html/admin/modules/core/sounds/ja/featurecode.sln altered"
Module: “Core”, File: "/var/www/html/admin/modules/core/views/did/advanced_form.php altered"
Module: “Dictation”, File: "/var/www/html/admin/modules/dictate/sounds/en/dictation-sent.sln altered"
Module: “Dictation”, File: "/var/www/html/admin/modules/dictate/sounds/es/dictation-being-processed.wav altered"
Module: “Backup & Restore”, File: "/var/www/html/admin/modules/backup/assets/js/backup.js altered"
Module: “Backup & Restore”, File: "/var/www/html/admin/modules/backup/assets/js/views/themes/default-rtl/style.css altered"
Module: “System Firewall”, File: "/var/www/html/admin/modules/firewall/views/page.services.php altered"
Module: “Text To Speech Engines”, File: "/var/www/html/admin/modules/ttsengines/LICENSE altered"
Module: “Voicemail Blasting”, File: "/var/www/html/admin/modules/vmblast/LICENSE altered"
Module: “Bulk Handler”, File: "/var/www/html/admin/modules/bulkhandler/assets/js/async.js altered"
Module: “Localization Updates”, File: "/var/www/html/admin/modules/fw_langpacks/install.php altered"
Module: “Voicemail”, File: "/var/www/html/admin/modules/voicemail/ucp/assets/images/button_pause_green.png altered"
Module: “Voicemail”, File: "/var/www/html/admin/modules/voicemail/ucp/assets/js/global.js altered"
Module: “Call Event Logging”, File: "/var/www/html/admin/modules/cel/LICENSE altered"
Module: “Call Event Logging”, File: "/var/www/html/admin/modules/cel/ucp/assets/js/global.js altered"
Module: “Time Conditions”, File: "/var/www/html/admin/modules/timeconditions/assets/js/zmoment-timezone.js altered"
Module: “Do-Not-Disturb (DND)”, File: "/var/www/html/admin/modules/donotdisturb/LICENSE altered"
Module: “Config Edit”, File: "/var/www/html/admin/modules/configedit/assets/css/themes/default-dark/40px.png altered"
Module: “Config Edit”, File: "/var/www/html/admin/modules/configedit/assets/js/modes/xml.js altered"
Module: “Config Edit”, File: "/var/www/html/admin/modules/configedit/LICENSE altered"
Module: “CID Superfecta”, File: "/var/www/html/admin/modules/superfecta/includes/oauth-google/Google/IO/Abstract.php altered"
Module: “CID Superfecta”, File: "/var/www/html/admin/modules/superfecta/includes/oauth-google/Google/IO/cacerts.pem altered"
Module: “CID Superfecta”, File: "/var/www/html/admin/modules/superfecta/includes/oauth-php/test/oauth_test.php altered"
Module: “CID Superfecta”, File: "/var/www/html/admin/modules/superfecta/includes/superfecta_base.php altered"
Module: “Weak Password Detection”, File: "/var/www/html/admin/modules/weakpasswords/LICENSE altered"
Module: “Speed Dial Functions”, File: "/var/www/html/admin/modules/speeddial/sounds/en/speed-enterlocation.gsm altered"
Module: “Speed Dial Functions”, File: "/var/www/html/admin/modules/speeddial/sounds/es/speed-enternumber.wav altered"
Module: “User Control Panel”, File: "/var/www/html/admin/modules/ucp/htdocs/assets/css/bootstrap.min.css altered"
Module: “User Control Panel”, File: "/var/www/html/admin/modules/ucp/htdocs/assets/fonts/FontAwesome.otf altered"
Module: “User Control Panel”, File: "/var/www/html/admin/modules/ucp/htdocs/assets/fonts/Schmooze.woff altered"
Module: “User Control Panel”, File: "/var/www/html/admin/modules/ucp/htdocs/assets/fonts/cinzel-bold-demo.html altered"
Module: “User Control Panel”, File: "/var/www/html/admin/modules/ucp/htdocs/assets/fonts/fontawesome-webfont.ttf altered"
Module: “User Control Panel”, File: "/var/www/html/admin/modules/ucp/htdocs/assets/fonts/lato-bold-webfont.woff2 altered"
Module: “User Control Panel”, File: "/var/www/html/admin/modules/ucp/htdocs/assets/fonts/lato-regular-webfont.svg altered"
Module: “User Control Panel”, File: "/var/www/html/admin/modules/ucp/htdocs/assets/images/emoji/png/1F3BF.png altered"
Module: “User Control Panel”, File: "/var/www/html/admin/modules/ucp/htdocs/assets/images/emoji/svg/1F333.svg altered"
Module: “User Control Panel”, File: "/var/www/html/admin/modules/ucp/htdocs/assets/images/emoji/svg/1F355.svg altered"
Module: “User Control Panel”, File: "/var/www/html/admin/modules/ucp/htdocs/assets/images/emoji/svg/1F36F.svg altered"
Module: “User Control Panel”, File: "/var/www/html/admin/modules/ucp/htdocs/assets/images/emoji/svg/1F3A2.svg altered"
Module: “User Control Panel”, File: "/var/www/html/admin/modules/ucp/htdocs/assets/images/emoji/svg/1F450.svg altered"
Module: “User Control Panel”, File: "/var/www/html/admin/modules/ucp/htdocs/assets/images/emoji/svg/1F457.svg altered"
Module: “User Control Panel”, File: "/var/www/html/admin/modules/ucp/htdocs/assets/js/Jplayer.swf altered"
Module: “User Control Panel”, File: "/var/www/html/admin/modules/ucp/htdocs/assets/js/jquery.tokenize.js altered"
Module: “User Control Panel”, File: "/var/www/html/admin/modules/ucp/htdocs/assets/js/miniColors/jquery.minicolors.png altered"
Module: “User Control Panel”, File: "/var/www/html/admin/modules/ucp/htdocs/includes/UploadHandler.class.php altered"
Module: “User Control Panel”, File: "/var/www/html/admin/modules/ucp/htdocs/views/dashboard.php altered"
Module: “WebRTC Phone”, File: "/var/www/html/admin/modules/webrtc/ari/theme/webrtcimages/message-btn-lite2.gif altered"
Module: “WebRTC Phone”, File: "/var/www/html/admin/modules/webrtc/ari/theme/webrtcimages/push/key9.png altered"
Module: “WebRTC Phone”, File: "/var/www/html/admin/modules/webrtc/ari/theme/webrtcsounds/dtmf_p.mp3 altered"
Module: “WebRTC Phone”, File: "/var/www/html/admin/modules/webrtc/ucp/assets/sounds/ring.ogg altered"
Module: “Phonebook Directory”, File: "/var/www/html/admin/modules/pbdirectory/sounds/en/pbdirectory-first-three-letters-entry.sln altered"
Module: “Phonebook Directory”, File: "/var/www/html/admin/modules/pbdirectory/sounds/en/pbdirectory-welcome-to-phonebook.sln altered"
Module: “Recordings”, File: "/var/www/html/admin/modules/recordings/LICENSE altered"
Module: “Directory”, File: "/var/www/html/admin/modules/directory/sounds/en/cdir-transferring-further-assistance.wav altered"
Module: “Directory”, File: "/var/www/html/admin/modules/directory/sounds/es/cdir-sorry-no-entries.wav altered"
Module: “Parking Lot”, File: "/var/www/html/admin/modules/parking/LICENSE altered"
Module: “Parking Lot”, File: "/var/www/html/admin/modules/parking/views/lot.php altered"
Module: “SIPSTATION”, File: "/var/www/html/admin/modules/sipstation/assets/images/storeFrontSipStation-00002.png altered"
Module: “SIPSTATION”, File: "/var/www/html/admin/modules/sipstation/assets/js/jquery.form.js altered"
Module: “IVR”, File: "/var/www/html/admin/modules/ivr/sounds/ja/no-valid-responce-transfering.sln altered"
Module: “OSS PBX End Point Manager”, File: "/var/www/html/admin/modules/endpointman/assets/js/mode/xml.js altered"
Module: “OSS PBX End Point Manager”, File: "/var/www/html/admin/modules/endpointman/templates/freepbx/devices_manager.html altered"
Module: “OSS PBX End Point Manager”, File: "/var/www/html/admin/modules/endpointman/views/epm_advanced_manual_upload.page.php altered"
Module: “System Admin”, File: "/var/www/html/admin/modules/sysadmin/assets/js/zmoment-timezone.js altered"
Module: “System Admin”, File: "/var/www/html/admin/modules/sysadmin/hooks/config-postfix altered"
Module: “System Admin”, File: "/var/www/html/admin/modules/sysadmin/views/updates.php altered"
Module: “iSymphonyV3”, File: "/var/www/html/admin/modules/cxpanel/install.php altered"
Module: “DUNDi Lookup Registry”, File: “/var/www/html/admin/modules/dundicheck/LICENSE altered”

Doing a fwconsole ma refreshsignatures fixed the problem again…
Any tips?
Thanks :slightly_smiling:

Oh wait! When I reloaded FreePBX after the refreshsignature, I had an other list of tampered files… Maybe a problem with the reload?

do you see any errors in dmesg?

Do you have any scheduled restores?

I agree with James - there’s definitely something hinky about your system.

It might help if you were to look at the files that are identified as “changed” and see if the version number (near the top of the file) is OK.

Also, you might try using “find /var/www/html/admin/modules | cpio -pdmv /home/you/modules/” when you get all of the files upgraded and the error message is gone. When the problem comes back, you can pick and choose a file that was “changed” and see what changes are actually happening using “diff”.

There are two possibilities: your system is mucking about with your files through some “well intentioned” cron job or your system is compromised and you don’t have control. Knowing what kinds of changes are getting made will help you identify where the issues is stemming from.

I regularly get this message, but only for the one file in my system that I’ve made changes to. You’re getting called out on dozens of files throughout the modules hierarchy. There is clearly something going on with your system that needs attention.

My primary thought due to the randomness of files including sound files is corruption. Bad RAM, bad hard drive

I’m with you, but he’s not going to look until we make it impotant.

My first idea was for the bad RAM too cause I had a problem of RAM on this server… Only thing is the problem is fix… Or is supposed to be… I’ll test it again tonight…

I’ll try Dave’s copy method… I’ll keep you up to date!

Thanks

Ok so I had new tempered files, and I compared a few of them with the one saved earlier today, and there is no difference between them.

So the files are marked as altered, but are not…

This is because the sha1 of the files is different.

sha1 checksum :

ff608a459d02c8f8ad06e3656cf35fafa75d7c7b  /var/www/html/admin/modules/core/agi-bin/directory
ff608a459d02c8f8ad06e3656cf35fafa75d7c7b  /root/modulesBCK/var/www/html/admin/modules/core/agi-bin/directory 

/root/modulesBCK is the copy I made earlier (when no error)…

Is it possible that the problem is in the security verification of the files? By just reloading the freepbx (after a minor modification), the errors disappeared…

If that was true then more than just you would be reporting it. It’s a problem with your system

I did a RAM test overnight. The RAM was set to use 75% of my total RAM, and the system on idle normally use about 20…25% of it so we can say that the whole RAM was tested, 10 times overnight (using memtester). The test gave no error. I guess it’s ok to eliminate the RAM from the source of problem?

For the hard drive, it might be possible but I guess I would probably have corrupted files… However, the SHA and the file comparison shows that the “corrupted” file and the “not corrupted” one are identical… I’m really clue less…