Server Hacked - worth salvaging?

ayaggie · December 27, 2021, 5:50pm

I have a server that all of a sudden had 100% of the root partition filled, so started looking around / cleaning up, and found that the framework and other modules were deactivated…config.php cannot be modified or deleted and I see a variety of registrations on this server.

I am assuming this is likely due to the recent restapps bug, but who knows.

Unfortunately I didn’t have a backup as this is a fairly recent deployment of a cloud based instance on Vultr…

I would prefer not to start over and would be willing to hire anyone who is an expert with issues such as these.

Thoughts?

jfinstrom · December 27, 2021, 5:56pm

You may be able to get it to a point of pulling a backup but I would definitely go clean install. If you do a backup you only want the data and not any of the file structure.

try

fwconsole ma refreshsignatures

This may work to get you to the point mentioned above. Most of these hacks have something in place to re-infect so damage will probably come back if this fixes it.

ayaggie · December 27, 2021, 6:13pm

I could run that command and everything looked ok, but no dice on making a backup…framework isn’t running so it won’t work…

What’s the process for having Sangoma diagnose?

jfinstrom · December 27, 2021, 6:19pm

Pay them lol… You have to buy support credits https://support.sangoma.com Not sure though if they do this level of work so I am going to tag @lgaetz to see if buying credits and opening a ticket is worth it.

billsimon · December 27, 2021, 6:34pm

When you say “fairly recent,” how much configuration do you have in place?

Probably the most valuable data you have on your server are in these places:

mysql database asterisk
/etc/asterisk/voicemail.conf (voicemail configuration)
/var/spool/asterisk (recordings, voicemail greetings and messages)
astdb

Spinning up a new FreePBX server and then restoring these could get you pretty far along. Also, these pieces are unlikely to have been affected by the hack. (but you should change all passwords)

I would not copy over from old server to new:

anything in /var/www (this is where most of the junk has been deposited)
/etc/asterisk other than the voicemail.conf (attacker may have modified conf files)

Note that overwriting the asterisk database will result in some mismatches that you’ll have to fix, such as the Asterisk manager (AMI) password.

ayaggie · December 28, 2021, 2:52pm

I just decided to scrap it…small office with about 5 extensions and a minor number of advanced features set up. Since it was just recently setup, everything was fresh. Unfortunately this has been the deployment from hell, more so related to recent SIP provider DDos attacks…have had FreePBX deployments out there for about 4 years with zero issues, but can’t catch a break on this one.

system · January 27, 2022, 5:43pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.