I had my system hacked, and a miner installed.
I was running the latest version and strong passwords.
I am not looking to get it fixed, rather I want to find out how they did it, and fix it so it does not happen to others.
I attempted to contact a developer about this but he said to use the forums.
The PBX was on a VM, so I have taken a snapshot of it and removed network access. I can provide a copy of the virtual HDD, so if anyone wants to sandbox it and do some digging, let me know.
I first noticed that my CPU usage was at 100%.
I logged in and in top I saw “/tmp/tester -o stratum+tcp://multi1.wemineall.com:80 -u weedee.1 -p x --algo scry”
I looked in /tmp/tester and I see a whole new user! Bash history and all!
Now I have no idea how they got in. The scary part is that I rarely use it.
Let’s start with what versions of FreePBX and Asterisk, and how it was installed (distro or on another OS): if a distro, which one and which version; if from scratch, what OS and which version.
What ports do you have open to the Internet? What is your network topology?
Yeah exposing the FreePBX interface to the world is not cool. In this day of putty proxies and sysadmin pro letting you run ARI on a different port there just is no justification.
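As an added example (not from any post in this thread), here is a quick way to answer the "what ports do you have open to the Internet" question from the box itself: list the listening TCP sockets bound to every interface and flag any that are not on an explicit allow-list. The `ss -lntp` output below is constructed, with made-up PIDs; the port numbers are just the usual defaults (80 web GUI, 5038 Asterisk AMI, 5666 NRPE, 10000 Webmin) and do not describe the poster's box.

```shell
#!/bin/sh
# Added example, not from this thread: flag listening sockets bound to every
# interface that are not on an explicit allow-list. SAMPLE_SS is constructed
# to look like `ss -lntp`; PIDs are invented, ports are common defaults.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=900,fd=3))
LISTEN 0      128    127.0.0.1:3306     0.0.0.0:*         users:(("mysqld",pid=950,fd=10))
LISTEN 0      128    0.0.0.0:80         0.0.0.0:*         users:(("httpd",pid=1000,fd=4))
LISTEN 0      5      0.0.0.0:5038       0.0.0.0:*         users:(("asterisk",pid=1234,fd=8))
LISTEN 0      128    0.0.0.0:5666       0.0.0.0:*         users:(("nrpe",pid=2100,fd=5))
LISTEN 0      128    *:10000            *:*               users:(("miniserv.pl",pid=2200,fd=6))'

# exposed_listeners SS_TEXT ALLOWED_PORTS
# Prints "port process" for every LISTEN socket whose local address is a
# wildcard (0.0.0.0, *, [::] or ::) and whose port is not in ALLOWED_PORTS
# (a space-separated list). Loopback-only services such as mysqld are skipped.
exposed_listeners() {
    printf '%s\n' "$1" | awk -v allow="$2" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 != "LISTEN" { next }              # drop the header line
        {
            if (!match($4, /:[0-9]+$/)) next  # "addr:port" is column 4
            addr = substr($4, 1, RSTART - 1)
            port = substr($4, RSTART + 1)
            if (addr != "0.0.0.0" && addr != "*" && addr != "[::]" && addr != "::") next
            if (port in ok) next
            name = "?"
            # users:(("httpd",pid=1000,fd=4)) -> httpd
            if (match($0, /users:\(\("[^"]*"/)) name = substr($0, RSTART + 9, RLENGTH - 10)
            print port, name
        }
    '
}

# Stand-alone run over the constructed snapshot; SSH is the only thing
# expected to be reachable from outside in this example.
exposed_listeners "$SAMPLE_SS" "22"
```

On a live box run `exposed_listeners "$(ss -lntp)" "22 5060"` as root so the process names are filled in, and repeat with `ss -lnup` for UDP (SIP on 5060/UDP and RTP are not in the TCP listing). Everything the function prints is reachable by whoever can reach the machine's address; on this thread's topic, the web GUI (80), AMI (5038), NRPE (5666) and Webmin (10000) are exactly the kind of thing that should be behind a firewall rule or bound to an internal address rather than 0.0.0.0. Older CentOS images without `ss` have `netstat -lntp`, whose columns differ, so the awk would need its field numbers adjusted.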
opsview is a package that contains nagios. It was included over 2 years ago after numerous users had requested it. In the past it was always chkconfiged off so it would not start at boot, but it appears a newer version now auto-chkconfigs it on at install time.
If you do not use it, just follow the directions to turn it off.
Same happened with our PBXs.
New user ‘nagios’ which is running “.HOLDMYWEEVE” till 100% CPU.
We killed the user with "pkill -KILL -u nagios"
And then removed user nagios with: "userdel -r nagios"
Then the script stops.
I was digging in logs and files, but still cannot put my finger on it exactly.
We know exposing the web interface is not the brightest idea, but this is very awkward.
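The two posts above both found the miner the same way (a process in top owned by an unexpected user) and contained it with pkill and userdel. As an added example that is not from either poster, the script below does the triage from a `ps` snapshot: it flags processes whose binary runs out of a scratch directory, whose arguments name a stratum mining pool, or whose binary is a hidden dotfile, lists the users that own them, and prints the evidence-capture and containment commands for review instead of running them blind. SAMPLE_PS is constructed in the shape of `ps -eo user,pid,args --no-headers`; only the /tmp/tester command line is copied from the first post.

```shell
#!/bin/sh
# Added example, not from this thread: find cryptominer-looking processes in a
# ps snapshot, report the users that own them, and emit the containment and
# evidence-capture commands for review. SAMPLE_PS is constructed; the
# /tmp/tester line copies the command the original poster saw in top.
SAMPLE_PS='root 1 /sbin/init
asterisk 1234 /usr/sbin/asterisk -f -U asterisk -G asterisk
nagios 2211 /tmp/tester -o stratum+tcp://multi1.wemineall.com:80 -u weedee.1 -p x --algo scry
nagios 2215 ./.HOLDMYWEEVE
root 3001 sshd: root@pts/0'

# find_miners PS_TEXT: print "user pid args" for processes whose binary lives
# in a world-writable scratch directory, whose arguments name a stratum pool,
# or whose binary is a hidden dotfile run from the current directory.
find_miners() {
    printf '%s\n' "$1" | awk '
        $3 ~ /^(\/tmp|\/var\/tmp|\/dev\/shm)\// { print; next }
        /stratum[+](tcp|ssl):\/\//             { print; next }
        $3 ~ /^\.\/\.[^\/]+$/                  { print; next }
    '
}

# miner_users PS_TEXT: the distinct users owning the flagged processes.
miner_users() {
    find_miners "$1" | awk '{ print $1 }' | sort -u
}

# containment_plan PS_TEXT EVIDENCE_DIR: emit, one per line, the commands to
# preserve each binary and command line, then stop and lock out each owning
# user. Review the output, then pipe it to sh. /proc/PID/exe still resolves
# after the attacker deletes the file on disk, which is why it is copied
# before anything is killed. Locking the account (usermod -L) rather than
# userdel -r keeps its home directory and bash history for analysis.
containment_plan() {
    dir="$2"
    printf 'mkdir -p %s\n' "$dir"
    find_miners "$1" | while read -r user pid rest; do
        printf 'cp /proc/%s/exe %s/%s.bin\n' "$pid" "$dir" "$pid"
        printf 'cat /proc/%s/cmdline | tr "\\0" " " > %s/%s.cmdline\n' "$pid" "$dir" "$pid"
    done
    for user in $(miner_users "$1"); do
        printf 'pkill -KILL -u %s\n' "$user"
        printf 'usermod -L -s /sbin/nologin %s\n' "$user"
    done
}

# Stand-alone run over the constructed snapshot.
containment_plan "$SAMPLE_PS" /root/ir
```

On a live box use `containment_plan "$(ps -eo user,pid,args --no-headers)" /root/ir | less` and only pipe it to `sh` once you are happy with it; the point of the snapshot and the copied binaries is that you can still work out how they got in after the box is clean. The pattern list is deliberately narrow (scratch directories, stratum URLs, dotfile binaries) so it will not flag Asterisk or sshd; a miner that drops its binary under /var/lib with an innocent name would need a different signal, such as the sustained 100% CPU both posters noticed.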
so processes consuming too much resource would be quickly noted and you would be emailed. By its default firewall rules the attacker would never have been let in in the first place. Add rkhunter and you are much better protected from services you didn’t even know you had running than previously.
Thanks Dicko,
We are already looking for CSF solutions. But I see that webmin would be nice to configure it.
We will also look at rkhunter; we have heard great stories about this malware scanner.
Yes, the webmin interface is nice, as is the cellphone app, but for “belt and braces” security concerns, change the port it runs on in /etc/webmin/miniserv.conf and only run it when you need to.
The audit process will also have all sorts of recommendations for further securing your box, one is to make /tmp and /usr/tmp ephemeral, that would have stopped these attacks on reboot.
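The ephemeral /tmp recommendation above is worth checking rather than assuming. As an added example (not from the poster or from any audit tool), the function below reads an fstab- or /proc/mounts-shaped table and reports whether the given mount point is a tmpfs mounted noexec and nosuid, so the same check covers the config file and the running system. Both tables are constructed; the device names are placeholders, and the 512m size cap is an arbitrary example value.

```shell
#!/bin/sh
# Added example, not from this thread: check whether /tmp is an ephemeral
# tmpfs mounted noexec,nosuid. The fstab contents are constructed and the
# device names are placeholders.
FSTAB_WEAK='/dev/mapper/vg-root  /      ext4  defaults  1 1
/dev/sda1            /boot  ext3  defaults  1 2
/dev/mapper/vg-swap  swap   swap  defaults  0 0'

# Same table plus the line that makes /tmp a size-capped tmpfs: wiped on every
# reboot (so a miner parked there does not survive one) and unable to execute
# anything stored in it. The size is an example value, not a recommendation.
FSTAB_HARDENED="$FSTAB_WEAK
tmpfs                /tmp   tmpfs defaults,noexec,nosuid,nodev,size=512m 0 0"

# tmp_mount_status TABLE MOUNTPOINT
# Prints one of: missing | not-tmpfs | tmpfs-exec | ok
# TABLE is "device mountpoint type options dump pass" text, which is the layout
# of both /etc/fstab and /proc/mounts. The last matching entry wins, as it does
# for stacked mounts in /proc/mounts.
tmp_mount_status() {
    printf '%s\n' "$1" | awk -v mp="$2" '
        /^[[:space:]]*(#|$)/ { next }        # comments and blank lines
        $2 == mp {
            found = 1
            if ($3 != "tmpfs") { status = "not-tmpfs"; next }
            n = split($4, opts, ",")
            noexec = 0; nosuid = 0
            for (i = 1; i <= n; i++) {
                if (opts[i] == "noexec") noexec = 1
                if (opts[i] == "nosuid") nosuid = 1
            }
            status = (noexec && nosuid) ? "ok" : "tmpfs-exec"
        }
        END { print (found ? status : "missing") }
    '
}

# Stand-alone run over the two constructed tables.
echo "weak:     $(tmp_mount_status "$FSTAB_WEAK" /tmp)"
echo "hardened: $(tmp_mount_status "$FSTAB_HARDENED" /tmp)"
```

On a live box `tmp_mount_status "$(cat /proc/mounts)" /tmp` tells you what is actually mounted right now, and `tmp_mount_status "$(cat /etc/fstab)" /tmp` what you will get after the next reboot. /var/tmp (which /usr/tmp usually points at) and /dev/shm deserve the same look, since an attacker who finds /tmp noexec simply uses the next writable directory. Two caveats: noexec stops `/tmp/tester` from being executed directly but an interpreter can still run a script from there, so this is a speed bump on top of the firewall and rkhunter, not a substitute; and some package scriptlets expect to execute from /tmp, so confirm that updates still work before relying on it.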
We have had an internal ticket here for a long time to work with CSF, as we use it with some hosting stuff, but our big problem has been the lack of any true license. It's not an open source license, so it cannot be included in FreePBX, and based on the license we are not comfortable letting something like Sysadmin Module manage it, since that is a commercial license.