Tampered File Warning .htaccess

I updated four modules yesterday to the latest version. They were Conferences Pro, Broadcast, UCP and Endpoint (Commercial). Upon reloading the GUI I was presented with a security warning:

Your have 1 tampered files
This is a critical issues and should be resolved urgently.
Module: “FreePBX Framework”, File: “/var/www/html/admin/.htaccess altered”

I did update Framework the previous day to the latest version but do not recall seeing this issue.

This is what is in my .htaccess file. It looks normal.

I have tried running:

amportal chown
amportal a ma refreshsignatures
amportal a r

But everything checked out OK.

Any ideas what is going on? This box is behind a firewall and is not exposed to the internet with the exception of Port 5060 which is restricted to only my provider IP addresses.

#       License for all code of this FreePBX module can be found in the license file inside the module
 directory
#       Copyright 2013 Schmooze Com Inc.
#
SetEnv HTACCESS on
# Disallow all file access first
#
<FilesMatch "\..*$">
        Deny from all
</FilesMatch>

# Now allow /admin, /admin/config.php and /admin/index.php as well as the various assets
#
<FilesMatch "(^$|index\.php|config\.php|ajax\.php|\.(gif|GIF|jpg|jpeg|png|css|js|swf|txt|ico|ttf|svg|e
ot|woff|wav|mp3|aac|ogg|webm|jar)$)">
        Allow from all
</FilesMatch>

php_value max_input_vars 5000

php_value max_input_vars 10000

My suggestion would be to disable

“Enable Module Signature Checking”

in advanced settings

even a simple edit of

/var/www/html/index.php

to

<?php // License for all code of this FreePBX module can be found in the license file inside the module directory // Copyright 2013 Schmooze Com Inc. // if (file_exists(dirname(__FILE__) . '/index_custom.php')) { include_once(dirname(__FILE__) . '/index_custom.php'); } else { $basename = pathinfo($_SERVER['PHP_SELF'],PATHINFO_DIRNAME); $uri = (!empty($basename) && $basename != '/') ? $basename . '/ucp' : '/ucp'; header('Location: '.$uri); (Would that not make sense to anyone reasonably using this software ?) will throw up a hairball while comparing any modules against "what is allowed, because we say so and you are wrong to even think about wanting to do that" , come on guys at schmooze, please find a way to allow benign modification of your open source code to be accepted without steadfastly bitching about it. . . True, the work around would be for most folks to edit the overloaded filer, but you would have to properly document how to edit index_custom.php No? If installed, ucp should without doubt be the default homepage, no muss no fuss . .

To be clear, I haven’t made any changes to the .htacess file. It appears one of the module upgrades has altered it or something else is going on.

If you ask for approval you can edit to your hearts content as many have already done. We allow others to edit the files as long as they have a key and have signed our agreement ( http://wiki.freepbx.org/pages/viewpage.action?pageId=29753662 ). This system, as much as you probably absolutely hate it, helps to protect you and others from getting hacked because PHP is by far the easiest language to hack. Note that “disabling” said setting disables it temporarily, checking online or uploading a module will re-enable it for security reasons. How can anyone even remotely tell the different between a “benign” modification to a file and a compromised file? Who is to say that “file_get_contents” is or is not allowed in different areas? There’s no way to have a “you can edit all these files cause you are a good boy johnny, but you sally, you are bad, I know because…?”. As I stated, you can get your own GPG key and then fill out our agreement and publish and edit files to your hearts content.

This is not and never has been the reason this was created. Please step down off of your soapbox and meet me at a logical level. The concept for signature signing came about during the second to the last huge security vulnerability. It may not be perfect but when the ARI vulnerability came around the person who discovered it was on a beta release of FreePBX 12 and only discovered said vulnerability because they saw the message, so take it for what it’s worth.

vim index_custom.php

Not so hard is it?

I have never heard you mention that once before except now in this ranty message. (also take note that “schmooze” does not exist). Let’s take a step back and remember that you have the same privileges as all of the other users who report bugs and features requests and you can do it the same as all of them so how about instead of ranting you just report a request. That would be lovely.

This was a bug in Endpoint Manager, first update to the newest endpoint manager (commercial). Then after you’ve done that delete the line from “.htaccess” (php_value max_input_vars 10000). Everything should be good.

Adnrew,

Thankyou, I managed to fix it as you suggested and running ‘amportal refreshsignatures’ following the edit. This thread can be closed now.

Greg

1 Like

Two systems on which we updated modules this AM no have this problem. Both report 34 “tampered” files. This after a module update pass barfed code into the inset progress window. The aforementioned “amportal refreshsignatures” doesn’t work- amportal is deprecated and fwconsole doesn’t support that command.

Suggestions?

Edit to add: FreePBX framework is disabled due to the version. Here is what we get in the progress windows when we try to upgrade and enable:

directory

/var/www/html/admin/modules/framework/install.php

if (file_exists("$wr/admin/libraries/pest/index.php")) {
unlink("$wr/admin/libraries/pest/index.php");
}

// Prune any invalid files in assets or images
$obj = new RecursiveIteratorIterator(
new RecursiveDirectoryIterator("$wr/assets", FilesystemIterator::SKIP_DOTS),
RecursiveIteratorIterator::SELF_FIRST

A user said to run that command. I said to run “amportal a ma refreshsignatures”

fwconsole ma --help
fwconsole ma refreshsignatures

You have a messed up version of framework that was released for a total of 3 minutes. Simply run: fwconsole ma upgrade framework to get the newest one

Thank you for the quick response, Andrew. Unfortunately, that didn’t resolve the problem- the process of updating/enabling FreePBX Framework still barfs the error above into the update progress window.

You are half posting the error. Try it on the cli and paste the error here. What you are giving us is not helpful at all.

Note: This MUST BE DONE through the command line, as @tm1000 said above.

1 Like

Actually I said run the above command but then you replied with:

But you didn’t do what I asked. There is no update window in the CLI.

Our messages were crossing- my response was not to your most recent post because it was posted while I was writing :slight_smile:

The combination of first; fwconsole ma refreshsignatures
And then: fwconsole ma upgrade framework

Resolved the problem on both systems. THANK YOU very much for the quick response. Sorry for the crossed-message misunderstanding.

One more thing can you do this for me:

ls -l /var/www/html
ls -l /var/www/html/admin/pest
ls -l /var/www/html/admin

And return the output

Gladly.

[[email protected] ~]# ls -l /var/www/html
total 32
drwxr-xr-x  9 asterisk asterisk 4096 May 26 05:30 admin
drwxr-xr-x  2 asterisk asterisk 4096 Oct 15  2014 digium_phones
drwxr-xr-x 11 asterisk asterisk 4096 Aug 24 11:11 fop2
-rw-r--r--  1 asterisk asterisk  453 Sep  7 12:21 index.php
lrwxrwxrwx  1 asterisk asterisk   52 Feb 25  2015 provisioning -> /var/www/html/admin/modules/endpointman/provisioning
drwxr-xr-x  2 asterisk asterisk 4096 Apr 19 19:35 recordings
drwxr-xr-x  2 asterisk asterisk 4096 Apr 26 11:48 restapi
drwxr-xr-x  2 asterisk asterisk 4096 Jun 16 05:30 restapps
-rw-r--r--  1 asterisk asterisk  361 Sep  7 12:21 robots.txt
lrwxrwxrwx  1 asterisk asterisk   38 Apr 19 19:46 ucp -> /var/www/html/admin/modules/ucp/htdocs
lrwxrwxrwx  1 asterisk asterisk   47 Apr 26 11:58 wcb.php -> /var/www/html/admin/modules/webcallback/wcb.php
[[email protected] ~]# ls -l /var/www/html/pest
ls: cannot access /var/www/html/pest: No such file or directory
[[email protected] ~]# ls -l /var/www/html
total 32
drwxr-xr-x  9 asterisk asterisk 4096 May 26 05:30 admin
drwxr-xr-x  2 asterisk asterisk 4096 Oct 15  2014 digium_phones
drwxr-xr-x 11 asterisk asterisk 4096 Aug 24 11:11 fop2
-rw-r--r--  1 asterisk asterisk  453 Sep  7 12:21 index.php
lrwxrwxrwx  1 asterisk asterisk   52 Feb 25  2015 provisioning -> /var/www/html/admin/modules/endpointman/provisioning
drwxr-xr-x  2 asterisk asterisk 4096 Apr 19 19:35 recordings
drwxr-xr-x  2 asterisk asterisk 4096 Apr 26 11:48 restapi
drwxr-xr-x  2 asterisk asterisk 4096 Jun 16 05:30 restapps
-rw-r--r--  1 asterisk asterisk  361 Sep  7 12:21 robots.txt
lrwxrwxrwx  1 asterisk asterisk   38 Apr 19 19:46 ucp -> /var/www/html/admin/modules/ucp/htdocs
lrwxrwxrwx  1 asterisk asterisk   47 Apr 26 11:58 wcb.php -> /var/www/html/admin/modules/webcallback/wcb.php
[[email protected] ~]# ls -l /var/www/html/admin/pest
ls: cannot access /var/www/html/admin/pest: No such file or directory
[[email protected] ~]# ls -l /var/www/html/admin
total 208
-rw-r--r--   1 asterisk asterisk  1229 Sep  7 12:21 ajax.php
drwxr-xr-x   7 asterisk asterisk  4096 Aug 10 14:47 assets
-rw-r--r--   1 asterisk asterisk     0 Aug 10 14:44 ASTLOGDIRrecording_report
-rw-r--r--   1 asterisk asterisk 15772 Sep  7 12:21 bootstrap.php
-rw-r--r--   1 asterisk asterisk 44568 Apr 11  2014 CHANGES
-rw-r--r--   1 asterisk asterisk 27378 Sep  7 12:21 config.php
-rw-r--r--   1 asterisk asterisk 21048 Sep  7 12:21 functions.inc.php
drwxr-xr-x   2 asterisk asterisk  4096 Apr 12  2013 helpers
drwxr-xr-x  19 asterisk asterisk  4096 Apr 26 11:48 i18n
drwxr-xr-x   2 asterisk asterisk  4096 Sep  7 12:21 images
-rw-r--r--   1 asterisk asterisk   185 Sep  7 12:21 index.php
drwxr-xr-x   9 asterisk asterisk  4096 Apr 19 19:36 libraries
-rw-r--r--   1 asterisk asterisk   352 Sep  7 12:21 module-builtin.xml
drwxr-xr-x 118 asterisk asterisk  4096 Sep  7 12:28 modules
-rw-r--r--   1 asterisk asterisk 54545 Sep  7 12:21 page.modules.php
drwxr-xr-x   3 asterisk asterisk  4096 Apr 19 19:36 views
[[email protected] ~]#

On one system Web Callback started causing a tamper warning after I picked up some additional module updates. We don’t use it so I removed it entirely.

Whoops

ls -l /var/www/html/admin/libraries/pest

[[email protected] ~]# ls -l /var/www/html/admin/libraries/pest
total 28
-rw-r--r-- 1 asterisk asterisk  4955 Sep  7 12:21 PestJSON.php
-rw-r--r-- 1 asterisk asterisk 15463 Sep  7 12:21 Pest.php
-rw-r--r-- 1 asterisk asterisk  2313 Sep  7 12:21 PestXML.php
[[email protected] ~]#

A post was split to a new topic: Install no ui