Tampered file

FreePBX 12.0.76.4

Module: “FreePBX Framework”, File: “/var/www/html/admin/libraries/BMO/Ajax.class.php altered”

I have tried this solution.
amportal chown
amportal a ma refreshsignatures
amportal a reload

However, it still shows as tampered.

Upload the contents of Ajax.class.php somewhere like pastebin.com or pastebin.ca - you can also do it directly from your shell by something like this:

# curl -F 'f:1=<-' ix.io < /var/www/html/admin/libraries/BMO/Ajax.class.php

That will respond with an URL that you can paste here.

http://ix.io/1miX

Also, I did a diff on that file and another install I have and there were no differences.

Last night, I got an email to tell me several files had been tampered with.

You have 10 tampered files:
Module: “FreePBX Framework”, File: “/var/www/html/admin/.htaccess
altered"
Module: “FreePBX Framework”, File:
”/var/www/html/admin/assets/less/freepbx/page.less altered"
Module:
“FreePBX Framework”, File: “/var/www/html/admin/bootstrap.php
altered"
Module: “FreePBX Framework”, File:
”/var/www/html/admin/libraries/BMO/GPG.class.php altered"
Module:
“FreePBX Framework”, File:
"/var/www/html/admin/libraries/BMO/Notifications.class.php
altered"
Module: “FreePBX Framework”, File:
"/var/www/html/admin/libraries/Console/Chown.class.php altered"
Module:
“FreePBX Framework”, File:
"/var/www/html/admin/libraries/Console/Doctrine.class.php
altered"
Module: “FreePBX Framework”, File:
"/var/www/html/admin/libraries/media/Media/Driver/Drivers/SangomaRingtone.p
hp
altered"
Module: “FreePBX Framework”, File:
"/var/www/html/admin/libraries/media/Media/Media.php altered"
Module:
“FreePBX Framework”, File:
"/var/www/html/admin/libraries/modulefunctions.class.php altered"

amportal a ma refreshsignatures fixed my issue, not sure what that was all about.

I got exactly the same on several system that we manage and did the “fwconsole ma refreshsignatures” and again that fixed the problem. I don’t know why it happened though.

Please make sure you upgrade to the latest software versions.

I did do that as well.

1 Like