I am running multiple FreePBX systems hosted at Cyberlink, the official hosting partner of FreePBX. Today I hit my international limit of $100 in one day through a carrier. Found my extensions_custom.conf had all the thanku-outcall garbage you can find if you search. The posts I find here are 5-6 months old, so I wanted to see if this is happening to everyone else. I was on 10.13.66-16 on all of them and upgraded them to 10.13.66-17 tonight and removed the extensions_custom.conf data. Any info on whether there is a new vulnerability or not would be appreciated.
A way for you to check your system right now is to go to admin -> Config edit. Look at the extensions_custom.conf file to see if [thanku-outcall]; thankuohoh exists.
I’m not sure if I should back up and rebuild. My only concern is that I’m not doing anything special at all with the servers. They are the distro servers. Nothing else installed or added. Locked down in the firewall to the remote sites. I don’t want to rebuild only to find the exploit is inherent within the distro and I have to rebuild again.
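The check the original poster describes (look in extensions_custom.conf for a [thanku-outcall] context) can be scripted so it runs the same way on every box. The script below is an added example, not code from the thread or from the FreePBX project. It assumes the distro's default file location /etc/asterisk/extensions_custom.conf and a short allow-list of context names a stock install is expected to carry; both are assumptions to adjust for your install. The sample dialplan it writes for self-testing is constructed and is not the real injected payload.

```shell
#!/bin/sh
# Added example (not from the forum thread or the FreePBX project): scan a
# FreePBX extensions_custom.conf for the [thanku-outcall] dialplan context
# the original poster reports, and list any other custom contexts that are
# not on a small allow-list. Path and allow-list are assumptions.

# Assumed default location of the file on a FreePBX distro install.
DEFAULT_CONF="/etc/asterisk/extensions_custom.conf"

# has_context FILE CONTEXT: returns 0 if a "[CONTEXT]" header line exists.
has_context() {
    file="$1"; ctx="$2"
    grep -q "^[[:space:]]*\[$ctx\]" "$file" 2>/dev/null
}

# list_contexts FILE: print every context name in the file, one per line.
list_contexts() {
    sed -n 's/^[[:space:]]*\[\([^]]*\)\].*/\1/p' "$1" 2>/dev/null
}

# unexpected_contexts FILE: print context names not on the allow-list.
# The allow-list below is an assumption about what a stock distro file holds;
# extend it with contexts you added yourself on purpose.
unexpected_contexts() {
    list_contexts "$1" | grep -v -x \
        -e 'from-internal-custom' \
        -e 'macro-dialout-trunk-predial-hook' \
        -e 'ext-local-custom' || true
}

# check_file FILE: returns 1 if [thanku-outcall] is present (and shows the
# first lines of that context), 2 if the file is missing, 0 otherwise.
check_file() {
    file="$1"
    if [ ! -f "$file" ]; then
        echo "no such file: $file"
        return 2
    fi
    if has_context "$file" "thanku-outcall"; then
        echo "SUSPICIOUS: [thanku-outcall] found in $file"
        grep -n -A5 "^[[:space:]]*\[thanku-outcall\]" "$file"
        return 1
    fi
    echo "no [thanku-outcall] context in $file; custom contexts not on the allow-list:"
    unexpected_contexts "$file"
    return 0
}

# write_sample FILE: write a constructed example of what a hit looks like,
# so the checker can be exercised without touching a live PBX. This is NOT
# the real injected dialplan, only a placeholder under the same context name.
write_sample() {
    printf '%s\n' \
        '[from-internal-custom]' \
        '; stock, empty' \
        '' \
        '[thanku-outcall]' \
        'exten => _X.,1,NoOp(constructed sample, not the real payload)' \
        > "$1"
}

# Usage: sh check_custom_conf.sh [path]   (defaults to the distro location)
if [ $# -gt 0 ]; then
    check_file "$1"
elif [ -f "$DEFAULT_CONF" ]; then
    check_file "$DEFAULT_CONF"
fi
```

Run it as root on each PBX (or point it at a copy of the file pulled from each host) and act on a non-zero exit: a hit means the context is still there, and the list of unexpected contexts is worth reading even when the specific [thanku-outcall] name is absent, since the same kind of write could have used another name.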
I’ve just been assisting someone in IRC with a similar hack. There doesn’t appear to be a new vulnerability, but it may be something that hasn’t been cleaned up properly from previous attacks.
I’ll send you a PM here on the forums, and if you don’t mind, I’d like to have a quick look at your machine.
Note: This is NOT an official support response, this is just me, a random guy from the internet, who happens to know a lot about security and freepbx, helping you out.
You have the firewall on, with the responsive part turned off, and just what you needed listed in the network zone as trusted?
If so, how could someone get in? Did you allow the whole IP block from your WAN?
It looks like there were some files that were left over after the CVE in September that were missed, and that the attacker finally exploited.
I’ve published a new framework (18.104.22.168 - stable, not edge) that cleans up those files, and there’ll be a couple of new packages released either today or tomorrow that block similar attacks in the future.
I’m ALSO marking this as a major security vulnerability, so everyone will get a notification that they need to upgrade. It’s not actually a new vulnerability, but, if you have your admin page open to the internet, there’s a possibility that you may have previously been hacked, and not automatically cleaned up.
Thanks for jumping on this so quickly Rob. As always, the FreePBX team comes through.