The PBX machine is closed off from the outside world by an outside, independent firewall.
But whenever I delete this file, it shows up again automatically a few hours later. There are no logged attempts at uploading this file, or even at trying to use this code.
Still, nothing has happened on this PBX, except that this file showed up there.
The PBX machine itself is used for educational purposes, so actually nothing bad can even happen… but I would like to have some explanation for this behavior before I format the machine and reinstall everything from scratch.
Has anyone noticed similar code showing up at this location? I tried to figure out cron jobs, or something else that could create this file, but so far I could not find anything.
I do not have this file anywhere in my FreePBX installation (Distro version 10.13.66-16). If it keeps reappearing, check crontab to see if there is any script running.
Your firewall is either not properly configured or someone hacked you from the inside. That’s the only way this file can show up; there is nothing in the code that adds weather.
As I wrote, it was in cronmanager as an added record. The attack itself obviously arrived from outside, as the HTTP port was open to the outside world (this is a demo system), and ajax.php and several other files had vulnerabilities that came from a FreePBX update.
After this incident all the ports were closed, but the file still appeared.
Later I found it was showing up because PHP shell_exec code (found as an SQL record) was getting its source from http://api.src-elsahel.com/c (the URI is still available).
The SQL code that was inserted is (after decode and clean-up)