The file says it is 1kb but if you open it and close it is is 0KB. Have I been hacked?
Yes, that’s an indicator of compromise.
Any idea how I’m getting compromised?
This was a discussion about this from a year ago:
My ARI passwords are unique and I don’t have a stasis app “hey” running or created. So any ides HOW lgaetz.php got written into my web root? This is a very serious security issue!
I wouldn’t have a guess. That is the last time this was being reported and there isn’t any other instances of this happening reported by anyone else that I am aware of.
When did you change your ARI Password? Was it way after these breaches were initially reported last year? When did you apply the relevant patches?
You’ll need to establish the time line of your system and how it correlates to the reported security breach/incident and the response from Sangoma to the report.
If you are not sure how to forensically research a breach event then maybe hiring a specialist is the next step if this is running in any sort of business environment.
I changed all the password when I got the ARI password notification. I have since upgraded these systems to FreePBX 16 and they all have different ARI passwords.
@lgaetz Do you know where the lgaetz.php file comes from or how it got in /var/www/html which is only writeable by root? It has the contents “https:// t. me/+2YOda50Cw4RiZWJk” (spaces added as the url displays as “Telegram: Join Group Chat" in post.)
It is possible that your system was compromised prior to you making the changes and they have since established a backdoor that allowed them to access your system even after things were patched and changed.
That’s really something you would need to hunt down on your specific system.
You may need to backup your current configuration, install FreePBX on a completely new system and then restore your configuration to ensure that there is no persistent footholds present on the system that you lost trust in.