[FREEPBX-23280] FreePBX was hacked and Thankuohoh macro applied to extensions_custom.conf - Sangoma Issue Tracker

XML

Word

Printable

Details

Type: Bug
Status: Closed
Priority: Minor
Resolution: Support
Affects Version/s: None
Fix Version/s: None
Component/s: Other
Labels:
None

Bug Tracker:
Customer Issue
ToDo:

Asterisk Version:
16.20.0
Distro Version:
15.0.17.68
Distro:
FreePBX Distro

Description

FreePBX was hacked and Thankuohoh macro applied to extensions_custom.conf. A malicious configs.php file was found in /var/www/html. Error_log attached shows pastebin upload of configs.php to the aforementioned location. Could not find anything obvious in access_log.

Pastebin upload occurred on January 27, 2022 and international toll fraud calls started the next day, a Friday night, and went until early Monday morning.

The system is fully up to date, including all modules. Port 8080 was used for http access to GUI and was forwarded to server from router (i.e. exposed to the internet) and port 443 was used for https and also exposed.

Notes, error log, and access log are attached.

Gliffy Diagrams

Attachments

Options
- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

Attachments

access_log.txt
1.69 MB
03/Feb/22 2:02 AM
error_log-20220130.txt
211 kB
03/Feb/22 2:02 AM
FreePBX Exploit- Thankuohoh - Sanitized.docx
168 kB
03/Feb/22 2:11 AM

Activity

People

Assignee:

Unassigned

Reporter:

Matthew Curran

Votes:

0 Vote for this issue

Watchers:

3 Start watching this issue

Dates

Created:

03/Feb/22 2:10 AM

Updated:

08/Feb/22 2:47 PM

Resolved:

08/Feb/22 2:47 PM

NextupJiraPlusStatus

Error rendering 'slack.nextup.jira:nextup-jira-plus-status'. Please contact your Jira administrators.