
The new framework also attacked after vulnerability update

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.11
    • Fix Version/s: 2.10, 2.11, 12
    • Component/s: FreePBX Framework
    • Labels: None
    • ToDo:
    • Distro Version: 5.211.65-8

      Description

      We updated all Framework modules and deleted all infected files. Systems ran fine for a week, but suddenly users were deleted again and a hacker user was injected again.
      Can this still be possible with the framework updated?
      Even a fresh new distro 5.211.65-8, installed only a week ago, was infected.
      Looks like there is still a leak.
      The only thing we can find is an adjusted config.php file. How can this be done?
      We are trying to figure out where this can happen.

      The only thing we found in the access.log file was:
      ---------------------------------------------------
      46.165.220.215 - - [07/Apr/2014:05:43:44 +0200] "POST /admin/config.php HTTP/1.1" 200 181 "-" "curl/7.15.5 (x86_64-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5"
      46.165.220.215 - - [07/Apr/2014:05:43:45 +0200] "POST /admin/config.php HTTP/1.1" 200 2 "-" "curl/7.15.5 (x86_64-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5"
      46.165.220.215 - - [07/Apr/2014:05:43:46 +0200] "POST /admin/config.php HTTP/1.1" 200 2 "-" "curl/7.15.5 (x86_64-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5"
      46.165.220.215 - - [07/Apr/2014:05:43:46 +0200] "POST /admin/config.php HTTP/1.1" 200 45 "-" "curl/7.15.5 (x86_64-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5"
      46.165.220.215 - - [07/Apr/2014:05:43:46 +0200] "POST /admin/config.php HTTP/1.1" 200 47 "-" "curl/7.15.5 (x86_64-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5"
      46.165.220.215 - - [07/Apr/2014:05:43:47 +0200] "POST /admin/config.php HTTP/1.1" 200 2 "-" "curl/7.15.5 (x86_64-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5"
      46.165.220.215 - - [07/Apr/2014:05:43:47 +0200] "POST /admin/config.php HTTP/1.1" 200 6371 "-" "curl/7.15.5 (x86_64-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5"
      46.165.220.215 - - [07/Apr/2014:05:43:47 +0200] "POST /admin/config.php?display=A&handler=api&file=A&module=A&function=System HTTP/1.1" 200 2 "-" "curl/7.15.5 (x86_64-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5"
      46.165.220.215 - - [07/Apr/2014:05:43:47 +0200] "POST /admin/config.php?display=A&handler=api&file=A&module=A&function=System HTTP/1.1" 200 2 "-" "curl/7.15.5 (x86_64-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5"
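      An added detection example (not FreePBX code and not from the reporter): it parses Apache combined-format access.log lines and flags the two things visible above, a POST to /admin/config.php that selects handler=api and function=System, and a burst of POSTs to that entry point from one IP. The SAMPLE list holds shortened copies of two lines from the report plus one constructed benign line; the burst size and window are assumed thresholds.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit, parse_qs

# Apache combined-format line, as written by the httpd in front of FreePBX.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')

# Two shortened lines from the report above plus one constructed benign request.
SAMPLE = [
    '46.165.220.215 - - [07/Apr/2014:05:43:44 +0200] "POST /admin/config.php HTTP/1.1" 200 181 "-" "curl/7.15.5 (x86_64-redhat-linux-gnu)"',
    '46.165.220.215 - - [07/Apr/2014:05:43:47 +0200] "POST /admin/config.php?display=A&handler=api&file=A&module=A&function=System HTTP/1.1" 200 2 "-" "curl/7.15.5 (x86_64-redhat-linux-gnu)"',
    '10.0.0.5 - - [07/Apr/2014:09:00:00 +0200] "GET /admin/config.php?display=extensions HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

def parse_line(line):
    """Return a dict for one access.log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    url = urlsplit(rec["target"])
    rec["path"], rec["query"] = url.path, {k: v[0] for k, v in parse_qs(url.query).items()}
    return rec

def is_api_system_call(rec):
    """POST to /admin/config.php selecting handler=api and function=System (the shape in the report)."""
    return (rec["method"] == "POST" and rec["path"] == "/admin/config.php"
            and rec["query"].get("handler") == "api"
            and rec["query"].get("function") == "System")

def scan(lines, burst=5, window_s=10):
    """Return {ip: [findings]}: a finding is an api/System request or a burst of
    `burst` POSTs to /admin/config.php from one IP within window_s seconds (assumed thresholds)."""
    findings, posts = defaultdict(list), defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        if is_api_system_call(rec):
            findings[rec["ip"]].append(("api-System", rec["ts"].isoformat()))
        if rec["method"] == "POST" and rec["path"] == "/admin/config.php":
            posts[rec["ip"]].append(rec["ts"])
    for ip, stamps in posts.items():
        stamps.sort()
        if any((stamps[i + burst - 1] - stamps[i]).total_seconds() <= window_s
               for i in range(len(stamps) - burst + 1)):
            findings[ip].append(("burst", stamps[0].isoformat()))
    return dict(findings)
```

Run `scan(open("/var/log/httpd/access_log"))` against a real log to list source IPs that hit the api/System function or hammered the admin entry point.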

      People

      • Assignee: tm1000 Andrew Nagy
      • Reporter: 4allbusiness 4AllBusiness