Greetings, I sent this to the "Elastix" community a week ago but nobody has answered and quite frankly I am not impressed for they don't care about anything anymore that is not their 3CX thing.
Since Issabel is a fork of Elastix 2.5 and 4.0 that still uses the core programming of the former project, and also FreePBX 2.11.0.26, this is something that could potentially happen to Issabel users and I wanted to share it with you all:
POST SENT TO THE ELASTIX FORUMS:
New Elastix 2.5 FreePBX 2.11.0.26 exploit... please help!
Greetings,
I have seen a couple of posts where users complain about a blank screen after they click on the PBX Configuration tab. Well, I have experienced the same on my server and I have all updates applied to the server both for CentOS 5.11 (defunct now according to Centos.org) and also the remaining Elastix repos on the internet.
The problem is fixed by running "yum reinstall freePBX" but sadly, it is only temporary. It looks like there is some PHP injection or exploit hackers have found to mess with FreePBX 2.11.0.26 (the latest Elastix installs). The intruders DELETE all PHP files of the FreePBX GUI, leaving it unusable and broken. Thank God they do not mess with the databases, hence your PBX will still operate, take calls, make calls, record calls, transfer calls, register extensions and more, but you won't be able to reach the GUI for further configuration until you reinstall FreePBX again.
I have found myself reinstalling freePBX every single day and quite frankly this is getting on my nerves. I even set the firewall to block everything except the local network and the public IP of my customers but regardless, the intruder finds a way to break into the system and delete all php files of FreePBX.
What I found in the /tmp folder is a file called "magnito23.php", "magnito.php" or "MesSI.php". They are base64 encoded, but by decoding them I realized they are obtaining admin access by retrieving the password. In addition, in the /var/www/html/_asterisk folder you will also find this "magnito.php" file, which clearly means someone is injecting that code.
Oh, and it also messes with the anti-hacker module!! You have to upload the license file and reconfigure it completely to make it work properly again.
I have searched for solutions on the internet to no avail. Question is... Has someone found this threat and eliminated it for good? If so, please do share because I am TIRED of reinstalling FreePBX on all my servers. Oh, and it happens on Elastix 4.0 with CentOS 7 as well. I have a mix of Elastix 2.5 and 4.0 servers and the same happens on both platforms.
Your help will be greatly appreciated.
Best Regards,
Paul D Fabre
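A defender-side triage check for the symptoms described in the post above, as an added example that is not part of the original post or of the Elastix/Issabel projects: it looks for the dropped file names and directories the post mentions, flags any other PHP in those directories that unpacks itself with base64_decode, and reports when the FreePBX GUI has been wiped again. The file names and directories come from the post; the FreePBX admin path and config.php as the "GUI still present" marker are assumptions about a stock layout, and the sample tree is constructed.

```shell
#!/bin/sh
# Added example: triage for the indicators in the post (not from the original post).
IOC_NAMES="magnito23.php magnito.php MesSI.php"   # names from the post
SUSPECT_DIRS="/tmp /var/www/html/_asterisk"       # directories from the post
FREEPBX_ADMIN="/var/www/html/admin"               # assumed FreePBX GUI location

# scan_pbx ROOT: print one line per finding. ROOT is prefixed to every path so
# the check can run against a mounted image or a constructed tree, not only "/".
scan_pbx() {
  root="$1"
  for d in $SUSPECT_DIRS; do
    for n in $IOC_NAMES; do
      [ -f "$root$d/$n" ] && echo "IOC: $root$d/$n present (name from the post)"
    done
    # any other php dropped here that decodes base64 at runtime deserves a look
    for f in "$root$d"/*.php; do
      [ -f "$f" ] || continue
      case " $IOC_NAMES " in *" ${f##*/} "*) continue ;; esac   # already reported
      grep -q 'base64_decode' "$f" && echo "SUSPECT: $f calls base64_decode"
    done
  done
  # the post says the GUI's php files get deleted: an admin dir that exists but
  # has no config.php (assumed marker) means the GUI has been wiped again
  if [ -d "$root$FREEPBX_ADMIN" ] && [ ! -f "$root$FREEPBX_ADMIN/config.php" ]; then
    echo "DAMAGE: $root$FREEPBX_ADMIN/config.php missing (GUI php deleted?)"
  fi
  return 0
}

# scan_count ROOT: number of findings, handy for a cron job that alerts on > 0
scan_count() {
  scan_pbx "$1" | wc -l | tr -d ' '
}

# make_sample ROOT: constructed tree reproducing the post's symptoms (sample data)
make_sample() {
  root="$1"
  mkdir -p "$root/tmp" "$root/var/www/html/_asterisk" "$root/var/www/html/admin"
  printf '<?php eval(base64_decode("..."));' > "$root/tmp/magnito.php"   # named IOC
  printf '<?php eval(base64_decode("..."));' > "$root/tmp/dropper.php"   # unnamed, same trick
  printf '<?php echo "ok";' > "$root/var/www/html/_asterisk/index.php"   # benign
  # admin dir exists but config.php is absent, as after the described wipe
}

# Stand-alone run against the constructed tree (never the live host from here)
sample="$(mktemp -d)"
make_sample "$sample"
scan_pbx "$sample"
rm -rf "$sample"
```

Run `scan_count /` from cron on a real box to alert when the count is non-zero; the three lines the sample prints are the named IOC, the unnamed dropper and the wiped GUI.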