
TB Rootkit Exploit Found

Discussion in 'Open Discussion' started by wardmundy, Jan 26, 2009.

  1. wardmundy Nerd Uno

    A user on the trixbox forums has found a rootkit exploit on his server. :crazy:

    Simple test:

    Code:
    ls -all /sbin/init.zk
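    The one-line test above trusts `ls`, which is one of the binaries a rootkit typically replaces. The script below is an added example (not from the post, the trixbox thread, or the PIAF distribution) that checks the same indicator through `stat(2)` on the exact path and, on an RPM-based host, verifies the core binaries against the package database. The `ROOT` argument is an assumption introduced here so the indicator check can be pointed at a mounted image of a suspect disk rather than the live system; the list of binaries to verify is likewise this example's choice.

```shell
#!/bin/sh
# Added example, not code from the forum post. It turns the one-line test
# from the post (ls -all /sbin/init.zk) into a check that does not depend on
# a possibly trojaned `ls`, and adds a package-manifest verification step.
# The ROOT argument is an assumption introduced here: pass "" for the live
# host, or the mount point of a suspect disk image that was taken offline.

# Indicator check: stat(2) the exact path instead of listing the directory.
# A userland rootkit that filters readdir() output out of `ls` still lets
# stat() on the full path succeed, so the path is tested directly.
# Exit status 0 when the indicator is present, 1 when it is absent.
zk_indicator_present() {
    root="${1:-}"
    [ -e "$root/sbin/init.zk" ] || [ -L "$root/sbin/init.zk" ]
}

# Manifest check (live host only): trixbox is CentOS-based, so the binaries
# a rootkit commonly replaces can be compared with the RPM database.
# rpm -V prints one line per file that differs from the package manifest;
# a "5" in the third column means the MD5 sum no longer matches, which for
# /sbin/init or /bin/ls is a strong sign of tampering. Prints "skipped" when
# rpm is not installed, otherwise the number of modified binaries.
verify_core_binaries() {
    if ! command -v rpm >/dev/null 2>&1; then
        echo skipped
        return 0
    fi
    bad=0
    for f in /sbin/init /bin/ls /bin/ps /bin/netstat /usr/bin/find; do
        [ -e "$f" ] || continue
        if rpm -Vf "$f" 2>/dev/null | grep -q '^..5'; then
            echo "modified: $f" >&2
            bad=$((bad + 1))
        fi
    done
    echo "$bad"
}

# Verdict for one host or image: "compromised" when the zk indicator is
# found, "clean" otherwise. Always exits 0 so it composes in pipelines.
zk_scan() {
    root="${1:-}"
    if zk_indicator_present "$root"; then
        echo compromised
    else
        echo clean
    fi
    return 0
}

# Usage: sh zk_check.sh            (live host)
#        sh zk_check.sh /mnt/image (offline image; manifest check skipped)
echo "zk indicator: $(zk_scan "${1:-}")"
if [ -z "${1:-}" ]; then
    echo "modified core binaries: $(verify_core_binaries)"
fi
```

    A "clean" verdict here only means this one indicator is absent; the original poster's rootkit hunter run also turned up nothing, which is why the thread's advice of reinstalling from known-good media and restoring the configuration remains the safe response once any indicator is found.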
  2. TheShniz Guru

    I admittedly try to avoid any & all things green, and only know about the most recent occurrences through other forums/articles/etc... so I took a quick scan of their Open Discussion, and found at the top:

    The Beginning of the End
    http://www.trixbox.org/forums/trixbox-forums/open-discussion/begining-end-ce

    Surprisingly, many of the same people I knew & loved are still there, all in various stages of having given up. I understand 'the mob' aka 'the masses' can be dumb as sheep, but these guys are the ones 'that know' and are intimately aware. I suppose things become self-evident to people at different levels of obviousness, lol.

    A very long, but interesting read... nothing different than what so many were saying this time last year I suppose.
  3. kevinfvc Member

    the trixbox link returns a page not found error for me...

    For hacks, rootkits, etc., how much is truly the blame of the Fonality platform vs. poor network security (operator fault)? Is there something inherently more insecure in trixbox vs. PiaF, Elastix, Switchvox, etc.?

    PiaF has done a good job being proactive on adding security features like fail2ban and setting up iptables in the distribution, but if an operator chooses to turn these features off, the system is as vulnerable as the next. Right?
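    For reference, here is what the "features left on" state looks like as an iptables policy, together with a check that flags the "turned off" state the post warns about. This is an added example, not the ruleset shipped by PIAF, trixbox or any other distribution. Its assumptions are labelled in the code: SIP on 5060/udp and IAX2 on 4569/udp (the protocols' standard ports), RTP on 10000-20000/udp (the default range in Asterisk's rtp.conf), and an admin network `MGMT_NET` that is the only source allowed to reach SSH and the web GUI.

```shell
#!/bin/sh
# Added example, not code from the post or from any PBX distribution.
# Generates a default-deny iptables INPUT policy that exposes only the VoIP
# ports, and audits an existing chain for the "firewall turned off" state.
# Assumed values (change to match the PBX):
MGMT_NET="${MGMT_NET:-192.168.1.0/24}"   # assumed admin LAN for SSH/web GUI
RTP_RANGE="${RTP_RANGE:-10000:20000}"    # Asterisk rtp.conf default range
SIP_PORT=5060                            # standard SIP port (udp)
IAX2_PORT=4569                           # standard IAX2 port (udp)

# Print the ruleset instead of applying it, so it can be reviewed and then
# piped to sh on the PBX. Order matters: loopback and established traffic
# first, then the VoIP ports, then management from the admin network only,
# then a rate-limited log of what the default DROP policy discards.
gen_voip_rules() {
    cat <<EOF
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -F INPUT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p udp --dport $SIP_PORT -j ACCEPT
iptables -A INPUT -p udp --dport $IAX2_PORT -j ACCEPT
iptables -A INPUT -p udp --dport $RTP_RANGE -j ACCEPT
iptables -A INPUT -s $MGMT_NET -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -s $MGMT_NET -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "pbx-drop: "
EOF
}

# Audit: read an `iptables -S INPUT` style dump from stdin and return 0 only
# if the chain is default-deny and has no unconditional ACCEPT rule.
# Both "-P INPUT ACCEPT" and a bare "-A INPUT -j ACCEPT" are the weak state
# an operator ends up in after "turning the firewall off"; either fails.
input_is_default_deny() {
    dump=$(cat)
    echo "$dump" | grep -q '^-P INPUT DROP' || return 1
    if echo "$dump" | grep -Eq '^-A INPUT -j ACCEPT$'; then
        return 1
    fi
    return 0
}

# Usage: sh voip_fw.sh > rules.sh ; review ; sh rules.sh
#        iptables -S INPUT | sh -c '. ./voip_fw.sh; input_is_default_deny'
gen_voip_rules
```

    Note that this only covers the inbound side of the original poster's setup; fail2ban, which the post also mentions, complements it by adding temporary DROP rules for sources that fail SIP registration repeatedly, something a static ruleset cannot express.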
  4. rugby Guru

    That page is gone.
  5. wardmundy Nerd Uno

    Interesting. It appears the thread was deleted about the time California got to work this morning. That's one way to handle security threats, I suppose. Here's what's left of it on Google...

    Rootkit Found on my Trixbox Server | trixbox
    Jan 26, 2009 ... A quick Google turned up many hints that this was rootkit related. I ran rootkit hunter, but this turned up nothing. ...
    www.trixbox.org/forums/trixbox-forums/open-discussion/rootkit-found-my-trixbox-server - 4 hours ago

    Rootkit Found on my Trixbox Server | trixbox
    3:22pm Jan 26, 2009 ... On further checking, I found evidence of the zk rootkit - eg: an init.zk file in /sbin. At this point I just started a reinstall - which took all of about 30 mins, including a config restore. Now, this server is behind a hardware firewall with no general access and the only ports open are those for SIP, RTP and IAX2. ...
    www.trixbox.org/forums/trixbox-forums/open-discussion/rootkit-found-my-trixbox-server - 5 hours ago

    Rootkit Found on my Trixbox Server | trixbox
    3:22pm Jan 26, 2009 ... So I get in via this and get root via vmsplice and then suddenly Bob's your uncle and the box isn't yours anymore. ...
    www.trixbox.org/forums/trixbox-forums/open-discussion/rootkit-found-my-trixbox-server - 5 hours ago

    Rootkit Found on my Trixbox Server | trixbox
    3:22pm Jan 26, 2009 ... SIP and IAX2 exploits are from 2007, there has been an information disclosure weakness in IAX2 too, which has been announced some days ago. ...
    www.trixbox.org/forums/trixbox-forums/open-discussion/rootkit-found-my-trixbox-server - 5 hours ago

    Rootkit Found on my Trixbox Server | trixbox
    3:22pm Jan 26, 2009 ... The vmsplice 'exploit' requires user rights to execute code on the box, that requires access either locally or remotely. ... aka "Skyking".
    www.trixbox.org/forums/trixbox-forums/open-discussion/rootkit-found-my-trixbox-server - 5 hours ago


    And then there's this result from donbusca.com:
  6. The Deacon Guru

  7. jmullinix Guru

    The pure presence of a rootkit on a user's machine should not be worthy of deleting the thread. Therefore one could only assume that the rootkit got in through a known security flaw.
