wardmundy
We have been advised that the Sangoma Portal may have been compromised. Anecdotal evidence is mounting that servers running services activated through the Sangoma Portal may have been compromised resulting in very expensive phone bills. Since the outset, one of our primary objections to the Sangoma portal design was/is that it may provide Sangoma with either root level access to your server or the functional equivalent through the expanded use of asterisk user permissions.
In addition to reading the thread on the FreePBX Forum about this, you also should immediately check your servers for evidence of compromise particularly if you have a business relationship with Sangoma or credentials in their portal.
PLEASE REPORT BACK IF YOU FIND A PROBLEM!! IMMEDIATELY TAKE YOUR SERVER OFF LINE!!
First, check /root/.bashrc for alias cd and alias exit lines. They should not be there!
Second, run the following commands to determine if these files exist on any of your servers. The latter one may be in /var/www.hmtl/ (not sure if this is a dual typo or not).
Code:
# search the whole filesystem; discard permission-denied noise
find / -name wbc.php 2>/dev/null
find / -name .asterisk.php 2>/dev/null
Third, check your /var/log/httpd/access_log for entries that include .asterisk.php or 5.79.73.246. There may be multiple (older) access logs! Numerous other IP addresses to check here.
Fourth, check /var/log/secure for SSH entries that appear from users or sites you don't own. Ditto on older versions of the SSH log.
Fifth, check your user list for an ssh user. sshd is OK, but not ssh.
Code:
# list account names; sshd is expected, a user named exactly "ssh" is not
cut -d: -f1 /etc/passwd | grep ssh
If your server is running Travelin' Man 3 and your IPtables firewall is not disabled and you have not whitelisted the Sangoma Portal, your server still may have been compromised since the .asterisk.php script uses Asterisk to place outbound calls on your nickel. However, we believe the whitelist would have prevented access by the bad guys to both SSH and your web GUI.
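As an added example that is not part of the original post or of any PIAF/Sangoma tooling: one POSIX shell sweep that runs the five checks above against a root path, so it can be pointed at / on the live box or at a mounted image of its disk (the safer choice, since find/grep on a compromised box cannot be trusted). The optional allowlist of SSH source addresses, the fixture directory and the sample log lines are constructed for the example; the two file names and the IP address are the ones quoted in the post.

```shell
#!/bin/sh
# Added example: sweep a filesystem root for the indicators listed in the post.
# Argument 1: root to inspect ("/" for the live box, or an image mount point).
# Argument 2: space-separated SSH source IPs you own (assumed allowlist; any
# other address with a successful login is flagged).
IOC_FILES='wbc.php .asterisk.php'   # file names from the post
IOC_IP='5.79.73.246'                # address from the post

# Prints one "IOC ..." line per finding; returns 0 only if nothing was found.
ioc_sweep() {
  root="${1:-/}"
  allow="${2:-}"
  hits=0

  # 1. alias cd / alias exit lines in /root/.bashrc
  rc="$root/root/.bashrc"
  if [ -f "$rc" ] && grep -Eq '^[[:space:]]*alias[[:space:]]+(cd|exit)=' "$rc"; then
    echo "IOC bashrc: alias cd/exit present in $rc"
    hits=$((hits + 1))
  fi

  # 2. the dropped files anywhere under the root (covers a /var/www.hmtl/ dir too)
  for name in $IOC_FILES; do
    for f in $(find "$root" -type f -name "$name" 2>/dev/null); do
      echo "IOC file: $f"
      hits=$((hits + 1))
    done
  done

  # 3. current and rotated httpd access logs, plain or gzip-compressed
  for log in "$root"/var/log/httpd/access_log*; do
    [ -f "$log" ] || continue
    case "$log" in *.gz) rd='gzip -dc';; *) rd=cat;; esac
    n=$($rd "$log" | grep -cF -e '.asterisk.php' -e "$IOC_IP" || true)
    if [ "$n" -gt 0 ]; then
      echo "IOC httpd: $n line(s) matching .asterisk.php or $IOC_IP in $log"
      hits=$((hits + 1))
    fi
  done

  # 4. successful SSH logins in /var/log/secure* from addresses not in $allow
  for log in "$root"/var/log/secure*; do
    [ -f "$log" ] || continue
    case "$log" in *.gz) rd='gzip -dc';; *) rd=cat;; esac
    for ip in $($rd "$log" | grep -E 'sshd\[[0-9]+\]: Accepted ' \
                | sed -nE 's/.* from ([0-9a-fA-F.:]+) port .*/\1/p' | sort -u); do
      case " $allow " in
        *" $ip "*) ;;
        *) echo "IOC sshd: accepted login from $ip in $log"; hits=$((hits + 1)) ;;
      esac
    done
  done

  # 5. an account literally named "ssh" (sshd is the normal daemon account)
  if [ -f "$root/etc/passwd" ] && cut -d: -f1 "$root/etc/passwd" | grep -qx ssh; then
    echo "IOC passwd: user 'ssh' present in $root/etc/passwd"
    hits=$((hits + 1))
  fi

  [ "$hits" -eq 0 ]
}

# Constructed fixture that trips every check; placeholder data, not real logs.
make_fixture() {
  d=$(mktemp -d)
  mkdir -p "$d/root" "$d/var/www/html" "$d/var/www.hmtl" "$d/var/log/httpd" "$d/etc"
  printf '%s\n' "alias cd='builtin cd'" > "$d/root/.bashrc"
  : > "$d/var/www/html/wbc.php"
  : > "$d/var/www.hmtl/.asterisk.php"
  printf '%s\n' '5.79.73.246 - - [01/Jan/2000:00:00:00 +0000] "GET /.asterisk.php HTTP/1.1" 200 12' \
    > "$d/var/log/httpd/access_log"
  printf '%s\n' '10.0.0.5 - - [01/Jan/2000:00:00:01 +0000] "GET /admin/ HTTP/1.1" 200 512' \
    > "$d/var/log/httpd/access_log.1"
  printf '%s\n' \
    'Jan  1 00:00:00 pbx sshd[1234]: Accepted password for root from 10.0.0.5 port 51000 ssh2' \
    'Jan  1 00:01:00 pbx sshd[1240]: Accepted password for ssh from 203.0.113.7 port 42000 ssh2' \
    > "$d/var/log/secure"
  printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' 'sshd:x:74:74::/var/empty/sshd:/sbin/nologin' \
    'ssh:x:1001:1001::/home/ssh:/bin/bash' > "$d/etc/passwd"
  echo "$d"
}

# Constructed clean fixture: only the expected accounts, no logs, no dropped files.
make_clean_fixture() {
  d=$(mktemp -d)
  mkdir -p "$d/root" "$d/etc"
  printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' 'sshd:x:74:74::/var/empty/sshd:/sbin/nologin' \
    > "$d/etc/passwd"
  echo "$d"
}

# Usage: sh ioc_sweep.sh /             or     sh ioc_sweep.sh /mnt/image 10.0.0.5
if [ $# -gt 0 ]; then ioc_sweep "$@"; fi
```

Run it against a mounted image where possible, and pass the addresses you normally SSH from as the second argument so your own logins are not reported. A clean result from this sweep only covers the indicators quoted in the post; as the post itself notes, a Travelin' Man 3 whitelist would not have stopped calls placed through Asterisk by the .asterisk.php script, so outbound call records still need a separate review.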