AsteriskNow security issue

There’s a fairly well-known, but easy to miss, security issue with AsteriskNow (potentially all FreePBX installs): a hidden user account allows admin access to the FreePBX web interface.

The account details are the ones the amportal.conf file uses to connect to the MySQL database; the settings are called AMPDBUSER and AMPDBPASS.

In AsteriskNow these are set to username ‘freepbx’ and password ‘fpbx’. If you have a standard AsteriskNow install, those will be the defaults and will allow admin access to the FreePBX web GUI.

If your server is accessible over the internet, check to see if you are vulnerable and change the password or block access ASAP.

See here for some instructions – http://forums.asterisk.org/viewtopic.php?f=14&t=74423&start=0
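
One way to run that check on the server, as an added example that is not from the original post or the FreePBX project: the shell functions below read an amportal.conf and report whether AMPDBUSER and AMPDBPASS still hold the ‘freepbx’/‘fpbx’ defaults. The function names, the /etc/amportal.conf path in the usage comment and the sample file are assumptions.

```shell
# Added example: audit amportal.conf for the default DB credentials.

# Print the effective value of a key from an amportal.conf-style file
# (KEY=value lines, '#' comments, last assignment wins).
amp_get() {
    # $1 = key, $2 = file
    awk -v key="$1" '
        /^[ \t]*#/ { next }                  # skip comment lines
        {
            line = $0
            sub(/\r$/, "", line)             # tolerate CRLF line endings
            eq = index(line, "=")
            if (eq == 0) next
            k = substr(line, 1, eq - 1)
            v = substr(line, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)   # trim whitespace around key
            gsub(/^[ \t]+|[ \t]+$/, "", v)   # trim whitespace around value
            if (k == key) val = v
        }
        END { print val }
    ' "$2"
}

# Return 0 (finding) if the file still carries the defaults named in the post,
# 1 if it does not, 2 if the file cannot be read.
amp_has_default_creds() {
    conf=$1
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    user=$(amp_get AMPDBUSER "$conf")
    pass=$(amp_get AMPDBPASS "$conf")
    if [ "$user" = "freepbx" ] && [ "$pass" = "fpbx" ]; then
        echo "FINDING: $conf uses the default AMPDBUSER/AMPDBPASS pair"
        return 0
    fi
    echo "OK: $conf does not use the default AMPDBUSER/AMPDBPASS pair"
    return 1
}

# Constructed sample file (not taken from a real server) with the default pair.
sample=$(mktemp)
printf '%s\n' '# constructed sample' 'AMPDBUSER=freepbx' 'AMPDBPASS=fpbx' > "$sample"
amp_has_default_creds "$sample"
rm -f "$sample"

# On a server: amp_has_default_creds /etc/amportal.conf   (path is an assumption)
```

A finding means the password should be changed or access to the web interface blocked, as described above.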

SysAdminMan has never offered AsteriskNOW hosting so customers are unaffected.