FreePBX / CentOS / Apache / PHP – security exploit

The FreePBX development team are advising of a security issue affecting all current installs of FreePBX based on CentOS.

This from Tony Lewis at Schmooze Communications –

“I think you need to evaluate your version of php and apache for exploits as we have spent countless hours on FreePBX Support the past week with customers from PBXiaF, Trixbox, Elastix, AsteriskNow and yes the FreePBX Distro who have been hacked from these exploits. We rolled an upgrade today that patches the exploits in 3 different packages.

Neither CentOS 5.5, 5.6 nor 6.0 has a version of Apache that closes this exploit”

At this time I have no further information and suggest you check the PIAF forum –

http://pbxinaflash.com/forum/showthread.php?p=69504

or FreePBX forum –

http://www.freepbx.org/forum/freepbx-distro/distro-discussion-help/freepbx-distro-rooted

for more information.


UPDATE – 11/8/2011

Unfortunately, from all the information that I’ve read, none of it points to the method used to compromise the servers discussed in the posts above. The outcome I’ve seen many times (doing sys admin work for people) – the compromised box is used to scan for other servers with vulnerabilities.

This is just a guess but I would assume they did not get root access to the box. Most of the servers that I’ve seen that have been root compromised have had a root kit, or other back door installed, and updating Apache / PHP would not prevent them having access to the box.

It’s likely that the user account running the Apache process was compromised, allowing uploaded scripts to be executed locally.

The advice remains the same, though: wherever possible, do not allow general access to your web server ports.

UPDATE – 13/08/11

The original machine in this thread was compromised via this vulnerability in phpMyAdmin – http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3055.

As things stand (13/8/11) it looks like the version of phpmyadmin included in the FreePBX Distro repos is vulnerable. I suggest not installing it, especially if your machine is accessible over the web.

I still have no further information on any other potential exploits.


3 thoughts on “FreePBX / CentOS / Apache / PHP – security exploit”

  1. matt Post author

    My understanding so far is this – the FreePBX guys saw attacks and compromises of some (many?) servers. They tried many things to track down the problem. One of those was updating Apache/PHP, and after that they saw no more compromises.

    I’ve seen nothing which describes how they were compromised, only results of the compromises (various script kiddy tools being used to scan other servers to compromise).

    If you can update your version of Apache using the inbuilt package manager (yum), then I would. If it means having to compile from source I’d be quite wary about going down that route as it means you need to update from source from now on.

    Much better (as it doesn’t only mitigate a single attack) is to block access to the web port using a firewall, like iptables.
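The post's closing advice and this comment both come down to the same control: keep the web ports off the open internet and let only a management network reach the FreePBX GUI (and anything like phpMyAdmin installed beside it). The script below is an added example, not code from the original post or from the FreePBX project. It generates an iptables-restore ruleset for a CentOS box, so it can be reviewed as text before being applied. The management subnet (`ADMIN_NET`, defaulting to the documentation range 192.0.2.0/24), the SSH port, and the SIP/RTP port ranges are assumptions to adjust for your own PBX; the block only applies the rules when run as root with `--apply`, and otherwise just prints them.

```shell
#!/bin/sh
# Added example: restrict HTTP/HTTPS on a FreePBX host to an admin network.
# Not part of the original post; constructed for illustration.

# Assumed management subnet (placeholder, RFC 5737 documentation range).
ADMIN_NET="${ADMIN_NET:-192.0.2.0/24}"
WEB_PORTS="80 443"

# Print an iptables-restore compatible filter table on stdout.
# Policy: drop inbound by default, allow loopback and established traffic,
# allow SSH and SIP/RTP (assumed ports for an Asterisk/FreePBX box) from
# anywhere, and allow the web ports only from the admin subnet.
web_ruleset() {
  admin_net="$1"
  printf '%s\n' '*filter'
  printf '%s\n' ':INPUT DROP [0:0]'
  printf '%s\n' ':FORWARD DROP [0:0]'
  printf '%s\n' ':OUTPUT ACCEPT [0:0]'
  printf '%s\n' '-A INPUT -i lo -j ACCEPT'
  printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
  printf '%s\n' '-A INPUT -p tcp --dport 22 -j ACCEPT'          # SSH (assumed)
  printf '%s\n' '-A INPUT -p udp --dport 5060 -j ACCEPT'        # SIP (assumed)
  printf '%s\n' '-A INPUT -p udp --dport 10000:20000 -j ACCEPT' # RTP (assumed)
  for port in $WEB_PORTS; do
    printf '%s\n' "-A INPUT -p tcp -s $admin_net --dport $port -j ACCEPT"
  done
  # Log anything else aimed at the web ports so scans show up in /var/log/messages.
  printf '%s\n' '-A INPUT -p tcp -m multiport --dports 80,443 -j LOG --log-prefix "web-denied: "'
  printf '%s\n' 'COMMIT'
}

# Load the generated rules into the running kernel and persist them in the
# CentOS location read by the iptables init script.
apply_ruleset() {
  if [ "$(id -u)" -ne 0 ]; then
    echo "apply_ruleset: must run as root" >&2
    return 1
  fi
  web_ruleset "$ADMIN_NET" > /etc/sysconfig/iptables
  iptables-restore < /etc/sysconfig/iptables
}

# Dry run by default; --apply installs the rules.
case "${1:-}" in
  --apply) apply_ruleset ;;
  *)       web_ruleset "$ADMIN_NET" ;;
esac
```

Run it without arguments to review the ruleset, then as root with `--apply` to install it. Because `yum update` of Apache or PHP only closes the flaw that is being patched, this network restriction is the layer that keeps an unknown web-side issue (the phpMyAdmin one from the 13/08 update included) out of reach of the general internet.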
