@eagle wrote:
I got a notification today from my SIP provider that a known fraudulent number had been used on my account and they shut down my SIP. I've gotten this before and typically I go in and change all my passwords and life is good; not this time.
When I fired up my FreePBX site I got a notice that my module signing was invalid and Ajax.php could not be found. I went into the HTML folder and saw that someone renamed the Ajax.php to a random name and in its place was something that said I was hacked. Fine, I renamed the file back and followed the instructions on http://wiki.freepbx.org/display/F2/Module+Signing to make sure everything was correct. FreePBX is back up and running now.
The issue I'm having is when I SSH'd into my box to change my passwords I noticed a new account called 'dude'. I tried to remove the user but couldn't because it says it was used by process 1 (/sbin/init). I changed the password and I'm unsure what to do to my system so that 'dude' is not running /sbin/init any longer.
I ran a find / -user dude and saw tons of files "owned" by him, but when I check the files they say they are owned by root, making me wonder if 'dude' is some kind of alias for 'root'.
What can I do to start cleaning this mess up?
Thank you!
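An added example, not part of the original post: a check for the "alias for root" question raised above. `find -user` matches on the numeric UID and `ls` prints the first name that maps to that UID, so a second passwd entry with UID 0 would produce exactly the symptoms described. That this is what happened on the poster's box is an assumption, and the sample passwd lines below are constructed.

```shell
#!/bin/sh
# shared_uids [passwd-file]: list every numeric UID claimed by more than
# one account name. Defaults to /etc/passwd.
shared_uids() {
    awk -F: '
        /^#/   { next }                  # skip comment lines
        NF < 7 { next }                  # skip blank or malformed entries
        { names[$3] = (names[$3] ? names[$3] "," : "") $1; count[$3]++ }
        END {
            for (uid in count)
                if (count[uid] > 1)
                    printf "uid=%s shared by: %s\n", uid, names[uid]
        }
    ' "${1:-/etc/passwd}" | sort
}

# uid0_names [passwd-file]: every account name that resolves to UID 0,
# i.e. every login that is root as far as the kernel is concerned.
uid0_names() {
    awk -F: '!/^#/ && NF >= 7 && $3 ~ /^0+$/ { print $1 }' "${1:-/etc/passwd}"
}

# Constructed sample data (not taken from the poster's system):
# an extra account "dude" that was created with UID 0.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
asterisk:x:498:498:Asterisk:/home/asterisk:/bin/bash
dude:x:0:0::/home/dude:/bin/bash
EOF

shared_uids "$SAMPLE"
uid0_names "$SAMPLE"
rm -f "$SAMPLE"
```

Run with no argument, both functions read the live `/etc/passwd`; any name other than `root` printed by `uid0_names` is a full root-equivalent login.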