xajax not included
Since Friday the 18th almost all my trix machines have ajax broken with an error saying that the xajax.js script cannot be included. On the forum I found that it was caused by an exploit on php.
Anyway I updated the machine and solved the vulnerability. The problem is that ajax is still not working and a popup is reminding me every few seconds that ajax is not working.
I noticed that if I call the script directly from the browser the file is spoiled with a long series of ? (question marks) that make the php page compiler crash. The machine I just reinstalled from scratch this morning renders the xajax.js scripts without any ???????? (question marks).
Any idea?
I take it you have fixed one machine by reinstalling and are looking for a quicker fix for others. As you've already tried updating and that didn't fix it, perhaps try removing and reinstalling the package/s that provide the affected script. If you know the name of the file/s that are broken, "yum provides filename" may help with which packages. Unfortunately I don't know what ones to suggest.
Good luck
There are different packages that provide a script xajax.js (tbm.GUIcore, or tbm-dhcp) they all provide script that are included in some php trixbox page. They all have the same problem. I tried to reinstall httpd and php but after that things got really messy. Is there someone of all the people that had this problem solved without reinstalling from scratch?
I don't think the folks at Trixbox understand how big this is. Check out the thread below.
http://trixbox.org/forums/trixbox-forums/open-discussion/critical...
I actually had to resort to an old machine that had ver 2.4 on it.
On the affected machine I uninstalled EVERYTHING related to Trixbox (zaptel/php/trixbox/Freepbx), you name it, I uninstalled it. I then cleaned up all the directories of any trace of Trixbox related files. Then I re-installed it all and lo and behold, SAME DAMN error.
Trix has not gotten out in front of this and has decided to backburner it instead. Even to the point of not believing that the problem is real!
The ONLY thing you can do at this point is to re-install. Then once you have it set up make a back up of the disk so you can push a fresh copy back on the machine when the hack hits again, which I fully expect it will.
No one has even mentioned this xajax thing. It gets installed with Trix and goes away upon uninstalling Trix. So however Trix uses xajax has been hacked!
The machine is rendered useless!
Trix protect your brand and whack out this hack. This thing is starting to get a life of its own and has existed now for a week!
What happened on that day? Did you yum update the system or make any similar changes?
With regard to the link to the other forum thread, while it's nice to ask Fonality to make sure the code is secure enough to protect us from ourselves, you have to ask yourself how this happened. The vulnerability relates to the web interface only as I understand it, so if you have port 80 open to the outside world, why? It's a web interface to configure a phone system, not a public web server. Would you open the config interface of your firewall/router to the outside world to play with?
Anyway back to fixing the problem
locate xajax.js shows
/var/www/html/maint/includes/xajax_js/xajax.js
/var/www/html/user/includes/xajax_js/xajax.js
Copying the scripts or maybe contents of these directories from a clean install may be one solution.
Of the packages listed above I'd be suggesting tbm.Guicore as the most likely. Remove it using rpm -e --nodeps rather than yum remove, as the dependencies will cause it to remove half your system. Then you should be able to put it back with yum install.
Running yum provides xajax.js will show you what packages you have installed that came with a version of the script and where they put it. Chances are not all copies are compromised.
I have not suffered this problem so I can't make any promises, but if it is already broken it can't hurt to try. I'd be more worried about the cause and the possibility of someone gaining root access and having root kitted the machine. Have a look on the net for something called rkhunter, but don't get paranoid just because I've mentioned it.
I already tried everything with the same nasty results. But then I noticed that trixbox has plenty of xajax.js files used by different modules (i.e. tbm-dhcp) and all have the same problem. It must be something with http, because on a spoiled machine every xajax.js I call directly from a browser has the ????????????? at the end problem. Those question marks make the include time out, disabling the ajax script in trixbox.
I eliminated everything related to Trix! PHP / HTTPD / Trix/ MYSQL / FREEPBX / etc!
I spent 2 hours scouring the folders to be sure to wipe out any trace of Trix and its supporting cast.
Then I re-installed everything using YUM. Not from disk/iso but on the same machine. That would be the only way to be able to determine if Trix was the culprit.
The same exact message appeared. And yes the machine was still useless.
Yes the port 80 was open as it has been for months and months. No it does not make sense to leave it open and the new machine I am using has it closed.
But that does not take away from the fact that the box is hacked and that Trix is hackable. I have several web-stores and all have to have port 80 open and yet not one of them has been down in over 5 years due to a hack.
Bottom line it appears that Trix is hackable, it has been hacked and a guy with everything buttoned down also got hacked with the same issue. Check the full thread.
Something more sinister than xajax is at hand here.
Please don't go rummaging for hours and hours as I did since the only fix is a complete re-install or restore from a lucky back-up.
I am just wondering how long till they are making calls to cell phones in Europe (high cost) using hacks.
Trix is awesome but now it is hackable!
Trix is awesome but now it is hackable!
Please stop with your chicken little "the sky is falling" posts.
It is getting clearer and clearer that the root exploit and the ajax problem are two separate points.
If your machine is secured you don't have to worry about calls to Europe or any other misuse. You can expose SIP and IAX to the outside world. Make sure you have strong secrets in your extensions.
Now on to the ajax issue. Something had to be done to the system to introduce the ajax problem. We need someone who has a specific timeline to post what changed before and after.
New to this forum, I keep seeing a recurring defensiveness, rude comments etc. There is definitely more discussion about how bad or stupid people are than anyone providing solutions to the issues at hand.
Focus on the problems/issues and not on attacking the folks. Yes it is a problem that the only box that I have had hacked in 5 years is a Trixbox.
If they did hack Centos they did it through a hole in Trixbox.
I never attacked anyone in this forum. Defensiveness is the first sign that collectively no one has a clue on how to resolve this matter. Or they do, but they may want to simply charge for the clues?
This whole Trixbox hack looks very suspicious. Wouldn't be the first time something was purposely broken in order to charge to fix it.
My hacked machine had no updates since the last time it was working days before. It had been up for weeks and weeks without a change. Then all I try to access the box and the xajax issue all out.
Well only Fonality would have a financial stake in what you are claiming and they have been relatively quiet. Working on a fix.
As far as I am concerned I have not seen any data that is credible to claim their machine has been compromised.
The folks that were compromised indicated their machines used an IRC root exploit. I can't imagine someone would waste time with screwing up the trixbox wrapper when they could be doing DDOS attacks and running up your phone bill.
There are folks here (including myself) who have a large base of systems we manage. There has not been a single word of an issue from the folks I trust implicitly.
So I am not being defensive, I am being adversarial. It is a very effective technique for getting to the bottom of issues.
I am not here to win a popularity contest.
First off, I just wanted to say thanks for the laugh.
I don't take offense at the idea that somehow, somebody (me?) is going to make money by purposefully breaking something in the code. That's just ludicrous. It's free software, people. And I don't get paid to break code. That kind of nonsense would probably get me fired, as well it should.
At any rate, I cannot duplicate this xajax error. I have performed the exploit, found that it works, and that afterward some weird things happen. Fixing this involves deleting some session files and cookies and clearing caches. I've described this several times now. After adding some code to filter that variable (langChoice), the exploit no longer works. I've tested this. Its in the updated RPM for guicore. We posted a script to perform the fix on 2.4 systems.
I am not sure what more we can do.
I am happy to fix problems, but I have to be able to duplicate them. So help me out. Throw me a bone. Send me a vmware image of your borked system if you have to.
borked
Wow you used Bork, did Kerry authorize this? I guess you have been promoted in trix box land.
Seriously, that's a great offer. I doubt you will get someone to spin you a vmware image of the damaged system, however they should let you log in.
I am very interested in what the real cause of the ajax errors are.
Scott
hmm, I didn't know the usage of 'bork' was something that implied blessing by kerry (I'm not aware of there being a copyright on the term or anything..).
At any rate, I suppose the idea of a vmware image is probably impractical. But whatever. Send me a login, or screenshots, or step by step what you did to arrive at your issue, etc. Anything that would let me duplicate the situation so that I may fix it.
I am flexible and open to any and all ideas to get these issues resolved.
Greywire,
If you want access to the hosed system I have I will be more than happy to give it to you.
Send me an e-mail to mclancycpa@gmail.com and I will provide you with the link and passwords.
The system is going to get wiped out once I am in front of it but right now it is the perfect test example of a hosed trixbox. Please be sure to take note of all the things I have already done to try to fix it as noted in my previous comments.
No need to try and duplicate the error since I have a handsomely hacked box waiting for someone who knows what they are doing to have a look under the hood.
I didn't know the usage of 'bork' was something that implied blessing by kerry
Hey, Kerry uses the term borked frequently, I was trying to be funny.
Anyway, did not mean to volunteer you to access a system, however the opportunity seems a good one.
Looking forward to your take on the situation.
It's ok, I was trying to be funny as well. I didn't intend to come off snippy (except for where I commented on the idea of making money from planned problems).
I will get that info on that compromised system and try to figure out what the deal is.
I will let you all know how it goes.
Hi all.
As you have probably noticed, something enters ASCII zeroes in files sent to the browser.
So, I think that there is a program that filters the characters sent through port 80.
I've adjusted settings of apache so as to listen on a different port (in my case 8080) and now everything works.
I did not understand what the cause is, but the problem of the GUI is solved.
Giovanni
That follows from what I tested on that system. The files are not physically messed up. If you do a wget for that file, it seems fine, even remotely. But in a browser it gets messed up. I don't know how this is happening...
Changing the port is interesting. That's probably a good idea to do, anyways.
It could also have been a bot that used that exploit and injected a single line of code into some file - for what, for no purpose other than to say that "I did it", much like many of the other viruses out there that attack windows systems, the virus creator has very little gain by the spread of his virus, yet he lets it do its small deed across thousands of machines.
Many of these exploitations are brought about by companies like Lexsi; the exploit itself is definitely there due to the person that made it, whether it be a software developer, or a consultant that implemented the system. Who is to blame? That's hard to say, everyone can take some measure of fault, from the security auditor, to the developer, to the implementer, to the bot/virus maker.
/randomspeculation
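Giovanni's observation (zero bytes appended to files sent to the browser) and Greywire's test (the file fetched with wget looks fine, the file seen by the browser does not) both point at the HTTP path rather than the file on disk. The script below is an added diagnostic for telling those two cases apart; it is not from the thread or from the trixbox project. It fetches the served copy, compares it byte for byte with the on-disk file, and reports whether the served copy is identical, identical apart from a run of trailing NUL or '?' bytes, or genuinely different (which would mean the file itself was modified). The URL, the paths and the demo data are constructed placeholders; curl, od, cmp and head -c are assumed to be installed.

```shell
#!/bin/sh
# Added diagnostic (not trixbox code): compare a file as served over HTTP with
# the copy on disk, and measure any trailing NUL (0x00) / '?' (0x3f) padding.

# Count the run of NUL or '?' bytes at the very end of a file.
# od prints every byte as hex; awk resets the counter on any other byte, so
# the final value is the length of the trailing junk run only.
trailing_junk_count() {
    od -An -v -tx1 "$1" | tr -s ' \n' '\n' |
        awk 'NF { if ($1 == "00" || $1 == "3f") n++; else n = 0 } END { print n + 0 }'
}

# Classify the served copy relative to the on-disk file. Prints one of:
#   identical   - byte-for-byte the same (nothing in the HTTP path touched it)
#   padded N    - same content followed by N trailing NUL/'?' bytes
#   different   - the content itself differs (look at the file, not at httpd)
classify_served() {
    disk="$1"; served="$2"
    if cmp -s "$disk" "$served"; then
        echo identical
        return 0
    fi
    junk=$(trailing_junk_count "$served")
    total=$(wc -c < "$served" | tr -d ' ')
    keep=$((total - junk))
    if [ "$junk" -gt 0 ] && head -c "$keep" "$served" | cmp -s "$disk" -; then
        echo "padded $junk"
    else
        echo different
    fi
}

# Fetch the served copy with curl (assumed installed) and classify it.
# Example (placeholder values):
#   check_url /var/www/html/maint/includes/xajax_js/xajax.js \
#             http://pbx.example.invalid/maint/includes/xajax_js/xajax.js
check_url() {
    disk="$1"; url="$2"
    tmp=$(mktemp) || return 1
    if ! curl -fsS -o "$tmp" "$url"; then
        rm -f "$tmp"
        echo fetch-failed
        return 1
    fi
    classify_served "$disk" "$tmp"
    rm -f "$tmp"
}

# Constructed demonstration data (not real trixbox files): a tiny "on disk"
# script and a "served" copy with three NULs and three '?' appended.
demo() {
    d=$(mktemp -d) || return 1
    printf 'var xajax = {};\n' > "$d/disk.js"
    { cat "$d/disk.js"; printf '\000\000\000???'; } > "$d/served.js"
    classify_served "$d/disk.js" "$d/served.js"   # prints: padded 6
    rm -rf "$d"
}

# Run the demo only when asked, so the functions can be sourced from another script.
[ "$1" = "--demo" ] && demo
```

Run it once against a copy served on the original port 80 and once against the same file on the alternate port (8080 in Giovanni's case): "padded N" on port 80 and "identical" on 8080 would confirm that the bytes are added in transit rather than stored in the file, and "different" on both would mean the file on disk was altered and the package should be verified (rpm -Vf on the path) or reinstalled as suggested earlier in the thread.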