isc.sans.edu 4/13/2026, 2:01:14 PM

FreePBX hit by EncystPHP shell creating hidden admin accounts

CyberSIXT Evidence Panel
Primary source: fortinet.com

Researchers are observing scans for the EncystPHP web shell, a tool Fortinet first reported in January as a weaponised web shell and which is now appearing in attempts to compromise vulnerable FreePBX systems. The observed requests include a GET to /admin/modules/phones/ajax[.]php?md5=cf710203400b8c466e6dfcafcf36a411 with a Host header naming the victim on port 8000 and a Mozilla/5.0 User-Agent, among other headers.

The parameter name md5 is misleading: the web shell simply compares the supplied string to a hard-coded value, and attackers may use different values across campaigns, so the value alone is not a reliable indicator. Probes originate from 160.119.76[.]250, an IP address located in the Netherlands that hosts an unconfigured web server and is also probing for other FreePBX vulnerabilities, for example /restapps/applications[.]php?linestate=$$LINESTATE$$&user=100.

The EncystPHP variant observed also adds backdoor accounts such as root, silla and sugarmaint via chpasswd, which could be used to maintain access on compromised systems. According to Fortinet, this version of EncystPHP drops the web shell and additionally creates these accounts, so FreePBX administrators should check for them to confirm their systems are not compromised.
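A defender-side check for the two indicators described above (requests to the probe path, and the backdoor accounts), written here as an added example; it is not code from the ISC diary or from Fortinet. The access-log lines, passwd and shadow entries are constructed, 203.0.113.7 is a placeholder address, and only the md5 value in the first log line is the one quoted in the diary.

```python
import re
from urllib.parse import parse_qs, urlsplit

# FreePBX path that the observed EncystPHP probes request (from the diary).
PROBE_PATH = "/admin/modules/phones/ajax.php"
# Backdoor account names reported by Fortinet. root is handled separately:
# it always exists and is only modified (password reset via chpasswd).
BACKDOOR_ACCOUNTS = {"silla", "sugarmaint"}

# Apache/Nginx combined-format request line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def probe_hits(access_log):
    """Return (ip, md5_value, status) for every request to the probe path.
    The md5 value is reported but never required to match a known one,
    because the diary notes it differs between campaigns. A status other
    than 404 means something is actually serving that path on this host."""
    hits = []
    for line in access_log.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        if parts.path != PROBE_PATH:
            continue
        md5 = parse_qs(parts.query).get("md5", [None])[0]
        hits.append((m["ip"], md5, int(m["status"])))
    return hits

def suspicious_accounts(passwd, shadow, since_days):
    """Known backdoor names present in /etc/passwd, plus any account whose
    /etc/shadow 'last changed' field (days since 1970-01-01) is at or after
    since_days; the latter is what reveals a chpasswd reset of root."""
    found = set()
    for line in passwd.splitlines():
        name = line.split(":")[0]
        if name in BACKDOOR_ACCOUNTS:
            found.add(name)
    for line in shadow.splitlines():
        f = line.split(":")
        if len(f) > 2 and f[2].isdigit() and int(f[2]) >= since_days:
            found.add(f[0])
    return sorted(found)

# Constructed samples (not captured data); 203.0.113.7 / 198.51.100.9 are documentation addresses.
SAMPLE_LOG = """\
203.0.113.7 - - [13/Apr/2026:13:58:01 +0000] "GET /admin/modules/phones/ajax.php?md5=cf710203400b8c466e6dfcafcf36a411 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Apr/2026:13:58:02 +0000] "GET /admin/modules/phones/ajax.php?md5=0123456789abcdef0123456789abcdef HTTP/1.1" 404 0 "-" "Mozilla/5.0"
198.51.100.9 - - [13/Apr/2026:14:00:00 +0000] "GET /admin/config.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""
SAMPLE_PASSWD = "root:x:0:0:root:/root:/bin/bash\nasterisk:x:999:999::/var/lib/asterisk:/sbin/nologin\nsilla:x:1001:1001::/home/silla:/bin/bash\n"
SAMPLE_SHADOW = "root:$6$x:20556:0:99999:7:::\nasterisk:*:19000:0:99999:7:::\nsilla:$6$y:20556:0:99999:7:::\n"
```

On a live system, feed the real access log and the contents of /etc/passwd and /etc/shadow, with since_days set to the day count of the last known-good password change.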


Article by CyberSIXT