Sounds like your box has been compromised. Check the running processes and lock down remote ssh access to your server.
Thanks, --Warren Selby, dCAP On Nov 17, 2010, at 12:53 AM, Patrick <asterisk-us...@ict-synergy.be> wrote: > I also forgot to add that my bandwidth is highly used (mostly out > traffic) since I've detected the "attack" > > > > On Wed, Nov 17, 2010 at 06:46, Patrick <asterisk-us...@ict-synergy.be> wrote: >> Dear asterisk users, >> >> A few weeks ago I've been attacked by a DOS on REGISTER that I've >> solved with a fail2ban script. >> Now, since a few hours, I have my asterisk 1.4.21.2 running at 100% CPU >> again. >> >> I've checked the log and it shows nothing related to failed register >> or whatever. It just tells me that some of my peers are lagged, even >> with a verbosity of 10000 >> >> I've made a "SIP SHOW CHANNELS" and I've a very strange thing, I got >> between 4000 and 5000 active channels from peer 127.0.0.1. I have no >> sip phone on localhost. Here is an excerpt of my command >> >> Peer User/ANR Call ID Seq (Tx/Rx) Format >> Hold Last Message >> 127.0.0.1 (None) 385677377 00101/00001 0x0 (nothing) >> No Rx: REGISTER >> 127.0.0.1 (None) 1623666249 00101/00001 0x0 (nothing) >> No Rx: REGISTER >> 127.0.0.1 (None) 1478349241 00101/00001 0x0 (nothing) >> No Rx: REGISTER >> 127.0.0.1 (None) 1830524844 00101/00001 0x0 (nothing) >> No Rx: REGISTER >> 127.0.0.1 (None) 1688182896 00101/00001 0x0 (nothing) >> No Rx: REGISTER >> 127.0.0.1 (None) 1391124899 00101/00001 0x0 (nothing) >> No Rx: REGISTER >> 127.0.0.1 (None) 2692644729 00101/00001 0x0 (nothing) >> No Rx: REGISTER >> 127.0.0.1 (None) 2043438815 00101/00001 0x0 (nothing) >> No Rx: REGISTER >> 127.0.0.1 (None) 3226298375 00101/00001 0x0 (nothing) >> No Rx: REGISTER >> 127.0.0.1 (None) 170429466 00101/00001 0x0 (nothing) >> No Rx: REGISTER >> >> It is not a configuration issue causing loops because my config has >> not changed since months. >> >> Any help is appreciated >> >> Best regards, >> Patrick >> > > -- > _____________________________________________________________________ > -- Bandwidth and Colocation Provided by http://www.api-digital.com -- > New to Asterisk? Join us for a live introductory webinar every Thurs: > http://www.asterisk.org/hello > > asterisk-users mailing list > To UNSUBSCRIBE or update options visit: > http://lists.digium.com/mailman/listinfo/asterisk-users -- _____________________________________________________________________ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- New to Asterisk? Join us for a live introductory webinar every Thurs: http://www.asterisk.org/hello asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users