Hi,

Thank you for your support. The server is actually compromised. I discovered that after making a deep trace using the audit daemon and looking for the kill signal (SIGKILL) that terminates asterisk. I discovered that there is an executable with a random name in the /boot folder that is killing and deleting asterisk!!!
This executable is launched by a service in /etc/rc.d/ with the same random name. When I stopped this service, a new service was created with another different random name and it too is killing and deleting asterisk. This was the evidence I needed to be convinced that the server has a virus and is compromised. The good thing is that this is a fresh install and hence there is no sensitive data or a lot of work done on it, so I will reinstall the OS and start over. The bad thing is that I spent more than 4 days trying to understand what was going on.

Again, thank you for your support.

Regards,
Antoine Megalla

Sent from my iPhone

On Nov 27, 2014, at 8:00 PM, asterisk-users-requ...@lists.digium.com wrote:

> Today's Topics:
>
>    1. Re: Strange Issue: asterisk deleted (Antoine Megalla)
>    2. Re: High resident memory with 11.14.0 ? (James Lamanna)
>    3. Re: Strange Issue: asterisk deleted (Chad Wallace)
>    4. Re: Strange Issue: asterisk deleted (Marie Fischer)
>    5. Re: SIP call drops after 32 seconds, but only when.... (Marie Fischer)
>    6. Re: SIP call drops after 32 seconds, but only when.... (Amit Patkar)
>    7. Re: Strange Issue: asterisk deleted (Thorsten Göllner)
>    8. Re: Strange Issue: asterisk deleted (Antoine Megalla)
>    9. Re: Strange Issue: asterisk deleted (A J Stiles)
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Wed, 26 Nov 2014 22:08:05 +0200
> From: Antoine Megalla <aa...@rocketmail.com>
> To: Thorsten Göllner <t...@ovm-group.com>
> Cc: Asterisk Users Mailing List - Non-Commercial Discussion <asterisk-users@lists.digium.com>
> Subject: Re: [asterisk-users] Strange Issue: asterisk deleted
> Message-ID: <7d5a57fb-657c-439b-9dcb-2790ae9c9...@rocketmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> Hi,
>
> I looked for asterisk in /usr/sbin using the commands ls and find and whereis and it was not there.
>
> I know that the process is killed because when I start asterisk using the command asterisk -vvvvc it starts and then it exits and the word killed is written on the console.
>
> Every time I copy a new executable to /usr/sbin either using cp command or make install it gets deleted too.
>
> Now I used the strace command on asterisk and I can clearly see at the end of the strace the line: killed by SIGKILL
> This means that something or someone is actually and purposely killing asterisk, but I do not know what or who is doing that. Also, I know that I am the only user on the system.
>
> Again, any indicators to solve this very weird issue are welcomed.
>
> Regards,
> Antoine Megalla
>
> Sent from my iPhone
>
> On Nov 26, 2014, at 6:12 PM, Thorsten Göllner <t...@ovm-group.com> wrote:
>
>> On 26.11.2014 11:37, Antoine Megalla wrote:
>>> Hi,
>>>
>>> I am struggling with a very strange issue I have been facing for the past week.
>>> I have a fresh install of CENTOS 5.11 and I have installed asterisk 1.8.32 from sources.
>>> The asterisk installation went fine, but as soon as I start the asterisk executable it loads everything and then after the "Ready" line the process gets killed, and when I try to run it again I get: /usr/sbin/asterisk : command not found
>>>
>>> I cleaned the source and re-installed asterisk and again the same thing happened!!!
>>> I downloaded asterisk versions 1.4, 11, 12 and compiled them from sources and installed them (make install) and amazingly, the same thing happened to all of them: I do a "make" then "make install" and as soon as I start asterisk the process is killed and the executable removed from /usr/sbin.
>>>
>>> I tried to look at the asterisk log files but I cannot find a single error in them.
>>> Also, if it was really deleted, how did bash know that asterisk is supposed to be located in /usr/sbin/asterisk?
>>>
>>> I tried to copy the executable myself after compilation (everything done as root) to /usr/sbin and again, if it runs then it is deleted.
>>>
>>> If someone can explain this behavior to me or advise me on what to check to resolve this issue, I would be grateful.
>>
>> Hi,
>>
>> you write "Also if it was really deleted .." - did you look at it via "ls /usr/sbin/asterisk"?
>>
>> You compiled asterisk (make / make install) as root I think. Perhaps access rights are not set properly? root is owner but you try to start the daemon as "normal" user?
>>
>> You write "the process is killed". Where do you know that from? Did you get a message on your terminal? Did you take a look at /var/log/syslog?
>>
>> Best regards
>> -Thorsten-
>
> ------------------------------
>
> Message: 2
> Date: Wed, 26 Nov 2014 15:20:06 -0500
> From: James Lamanna <jlama...@gmail.com>
> To: Asterisk Users Mailing List - Non-Commercial Discussion <asterisk-users@lists.digium.com>
> Subject: Re: [asterisk-users] High resident memory with 11.14.0 ?
> Message-ID: <CADScKLzHeEiZL51Oi=6bc6vcgooqernuoiriw10sp+yc5vf...@mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> On Tue, Nov 25, 2014 at 10:21 AM, James Lamanna <jlama...@gmail.com> wrote:
>
>> On Tue, Nov 25, 2014 at 8:14 AM, Matthew Jordan <mjor...@digium.com> wrote:
>>
>>> On Mon, Nov 24, 2014 at 2:12 PM, James Lamanna <jlama...@gmail.com> wrote:
>>>> Also, how big does the cache in frame.c grow to?
>>>> I've recompiled with MALLOC_DEBUG on that server:
>>>>
>>>> asterisk -rx "memory show summary"
>>>>
>>>> ....
>>>> 1780466242 bytes (1780181594 cache) in 2352909 allocations in file frame.c
>>>> ...
>>>>
>>>> Seems like a ridiculous cache.
>>>
>>> I'm not going to respond to your new thread, since it is the same discussion as this one.
>>>
>>> The frame cache is a per-thread local cache of frames that prevents having to re-allocate frames as they pass through Asterisk. Clearly, something is abusing it.
>>>
>>> I think you'll need to provide some more information on how you're producing this situation. Specifically:
>>> * Channel technologies involved, and the formats on the channels
>>> * Dialplan that reproduces the problem
>>>
>>> Are you using any non-core dialplan applications or channel drivers?
>>
>> This PBX has about 100 registered SIP clients, along with 23 PRI channels, 2 inbound/outbound SIP trunks and around 100 IAXModems registered to it. It primarily handles faxing.
>> I am not using any non-standard channel drivers. I am using the T.38 gateway functionality.
>>
>> The gist of the dialplan is this: (example of the PRI and a SIP trunk, inbound)
>>
>> [pri-in]
>> exten => _X.,1,Set(__FROM_DID=${EXTEN})
>> exten => _X.,n,Set(FAX_IDX=700)
>> exten => _X.,n,Set(MAX_IDX=719)
>> exten => _X.,n,Goto(dial-hylafax,s,1)
>>
>> [sip-trunk-in]
>> exten => _X.,1(normal),Set(__FROM_DID=${EXTEN})
>> exten => _X.,n,Set(FAX_IDX=950)
>> exten => _X.,n,Set(MAX_IDX=959)
>> exten => _X.,n,Set(FAXOPT(gateway)=yes)
>> exten => _X.,n,Goto(dial-hylafax,s,1)
>>
>> [dial-hylafax]
>> exten => s,1,GotoIf($["${FROM_DID:0:1}" = "1"]?prune:cont)
>> exten => s,n(prune),Set(__FROM_DID=${FROM_DID:1})
>> exten => s,n(cont),GotoIf($[${FAX_IDX} <= ${MAX_IDX}]?tryfax:nofax)
>> exten => s,n(tryfax),Set(STATE=${DEVICE_STATE(Custom:iaxmodem${FAX_IDX})})
>> exten => s,n,NoOp(${STATE})
>> exten => s,n,Set(DEVICE_STATE(Custom:iaxmodem${FAX_IDX})=INUSE)
>> exten => s,n,Dial(IAX2/iaxmodem${FAX_IDX}/${FROM_DID},60,g)
>> exten => s,n,Goto(s-${DIALSTATUS},1)
>> exten => s,n(nofax),Playtones(busy)
>> exten => s,n,NoOp(NO MODEMS AVAILABLE)
>> exten => s,n,Wait(20)
>> exten => s,n,Hangup()
>> exten => s-ANSWER,1,NoOp(IAXMODEM HANGUP)
>> exten => s-ANSWER,n,Set(DEVICE_STATE(Custom:iaxmodem${FAX_IDX})=NOT_INUSE)
>> exten => s-ANSWER,n,Hangup()
>> exten => _s-.,1,Set(FAX_IDX=${MATH(1+${FAX_IDX},i)})
>> exten => _s-.,n,Goto(s,1)
>> exten => h,1,Set(DEVICE_STATE(Custom:iaxmodem${FAX_IDX})=NOT_INUSE)
>>
>> The current state requires me to restart Asterisk almost every day.
>> I'm also seeing this on a completely different machine after upgrading from Asterisk 10 to 11.
>
> I'm wondering if this is a problem in the SLIN converter?
> I do use SLIN with iaxmodem.
>
> -- James
>
> ------------------------------
>
> Message: 3
> Date: Wed, 26 Nov 2014 14:54:27 -0800
> From: Chad Wallace <cwall...@lodgingcompany.com>
> To: asterisk-users@lists.digium.com
> Subject: Re: [asterisk-users] Strange Issue: asterisk deleted
> Message-ID: <20141126145427.4819c...@ws78.int.tlc>
> Content-Type: text/plain; charset=US-ASCII
>
> On Wed, 26 Nov 2014 22:08:05 +0200
> Antoine Megalla <aa...@rocketmail.com> wrote:
>
>> I looked for asterisk in /usr/sbin using the commands ls and find and whereis and it was not there.
>>
>> I know that the process is killed because when I start asterisk using the command asterisk -vvvvc it starts and then it exits and the word killed is written on the console.
>>
>> Every time I copy a new executable to /usr/sbin either using cp command or make install it gets deleted too.
>>
>> Now I used the strace command on asterisk and I can clearly see at the end of the strace the line: killed by SIGKILL. This means that something or someone is actually and purposely killing asterisk, but I do not know what or who is doing that. Also, I know that I am the only user on the system.
>
> I don't know if there's any way to see where the signal comes from. But I think it would have to be another process. Is this a hosted machine? Could it be that your hosting provider doesn't allow asterisk? This would be a good way to enforce that rule. Otherwise, it could be a root kit or a virus.
>
> Or it could be that you (or someone else) wanted to make sure asterisk wasn't running at some point and left "while true; do killall -9 asterisk; done" running in a shell, and forgot about it.
>
> You can list all the processes with the command "ps -ef"
>
> And to see if anyone else (or yourself) is logged in, run "w". That will show every individual session and where they're connected from.
>
> --
>
> C. Chad Wallace, B.Sc.
> The Lodging Company
> http://www.lodgingcompany.com/
> OpenPGP Public Key ID: 0x262208A0
>
> ------------------------------
>
> Message: 4
> Date: Thu, 27 Nov 2014 06:18:19 +0200
> From: Marie Fischer <ma...@vtl.ee>
> To: Asterisk Users Mailing List - Non-Commercial Discussion <asterisk-users@lists.digium.com>
> Subject: Re: [asterisk-users] Strange Issue: asterisk deleted
> Message-ID: <7442cb28-9f60-480d-9e8f-d139727db...@vtl.ee>
> Content-Type: text/plain; charset=us-ascii
>
> On 26.11.2014, at 22:08, Antoine Megalla <aa...@rocketmail.com> wrote:
>>> The asterisk installation went fine, but as soon as I start the asterisk executable it loads everything and then after the "Ready" line the process gets killed, and when I try to run it again I get: /usr/sbin/asterisk : command not found
>> I looked for asterisk in /usr/sbin using the commands ls and find and whereis and it was not there.
>>
>> I know that the process is killed because when I start asterisk using the command asterisk -vvvvc it starts and then it exits and the word killed is written on the console.
>>
>> Every time I copy a new executable to /usr/sbin either using cp command or make install it gets deleted too.
>
> Interesting problem, I'm quite curious what the cause is.
>
> Are you 100% sure that the asterisk you are running is in /usr/sbin? Try 'which asterisk' to see what your shell is running and/or start asterisk with a full path as /usr/sbin/asterisk -vvvvc.
>
> You could also try renaming the binary to find out if indeed something kills Asterisk by name.
>
> There's a tool called SystemTap which could give you information on which process sent the SIGKILL:
> https://sourceware.org/systemtap/
> http://www.percona.com/blog/2014/07/18/systemtap-solves-phantom-mysqld-sigterm-sigkill-issue/
>
> --
>
> marie
>
> ------------------------------
>
> Message: 5
> Date: Thu, 27 Nov 2014 06:31:37 +0200
> From: Marie Fischer <ma...@vtl.ee>
> To: Asterisk Users Mailing List - Non-Commercial Discussion <asterisk-users@lists.digium.com>
> Subject: Re: [asterisk-users] SIP call drops after 32 seconds, but only when....
> Message-ID: <cf4f37ed-8ddf-43dc-9e9c-79a292e86...@vtl.ee>
> Content-Type: text/plain; charset=windows-1252
>
> On 22.11.2014, at 13:40, Yves A. <yves...@gmx.de> wrote:
>> I have a really strange problem which has been driving me crazy for days now.
>>
>> If I register my asterisk (tried all versions from 1.6 up to 13.x) with one sip registrar, everything works... calls go out and calls come in... no 32 seconds limit.
>>
>> but as soon as I configure another sip registration on another server, outgoing calls drop after 32 seconds.
>
> Do a 'sip set debug on' and see what they (Asterisk and the registrar) are talking about just before the call drops.
>
> --
>
> marie
>
> ------------------------------
>
> Message: 6
> Date: Thu, 27 Nov 2014 10:49:23 +0530
> From: Amit Patkar <a...@avhan.com>
> To: asterisk-users@lists.digium.com
> Subject: Re: [asterisk-users] SIP call drops after 32 seconds, but only when....
> Message-ID: <5476b45b.4020...@avhan.com>
> Content-Type: text/plain; charset="iso-8859-1"; Format="flowed"
>
> Call drop after 30+ sec happens if RTP is not received by asterisk for 30 seconds (RTP Timeout).
> You should look for the media IP address in SDP. If there is a firewall, apart from port UDP/5060, you also need to open ports UDP/10000-UDP/20000 (standard RTP ports).
> You should try with RTP debug. It should show bidirectional traffic. If not, you surely have an issue with media IP or ports.
>
> *Thanks & Regards,*
> Amit Patkar
>
> On 11/27/2014 10:01 AM, Marie Fischer wrote:
>> Do a 'sip set debug on' and see what they (Asterisk and the registrar) are talking about just before the call drops.
>
> ------------------------------
>
> Message: 7
> Date: Thu, 27 Nov 2014 10:09:23 +0100
> From: Thorsten Göllner <t...@ovm-group.com>
> To: Antoine Megalla <aa...@rocketmail.com>
> Cc: Asterisk Users Mailing List - Non-Commercial Discussion <asterisk-users@lists.digium.com>
> Subject: Re: [asterisk-users] Strange Issue: asterisk deleted
> Message-ID: <5476ea43.1090...@ovm-group.com>
> Content-Type: text/plain; charset="utf-8"
>
> Did you take a look at /var/log/syslog?
>
> ------------------------------
>
> Message: 8
> Date: Thu, 27 Nov 2014 11:11:36 +0200
> From: Antoine Megalla <aa...@rocketmail.com>
> To: Thorsten Göllner <t...@ovm-group.com>
> Cc: Asterisk Users Mailing List - Non-Commercial Discussion <asterisk-users@lists.digium.com>
> Subject: Re: [asterisk-users] Strange Issue: asterisk deleted
> Message-ID: <ff950549-b06c-4e2c-9413-aa8faffb2...@rocketmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> Yes I did, and there is nothing about asterisk in the /var/log folder.
>
> I am starting to think that the server is compromised.
>
> Sent from my iPhone
>
> On Nov 27, 2014, at 11:09 AM, Thorsten Göllner <t...@ovm-group.com> wrote:
>
>> Did you take a look at /var/log/syslog?
>
> ------------------------------
>
> Message: 9
> Date: Thu, 27 Nov 2014 10:05:44 +0000
> From: A J Stiles <asterisk_l...@earthshod.co.uk>
> To: "Asterisk Users Mailing List - Non-Commercial Discussion" <asterisk-users@lists.digium.com>
> Subject: Re: [asterisk-users] Strange Issue: asterisk deleted
> Message-ID: <201411271005.44407.asterisk_l...@earthshod.co.uk>
> Content-Type: Text/Plain; charset="iso-8859-6"
>
> On Wednesday 26 Nov 2014, Antoine Megalla wrote:
>> Hi,
>>
>> I looked for asterisk in /usr/sbin using the commands ls and find and whereis and it was not there.
>>
>> I know that the process is killed because when I start asterisk using the command asterisk -vvvvc it starts and then it exits and the word killed is written on the console.
>>
>> Every time I copy a new executable to /usr/sbin either using cp command or make install it gets deleted too.
>>
>> Now I used the strace command on asterisk and I can clearly see at the end of the strace the line: killed by SIGKILL. This means that something or someone is actually and purposely killing asterisk, but I do not know what or who is doing that. Also, I know that I am the only user on the system.
>>
>> Again, any indicators to solve this very weird issue are welcomed.
>
> It sounds as though your server might have been compromised.
>
> Get another machine of the same bit architecture and perform a fresh install of exactly the same OS as your Asterisk box on that. Install busybox too (it's usually there anyway, as it's required for building the initial RAMdisks used by most distros for booting). Using a USB stick (preferably one that can be set read-only), copy at least the `ls`, `ps`, `netstat`, `w`, `lsattr`, `md5sum`, `cat`, `diff` and `busybox` binaries over (to somewhere that isn't /usr/bin/). Use both the existing installed and the newly-copied md5sum and diff to check each system binary against the known-good ones. You can use busybox to replicate commands you haven't copied (but note that busybox versions are rather cut-down as compared to the GNU tools you know and love. Come to think of it, they're cut-down as compared to the BSD tools everyone replaces with GNU versions once they have a C compiler up and running).
>
> Compare /etc/inittab between the two machines.
>
> Many rootkits mess with ext[2-4]fs attributes, presumably to stop you overwriting their overwritten system binaries; so use a known good lsattr to check the attributes of everything in /bin/, /sbin/, /usr/bin/ and /usr/sbin/ -- watch out for anything set immutable.
>
> Getting rid of the compromise fortunately is reasonably easy, especially if your /home folder is on its own partition. Just ignore that partition during reinstallation, edit your /etc/fstab afterwards and reboot -- your original /home will be preserved intact. If not, use systemrescuecd or something similar to boot a known-good system. Use mv to rename /home to a new name. Shrink a disk partition and create a new small partition. Use that for your /home during the reinstall. Then again edit /etc/fstab, unmount /home, mv your old /home back to /home and reboot.
>
> --
> AJS
>
> Note: Originating address only accepts e-mail from list! If replying off-list, change address to asterisk1list at earthshod dot co dot uk .
>
> ------------------------------
>
> _______________________________________________
> --Bandwidth and Colocation Provided by http://www.api-digital.com--
>
> asterisk-users mailing list
> To UNSUBSCRIBE or update options visit:
> http://lists.digium.com/mailman/listinfo/asterisk-users
>
> End of asterisk-users Digest, Vol 124, Issue 29
> ***********************************************
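The two triage steps this thread converges on, tracing with the audit daemon which process sends the SIGKILL (the approach Antoine's closing reply describes) and checking system binaries against a known-good md5sum manifest and lsattr's immutable flag (A J Stiles' advice), as one added POSIX shell example that is not code from the thread or from any of its authors. The audit records are constructed samples, and MD5SUM and LSATTR are assumed variable names for pointing the checks at tools copied from a clean machine.

```shell
#!/bin/sh
# Added triage helpers (not from the thread) for the "asterisk is SIGKILLed and
# deleted" symptom. MD5SUM and LSATTR are assumed variables: leave them unset to
# use the tools in PATH, or point them at binaries copied from a clean machine.
#
# The audit rule that records every SIGKILL sent on the box (run once as root,
# not executed here; records land in /var/log/audit/audit.log):
#   auditctl -a always,exit -F arch=b64 -S kill -F a1=9 -k sigkill
# Add the same rule with -F arch=b32 on a 32-bit install.

# Read raw audit records on stdin and print one line per SIGKILL:
#   sender_pid sender_comm sender_exe target_pid
sigkill_senders() {
    awk '
    function hex2dec(h,   i, d) {
        d = 0; h = tolower(h)
        for (i = 1; i <= length(h); i++)
            d = d * 16 + index("0123456789abcdef", substr(h, i, 1)) - 1
        return d
    }
    # kill is syscall 62 on x86_64 (arch c000003e) and 37 on i386 (arch 40000003).
    # a1 is the signal number (9 = SIGKILL), a0 the target pid; both are hex.
    /type=SYSCALL/ && / a1=9 / {
        if (!((/ arch=c000003e / && / syscall=62 /) || (/ arch=40000003 / && / syscall=37 /))) next
        pid = comm = exe = a0 = ""
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "pid") pid = kv[2]
            else if (kv[1] == "comm") comm = kv[2]
            else if (kv[1] == "exe") exe = kv[2]
            else if (kv[1] == "a0") a0 = kv[2]
        }
        gsub(/"/, "", comm); gsub(/"/, "", exe)
        printf "%s %s %s %d\n", pid, comm, exe, hex2dec(a0)
    }'
}

# Check every "<md5>  <relative path>" line of manifest $1 (built on the clean
# machine with md5sum) against the tree rooted at $2. Prints MISSING/MODIFIED
# lines; returns 1 if anything differs, 0 if every file matches.
verify_manifest() {
    manifest=$1; root=$2; bad=0
    while read -r sum path; do
        [ -n "$sum" ] || continue
        if [ ! -f "$root/$path" ]; then
            printf 'MISSING %s\n' "$path"; bad=1
        elif [ "$(${MD5SUM:-md5sum} "$root/$path" | cut -d' ' -f1)" != "$sum" ]; then
            printf 'MODIFIED %s\n' "$path"; bad=1
        fi
    done < "$manifest"
    return $bad
}

# List regular files under $1 whose ext2/3/4 attributes include the immutable
# flag ('i' in the first lsattr column), the marker A J Stiles warns about.
find_immutable() {
    lsattr=${LSATTR:-lsattr}
    command -v "$lsattr" >/dev/null 2>&1 || { echo "$lsattr: not found" >&2; return 2; }
    find "$1" -type f -exec "$lsattr" {} + 2>/dev/null |
        awk '{ attrs = $1; $1 = ""; sub(/^ /, ""); if (attrs ~ /i/) print }'
}

# Constructed sample records (not a real capture): a randomly named binary in
# /boot sends SIGKILL to pid 0x4d2 (1234); the second record is a SIGTERM
# (a1=f) from an interactive shell and must not be reported.
SAMPLE_AUDIT='type=SYSCALL msg=audit(1417040105.411:2231): arch=c000003e syscall=62 success=yes exit=0 a0=4d2 a1=9 a2=0 a3=0 items=0 ppid=1 pid=2987 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="zxkq3p" exe="/boot/zxkq3p" key="sigkill"
type=SYSCALL msg=audit(1417040106.002:2232): arch=c000003e syscall=62 success=yes exit=0 a0=4d3 a1=f a2=0 a3=0 items=0 ppid=3001 pid=3002 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="bash" exe="/bin/bash" key=(null)'

# Stand-alone run: show who sent SIGKILL in the sample. Typical use on a host:
#   ausearch --raw -k sigkill | sigkill_senders
#   verify_manifest /mnt/usb/known-good.md5 /
#   find_immutable /bin; find_immutable /sbin; find_immutable /usr/bin; find_immutable /usr/sbin
printf '%s\n' "$SAMPLE_AUDIT" | sigkill_senders    # prints: 2987 zxkq3p /boot/zxkq3p 1234
```

The manifest is produced on the clean machine with plain md5sum (for example `cd / && md5sum bin/* sbin/* usr/bin/* usr/sbin/* > known-good.md5`) and carried over on the read-only USB stick together with the copied tools.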