----- Original Message -----
> Hi
>
> Thank you for your support.
> The server is actually compromised, I discovered that after making a
> deep trace using the audit daemon and looking for the kill signal
> (SIGKILL) that terminates asterisk.
> I discovered that there is an executable with a random name in the
> /boot folder that is killing and deleting asterisk !!!
>
> This executable is launched by a service in /etc/rc.d/ with the same
> random name.
> When I stopped this service, a new service was created with another
> different random name and it too is killing and deleting asterisk.
> This was the evidence I needed to be convinced that the server has a
> virus and is compromised.
>
> The good thing is that this is a fresh install and hence there is no
> sensitive data or a lot of work done on it, so I will reinstall the
> OS and start over. The bad thing is that I spent more than 4 days
> trying to understand what was going on.
>
Very interesting. Any ideas on how the system was compromised? Are any
other daemons being actively replaced, or just Asterisk?

I did hear of a similar issue to the one you describe (also on an
Asterisk box) via a third party recently, but don't have any real
specifics other than it being Asterisk 1.4.x on Debian (5 or 6), running
on a local LAN, no outside access. Curious if there are any commonalities
to the two compromised systems.

--Tim

--
_____________________________________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
               http://www.asterisk.org/hello

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-users
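The quoted poster found the killer by tracing SIGKILL with the audit daemon, but did not post the rule or the records. The script below is an added example, not code from either list member, showing how that trace reads out: an auditd rule on the kill(2) syscall produces SYSCALL records (sender exe, signal in a1) paired with OBJ_PID records (victim comm) that share one event serial; joining the two by serial names the binary that is sending SIGKILL to asterisk. Assumptions: x86_64 records (syscall 62 = kill, a1 in hex, 9 = SIGKILL), auditd's raw record layout as emitted by ausearch --raw, and a constructed sample log in which the killer path /boot/k9xq2w and the other names are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the asterisk-users thread). Assumes x86_64 audit records.
#
# Rule that produces the records parsed below (needs root and a running auditd;
# not executed here):
#   auditctl -a always,exit -F arch=b64 -S kill -k killtrace
# Read them back in raw form with:
#   ausearch -k killtrace --raw

# Constructed sample of `ausearch --raw` output, not a real capture.
# Serial 100 and 102: a hypothetical /boot/k9xq2w sends SIGKILL (a1=9) to asterisk.
# Serial 101: init sends SIGTERM (a1=f) to sshd, which must be ignored.
# Serial 103: an operator's /bin/kill sends SIGKILL to asterisk; OBJ_PID precedes SYSCALL
# to show that record order within an event does not matter.
SAMPLE_AUDIT='type=SYSCALL msg=audit(1300000000.001:100): arch=c000003e syscall=62 success=yes exit=0 a0=2a1 a1=9 a2=0 a3=0 items=0 ppid=1 pid=987 auid=4294967295 uid=0 gid=0 comm="k9xq2w" exe="/boot/k9xq2w" key="killtrace"
type=OBJ_PID msg=audit(1300000000.001:100): opid=673 oauid=-1 ouid=0 oses=-1 ocomm="asterisk"
type=SYSCALL msg=audit(1300000000.002:101): arch=c000003e syscall=62 success=yes exit=0 a0=3e8 a1=f a2=0 a3=0 items=0 ppid=0 pid=1 auid=4294967295 uid=0 gid=0 comm="init" exe="/sbin/init" key="killtrace"
type=OBJ_PID msg=audit(1300000000.002:101): opid=1000 oauid=-1 ouid=0 oses=-1 ocomm="sshd"
type=SYSCALL msg=audit(1300000000.003:102): arch=c000003e syscall=62 success=yes exit=0 a0=2a5 a1=9 a2=0 a3=0 items=0 ppid=1 pid=987 auid=4294967295 uid=0 gid=0 comm="k9xq2w" exe="/boot/k9xq2w" key="killtrace"
type=OBJ_PID msg=audit(1300000000.003:102): opid=677 oauid=-1 ouid=0 oses=-1 ocomm="asterisk"
type=OBJ_PID msg=audit(1300000000.004:103): opid=680 oauid=500 ouid=0 oses=3 ocomm="asterisk"
type=SYSCALL msg=audit(1300000000.004:103): arch=c000003e syscall=62 success=yes exit=0 a0=2a8 a1=9 a2=0 a3=0 items=0 ppid=2201 pid=2230 auid=500 uid=0 gid=0 comm="kill" exe="/bin/kill" key="killtrace"'

# sigkill_senders TARGET_COMM
# Reads raw audit records on stdin and prints "<count> <exe>" for every
# executable that sent SIGKILL to a process whose comm is TARGET_COMM,
# most frequent sender first.
sigkill_senders() {
  target="$1"
  awk -v target="$target" '
    # Event serial: the number after the colon inside msg=audit(secs.ms:serial).
    function serial(s,   m) {
      if (!match(s, /msg=audit\([0-9.]+:[0-9]+\)/)) return ""
      m = substr(s, RSTART, RLENGTH)
      sub(/^.*:/, "", m); sub(/\)$/, "", m)
      return m
    }
    # Value of name=value or name="value" in one record line.
    function field(s, name,   m) {
      if (!match(s, "(^| )" name "=\"?[^ \"]*\"?")) return ""
      m = substr(s, RSTART, RLENGTH)
      sub(/^ ?[^=]*=/, "", m); gsub(/"/, "", m)
      return m
    }
    # kill(2) is syscall 62 on x86_64; a1 is the signal number in hex (9 = SIGKILL).
    /^type=SYSCALL / && field($0, "syscall") == "62" && field($0, "a1") == "9" {
      sender[serial($0)] = field($0, "exe")
    }
    # OBJ_PID carries the signalled process; join it to the SYSCALL record by serial.
    /^type=OBJ_PID / { victim[serial($0)] = field($0, "ocomm") }
    END {
      for (id in sender) if (victim[id] == target) count[sender[id]]++
      for (e in count) print count[e], e
    }
  ' | sort -rn
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_AUDIT" | sigkill_senders asterisk
```

On the sample this lists /boot/k9xq2w twice and /bin/kill once; a binary under /boot that is not owned by any package (check with rpm -qf or dpkg -S) and has a matching script in /etc/rc.d is exactly the pattern the poster describes. Since the poster saw the service re-create itself under a new random name when stopped, the trace is for evidence and for finding the initial entry point, not for cleaning: the reinstall the poster chose is the right outcome.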