[Asterisk-Users] asterisk@home scary log

Karl H. Putz kputz at columbus.rr.com
Thu Feb 10 08:18:49 MST 2005 

You've likely been hacked.

I have recently had a similar incident where a hacker guessed my root
password (MY BAD) and set up an ebay password skimming site.

I noticed it when I got similar non-deliverable email messages.

Obviously, first change your password and then look at the /var/www/html
directory and see if there are unwelcome pages there.  Also be sure to check
who is logged in currently.  I caught the (*%#@ SOB logged in and bounced
the bastard.

For what it's worth, the hacker's IP address was: 81.12.141.150.


Karl Putz

>-----Original Message-----
>From: asterisk-users-bounces at lists.digium.com
>[mailto:asterisk-users-bounces at lists.digium.com]On Behalf Of Jean-Louis
>curty
>Sent: Thursday, February 10, 2005 9:10 AM
>To: Asterisk Users Mailing List - Non-Commercial Discussion
>Subject: [Asterisk-Users] asterisk at home scary log
>
>
>Hi everybody,
>
>I'm testing asterisk at home 0.4,
>looks great so far
>
>I was working when I have been alerted by a bip comming from the * pc...
>
>I connected a screen to it and saw that there was a message which
>looked like :
>
>
>Message from syslogd at asterisk1 at Thu Feb 10 09:01:00 2005 ...
>asterisk1
>
>
>
>so I stopped asterisk, type mail and got a strange mail saying that
>user xxxx at yahoo.com could not be reached and body was like if it was
>the result of commands ifconfig etc
>
>unfortunally I don't have the message anymore but I went to the log
>
>and saw this
>Feb  9 20:30:07 asterisk1 sendmail[10088]: j1A1U7mf010088:
>from=<root at asterisk1.local>, size=329, class=0, nrcpts=1,
>msgid=<200502100130.j1A1U7Q1010071 at asterisk1.local>, proto=ESMTP,
>daemon=MTA, relay=asterisk1.local [127.0.0.1]
>Feb  9 20:30:07 asterisk1 sendmail[10071]: j1A1U7Q1010071:
>to=paym3now at gmail.com, ctladdr=root (0/0), delay=00:00:00,
>xdelay=00:00:00, mailer=relay, pri=30049, relay=[127.0.0.1]
>[127.0.0.1], dsn=2.0.0, stat=Sent (j1A1U7mf010088 Message accepted for
>delivery)
>Feb  9 20:30:07 asterisk1 sendmail[10077]: j1A1U7CY010077:
>to=paym3now at gmail.com, ctladdr=root (0/0), delay=00:00:00,
>xdelay=00:00:00, mailer=relay, pri=30068, relay=[127.0.0.1]
>[127.0.0.1], dsn=2.0.0, stat=Sent (j1A1U7Ns010089 Message accepted for
>delivery)
>Feb  9 20:30:17 asterisk1 sendmail[10094]: j1A1U7Ns010089:
>to=<paym3now at gmail.com>, ctladdr=<root at asterisk1.local> (0/0),
>delay=00:00:10, xdelay=00:00:10, mailer=esmtp, pri=30348,
>relay=gsmtp171.google.com. [64.233.171.27], dsn=2.0.0, stat=Sent (OK
>1107998984)
>Feb  9 20:30:17 asterisk1 sendmail[10093]: j1A1U7mf010088:
>to=<paym3now at gmail.com>, ctladdr=<root at asterisk1.local> (0/0),
>delay=00:00:10, xdelay=00:00:10, mailer=esmtp, pri=30329,
>relay=gsmtp171.google.com. [64.233.171.27], dsn=2.0.0, stat=Sent (OK
>1107998984)
>
>
>the thing is i did not send any message to paym3now at gmail.com nor to
>somebody at yahoo,
>
>
>anybody got the same ? what can I do ??
>
>thanks
>jl
>_______________________________________________
>Asterisk-Users mailing list
>Asterisk-Users at lists.digium.com
>http://lists.digium.com/mailman/listinfo/asterisk-users
>To UNSUBSCRIBE or update options visit:
>   http://lists.digium.com/mailman/listinfo/asterisk-users
>

More information about the asterisk-users mailing list