[Asterisk-Users] asterisk@home scary log

Christian Moller uwv at mailsnare.net
Thu Feb 10 09:02:51 MST 2005


Hi,
OK, well, I've disabled SSH/HTTP already so let's hope I will have my system 
working!
Best and thanks,
Christian


----- Original Message ----- 
From: "Karl H. Putz" <kputz at columbus.rr.com>
To: "Asterisk Users Mailing List - Non-Commercial Discussion" 
<asterisk-users at lists.digium.com>
Sent: Thursday, February 10, 2005 4:56 PM
Subject: RE: [Asterisk-Users] asterisk at home scary log


>I had the system set up to allow http and ssh.
>
> The hack came in through ssh.
>
>>-----Original Message-----
>>From: asterisk-users-bounces at lists.digium.com
>>[mailto:asterisk-users-bounces at lists.digium.com]On Behalf Of Christian
>>Moller
>>Sent: Thursday, February 10, 2005 10:39 AM
>>To: Asterisk Users Mailing List - Non-Commercial Discussion
>>Subject: Re: [Asterisk-Users] asterisk at home scary log
>>
>>
>>Hi,
>>I've also been a little worried about the security. How did they connect to
>>your system? Through telnet or what?
>>Since I've disabled all such services.
>>Best,
>>Christian
>>
>>
>>----- Original Message -----
>>From: "Karl H. Putz" <kputz at columbus.rr.com>
>>To: "Jean-Louis curty" <jlcurty at gmail.com>; "Asterisk Users Mailing List -
>>Non-Commercial Discussion" <asterisk-users at lists.digium.com>
>>Sent: Thursday, February 10, 2005 4:18 PM
>>Subject: RE: [Asterisk-Users] asterisk at home scary log
>>
>>
>>> You've likely been hacked.
>>>
>>> I have recently had a similar incident where a hacker guessed my root
>>> password (MY BAD) and set up an eBay password skimming site.
>>>
>>> I noticed it when I got similar non-deliverable email messages.
>>>
>>> Obviously, first change your password and then look at the /var/www/html
>>> directory and see if there are unwelcome pages there.  Also be sure to check
>>> who is logged in currently.  I caught the (*%#@ SOB logged in and bounced
>>> the bastard.
>>>
>>> For what it's worth, the hacker's IP address was: 81.12.141.150.
>>>
>>>
>>> Karl Putz
>>>
>>>>-----Original Message-----
>>>>From: asterisk-users-bounces at lists.digium.com
>>>>[mailto:asterisk-users-bounces at lists.digium.com]On Behalf Of Jean-Louis
>>>>curty
>>>>Sent: Thursday, February 10, 2005 9:10 AM
>>>>To: Asterisk Users Mailing List - Non-Commercial Discussion
>>>>Subject: [Asterisk-Users] asterisk at home scary log
>>>>
>>>>
>>>>Hi everybody,
>>>>
>>>>I'm testing asterisk at home 0.4,
>>>>looks great so far
>>>>
>>>>I was working when I was alerted by a beep coming from the * PC...
>>>>
>>>>I connected a screen to it and saw that there was a message which
>>>>looked like :
>>>>
>>>>
>>>>Message from syslogd at asterisk1 at Thu Feb 10 09:01:00 2005 ...
>>>>asterisk1
>>>>
>>>>
>>>>
>>>>so I stopped asterisk, typed mail and got a strange mail saying that
>>>>user xxxx at yahoo.com could not be reached, and the body looked as if it was
>>>>the result of commands, ifconfig etc.
>>>>
>>>>Unfortunately I don't have the message anymore but I went to the log
>>>>
>>>>and saw this
>>>>Feb  9 20:30:07 asterisk1 sendmail[10088]: j1A1U7mf010088:
>>>>from=<root at asterisk1.local>, size=329, class=0, nrcpts=1,
>>>>msgid=<200502100130.j1A1U7Q1010071 at asterisk1.local>, proto=ESMTP,
>>>>daemon=MTA, relay=asterisk1.local [127.0.0.1]
>>>>Feb  9 20:30:07 asterisk1 sendmail[10071]: j1A1U7Q1010071:
>>>>to=paym3now at gmail.com, ctladdr=root (0/0), delay=00:00:00,
>>>>xdelay=00:00:00, mailer=relay, pri=30049, relay=[127.0.0.1]
>>>>[127.0.0.1], dsn=2.0.0, stat=Sent (j1A1U7mf010088 Message accepted for
>>>>delivery)
>>>>Feb  9 20:30:07 asterisk1 sendmail[10077]: j1A1U7CY010077:
>>>>to=paym3now at gmail.com, ctladdr=root (0/0), delay=00:00:00,
>>>>xdelay=00:00:00, mailer=relay, pri=30068, relay=[127.0.0.1]
>>>>[127.0.0.1], dsn=2.0.0, stat=Sent (j1A1U7Ns010089 Message accepted for
>>>>delivery)
>>>>Feb  9 20:30:17 asterisk1 sendmail[10094]: j1A1U7Ns010089:
>>>>to=<paym3now at gmail.com>, ctladdr=<root at asterisk1.local> (0/0),
>>>>delay=00:00:10, xdelay=00:00:10, mailer=esmtp, pri=30348,
>>>>relay=gsmtp171.google.com. [64.233.171.27], dsn=2.0.0, stat=Sent (OK
>>>>1107998984)
>>>>Feb  9 20:30:17 asterisk1 sendmail[10093]: j1A1U7mf010088:
>>>>to=<paym3now at gmail.com>, ctladdr=<root at asterisk1.local> (0/0),
>>>>delay=00:00:10, xdelay=00:00:10, mailer=esmtp, pri=30329,
>>>>relay=gsmtp171.google.com. [64.233.171.27], dsn=2.0.0, stat=Sent (OK
>>>>1107998984)
>>>>
>>>>
>>>>The thing is I did not send any message to paym3now at gmail.com nor to
>>>>somebody at yahoo.
>>>>
>>>>
>>>>Anybody got the same? What can I do??
>>>>
>>>>thanks
>>>>jl
>>>>_______________________________________________
>>>>Asterisk-Users mailing list
>>>>Asterisk-Users at lists.digium.com
>>>>http://lists.digium.com/mailman/listinfo/asterisk-users
>>>>To UNSUBSCRIBE or update options visit:
>>>>   http://lists.digium.com/mailman/listinfo/asterisk-users
>>>>
>>>
>>>
>>
>>
>
>
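
The sendmail entries quoted in this thread show mail submitted with `ctladdr=root (0/0)` and then handed to an outside relay over `mailer=esmtp`. As an added example (not part of the original thread), the script below pulls exactly those deliveries out of a maillog; the sample lines, host name, addresses and IPs are constructed, and treating uid 0 plus `esmtp`/`smtp` as the signal is an assumption of this sketch.

```python
import re

# Constructed sample in sendmail's syslog format (host, addresses, IPs are made up).
SAMPLE_LOG = """\
Feb  9 20:30:07 pbx1 sendmail[10071]: j1A1U7Q1010071: to=drop@example.com, ctladdr=root (0/0), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=30049, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (j1A1U7mf010088 Message accepted for delivery)
Feb  9 20:30:17 pbx1 sendmail[10093]: j1A1U7mf010088: to=<drop@example.com>, ctladdr=<root@pbx1.local> (0/0), delay=00:00:10, xdelay=00:00:10, mailer=esmtp, pri=30329, relay=mx.example.com. [192.0.2.27], dsn=2.0.0, stat=Sent (OK 1107998984)
Feb  9 21:00:01 pbx1 sendmail[10200]: j1A200aa010200: to=root, ctladdr=root (0/0), delay=00:00:00, xdelay=00:00:00, mailer=local, pri=30300, dsn=2.0.0, stat=Sent
Feb  9 21:05:09 pbx1 sendmail[10311]: j1A255bb010311: to=<ops@example.org>, ctladdr=<alice@pbx1.local> (500/500), delay=00:00:02, xdelay=00:00:02, mailer=esmtp, pri=30100, relay=mx.example.org. [198.51.100.9], dsn=2.0.0, stat=Sent (OK)
"""

LINE_RE = re.compile(r"^(\w{3}\s+\d+ [\d:]+) \S+ sendmail\[\d+\]: (\w+): (.*)$")
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=, \w+=|$)")   # key=value pairs split on ", key="
UID_RE = re.compile(r"\((\d+)/\d+\)")               # "(uid/gid)" after ctladdr
IP_RE = re.compile(r"\[([\d.]+)\]")                 # relay IP in brackets


def root_outbound(log_text):
    """Return deliveries submitted by uid 0 that left the host over SMTP."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        when, qid, rest = m.groups()
        f = dict(FIELD_RE.findall(rest))
        uid = UID_RE.search(f.get("ctladdr", ""))
        if not uid or uid.group(1) != "0":
            continue
        # mailer=relay to 127.0.0.1 is the local hand-off to the MTA and
        # mailer=local never leaves the box; esmtp/smtp is the external hop.
        if f.get("mailer") not in ("esmtp", "smtp"):
            continue
        if not f.get("stat", "").startswith("Sent"):
            continue
        ip = IP_RE.search(f.get("relay", ""))
        hits.append({"when": when, "qid": qid,
                     "to": f["to"].strip("<>"),
                     "relay_ip": ip.group(1) if ip else None})
    return hits


if __name__ == "__main__":
    for hit in root_outbound(SAMPLE_LOG):
        print(hit)
```

Each hit's queue ID can be matched against the earlier `from=` line with the same ID to recover the message size and submission time.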



