[Asterisk-Users] asterisk@home scary log

Jean-Louis curty jlcurty at gmail.com
Thu Feb 10 09:07:37 MST 2005


OK, ssh now disabled...
root password changed...


Where can I catch the messages that are supposedly sent by syslogd at asterisk1?




On Thu, 10 Feb 2005 10:56:53 -0500, Karl H. Putz <kputz at columbus.rr.com> wrote:
> I had the system set up to allow http and ssh.
> 
> The hack came in through ssh.
> 
> >-----Original Message-----
> >From: asterisk-users-bounces at lists.digium.com
> >[mailto:asterisk-users-bounces at lists.digium.com]On Behalf Of Christian
> >Moller
> >Sent: Thursday, February 10, 2005 10:39 AM
> >To: Asterisk Users Mailing List - Non-Commercial Discussion
> >Subject: Re: [Asterisk-Users] asterisk at home scary log
> >
> >
> >Hi,
> >I've also been a little worried about the security. How did they
> >connect to
> >your system? Through telnet or what?
> >Since I've disabled all such services.
> >Best,
> >Christian
> >
> >
> >----- Original Message -----
> >From: "Karl H. Putz" <kputz at columbus.rr.com>
> >To: "Jean-Louis curty" <jlcurty at gmail.com>; "Asterisk Users Mailing List -
> >Non-Commercial Discussion" <asterisk-users at lists.digium.com>
> >Sent: Thursday, February 10, 2005 4:18 PM
> >Subject: RE: [Asterisk-Users] asterisk at home scary log
> >
> >
> >> You've likely been hacked.
> >>
> >> I have recently had a similar incident where a hacker guessed my root
> >> password (MY BAD) and set up an ebay password skimming site.
> >>
> >> I noticed it when I got similar non-deliverable email messages.
> >>
> >> Obviously, first change your password and then look at the /var/www/html
> >> directory and see if there are unwelcome pages there.  Also be sure to
> >> check
> >> who is logged in currently.  I caught the (*%#@ SOB logged in and bounced
> >> the bastard.
> >>
> >> For what it's worth, the hacker's IP address was: 81.12.141.150.
> >>
> >>
> >> Karl Putz
> >>
> >>>-----Original Message-----
> >>>From: asterisk-users-bounces at lists.digium.com
> >>>[mailto:asterisk-users-bounces at lists.digium.com]On Behalf Of Jean-Louis
> >>>curty
> >>>Sent: Thursday, February 10, 2005 9:10 AM
> >>>To: Asterisk Users Mailing List - Non-Commercial Discussion
> >>>Subject: [Asterisk-Users] asterisk at home scary log
> >>>
> >>>
> >>>Hi everybody,
> >>>
> >>>I'm testing asterisk at home 0.4;
> >>>looks great so far.
> >>>
> >>>I was working when I was alerted by a beep coming from the * PC...
> >>>
> >>>I connected a screen to it and saw that there was a message which
> >>>looked like:
> >>>
> >>>
> >>>Message from syslogd at asterisk1 at Thu Feb 10 09:01:00 2005 ...
> >>>asterisk1
> >>>
> >>>
> >>>
> >>>so I stopped Asterisk, typed mail and got a strange mail saying that
> >>>user xxxx at yahoo.com could not be reached, and the body looked like
> >>>the output of commands such as ifconfig etc.
> >>>
> >>>Unfortunately I don't have the message any more, but I went to the log
> >>>
> >>>and saw this:
> >>>Feb  9 20:30:07 asterisk1 sendmail[10088]: j1A1U7mf010088:
> >>>from=<root at asterisk1.local>, size=329, class=0, nrcpts=1,
> >>>msgid=<200502100130.j1A1U7Q1010071 at asterisk1.local>, proto=ESMTP,
> >>>daemon=MTA, relay=asterisk1.local [127.0.0.1]
> >>>Feb  9 20:30:07 asterisk1 sendmail[10071]: j1A1U7Q1010071:
> >>>to=paym3now at gmail.com, ctladdr=root (0/0), delay=00:00:00,
> >>>xdelay=00:00:00, mailer=relay, pri=30049, relay=[127.0.0.1]
> >>>[127.0.0.1], dsn=2.0.0, stat=Sent (j1A1U7mf010088 Message accepted for
> >>>delivery)
> >>>Feb  9 20:30:07 asterisk1 sendmail[10077]: j1A1U7CY010077:
> >>>to=paym3now at gmail.com, ctladdr=root (0/0), delay=00:00:00,
> >>>xdelay=00:00:00, mailer=relay, pri=30068, relay=[127.0.0.1]
> >>>[127.0.0.1], dsn=2.0.0, stat=Sent (j1A1U7Ns010089 Message accepted for
> >>>delivery)
> >>>Feb  9 20:30:17 asterisk1 sendmail[10094]: j1A1U7Ns010089:
> >>>to=<paym3now at gmail.com>, ctladdr=<root at asterisk1.local> (0/0),
> >>>delay=00:00:10, xdelay=00:00:10, mailer=esmtp, pri=30348,
> >>>relay=gsmtp171.google.com. [64.233.171.27], dsn=2.0.0, stat=Sent (OK
> >>>1107998984)
> >>>Feb  9 20:30:17 asterisk1 sendmail[10093]: j1A1U7mf010088:
> >>>to=<paym3now at gmail.com>, ctladdr=<root at asterisk1.local> (0/0),
> >>>delay=00:00:10, xdelay=00:00:10, mailer=esmtp, pri=30329,
> >>>relay=gsmtp171.google.com. [64.233.171.27], dsn=2.0.0, stat=Sent (OK
> >>>1107998984)
> >>>
> >>>
> >>>The thing is, I did not send any message to paym3now at gmail.com nor to
> >>>somebody at yahoo.
> >>>
> >>>
> >>>Anybody got the same? What can I do?
> >>>
> >>>thanks
> >>>jl
> >>>_______________________________________________
> >>>Asterisk-Users mailing list
> >>>Asterisk-Users at lists.digium.com
> >>>http://lists.digium.com/mailman/listinfo/asterisk-users
> >>>To UNSUBSCRIBE or update options visit:
> >>>   http://lists.digium.com/mailman/listinfo/asterisk-users
> >>>
> >>
> >>
> >
> >
> 
>
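As an added example (not from anyone in this thread), a small Python triage script that parses sendmail recipient records like the ones Jean-Louis posted and flags mail that was handed to the MTA as root and delivered to an off-box domain, which on a PBX that never mails outside is exactly the kind of entry worth explaining. The sample log is constructed from the quoted lines with the '@' restored (the list archive rewrites it as " at "), plus one invented benign local delivery; the local-domain set is an assumption.

```python
import re
from dataclasses import dataclass

# Constructed sample modelled on the maillog quoted in this thread, '@' restored.
# The last line is invented to show a benign on-box delivery that must not be flagged.
SAMPLE_LOG = """\
Feb  9 20:30:07 asterisk1 sendmail[10088]: j1A1U7mf010088: from=<root@asterisk1.local>, size=329, class=0, nrcpts=1, msgid=<200502100130.j1A1U7Q1010071@asterisk1.local>, proto=ESMTP, daemon=MTA, relay=asterisk1.local [127.0.0.1]
Feb  9 20:30:07 asterisk1 sendmail[10071]: j1A1U7Q1010071: to=paym3now@gmail.com, ctladdr=root (0/0), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=30049, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (j1A1U7mf010088 Message accepted for delivery)
Feb  9 20:30:17 asterisk1 sendmail[10094]: j1A1U7Ns010089: to=<paym3now@gmail.com>, ctladdr=<root@asterisk1.local> (0/0), delay=00:00:10, xdelay=00:00:10, mailer=esmtp, pri=30348, relay=gsmtp171.google.com. [64.233.171.27], dsn=2.0.0, stat=Sent (OK 1107998984)
Feb  9 20:30:17 asterisk1 sendmail[10093]: j1A1U7mf010088: to=<paym3now@gmail.com>, ctladdr=<root@asterisk1.local> (0/0), delay=00:00:10, xdelay=00:00:10, mailer=esmtp, pri=30329, relay=gsmtp171.google.com. [64.233.171.27], dsn=2.0.0, stat=Sent (OK 1107998984)
Feb  9 21:00:01 asterisk1 sendmail[10200]: j1A200aa010200: to=<admin@asterisk1.local>, ctladdr=<root@asterisk1.local> (0/0), delay=00:00:00, xdelay=00:00:00, mailer=local, pri=30100, dsn=2.0.0, stat=Sent
"""

# One regex for sendmail recipient ("to=") records; "from=" records do not match.
# ctladdr may appear bare ("root") or bracketed ("<root@host>"); relay is optional.
TO_LINE = re.compile(
    r"sendmail\[\d+\]: (?P<qid>\w+): to=<?(?P<to>[^>,\s]+)>?, "
    r"ctladdr=<?(?P<ctl>[^>,\s]+)>? \((?P<uid>\d+)/\d+\)"
    r".*?mailer=(?P<mailer>\w+)(?:.*?relay=(?P<relay>[^,]+))?.*?stat=(?P<stat>\w+)"
)

@dataclass(frozen=True)
class Delivery:
    qid: str
    to: str
    ctladdr: str
    uid: int
    mailer: str
    relay: str
    stat: str

def parse_deliveries(log_text: str) -> list[Delivery]:
    """Return one Delivery per recipient record, in log order."""
    out = []
    for line in log_text.splitlines():
        m = TO_LINE.search(line)
        if m:
            out.append(Delivery(m["qid"], m["to"], m["ctl"], int(m["uid"]),
                                m["mailer"], m["relay"] or "", m["stat"]))
    return out

def flag_root_external(deliveries: list[Delivery], local_domains: set[str]) -> list[Delivery]:
    """Delivered mail whose controlling user was uid 0 and whose recipient domain is not local."""
    return [d for d in deliveries
            if d.uid == 0 and d.stat == "Sent"
            and d.to.rpartition("@")[2].lower() not in local_domains]

if __name__ == "__main__":
    for d in flag_root_external(parse_deliveries(SAMPLE_LOG), {"asterisk1.local"}):
        print(d.qid, d.to, d.relay)
```

Each queue id shows up twice in a full log (once on the loopback relay hop, once on the esmtp hop that names the remote relay and its IP), so the relay column is what ties a flagged recipient to the actual outbound connection.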


