[Asterisk-Users] Re: asterisk@home scary log

Jason Stewart jstewart at rtl.org
Thu Feb 10 09:09:29 MST 2005


On 10/02/05 15:10 +0100, Jean-Louis curty wrote:
> so I stopped asterisk, typed mail and got a strange mail saying that
> user xxxx at yahoo.com could not be reached, and the body looked like
> the result of commands such as ifconfig etc.
> 
> unfortunately I don't have the message anymore but I went to the log
> 
> Feb  9 20:30:17 asterisk1 sendmail[10093]: j1A1U7mf010088:
> to=<paym3now at gmail.com>, ctladdr=<root at asterisk1.local> (0/0),
> delay=00:00:10, xdelay=00:00:10, mailer=esmtp, pri=30329,
> relay=gsmtp171.google.com. [64.233.171.27], dsn=2.0.0, stat=Sent (OK
> 1107998984)
> 
> 
> the thing is I did not send any message to paym3now at gmail.com nor to
> anybody at yahoo,
> 
> 
> anybody got the same? what can I do??

There's a chance that you may have been hacked, but the logs you posted
look more like your mailserver is an open relay. What OS/Distro are
you using, what version, and do you have the latest patches applied?
What services are you running?

Look for strange entries with uid 0 in your passwd file. Also check
for root kits with a rootkit checker (chkrootkit.org).

If everything pans out security-wise then the only problem is that your
MTA is configured to be an open relay. If that's the case, then you
need to fix it right away before you get on umpteen million blackhole
lists.

Consult the docs and/or community for the MTA that you're using to fix
that.

Jason
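The two host-side checks Jason suggests (look for extra uid 0 accounts, and look at what the MTA has actually been sending on root's behalf) can be scripted so they run over a copy of /etc/passwd and the sendmail log. The script below is an added example and is not code from the thread or from Asterisk@Home; the file names and the sample passwd and log lines are constructed for the demo, with the log format following the line quoted in the thread (the archive prints "@" as " at "). The local domain is passed in as an argument, so the same function also works for hosts that are not called asterisk1.local.

```shell
#!/bin/sh
# Added example (not part of the list thread): scripted versions of two checks
# from the reply above. Sample data below is constructed; names are hypothetical.

# 1. Accounts with uid 0 other than "root". On a PBX box any hit deserves a look.
find_uid0_accounts() {
    awk -F: '$3 == "0" && $1 != "root" { print $1 }' "$1"
}

# 2. Recipients of mail that sendmail delivered with ctladdr=<root@...> to a
#    domain other than the local one given as $2 (e.g. asterisk1.local).
#    On a host nobody uses for mail this list should be empty; a list of
#    webmail addresses you never wrote to is the symptom described in the thread.
find_external_root_mail() {
    sed -n 's/.*to=<\([^>]*\)>, ctladdr=<root@[^>]*>.*/\1/p' "$1" \
        | grep -v "@$2\$" | sort -u || true
}

# 3. How much mail went through each relay host; a sudden spike to a handful of
#    big public mail services is what an abused relay usually looks like.
count_by_relay() {
    sed -n 's/.*relay=\([^ ,]*\).*/\1/p' "$1" | sort | uniq -c | sort -rn
}

# --- constructed demo data (hypothetical accounts and addresses) ---
demo_dir=$(mktemp -d)
cat > "$demo_dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
bin:x:1:1:bin:/bin:/sbin/nologin
asterisk:x:100:100:Asterisk PBX:/var/lib/asterisk:/sbin/nologin
toor:x:0:0:constructed suspicious account:/tmp:/bin/sh
EOF
cat > "$demo_dir/maillog" <<'EOF'
Feb  9 20:30:17 asterisk1 sendmail[10093]: j1A1U7mf010088: to=<paym3now@gmail.com>, ctladdr=<root@asterisk1.local> (0/0), delay=00:00:10, xdelay=00:00:10, mailer=esmtp, pri=30329, relay=gsmtp171.google.com. [64.233.171.27], dsn=2.0.0, stat=Sent (OK 1107998984)
Feb  9 20:31:02 asterisk1 sendmail[10110]: j1A1V2ab010101: to=<root@asterisk1.local>, ctladdr=<root@asterisk1.local> (0/0), delay=00:00:00, xdelay=00:00:00, mailer=local, pri=30100, dsn=2.0.0, stat=Sent
Feb  9 20:32:40 asterisk1 sendmail[10125]: j1A1WeCD010120: to=<xxxx@yahoo.com>, ctladdr=<root@asterisk1.local> (0/0), delay=00:00:05, xdelay=00:00:05, mailer=esmtp, pri=30200, relay=mx.yahoo.example. [0.0.0.0], dsn=5.1.1, stat=User unknown
EOF

echo "uid 0 accounts other than root:"
find_uid0_accounts "$demo_dir/passwd"
echo "mail sent as root to non-local domains:"
find_external_root_mail "$demo_dir/maillog" asterisk1.local
echo "messages per relay host:"
count_by_relay "$demo_dir/maillog"
```

Run it on a real box as `find_uid0_accounts /etc/passwd` and `find_external_root_mail /var/log/maillog yourhost.local` (the maillog path varies by distro). An empty result from both is what a clean host should show; the open-relay question itself is answered from the MTA side (whether unauthenticated hosts are allowed to relay), which these log checks only hint at.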


