[Asterisk-Users] asterisk@home scary log

Karl H. Putz kputz at columbus.rr.com
Thu Feb 10 09:15:37 MST 2005


Please all keep in mind that there are plenty of additional configs possible
with iptables.

I should have restricted the originating IP address for TCP port 22 to come
from at least my dhcp served address range.  That would have blocked all
hackers except those originating from within my specific ISP's dhcp served
range.  Not perfect but a good sight better than wide open!


Karl Putz
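Karl's point above, limiting TCP/22 to the address range the administrator actually connects from, written out as an added example that is not part of the original thread. It generates an iptables-restore ruleset; 203.0.113.0/24 is a placeholder for the ISP DHCP range and must be replaced, and the Asterisk service ports (SIP, IAX, RTP) are deliberately not covered here, so merge it with the rules that already open them.

```shell
# Added example (not from the thread): emit an iptables-restore ruleset that
# only accepts new SSH connections from one source prefix and drops the rest.
# 203.0.113.0/24 is a documentation-range placeholder for the ISP DHCP range.
# Apply with:  ssh_rules 203.0.113.0/24 | iptables-restore

# check_cidr A.B.C.D/NN -> exit 0 if the argument looks like an IPv4 prefix
check_cidr() {
  printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$'
}

# ssh_rules SOURCE_CIDR -> print the filter table; refuse a malformed prefix
# rather than silently emitting a rule that matches nothing (or everything)
ssh_rules() {
  cidr="$1"
  check_cidr "$cidr" || { echo "ssh_rules: bad prefix '$cidr'" >&2; return 1; }
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# SSH: new connections only from the administrator's own range
-A INPUT -p tcp --dport 22 -s $cidr -m state --state NEW -j ACCEPT
# Anything else aimed at 22 is logged (rate-limited) and dropped, so the
# password guessing Karl describes shows up in syslog instead of succeeding
-A INPUT -p tcp --dport 22 -m limit --limit 5/min -j LOG --log-prefix "ssh-blocked: "
-A INPUT -p tcp --dport 22 -j DROP
COMMIT
EOF
}

ssh_rules 203.0.113.0/24
```

HTTP is not opened at all, which matches Christian's choice of disabling it; the default INPUT policy of DROP is what closes it.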

>-----Original Message-----
>From: asterisk-users-bounces at lists.digium.com
>[mailto:asterisk-users-bounces at lists.digium.com]On Behalf Of Christian
>Moller
>Sent: Thursday, February 10, 2005 11:03 AM
>To: Asterisk Users Mailing List - Non-Commercial Discussion
>Subject: Re: [Asterisk-Users] asterisk at home scary log
>
>
>Hi,
>OK, well, I've disabled SSH/HTTP already so let's hope I will have
>my system
>working!
>Best and thanks,
>Christian
>
>
>----- Original Message -----
>From: "Karl H. Putz" <kputz at columbus.rr.com>
>To: "Asterisk Users Mailing List - Non-Commercial Discussion"
><asterisk-users at lists.digium.com>
>Sent: Thursday, February 10, 2005 4:56 PM
>Subject: RE: [Asterisk-Users] asterisk at home scary log
>
>
>>I had the system setup to allow http and ssh.
>>
>> The hack came in through ssh.
>>
>>>-----Original Message-----
>>>From: asterisk-users-bounces at lists.digium.com
>>>[mailto:asterisk-users-bounces at lists.digium.com]On Behalf Of Christian
>>>Moller
>>>Sent: Thursday, February 10, 2005 10:39 AM
>>>To: Asterisk Users Mailing List - Non-Commercial Discussion
>>>Subject: Re: [Asterisk-Users] asterisk at home scary log
>>>
>>>
>>>Hi,
>>>I've also been a little worried about the security. How did they
>>>connect to
>>>your system? Through telnet or what?
>>>Since I've disabled all such services.
>>>Best,
>>>Christian
>>>
>>>
>>>----- Original Message -----
>>>From: "Karl H. Putz" <kputz at columbus.rr.com>
>>>To: "Jean-Louis curty" <jlcurty at gmail.com>; "Asterisk Users
>>>Mailing List -
>>>Non-Commercial Discussion" <asterisk-users at lists.digium.com>
>>>Sent: Thursday, February 10, 2005 4:18 PM
>>>Subject: RE: [Asterisk-Users] asterisk at home scary log
>>>
>>>
>>>> You've likely been hacked.
>>>>
>>>> I have recently had a similar incident where a hacker guessed my root
>>>> password (MY BAD) and set up an ebay password skimming site.
>>>>
>>>> I noticed it when I got similar non-deliverable email messages.
>>>>
>>>> Obviously, first change your password and then look at the
>>>> /var/www/html
>>>> directory and see if there are unwelcome pages there.  Also be sure to
>>>> check
>>>> who is logged in currently.  I caught the (*%#@ SOB logged in and
>>>> bounced
>>>> the bastard.
>>>>
>>>> For what it's worth, the hacker's IP address was: 81.12.141.150.
>>>>
>>>>
>>>> Karl Putz
>>>>
>>>>>-----Original Message-----
>>>>>From: asterisk-users-bounces at lists.digium.com
>>>>>[mailto:asterisk-users-bounces at lists.digium.com]On Behalf Of Jean-Louis
>>>>>curty
>>>>>Sent: Thursday, February 10, 2005 9:10 AM
>>>>>To: Asterisk Users Mailing List - Non-Commercial Discussion
>>>>>Subject: [Asterisk-Users] asterisk at home scary log
>>>>>
>>>>>
>>>>>Hi everybody,
>>>>>
>>>>>I'm testing asterisk at home 0.4,
>>>>>looks great so far
>>>>>
>>>>>I was working when I was alerted by a beep coming from
>>>>>the * pc...
>>>>>
>>>>>I connected a screen to it and saw that there was a message which
>>>>>looked like :
>>>>>
>>>>>
>>>>>Message from syslogd at asterisk1 at Thu Feb 10 09:01:00 2005 ...
>>>>>asterisk1
>>>>>
>>>>>
>>>>>
>>>>>so I stopped asterisk, typed mail and got a strange mail saying that
>>>>>user xxxx at yahoo.com could not be reached, and the body looked like
>>>>>the output of commands such as ifconfig etc.
>>>>>
>>>>>unfortunately I don't have the message anymore but I went to the log
>>>>>
>>>>>and saw this
>>>>>Feb  9 20:30:07 asterisk1 sendmail[10088]: j1A1U7mf010088:
>>>>>from=<root at asterisk1.local>, size=329, class=0, nrcpts=1,
>>>>>msgid=<200502100130.j1A1U7Q1010071 at asterisk1.local>, proto=ESMTP,
>>>>>daemon=MTA, relay=asterisk1.local [127.0.0.1]
>>>>>Feb  9 20:30:07 asterisk1 sendmail[10071]: j1A1U7Q1010071:
>>>>>to=paym3now at gmail.com, ctladdr=root (0/0), delay=00:00:00,
>>>>>xdelay=00:00:00, mailer=relay, pri=30049, relay=[127.0.0.1]
>>>>>[127.0.0.1], dsn=2.0.0, stat=Sent (j1A1U7mf010088 Message accepted for
>>>>>delivery)
>>>>>Feb  9 20:30:07 asterisk1 sendmail[10077]: j1A1U7CY010077:
>>>>>to=paym3now at gmail.com, ctladdr=root (0/0), delay=00:00:00,
>>>>>xdelay=00:00:00, mailer=relay, pri=30068, relay=[127.0.0.1]
>>>>>[127.0.0.1], dsn=2.0.0, stat=Sent (j1A1U7Ns010089 Message accepted for
>>>>>delivery)
>>>>>Feb  9 20:30:17 asterisk1 sendmail[10094]: j1A1U7Ns010089:
>>>>>to=<paym3now at gmail.com>, ctladdr=<root at asterisk1.local> (0/0),
>>>>>delay=00:00:10, xdelay=00:00:10, mailer=esmtp, pri=30348,
>>>>>relay=gsmtp171.google.com. [64.233.171.27], dsn=2.0.0, stat=Sent (OK
>>>>>1107998984)
>>>>>Feb  9 20:30:17 asterisk1 sendmail[10093]: j1A1U7mf010088:
>>>>>to=<paym3now at gmail.com>, ctladdr=<root at asterisk1.local> (0/0),
>>>>>delay=00:00:10, xdelay=00:00:10, mailer=esmtp, pri=30329,
>>>>>relay=gsmtp171.google.com. [64.233.171.27], dsn=2.0.0, stat=Sent (OK
>>>>>1107998984)
>>>>>
>>>>>
>>>>>the thing is I did not send any message to paym3now at gmail.com nor to
>>>>>somebody at yahoo,
>>>>>
>>>>>
>>>>>anybody got the same? what can I do??
>>>>>
>>>>>thanks
>>>>>jl
>>>>>_______________________________________________
>>>>>Asterisk-Users mailing list
>>>>>Asterisk-Users at lists.digium.com
>>>>>http://lists.digium.com/mailman/listinfo/asterisk-users
>>>>>To UNSUBSCRIBE or update options visit:
>>>>>   http://lists.digium.com/mailman/listinfo/asterisk-users
>>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
>
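The sendmail entries in Jean-Louis's post, parsed for the pattern that gave the compromise away (root sending mail off the box to an outside address), as an added example that is not part of the thread. The sample log is constructed from those entries, with one invented local delivery as a control; only the mailer=esmtp legs are checked, since the mailer=relay legs are just the local hop to the MTA.

```shell
# Added example (not from the thread): triage sendmail's log for mail that
# root sent off the host. The sample is constructed from the entries JL
# posted, one entry per line as sendmail writes them (the thread shows them
# wrapped), plus one legitimate local delivery that must not be flagged.
SAMPLE_LOG='Feb  9 20:30:07 asterisk1 sendmail[10071]: j1A1U7Q1010071: to=paym3now@gmail.com, ctladdr=root (0/0), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=30049, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (j1A1U7mf010088 Message accepted for delivery)
Feb  9 20:30:17 asterisk1 sendmail[10094]: j1A1U7Ns010089: to=<paym3now@gmail.com>, ctladdr=<root@asterisk1.local> (0/0), delay=00:00:10, xdelay=00:00:10, mailer=esmtp, pri=30348, relay=gsmtp171.google.com. [64.233.171.27], dsn=2.0.0, stat=Sent (OK 1107998984)
Feb  9 20:31:00 asterisk1 sendmail[10120]: j1A1V0ab010120: to=<admin@asterisk1.local>, ctladdr=<root@asterisk1.local> (0/0), delay=00:00:00, xdelay=00:00:00, mailer=local, pri=30100, dsn=2.0.0, stat=Sent'

# flag_external_root_mail LOCAL_DOMAIN   (log on stdin)
# Prints "queue-id recipient relay" for each delivery leg that actually left
# the host (mailer=esmtp) on behalf of root to an address outside LOCAL_DOMAIN.
# mailer=relay legs are the local MSP-to-MTA hop and are skipped.
flag_external_root_mail() {
  awk -v local="$1" '
    /sendmail\[/ && /mailer=esmtp/ && /ctladdr=<?root[@ ]/ {
      qid = $6; sub(/:$/, "", qid)          # field 6 is "queue-id:"
      to = ""; relay = ""
      for (i = 7; i <= NF; i++) {
        if ($i ~ /^to=/)    { to = $i; gsub(/^to=<?|>?,$/, "", to) }
        if ($i ~ /^relay=/) { relay = $i; sub(/^relay=/, "", relay); sub(/\.$/, "", relay) }
      }
      dom = to; sub(/^[^@]*@/, "", dom)     # recipient domain
      if (dom != local) print qid, to, relay
    }'
}

# Run the check over the constructed sample
scan_sample() {
  printf '%s\n' "$SAMPLE_LOG" | flag_external_root_mail asterisk1.local
}

scan_sample
```

On a live box the same function reads /var/log/maillog; anything it prints that the administrator did not send is a reason to check who is logged in and what cron and the web root contain, as Karl advises above.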




