[Asterisk-Users] asterisk@home scary log

Tzafrir Cohen tzafrir at cohens.org.il
Thu Feb 10 09:37:49 MST 2005


On Thu, Feb 10, 2005 at 10:18:49AM -0500, Karl H. Putz wrote:
> You've likely been hacked.

Don't make such hasty conclusions. I've seen too many strange messages
explained as "the machine is rooted".

First of all: does your computer listen on port 25 (on all interfaces,
not just localhost)?

  netstat -lnt | grep :25

If so, it may simply be someone who sends you messages like:

  From: paym3now at gmail.com
  To: bogus-user at yourdoma.in

Assuming that your server is configured to accept mail for yourdoma.in,
it will simply bounce the message "back" to the MX server for
gmail.com.

If that is the case you can:

1. don't listen on port 25 unless you really need to
2. don't accept mail for domains you don't have to
3. more aggressive spam filtering, e.g., RBL black-listing.
   - Unlike content filtering and virus checking, RBL black-lists take
     very little CPU, so they won't take precious system resources your *
     needs.
   - allowing only mail for existing users is also very effective. But
     exposes you to faster dictionary attacks to get the full list of your
     users

> 
> I have recently had a similar incident where a hacker guessed my root
> password (MY BAD) and set up an ebay password skimming site.

If someone had root on your machine and that guy was the least competent
you shouldn't assume you managed to clean your machine from all the
things he put.

If this is a production system you want to trust, you should reinstall
it from a clean copy or from a backup you can trust.

> 
> I noticed it when I got similar non-deliverable email messages.
> 
> Obviously, first change your password and then look at the /var/www/html
> directory and see if there are unwelcome pages there.  Also be sure to check
> who is logged in currently.  I caught the (*%#@ SOB logged in and bounced
> the bastard.

Those are nice workarounds. But you cannot be really sure that those are
the only trapdoors he left behind. There are simply too many places to
put hooks in.

-- 
Tzafrir Cohen         | New signature for new address and  |  VIM is
http://tzafrir.org.il | new homepage                       | a Mutt's  
tzafrir at cohens.org.il |                                    |  best
ICQ# 16849755         | Space reserved for other protocols | friend
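The port-25 check above is a one-liner, but reading its output by eye is where people go wrong (a listener on 127.0.0.1:25 is harmless, one on 0.0.0.0:25 or :::25 is what turns a box into a bounce source). The script below is an added example, not part of the original post: it reads `netstat -lnt` style output on stdin and classifies the SMTP listener as "exposed" (any non-loopback address), "local" (loopback only) or "none". The sample netstat output embedded in it is constructed for the example; the function and variable names are my own.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): classify SMTP listeners
# from `netstat -lnt` output. SAMPLE_NETSTAT is constructed sample data
# resembling what netstat prints on a host that accepts mail on all interfaces.

SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:5038          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:5060            0.0.0.0:*               LISTEN'

# smtp_exposure: reads netstat -lnt output on stdin and prints one word:
#   exposed  - port 25 is listening on a non-loopback address (0.0.0.0, ::, or a real IP)
#   local    - port 25 listens only on 127.0.0.1 / ::1
#   none     - nothing listens on port 25
smtp_exposure() {
    awk '
        # Only tcp/tcp6 rows in LISTEN state; the header lines never match.
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            addr = $4
            n = split(addr, parts, ":")
            port = parts[n]
            if (port != "25") next
            # Everything before the final ":port" is the bound address
            # (works for "0.0.0.0:25", ":::25" and "::1:25").
            host = substr(addr, 1, length(addr) - length(port) - 1)
            if (host == "127.0.0.1" || host == "::1" || host == "localhost")
                loopback_only = 1
            else
                exposed = 1
        }
        END {
            if (exposed) print "exposed"
            else if (loopback_only) print "local"
            else print "none"
        }'
}

# check_sample: runs the classifier over the constructed sample above.
check_sample() {
    printf '%s\n' "$SAMPLE_NETSTAT" | smtp_exposure
}

# Live use on the machine in question:
#   netstat -lnt | smtp_exposure
```

If the result is "exposed" and the host has no reason to receive mail from the Internet, binding the MTA to loopback (or not running it) removes the bounce source entirely; "local" is the usual configuration for a PBX that only needs to send voicemail notifications.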