[asterisk-users] Strange Issue: asterisk deleted
Tim Nelson
tnelson at rockbochs.com
Tue Dec 2 00:07:59 CST 2014
----- Original Message -----
> Hi
>
> Thank you for your support.
> The server is actually compromised, I discovered that after making a
> deep trace using the audit daemon and looking for the kill signal
> (SIGKILL) that terminates asterisk.
> I discovered that there is an executable with a random name in the
> /boot folder that is killing and deleting asterisk !!!
>
> This executable is launched by a service in /etc/rc.d/ with the same
> random name.
> When I stopped this service, a new service was created with another
> different random name and it too is killing and deleting asterisk.
> This was the evidence i needed to be convinced that the server has a
> virus and is compromised.
>
> The good thing is that this is a fresh install and hence there are no
> sensitive data or a lot of work done on it so i will reinstall the
> OS and start over. The bad thing is that I spent more than 4 days
> trying to understand what was going on.
>
Very interesting. Any ideas on how the system was compromised? Are any other daemons being actively replaced, or just Asterisk? I did hear of a similar issue to the one you describe (also on an Asterisk box) via a third party recently, but don't have any real specifics other than it being Asterisk 1.4.x on Debian (5 or 6), running on a local LAN, no outside access. Curious if there are any commonalities to the two compromised systems.
--Tim
More information about the asterisk-users
mailing list