[asterisk-users] Strange Issue: asterisk deleted
A J Stiles
asterisk_list at earthshod.co.uk
Thu Nov 27 04:05:44 CST 2014
On Wednesday 26 Nov 2014, Antoine Megalla wrote:
> I looked for asterisk in /usr/sbin using the commands ls and find and
> whereis and it was not there.
> I know that the process is killed because when I start asterisk using the
> command asterisk -vvvvc it starts and then it exits and the word killed is
> wrote on the console.
> Ever time I copy a new executable to /usr/sbin either using cp command or
> make install it gets deleted too.
> Now I used the strace command on asterisk and I can clearly see at the end
> of the strace the line : killed by SIGKILL This means that something or
> someone is actually and purposely killing asterisk but I do not know what
> or who is doing that also I know that I am the only user on the system.
> Again any indicators to solve this very weird issue are welcomed.
It sounds as though your server might have been compromised.
Get another machine of the same bit architecture and perform a fresh install
of exactly the same OS as your Asterisk box on that. Install busybox too
(it's usually there anyway, as it's required for building the initial RAMdisks
used by most distros for booting). Using a USB stick (preferrably one that
can be set read-only), copy at least the `ls`, `ps`, `netstat`, `w`,
`lsattr`, `md5sum`, `cat`, `diff` and `busybox` binaries over (to somewhere
that isn't /usr/bin/). Use both the existing installed and the newly-copied
md5sum and diff to check each system binary against the known-good ones. You
can use busybox to replicate commands you haven't copied (but note that
busybox versions are rather cut-down as compared to the GNU tools you know and
love. Come to think of it, they're cut-down as compared to the BSD tools
everyone replaces with GNU versions once they have a C compiler up and
Compare /etc/inittab between the two machines.
Many rootkits mess with ext[2-4]fs attributes, presumably to stop you
overwriting their overwritten system binaries; so use a known good lsattr to
check the attributes of everything in /bin/, /sbin/, /usr/bin/ and /usr/sbin/
-- watch out for anything set immutable.
Getting rid of the compromise fortunately is reasonably easy, especially if
your /home folder is on its own partition. Just ignore that partition during
reinstallation, edit your /etc/fstab afterwards and reboot -- your original
/home will be preserved intact. If not, use systemrescuecd or something
similar to boot a known-good system. Use mv to rename /home to a new name.
Shrink a disk partition and create a new small partition. Use that for your
/home during the reinstall. Then again edit /etc/fstab, unmount /home, mv
your old /home back to /home and reboot.
Note: Originating address only accepts e-mail from list! If replying off-
list, change address to asterisk1list at earthshod dot co dot uk .
More information about the asterisk-users