[asterisk-users] Strange Issue: asterisk deleted

A J Stiles asterisk_list at earthshod.co.uk
Thu Nov 27 04:05:44 CST 2014


On Wednesday 26 Nov 2014, Antoine Megalla wrote:
> Hi,
> 
> I looked for asterisk in /usr/sbin using the commands ls and find and
> whereis and it was not there.
> 
> I know that the process is killed because when I start asterisk using the
> command asterisk -vvvvc it starts and then it exits and the word killed is
> written on the console.
> 
> Every time I copy a new executable to /usr/sbin either using cp command or
> make install it gets deleted too.
> 
> Now I used the strace command on asterisk and I can clearly see at the end
> of the strace the line: killed by SIGKILL. This means that something or
> someone is actually and purposely killing asterisk, but I do not know what
> or who is doing that; also I know that I am the only user on the system.
> 
> Again any indicators to solve this very weird issue are welcome.

It sounds as though your server might have been compromised.

Get another machine of the same bit architecture and perform a fresh install 
of exactly the same OS as your Asterisk box on that.  Install busybox too 
(it's usually there anyway, as it's required for building the initial RAMdisks 
used by most distros for booting).  Using a USB stick (preferably one that 
can be set read-only), copy at least the `ls`, `ps`, `netstat`, `w`, 
`lsattr`, `md5sum`, `cat`, `diff` and `busybox` binaries over (to somewhere 
that isn't /usr/bin/).  Use both the existing installed and the newly-copied 
md5sum and diff to check each system binary against the known-good ones.  You 
can use busybox to replicate commands you haven't copied (but note that 
busybox versions are rather cut-down as compared to the GNU tools you know and 
love.  Come to think of it, they're cut-down as compared to the BSD tools 
everyone replaces with GNU versions once they have a C compiler up and 
running).

Compare /etc/inittab between the two machines.

Many rootkits mess with ext[2-4]fs attributes, presumably to stop you 
overwriting their overwritten system binaries; so use a known good lsattr to 
check the attributes of everything in /bin/, /sbin/, /usr/bin/ and /usr/sbin/ 
-- watch out for anything set immutable.  


Getting rid of the compromise fortunately is reasonably easy, especially if 
your /home folder is on its own partition.  Just ignore that partition during 
reinstallation, edit your /etc/fstab afterwards and reboot -- your original 
/home will be preserved intact.  If not, use systemrescuecd or something 
similar to boot a known-good system.  Use mv to rename /home to a new name. 
Shrink a disk partition and create a new small partition.  Use that for your 
/home during the reinstall.  Then again edit /etc/fstab, unmount /home, mv 
your old /home back to /home and reboot.

-- 
AJS

Note:  Originating address only accepts e-mail from list!  If replying off-
list, change address to asterisk1list at earthshod dot co dot uk .
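The binary-comparison and lsattr checks described in the reply above, as an added example that is not part of the original post: it hashes every file in a known-good reference tree against the suspect tree, flags modified, missing, extra and immutable files, and is meant to be run with the trusted md5sum/lsattr first in PATH. The check_tree and demo_report names and the sample trees are this example's own assumptions.

```sh
#!/bin/sh
# Added example, not from the list post: compare a suspect directory (e.g. /usr/sbin)
# against a known-good copy of the same OS's binaries by md5sum, and flag anything
# carrying the ext[2-4] immutable attribute via lsattr. Put the trusted md5sum and
# lsattr first in PATH before running it on a possibly compromised box.

# check_tree GOOD SUSPECT: prints one line per finding; returns 1 if anything was found.
check_tree() {
  good="$1"; suspect="$2"; rc=0
  for f in "$good"/*; do
    [ -f "$f" ] || continue
    name=$(basename "$f"); s="$suspect/$name"
    if [ ! -e "$s" ]; then
      echo "MISSING   $s"; rc=1; continue      # like the asterisk binary that keeps vanishing
    fi
    if [ "$(md5sum < "$f" | cut -d' ' -f1)" != "$(md5sum < "$s" | cut -d' ' -f1)" ]; then
      echo "MODIFIED  $s"; rc=1
    fi
    # lsattr fails on non-ext filesystems; such a failure is simply skipped here
    if attrs=$(lsattr "$s" 2>/dev/null) && echo "$attrs" | cut -d' ' -f1 | grep -q i; then
      echo "IMMUTABLE $s"; rc=1
    fi
  done
  for f in "$suspect"/*; do                    # binaries present only on the suspect box
    if [ -f "$f" ] && [ ! -e "$good/$(basename "$f")" ]; then
      echo "EXTRA     $f"; rc=1
    fi
  done
  return $rc
}

# demo_report: constructed sample trees in a temp dir (not real system binaries);
# prints the findings and always returns 0 so it is safe under 'set -e'.
demo_report() {
  tmp=$(mktemp -d); mkdir "$tmp/good" "$tmp/suspect"
  printf 'clean ls\n'   > "$tmp/good/ls";   cp "$tmp/good/ls" "$tmp/suspect/ls"
  printf 'clean ps\n'   > "$tmp/good/ps";   printf 'trojaned ps\n' > "$tmp/suspect/ps"
  printf 'clean find\n' > "$tmp/good/find"                 # deleted on the suspect box
  printf 'unknown\n'    > "$tmp/suspect/extra_tool"        # only on the suspect box
  check_tree "$tmp/good" "$tmp/suspect" || true
  rm -rf "$tmp"
}

demo_report
```

Run the real check as `check_tree /mnt/goodroot/usr/sbin /usr/sbin` after mounting the clean install's tree (a hypothetical mount point); it reports nothing and exits 0 when the trees match.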
