[asterisk-users] Strange Issue: asterisk deleted

Antoine Megalla aatef at rocketmail.com
Thu Nov 27 12:30:07 CST 2014


Hi

Thank you for your support.
The server is actually compromised. I discovered that after making a deep trace using the audit daemon and looking for the kill signal (SIGKILL) that terminates asterisk.
I discovered that there is an executable with a random name in the /boot folder that is killing and deleting asterisk !!!

This executable is launched by a service in /etc/rc.d/ with the same random name.
When I stopped this service, a new service was created with another different random name and it too is killing and deleting asterisk.
This was the evidence I needed to be convinced that the server has a virus and is compromised.

The good thing is that this is a fresh install and hence there is no sensitive data or a lot of work done on it, so I will reinstall the OS and start over. The bad thing is that I spent more than 4 days trying to understand what was going on.

Again, thank you for your support.

Regards,
Antoine Megalla

Sent from my iPhone

On Nov 27, 2014, at 8:00 PM, asterisk-users-request at lists.digium.com wrote:

> Today's Topics:
> 
>   1. Re: Strange Issue: asterisk deleted (Antoine Megalla)
>   2. Re: High resident memory with 11.14.0 ? (James Lamanna)
>   3. Re: Strange Issue: asterisk deleted (Chad Wallace)
>   4. Re: Strange Issue: asterisk deleted (Marie Fischer)
>   5. Re: SIP call drops after 32 seconds, but only when.... (Marie Fischer)
>   6. Re: SIP call drops after 32 seconds, but only when.... (Amit Patkar)
>   7. Re: Strange Issue: asterisk deleted (Thorsten Göllner)
>   8. Re: Strange Issue: asterisk deleted (Antoine Megalla)
>   9. Re: Strange Issue: asterisk deleted (A J Stiles)
> 
> 
> ----------------------------------------------------------------------
> 
> Message: 1
> Date: Wed, 26 Nov 2014 22:08:05 +0200
> From: Antoine Megalla <aatef at rocketmail.com>
> To: Thorsten Göllner <tg at ovm-group.com>
> Cc: Asterisk Users Mailing List - Non-Commercial Discussion
>    <asterisk-users at lists.digium.com>
> Subject: Re: [asterisk-users] Strange Issue: asterisk deleted
> Message-ID: <7D5A57FB-657C-439B-9DCB-2790AE9C920D at rocketmail.com>
> Content-Type: text/plain; charset="utf-8"
> 
> Hi,
> 
> I looked for asterisk in /usr/sbin using the commands ls and find and whereis and it was not there.
> 
> I know that the process is killed because when I start asterisk using the command asterisk -vvvvc it starts and then it exits and the word "killed" is written on the console.
> 
> Every time I copy a new executable to /usr/sbin either using the cp command or make install it gets deleted too.
> 
> Now I used the strace command on asterisk and I can clearly see at the end of the strace the line: killed by SIGKILL
> This means that something or someone is actually and purposely killing asterisk, but I do not know what or who is doing that; also I know that I am the only user on the system.
> 
> Again any indicators to solve this very weird issue are welcomed.
> 
> Regards,
> Antoine Megalla
> 
> Sent from my iPhone
> 
> On Nov 26, 2014, at 6:12 PM, Thorsten Göllner <tg at ovm-group.com> wrote:
> 
>> 
>> Am 26.11.2014 11:37, schrieb Antoine Megalla:
>>> Hi,
>>> 
>>> I am struggling with a very strange issue I have been facing for the past week;
>>> I have a fresh install of CENTOS 5.11 and I have installed asterisk 1.8.32 from sources.
>>> The asterisk installation went fine but as soon as I start the asterisk executable it loads everything and then after the "Ready" line the process gets killed and when I try to run it again I get: /usr/sbin/asterisk : command not found
>>> 
>>> I cleaned the source and re-installed asterisk and the same thing happened again !!!
>>> I downloaded asterisk versions 1.4, 11, 12 and compiled them from sources and installed them (make install) and amazingly, the same thing happened to all of them: I do a "make" then "make install" and as soon as I start asterisk the process is killed and the executable removed from /usr/sbin.
>>> 
>>> I tried to look at the asterisk log files but I cannot find a single error in them.
>>> Also if it was really deleted how did bash know that asterisk is supposed to be located in /usr/sbin/asterisk ?
>>> 
>>> I tried to copy the executable myself after compilation (everything done as root) to the /usr/sbin and again if it runs then it is deleted.
>>> 
>>> If someone can explain to me this behavior or advise me on what to check to resolve this issue, then I would be grateful.
>> 
>> Hi,
>> 
>> you write "Also if it was really deleted .." - did you look at it via "ls /usr/sbin/asterisk"?
>> 
>> You compiled asterisk (make / make install) as root I think. Perhaps access rights are not set properly? root is the owner but you try to start the daemon as a "normal" user?
>> 
>> You write "the process is killed". How do you know? Did you get a message on your terminal? Did you take a look at /var/log/syslog?
>> 
>> Best regards
>> -Thorsten-
> 
> ------------------------------
> 
> Message: 2
> Date: Wed, 26 Nov 2014 15:20:06 -0500
> From: James Lamanna <jlamanna at gmail.com>
> To: Asterisk Users Mailing List - Non-Commercial Discussion
>    <asterisk-users at lists.digium.com>
> Subject: Re: [asterisk-users] High resident memory with 11.14.0 ?
> Message-ID:
>    <CADScKLzHeEiZL51Oi=6bc6VCgOoqeRnuOiriw10SP+YC5vFFrw at mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
> 
> On Tue, Nov 25, 2014 at 10:21 AM, James Lamanna <jlamanna at gmail.com> wrote:
> 
>> 
>> On Tue, Nov 25, 2014 at 8:14 AM, Matthew Jordan <mjordan at digium.com>
>> wrote:
>> 
>>> On Mon, Nov 24, 2014 at 2:12 PM, James Lamanna <jlamanna at gmail.com>
>>> wrote:
>>>> Also, how big does the cache in frame.c grow to?
>>>> I've recompiled with MALLOC_DEBUG on that server:
>>>> 
>>>> asterisk -rx "memory show summary"
>>>> 
>>>> ....
>>>> 1780466242 bytes (1780181594 cache) in    2352909 allocations in file
>>>> frame.c
>>>> ...
>>>> 
>>>> Seems like a ridiculous cache.
>>> 
>>> I'm not going to respond to your new thread, since it is the same
>>> discussion as this one.
>>> 
>>> The frame cache is a per-thread local cache of frames that prevents
>>> having to re-allocate frames as they pass through Asterisk. Clearly,
>>> something is abusing it.
>>> 
>>> I think you'll need to provide some more information on how you're
>>> producing this situation. Specifically:
>>> * Channel technologies involved, and the formats on the channels
>>> * Dialplan that reproduces the problem
>>> 
>>> Are you using any non-core dialplan applications or channel drivers?
>> This PBX has about 100 registered SIP clients, along with 23 PRI channels,
>> 2 inbound/outbound SIP trunks and around 100 IAXModems registered to it. It
>> primarily handles faxing.
>> I am not using any non-standard channel drivers. I am using the T.38
>> gateway functionality.
>> 
>> The gist of the dialplan is this: (example of the PRI and a SIP trunk,
>> inbound)
>> 
>> [pri-in]
>> exten => _X.,1,Set(__FROM_DID=${EXTEN})
>> exten => _X.,n,Set(FAX_IDX=700)
>> exten => _X.,n,Set(MAX_IDX=719)
>> exten => _X.,n,Goto(dial-hylafax,s,1)
>> 
>> [sip-trunk-in]
>> exten => _X.,1(normal),Set(__FROM_DID=${EXTEN})
>> exten => _X.,n,Set(FAX_IDX=950)
>> exten => _X.,n,Set(MAX_IDX=959)
>> exten => _X.,n,Set(FAXOPT(gateway)=yes)
>> exten => _X.,n,Goto(dial-hylafax,s,1)
>> 
>> [dial-hylafax]
>> exten => s,1,GotoIf($["${FROM_DID:0:1}" = "1"]?prune:cont)
>> exten => s,n(prune),Set(__FROM_DID=${FROM_DID:1})
>> exten => s,n(cont),GotoIf($[${FAX_IDX} <= ${MAX_IDX}]?tryfax:nofax)
>> exten => s,n(tryfax),Set(STATE=${DEVICE_STATE(Custom:iaxmodem${FAX_IDX})})
>> exten => s,n,NoOp(${STATE})
>> exten => s,n,Set(DEVICE_STATE(Custom:iaxmodem${FAX_IDX})=INUSE)
>> exten => s,n,Dial(IAX2/iaxmodem${FAX_IDX}/${FROM_DID},60,g)
>> exten => s,n,Goto(s-${DIALSTATUS},1)
>> exten => s,n(nofax),Playtones(busy)
>> exten => s,n,NoOp(NO MODEMS AVAILABLE)
>> exten => s,n,Wait(20)
>> exten => s,n,Hangup()
>> exten => s-ANSWER,1,NoOp(IAXMODEM HANGUP)
>> exten => s-ANSWER,n,Set(DEVICE_STATE(Custom:iaxmodem${FAX_IDX})=NOT_INUSE)
>> exten => s-ANSWER,n,Hangup()
>> exten => _s-.,1,Set(FAX_IDX=${MATH(1+${FAX_IDX},i)})
>> exten => _s-.,n,Goto(s,1)
>> exten => h,1,Set(DEVICE_STATE(Custom:iaxmodem${FAX_IDX})=NOT_INUSE)
>> 
>> The current state requires me to restart Asterisk almost every day.
>> I'm also seeing this on a completely different machine after upgrading
>> from Asterisk10 to 11.
> I'm wondering if this is a problem in the SLIN converter?
> I do use SLIN with iaxmodem.
> 
> -- James
> 
> ------------------------------
> 
> Message: 3
> Date: Wed, 26 Nov 2014 14:54:27 -0800
> From: Chad Wallace <cwallace at lodgingcompany.com>
> To: asterisk-users at lists.digium.com
> Subject: Re: [asterisk-users] Strange Issue: asterisk deleted
> Message-ID: <20141126145427.4819c67b at ws78.int.tlc>
> Content-Type: text/plain; charset=US-ASCII
> 
> On Wed, 26 Nov 2014 22:08:05 +0200
> Antoine Megalla <aatef at rocketmail.com> wrote:
> 
>> I looked for asterisk in /usr/sbin using the commands ls and find and
>> whereis and it was not there.
>> 
>> I know that the process is killed because when I start asterisk using
>> the command asterisk -vvvvc it starts and then it exits and the word
>> "killed" is written on the console.
>> 
>> Every time I copy a new executable to /usr/sbin either using the cp
>> command or make install it gets deleted too.
>> 
>> Now I used the strace command on asterisk and I can clearly see at
>> the end of the strace the line: killed by SIGKILL. This means that
>> something or someone is actually and purposely killing asterisk, but I
>> do not know what or who is doing that; also I know that I am the only
>> user on the system.
> 
> I don't know if there's any way to see where the signal comes from.
> But I think it would have to be another process.  Is this a hosted
> machine?  Could it be that your hosting provider doesn't allow
> asterisk?  This would be a good way to enforce that rule.  Otherwise,
> it could be a root kit or a virus.
> 
> Or it could be that you (or someone else) wanted to make sure asterisk
> wasn't running at some point and left "while true; do killall -9
> asterisk; done" running in a shell, and forgot about it.
> 
> You can list all the processes with the command "ps -ef"
> 
> And to see if anyone else (or yourself) is logged in, run "w".  That
> will show every individual session and where they're connected from.
> 
> 
> -- 
> 
> C. Chad Wallace, B.Sc.
> The Lodging Company
> http://www.lodgingcompany.com/
> OpenPGP Public Key ID: 0x262208A0
> 
> 
> 
> 
> ------------------------------
> 
> Message: 4
> Date: Thu, 27 Nov 2014 06:18:19 +0200
> From: Marie Fischer <marie at vtl.ee>
> To: Asterisk Users Mailing List - Non-Commercial Discussion
>    <asterisk-users at lists.digium.com>
> Subject: Re: [asterisk-users] Strange Issue: asterisk deleted
> Message-ID: <7442CB28-9F60-480D-9E8F-D139727DBF76 at vtl.ee>
> Content-Type: text/plain; charset=us-ascii
> 
> 
> On 26.11.2014, at 22:08, Antoine Megalla <aatef at rocketmail.com> wrote:
>>> The asterisk installation went fine but as soon as I start the asterisk executable it loads everything and then after the "Ready" line the process gets killed and when I try to run it again I get: /usr/sbin/asterisk : command not found
>> I looked for asterisk in /usr/sbin using the commands ls and find and whereis and it was not there.
>> 
>> I know that the process is killed because when I start asterisk using the command asterisk -vvvvc it starts and then it exits and the word "killed" is written on the console.
>> 
>> Every time I copy a new executable to /usr/sbin either using the cp command or make install it gets deleted too.
> 
> Interesting problem, I'm quite curious what the cause is.
> 
> Are you 100% sure that the asterisk you are running is in /usr/sbin? Try 'which asterisk' to see what your shell is running and/or start asterisk with a full path as /usr/sbin/asterisk -vvvvc.
> 
> You could also try renaming the binary to find out if indeed something kills Asterisk by name.
> 
> There's a tool called SystemTap which could give you information which process sent the SIGKILL:
> https://sourceware.org/systemtap/
> http://www.percona.com/blog/2014/07/18/systemtap-solves-phantom-mysqld-sigterm-sigkill-issue/
> 
> -- 
> 
> marie
> 
> 
> 
> 
> ------------------------------
> 
> Message: 5
> Date: Thu, 27 Nov 2014 06:31:37 +0200
> From: Marie Fischer <marie at vtl.ee>
> To: Asterisk Users Mailing List - Non-Commercial Discussion
>    <asterisk-users at lists.digium.com>
> Subject: Re: [asterisk-users] SIP call drops after 32 seconds, but only when....
> Message-ID: <CF4F37ED-8DDF-43DC-9E9C-79A292E86FAE at vtl.ee>
> Content-Type: text/plain; charset=windows-1252
> 
> On 22.11.2014, at 13:40, Yves A. <yves030 at gmx.de> wrote:
>> I have a really strange problem which is driving me crazy for days now.
>> 
>> If I register my asterisk (tried all versions from 1.6 up to 13.x) with one sip registrar,
>> everything works... calls go out and call come in... no 32 seconds limit.
>> 
>> but as soon as I configure another sip registration on another server, outgoing
>> calls  drop after 32 seconds.
> 
> Do a 'sip set debug on' and see what they (Asterisk and the registrar) are talking about just before the call drops.
> 
> -- 
> 
> marie
> 
> 
> 
> 
> ------------------------------
> 
> Message: 6
> Date: Thu, 27 Nov 2014 10:49:23 +0530
> From: Amit Patkar <amit at avhan.com>
> To: asterisk-users at lists.digium.com
> Subject: Re: [asterisk-users] SIP call drops after 32 seconds, but only when....
> Message-ID: <5476B45B.4020400 at avhan.com>
> Content-Type: text/plain; charset="iso-8859-1"; Format="flowed"
> 
> Calls drop after 30+ seconds if RTP is not received by asterisk for 30 
> seconds (RTP Timeout).
> You should look for the media IP address in the SDP. If there is a firewall, apart 
> from port UDP/5060, you also need to open ports UDP/10000-UDP/20000 
> (standard RTP ports).
> You should try with RTP debug. It should show bidirectional traffic. If 
> not, you surely have an issue with the media IP or ports.
> 
> *Thanks & Regards,*
> Amit Patkar
> 
> 
> On 11/27/2014 10:01 AM, Marie Fischer wrote:
>> On 22.11.2014, at 13:40, Yves A. <yves030 at gmx.de> wrote:
>>> I have a really strange problem which is driving me crazy for days now.
>>> 
>>> If I register my asterisk (tried all versions from 1.6 up to 13.x) with one sip registrar,
>>> everything works... calls go out and call come in... no 32 seconds limit.
>>> 
>>> but as soon as I configure another sip registration on another server, outgoing
>>> calls  drop after 32 seconds.
>> Do a 'sip set debug on' and see what they (Asterisk and the registrar) are talking about just before the call drops.
> 
> 
> 
> ------------------------------
> 
> Message: 7
> Date: Thu, 27 Nov 2014 10:09:23 +0100
> From: Thorsten Göllner <tg at ovm-group.com>
> To: Antoine Megalla <aatef at rocketmail.com>
> Cc: Asterisk Users Mailing List - Non-Commercial Discussion
>    <asterisk-users at lists.digium.com>
> Subject: Re: [asterisk-users] Strange Issue: asterisk deleted
> Message-ID: <5476EA43.1090008 at ovm-group.com>
> Content-Type: text/plain; charset="utf-8"
> 
> Did you take a look at /var/log/syslog?
> 
> 
> ------------------------------
> 
> Message: 8
> Date: Thu, 27 Nov 2014 11:11:36 +0200
> From: Antoine Megalla <aatef at rocketmail.com>
> To: Thorsten Göllner <tg at ovm-group.com>
> Cc: Asterisk Users Mailing List - Non-Commercial Discussion
>    <asterisk-users at lists.digium.com>
> Subject: Re: [asterisk-users] Strange Issue: asterisk deleted
> Message-ID: <FF950549-B06C-4E2C-9413-AA8FAFFB2E6A at rocketmail.com>
> Content-Type: text/plain; charset="utf-8"
> 
> Yes I did, and there is nothing about asterisk in the /var/log folder.
> 
> I am starting to think that the server is compromised.
> 
> 
> Sent from my iPhone
> 
> 
> ------------------------------
> 
> Message: 9
> Date: Thu, 27 Nov 2014 10:05:44 +0000
> From: A J Stiles <asterisk_list at earthshod.co.uk>
> To: "Asterisk Users Mailing List - Non-Commercial Discussion"
>    <asterisk-users at lists.digium.com>
> Subject: Re: [asterisk-users] Strange Issue: asterisk deleted
> Message-ID: <201411271005.44407.asterisk_list at earthshod.co.uk>
> Content-Type: Text/Plain;  charset="iso-8859-6"
> 
> On Wednesday 26 Nov 2014, Antoine Megalla wrote:
>> Hi,
>> 
>> I looked for asterisk in /usr/sbin using the commands ls and find and
>> whereis and it was not there.
>> 
>> I know that the process is killed because when I start asterisk using the
>> command asterisk -vvvvc it starts and then it exits and the word "killed" is
>> written on the console.
>> 
>> Every time I copy a new executable to /usr/sbin either using the cp command or
>> make install it gets deleted too.
>> 
>> Now I used the strace command on asterisk and I can clearly see at the end
>> of the strace the line: killed by SIGKILL. This means that something or
>> someone is actually and purposely killing asterisk, but I do not know what
>> or who is doing that; also I know that I am the only user on the system.
>> 
>> Again any indicators to solve this very weird issue are welcomed.
> 
> It sounds as though your server might have been compromised.
> 
> Get another machine of the same bit architecture and perform a fresh install 
> of exactly the same OS as your Asterisk box on that.  Install busybox too  
> (it's usually there anyway, as it's required for building the initial RAMdisks 
> used by most distros for booting).  Using a USB stick  (preferably one that 
> can be set read-only),  copy at least the `ls`, `ps`, `netstat`, `w`, 
> `lsattr`, `md5sum`, `cat`, `diff` and `busybox` binaries over  (to somewhere 
> that isn't /usr/bin/).  Use both the existing installed and the newly-copied 
> md5sum and diff to check each system binary against the known-good ones.  You 
> can use busybox to replicate commands you haven't copied  (but note that 
> busybox versions are rather cut-down as compared to the GNU tools you know and 
> love.  Come to think of it, they're cut-down as compared to the BSD tools 
> everyone replaces with GNU versions once they have a C compiler up and 
> running).
> 
> Compare /etc/inittab between the two machines.
> 
> Many rootkits mess with ext[2-4]fs attributes, presumably to stop you 
> overwriting their overwritten system binaries; so use a known good lsattr to 
> check the attributes of everything in /bin/, /sbin/, /usr/bin/ and /usr/sbin/ 
> -- watch out for anything set immutable.  
> 
> 
> Getting rid of the compromise fortunately is reasonably easy, especially if 
> your /home folder is on its own partition.  Just ignore that partition during 
> reinstallation, edit your /etc/fstab afterwards and reboot -- your original 
> /home will be preserved intact.  If not, use systemrescuecd or something 
> similar to boot a known-good system.  Use mv to rename /home to a new name. 
> Shrink a disk partition and create a new small partition.  Use that for your 
> /home during the reinstall.  Then again edit /etc/fstab, unmount /home, mv 
> your old /home back to /home and reboot.
> 
> -- 
> AJS
> 
> Note:  Originating address only accepts e-mail from list!  If replying off-
> list, change address to asterisk1list at earthshod dot co dot uk .
> 
> 
> 
> ------------------------------
> 
> End of asterisk-users Digest, Vol 124, Issue 29
> ***********************************************
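Antoine says above that he found the killer by tracing with the audit daemon, and Marie suggested SystemTap for the same question. The following is an added example, not code from this thread or from the Asterisk project, of what that audit trace looks like in practice: it loads rules for the kill(2) syscall with SIGKILL and a watch on /usr/sbin, then groups raw audit.log records by event serial and reports which pid/exe sent SIGKILL to whom and which process unlinked the asterisk binary. The rule keys, the random /boot name `xkq2ls` and every line of `SAMPLE_LOG` are constructed for illustration; the syscall numbers and audit arch values are the real x86_64 and i386 ones.

```python
"""Audit-log triage: which process sent SIGKILL to asterisk, and which one
unlinked the binary. Added example, not code from the thread or the Asterisk
project. Assumes auditd rules like AUDIT_RULES were loaded; the keys, the
random /boot name and every line of SAMPLE_LOG are constructed."""
import os
import re
from collections import defaultdict

# Rules to load with `auditctl -R <file>` (or append to /etc/audit/audit.rules).
# For kill(2), a0 is the pid and a1 the signal, so a1=9 keeps only SIGKILL.
# The directory watch logs unlink/unlinkat/rename of anything under /usr/sbin.
AUDIT_RULES = """\
-a always,exit -F arch=b64 -S kill -F a1=9 -k asterisk-kill
-a always,exit -F arch=b32 -S kill -F a1=9 -k asterisk-kill
-w /usr/sbin -p wa -k asterisk-unlink
"""

# Syscall numbers are per architecture; audit reports the arch in hex.
SYSCALLS = {
    "c000003e": {"62": "kill", "87": "unlink", "263": "unlinkat"},  # x86_64
    "40000003": {"37": "kill", "10": "unlink", "301": "unlinkat"},  # i386
}
SIGKILL = 9

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
MSG_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')


def parse_record(line):
    """One audit.log line -> dict of its fields (quotes stripped), plus the
    event serial that ties the SYSCALL, CWD and PATH records together."""
    m = MSG_RE.search(line)
    if not m:
        return None
    rec = {"_serial": int(m.group(2)), "_time": float(m.group(1))}
    for key, val in KV_RE.findall(line):
        rec[key] = val.strip('"')
    return rec


def group_events(lines):
    """auditd emits several records per event; join them on the serial."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec is not None:
            events[rec["_serial"]].append(rec)
    return events


def triage(lines, target_basename="asterisk"):
    """One finding per SIGKILL sent by anyone, and per unlink of a file named
    <target_basename>; each names the acting pid, exe, comm and tty."""
    findings = []
    for serial, recs in sorted(group_events(lines).items()):
        sc = next((r for r in recs if r.get("type") == "SYSCALL"), None)
        if sc is None:
            continue
        name = SYSCALLS.get(sc.get("arch"), {}).get(sc.get("syscall"))
        actor = {"serial": serial, "pid": int(sc["pid"]), "exe": sc.get("exe"),
                 "comm": sc.get("comm"), "tty": sc.get("tty")}
        if name == "kill" and int(sc["a1"], 16) == SIGKILL:
            actor.update(action="SIGKILL", target_pid=int(sc["a0"], 16))
            findings.append(actor)
        elif name in ("unlink", "unlinkat"):
            cwd = next((r["cwd"] for r in recs if r.get("type") == "CWD"), "/")
            paths = [r for r in recs if r.get("type") == "PATH"]
            if not paths:
                continue
            # For unlink, item 0 is the parent directory and the last item the file.
            victim = max(paths, key=lambda r: int(r.get("item", "0")))["name"]
            if not victim.startswith("/"):
                victim = os.path.normpath(os.path.join(cwd, victim))
            if os.path.basename(victim) == target_basename:
                actor.update(action="unlink", path=victim)
                findings.append(actor)
    return findings


# Constructed records: the random-named /boot executable SIGKILLs pid 0x1f4a
# and unlinks /usr/sbin/asterisk; the last event is an admin's `kill -15`
# from a terminal (a1=f), which a broader rule would log and which must not
# be reported as a SIGKILL.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1417096207.101:4401): arch=c000003e syscall=62 success=yes exit=0 a0=1f4a a1=9 a2=0 a3=0 items=0 ppid=1 pid=2210 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="xkq2ls" exe="/boot/xkq2ls" key="asterisk-kill"
type=SYSCALL msg=audit(1417096207.230:4402): arch=c000003e syscall=87 success=yes exit=0 a0=7fff1a2b3c40 a1=0 a2=0 a3=0 items=2 ppid=1 pid=2210 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="xkq2ls" exe="/boot/xkq2ls" key="asterisk-unlink"
type=CWD msg=audit(1417096207.230:4402):  cwd="/"
type=PATH msg=audit(1417096207.230:4402): item=0 name="/usr/sbin/" inode=131073 dev=08:02 mode=040755 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1417096207.230:4402): item=1 name="/usr/sbin/asterisk" inode=131900 dev=08:02 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1417096260.005:4410): arch=c000003e syscall=62 success=yes exit=0 a0=1fbe a1=f a2=0 a3=0 items=0 ppid=3001 pid=3002 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="kill" exe="/bin/kill" key=(null)
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG.splitlines()):
        print(finding)
```

On a live box `ausearch -k asterisk-kill -i` prints the same records with syscall names and uids resolved, and `ppid` plus the `exe` path are what lead back to the rc.d script that respawns the dropper under a new name. Two caveats: the kill rule only covers kill(2); tkill(2) and tgkill(2) carry the signal in a1 and a2 respectively and need their own rules, and auditd runs on the kernel of the suspect host, so a kernel-mode rootkit could hide from it. That is why the thread's conclusion, reinstall rather than clean, is the right one even once the killer has a name.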



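A J Stiles' procedure in message 9 (known-good tools on read-only media, hash every system binary against a fresh install of the same OS and architecture, and use a trusted lsattr to catch immutable files) is the right triage, and the same comparison also surfaces the random-named binary Antoine found. The following is an added example, not code from the thread or from any distribution, that performs that comparison: it hashes the checked directories of both trees, classifies every path as modified, missing or unexpected, and parses lsattr output for the i and a flags. It assumes both trees are mounted read-only somewhere readable (the suspect one from rescue media, not from the suspect's own kernel and tools); `build_demo_trees()`, `SAMPLE_LSATTR` and the random name `xkq2ls` are constructed stand-ins.

```python
"""Offline integrity triage of a suspect system's binaries against a
known-good install. Added example, not code from the thread or from any
distribution. Assumes both trees are mounted read-only somewhere (the
suspect one from rescue media); build_demo_trees() and SAMPLE_LSATTR are
constructed stand-ins, including the hypothetical random name xkq2ls."""
import hashlib
import os
import tempfile

CHECKED_DIRS = ("bin", "sbin", "usr/bin", "usr/sbin", "boot")


def hash_tree(root, subdirs=CHECKED_DIRS):
    """sha256 of every regular file below root/<subdir>, keyed by relative path.
    Symlinks are skipped; their targets are hashed under their own path."""
    digests = {}
    for sub in subdirs:
        for dirpath, _, files in os.walk(os.path.join(root, sub)):
            for fn in files:
                full = os.path.join(dirpath, fn)
                if os.path.islink(full) or not os.path.isfile(full):
                    continue
                h = hashlib.sha256()
                with open(full, "rb") as fh:
                    for chunk in iter(lambda: fh.read(1 << 16), b""):
                        h.update(chunk)
                digests[os.path.relpath(full, root)] = h.hexdigest()
    return digests


def compare(known_good, suspect):
    """modified: same path, different content (a replaced system tool);
    missing: on the good box only (here, the deleted asterisk binary);
    unexpected: on the suspect only (a dropped tool with a random name)."""
    return {
        "modified": sorted(p for p in known_good
                           if p in suspect and suspect[p] != known_good[p]),
        "missing": sorted(p for p in known_good if p not in suspect),
        "unexpected": sorted(p for p in suspect if p not in known_good),
    }


def flagged_by_lsattr(lsattr_output, flags="ia"):
    """Paths whose lsattr flag field has i (immutable) or a (append-only) set.
    Feed it the output of a known-good `lsattr -R` over the checked dirs;
    directory headers and blank lines in that output are ignored."""
    hits = []
    for line in lsattr_output.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and any(f in parts[0] for f in flags):
            hits.append(parts[1].strip())
    return hits


def build_demo_trees():
    """Two constructed directory trees standing in for the fresh install and
    the compromised box: the suspect has a replaced ps, no asterisk binary,
    and an extra random-named executable under boot/. Returns (good, suspect)."""
    base = {"bin/ps": b"ELF ps v1", "bin/ls": b"ELF ls v1",
            "usr/sbin/asterisk": b"ELF asterisk 1.8"}
    tampered = {"bin/ps": b"ELF ps trojaned", "usr/sbin/asterisk": None,
                "boot/xkq2ls": b"ELF dropper"}
    roots = []
    for prefix, overrides in (("good-", {}), ("suspect-", tampered)):
        root = tempfile.mkdtemp(prefix=prefix)
        for rel, data in {**base, **overrides}.items():
            if data is None:  # None marks a file that is absent on this tree
                continue
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)
        roots.append(root)
    return tuple(roots)


# Constructed lsattr output: an immutable replaced ps and an immutable,
# append-only dropper, both of which a rootkit sets to resist overwriting.
SAMPLE_LSATTR = """\
-------------e-- /bin/cat
----i--------e-- /bin/ps
-------------e-- /bin/ls
----ia-------e-- /boot/xkq2ls
"""

if __name__ == "__main__":
    good, suspect = build_demo_trees()
    print(compare(hash_tree(good), hash_tree(suspect)))
    print(flagged_by_lsattr(SAMPLE_LSATTR))
```

Expect noise under /boot (the initrd is generated per machine) and in anything the install customises; the signal is the modified entries in /bin and /sbin and the unexpected ones anywhere. sha256 is used rather than the md5sum the message names, and the hashing must run from rescue media: a trojaned `ls`, `md5sum` or `cat` on the suspect host is exactly what the comparison is meant to detect. `rpm -Va` is the in-distro equivalent on CentOS, but it trusts the rpm binary and database on the same host. None of this substitutes for the reinstall the thread settles on; it tells you which indicators to carry forward and which data to preserve.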