[asterisk-users] Asterisk executable suddenly about 40KB larger - modules not working
A J Stiles
asterisk_list at earthshod.co.uk
Wed Jan 7 07:02:14 CST 2015
On Wednesday 07 Jan 2015, Stefan Viljoen wrote:
> Hi all
>
> I have a strange issue with 1.8.11.0 on a production Asterisk machine at
> our head office, and the same issue with a production machine at a branch
> office.
>
> Every now and then, on the head office machine, ODBC CEL and CDR logging
> will stop working. On examination in the CLI, Asterisk behaves as if the
> config files for ODBC in the /etc directory are just gone.
>
> Repeated tests have then proved that the config files
> (/etc/asterisk/res_odbc.conf, /etc/asterisk/res_pgsql.conf, etc.) ARE in
> /etc/asterisk folder and are readable and have the correct contents, and
> are NOT gone.
>
> Checking further, I discovered that in both situations, the asterisk
> executable in /usr/sbin grew by about 40KB compared to its size just after
> being compiled...

This sounds suspiciously as though you have some kind of rootkit-like
infection, which probably is trying to make calls at your expense, and
without even doing you the courtesy of recording the fact of them being made
in the usual database.

You are going to need to get your hands dirty, tracing system operations ...
You want to look for a write to /usr/sbin/asterisk.

--
AJS
Note: Originating address only accepts e-mail from list! If replying off-
list, change address to asterisk1list at earthshod dot co dot uk .
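
The symptom in this thread is a binary that no longer matches its size at install time. As an added example (not part of the original message or of Asterisk), the script below records a size and SHA-256 baseline for a file and later reports drift; the function names, baseline file and audit key are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Paths and file names are assumptions.
# A compromised host can lie about file contents, so keep the baseline
# off-host and, if a rootkit is suspected, run the check from trusted media.

# fingerprint FILE -> prints "<size-in-bytes> <sha256>"
fingerprint() {
    [ -r "$1" ] || return 2
    size=$(wc -c < "$1" | tr -d ' ')
    hash=$(sha256sum "$1" | cut -d' ' -f1)
    printf '%s %s\n' "$size" "$hash"
}

# record_baseline FILE BASELINE: run once, right after "make install"
record_baseline() {
    fingerprint "$1" > "$2"
}

# check_baseline FILE BASELINE
# returns 0 = unchanged, 1 = changed (prints size delta), 2 = error
check_baseline() {
    file=$1
    baseline=$2
    [ -r "$file" ] && [ -r "$baseline" ] || { echo "ERROR unreadable: $file or $baseline"; return 2; }
    read -r old_size old_hash < "$baseline"
    now=$(fingerprint "$file") || return 2
    new_size=${now%% *}
    new_hash=${now#* }
    if [ "$new_hash" = "$old_hash" ]; then
        echo "OK $file"
        return 0
    fi
    echo "CHANGED $file size_delta=$((new_size - old_size)) sha256=$new_hash"
    return 1
}

# To learn which process performs the write (assumes auditd is installed):
#   auditctl -w /usr/sbin/asterisk -p wa -k asterisk-bin
#   ausearch -k asterisk-bin

# Usage: script record|check FILE BASELINE
case "${1:-}" in
    record) record_baseline "$2" "$3" ;;
    check)  check_baseline "$2" "$3" ;;
esac
```

Run `check` from cron and alert on a non-zero exit status; the audit watch then attributes the write to a process and user.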