Hi everybody,

I'm testing asterisk@home 0.4, looks great so far.

I was working when I was alerted by a beep coming from the * PC... I connected a screen to it and saw that there was a message which looked like:

Message from syslogd@asterisk1 at Thu Feb 10 09:01:00 2005 ...
asterisk1

So I stopped asterisk, typed mail and got a strange mail saying that user xxxx@yahoo.com could not be reached, and the body looked like the result of commands such as ifconfig etc. Unfortunately I don't have the message anymore, but I went to the log and saw this:

Feb 9 20:30:07 asterisk1 sendmail[10088]: j1A1U7mf010088: from=<root@asterisk1.local>, size=329, class=0, nrcpts=1, msgid=<200502100130.j1A1U7Q1010071@asterisk1.local>, proto=ESMTP, daemon=MTA, relay=asterisk1.local [127.0.0.1]
Feb 9 20:30:07 asterisk1 sendmail[10071]: j1A1U7Q1010071: to=paym3now@gmail.com, ctladdr=root (0/0), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=30049, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (j1A1U7mf010088 Message accepted for delivery)
Feb 9 20:30:07 asterisk1 sendmail[10077]: j1A1U7CY010077: to=paym3now@gmail.com, ctladdr=root (0/0), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=30068, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (j1A1U7Ns010089 Message accepted for delivery)
Feb 9 20:30:17 asterisk1 sendmail[10094]: j1A1U7Ns010089: to=<paym3now@gmail.com>, ctladdr=<root@asterisk1.local> (0/0), delay=00:00:10, xdelay=00:00:10, mailer=esmtp, pri=30348, relay=gsmtp171.google.com. [64.233.171.27], dsn=2.0.0, stat=Sent (OK 1107998984)
Feb 9 20:30:17 asterisk1 sendmail[10093]: j1A1U7mf010088: to=<paym3now@gmail.com>, ctladdr=<root@asterisk1.local> (0/0), delay=00:00:10, xdelay=00:00:10, mailer=esmtp, pri=30329, relay=gsmtp171.google.com. [64.233.171.27], dsn=2.0.0, stat=Sent (OK 1107998984)

The thing is, I did not send any message to paym3now@gmail.com nor to somebody at yahoo. Anybody got the same? What can I do?

Thanks,
jl
You've likely been hacked. I have recently had a similar incident where a hacker guessed my root password (MY BAD) and set up an eBay password skimming site. I noticed it when I got similar non-deliverable email messages.

Obviously, first change your password and then look at the /var/www/html directory and see if there are unwelcome pages there. Also be sure to check who is logged in currently. I caught the (*%#@ SOB logged in and bounced the bastard.

For what it's worth, the hacker's IP address was: 81.12.141.150.

Karl Putz
Wow, that's scary. How did they gain access? I'm sitting behind a firewall (MS SBS 2003) with restricted ports but would like to check this can't happen to me.

These are the files I have in /var/www/html:

addressbook amp.png cisco files index.html maint nwebmail
admin _asterisk directory images mainstyle.css meetme panel

Is this all good?

Cheers,
Dean
> The hack came in through ssh.

IMO, your best defence is an extremely strong root password; I am often mortified by looking at my logs and seeing all of the login attempts through SSH.

OT: I am not up on Linux script-kiddie type tools, but I assume that there is a script of some sort that automates SSH probes. Can anyone suggest a good counter, i.e. a honeypot or throttling logon attempts? Yes, I know I can google it, but I'd rather hear the opinion of real Linux experts rather than the "experts" at About.com.
On 10/02/05 15:10 +0100, Jean-Louis curty wrote:
> so I stopped asterisk, typed mail and got a strange mail saying that
> user xxxx@yahoo.com could not be reached and body was like if it was
> the result of commands ifconfig etc
>
> unfortunately I don't have the message anymore but I went to the log
>
> Feb 9 20:30:17 asterisk1 sendmail[10093]: j1A1U7mf010088:
> to=<paym3now@gmail.com>, ctladdr=<root@asterisk1.local> (0/0),
> delay=00:00:10, xdelay=00:00:10, mailer=esmtp, pri=30329,
> relay=gsmtp171.google.com. [64.233.171.27], dsn=2.0.0, stat=Sent (OK
> 1107998984)
>
> the thing is i did not send any message to paym3now@gmail.com nor to
> somebody at yahoo,
>
> anybody got the same ? what can I do ??

There's a chance that you may have been hacked, but the logs you post look more like your mail server is an open relay. What OS/distro are you using, what version, and do you have the latest patches applied? What services are you running?

Look for strange entries with uid 0 in your passwd file. Also check for rootkits with a rootkit checker (chkrootkit.org).

If everything pans out security-wise then the only problem is that your MTA is configured to be an open relay. If that's the case, then you need to fix it right away before you get on umpteen million blackhole lists. Consult the docs and/or community for the MTA that you're using to fix that.

Jason
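Triage of the sendmail lines above, as an added example that is not from the thread: it joins the from= and to= records by queue id and reports, per message, which account handed it in (ctladdr, with its uid) and whether it entered the MTA over loopback or from another host, which is the distinction between the two readings offered here (something running as root on the box versus an open relay). The sample log embeds two of the thread's lines plus constructed ones for contrast; the local domain is assumed to be asterisk1.local.

```python
import re
from collections import OrderedDict

# Constructed sample: the two linked sendmail lines quoted in the thread
# (queue id j1A1U7mf010088) plus two constructed lines for an ordinary
# local delivery, so the classifier has something benign to contrast with.
SAMPLE_LOG = """\
Feb 9 20:30:07 asterisk1 sendmail[10088]: j1A1U7mf010088: from=<root@asterisk1.local>, size=329, class=0, nrcpts=1, msgid=<200502100130.j1A1U7Q1010071@asterisk1.local>, proto=ESMTP, daemon=MTA, relay=asterisk1.local [127.0.0.1]
Feb 9 20:30:17 asterisk1 sendmail[10093]: j1A1U7mf010088: to=<paym3now@gmail.com>, ctladdr=<root@asterisk1.local> (0/0), delay=00:00:10, xdelay=00:00:10, mailer=esmtp, pri=30329, relay=gsmtp171.google.com. [64.233.171.27], dsn=2.0.0, stat=Sent (OK 1107998984)
Feb 9 21:00:00 asterisk1 sendmail[10200]: j1A2000a010200: from=<asterisk@asterisk1.local>, size=120, class=0, nrcpts=1, msgid=<constructed@asterisk1.local>, relay=asterisk@localhost
Feb 9 21:00:00 asterisk1 sendmail[10201]: j1A2000a010200: to=<admin@asterisk1.local>, ctladdr=<asterisk@asterisk1.local> (100/100), delay=00:00:00, xdelay=00:00:00, mailer=local, pri=30120, dsn=2.0.0, stat=Sent
"""

LINE_RE = re.compile(r"sendmail\[\d+\]: (?P<qid>\w+): (?P<rest>.*)$")
ADDR_RE = re.compile(r"^(?:from|to)=<?([^>,\s]*)>?")            # from=<a@b> or to=a@b
CTL_RE = re.compile(r"ctladdr=<?([^>\s,]+)>? \((\d+)/(\d+)\)")  # ctladdr=<who> (uid/gid)
RELAY_RE = re.compile(r"relay=([^,]+)")                         # host that handed it in

def parse_sendmail(text):
    """Join sendmail from=/to= records by queue id into one dict per message."""
    msgs = OrderedDict()
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        rest = m["rest"]
        rec = msgs.setdefault(m["qid"], {"qid": m["qid"], "from": None,
                                          "submit_relay": "", "to": []})
        if rest.startswith("from="):
            rec["from"] = ADDR_RE.match(rest).group(1)
            relay = RELAY_RE.search(rest)
            rec["submit_relay"] = relay.group(1) if relay else ""
        elif rest.startswith("to="):
            ctl = CTL_RE.search(rest)
            rec["to"].append({"addr": ADDR_RE.match(rest).group(1),
                              "ctladdr": ctl.group(1) if ctl else None,
                              "uid": int(ctl.group(2)) if ctl else None})
    return list(msgs.values())

def classify(msg, local_domain):
    """'internal': all recipients local. 'local-user-outbound': handed in over
    loopback by a local account (ctladdr says which; uid 0 is root) and sent
    outside. 'relayed-outbound': handed in by another host and sent outside,
    which is the open-relay pattern."""
    if all(t["addr"].endswith("@" + local_domain) for t in msg["to"]):
        return "internal"
    if "127.0.0.1" in msg["submit_relay"] or "localhost" in msg["submit_relay"]:
        return "local-user-outbound"
    return "relayed-outbound"

def triage(text, local_domain="asterisk1.local"):
    """(qid, verdict, submitting account, uid, external recipients) per message."""
    rows = []
    for msg in parse_sendmail(text):
        ext = [t["addr"] for t in msg["to"] if not t["addr"].endswith("@" + local_domain)]
        first = msg["to"][0] if msg["to"] else {"ctladdr": None, "uid": None}
        rows.append((msg["qid"], classify(msg, local_domain),
                     first["ctladdr"], first["uid"], ext))
    return rows

if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(row)
```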
> IMO, your best defence is leaving ssh's default setting
> which disallows root logins entirely. There's no reason
> for a remote user to ever have to log in as root. Root
> access should be obtained by a logged-in normal user
> using sudo, or su.

I'm not sure what happens when you do a fresh compile and install of OpenSSH, but every distro I've ever worked with (Red Hat, Gentoo, Slackware, Vector, Tao, Yellow Dog, Debian, Knoppix, SuSE, Linspire, FreeBSD, OpenBSD, Darwin, OS X) has allowed root logins via SSH by default. Maybe they're changing that on newer versions of some distros. I dunno.

But yes, make a strong password, and only log in as a normal user. Do sudo's or su's to root once logged in. I can't imagine totally disabling SSH on an Asterisk machine!
Thanks, everyone, for the excellent suggestions. For posterity and for future reference when this thread comes up again, summarizing the best way(s) to defend against SSH logon attempts:

1. Don't allow root through SSH or Telnet; force logon as a regular user and sudo.
2. If you must run SSH or Telnet, run it on a non-obvious port > 1024.
3. Change all default passwords in the system. For example, I run Cyrus-IMAPD on another server and the default in the install of Cyrus is user "CYRUS" and password "CYRUS" - I get at least 5 password attempts per day with that same user/pass combination. (Yes, I changed it!)
4. Restrict originating IPs for SSH to only accept your local subnet or a range of trusted IPs.
5. Use a key-based auth mechanism rather than a password. It's my understanding that the key is never sent, only a hash of the key. The target system compares the hash against its hash of the key, and if it matches, cool.
6. IPSec (or some other VPN), which is quite problematic cross-platform.

Dave McNett wrote:
> IMO, your best defence is leaving ssh's default setting which disallows
> root logins entirely. There's no reason for a remote user to ever have
> to log in as root. Root access should be obtained by a logged-in normal
> user using sudo, or su.

Weird thing is, I never touched the default SSH setting and I log in as root just fine. FC2. Is this documented??

dean collins wrote:
> Colin, how do I find these logs on the asterisk@home install?

Dunno about asterisk@home; on Fedora/RH, you want to examine the file /var/log/secure. Also, a telltale sign of trouble is when you log on as you in SSH, the console will say the last successful logon. If that's not you, or someone you know, then you are in trouble.
>> I'm not sure what happens when you do a fresh compile and
>> install of OpenSSH, but every distro I've ever worked with
>> (Red Hat, Gentoo, Slackware, Vector, Tao, Yellow Dog,
>> Debian, Knoppix, SuSE, Linspire, FreeBSD, OpenBSD, Darwin,
>> OS X) has allowed root logins via SSH by default. Maybe
>> they're changing that on newer versions of some distros.
>> I dunno.
>
> I'll call bullshit on that. I know for a fact that Debian does NOT allow
> root logins except from console. Hell Debian isn't allowing root logins
> from X anymore due to the likelihood for you to try and use root for
> more than administration.

I hesitated before sending this, as I have been flamed before for being a beginner. But I am newish to linux/asterisk, and I am running an ssh server. It is still running with default settings (I don't know yet how/where to change it), and I CAN log on remotely as root. (Haven't figured out how to 'su' yet!)

This is using the Rapid Xorcom v1.0 CD, which I believe (may be wrong) is based on a very recent version of Debian? Perhaps Xorcom have changed the default setting?

-- 
Clive
Email : clive.carter@sbcs.co.uk
Tel : 08444844790
Alt : 08450043366
Fax : 08444844813
SIP : 84416002@voiptalk.org
Mobile : 07031945504
> I'll call bullshit on that. I know for a fact that
> Debian does NOT allow root logins except from
> console. Hell Debian isn't allowing root logins
> from X anymore due to the likelihood for you to
> try and use root for more than administration.

I'm sure that's true nowadays. I haven't played with Debian in years, or Slackware, or FreeBSD. All the others on the list I have messed around with (fairly) recently, and they allow root logins via ssh by default.
> I hesitated before sending this, as I have been flamed before for being a beginner. But
> I am newish to linux/asterisk, and I am running an ssh server. It is still running with default
> settings (I don't know yet how/where to change it), and I CAN log on remotely as root.

Debian: Yes, root login by default:
http://lists.debian.org/debian-ssh/2004/08/msg00043.html

OS X: No, root login is disabled by default:
http://aplawrence.com/Bofcusm/2122.html

Fedora: Yes for SSH, No for Telnet:
http://www.fedoraforum.org/forum/archive/index.php/t-16689.html
https://www.redhat.com/archives/fedora-list/2004-October/msg02866.html

SuSE: Yes, but may be fixed in the default distro (old message):
http://www.linuxsecurity.com/content/view/102955/112/
On Thu, 10 Feb 2005 17:49:23 +0000, Clive Carter <clive.carter@sbcs.co.uk> wrote:
>> I hesitated before sending this, as I have been flamed before for being a beginner. But
>> I am newish to linux/asterisk, and I am running an ssh server. It is still running with default settings (I don't know yet how/where to change it), and I CAN log on remotely as root.
>> (Haven't figured out how to 'su' yet!)
>>
>> This is using the Rapid Xorcom v1.0 CD, which I believe (may be wrong) is based on a very recent version of Debian?
>> Perhaps Xorcom have changed the default setting?
>
> Hey Clive. I thought it was mentioned earlier before in the thread,
> but if not, all you need to do is edit your sshd_config file. In
> Debian, this is located at /etc/ssh/sshd_config, but it could be
> different for other distros. Open that up in a text editor and then
> locate the line that says PermitRootLogin yes, and change that to
> PermitRootLogin no. Save it, and then restart SSH. On Debian, you type
> in /etc/init.d/ssh restart, but on other distros it might be
> different. Note that you'll have to be root to edit that file and
> restart that service.
> --
> Dana

Thanks for that. I did not see it before, and I was afraid to ask in case I got jumped on again!

Thanks again

-- 
Clive
Email : clive.carter@sbcs.co.uk
Tel : 08444844790
Alt : 08450043366
Fax : 08444844813
SIP : 84416002@voiptalk.org
Mobile : 07031945504
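An audit for the six-point checklist posted earlier in the thread and for Dana's PermitRootLogin fix above, as an added example that is not from the thread: it reads an sshd_config the way sshd does (the first occurrence of a keyword wins), reports which checklist items are not in place, and counts failed and accepted logins per source in a /var/log/secure excerpt, which is where the "last login wasn't me" sign shows up. The config fragment and the log lines are constructed; AllowUsers and the "Failed/Accepted password for ... from ... port" line format are OpenSSH's own.

```python
import re
from collections import Counter

# Constructed /etc/ssh/sshd_config fragment with the settings the thread
# argues about still at their permissive values, for the audit to flag.
SAMPLE_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
#PubkeyAuthentication yes
"""

# Constructed /var/log/secure excerpt in the format sshd uses on Fedora/RH.
SAMPLE_SECURE_LOG = """\
Feb 10 09:00:01 asterisk1 sshd[2201]: Failed password for root from 198.51.100.7 port 40122 ssh2
Feb 10 09:00:03 asterisk1 sshd[2203]: Failed password for invalid user cyrus from 198.51.100.7 port 40131 ssh2
Feb 10 09:00:05 asterisk1 sshd[2205]: Failed password for root from 198.51.100.7 port 40140 ssh2
Feb 10 09:12:44 asterisk1 sshd[2240]: Accepted password for root from 198.51.100.7 port 40511 ssh2
Feb 10 10:30:00 asterisk1 sshd[2300]: Accepted publickey for dean from 192.168.1.20 port 51000 ssh2
"""

def parse_sshd_config(text):
    """keyword -> value, keeping the FIRST occurrence, as sshd itself does."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            conf.setdefault(key.lower(), value.strip())
    return conf

def audit_sshd_config(text):
    """Findings for items 1, 2, 4 and 5 of the checklist, in that order."""
    conf = parse_sshd_config(text)
    findings = []
    root = conf.get("permitrootlogin", "unset (distro default applies)")
    if root != "no":
        findings.append("PermitRootLogin is %s: set it to 'no' and use su/sudo" % root)
    if conf.get("port", "22") == "22":
        findings.append("Port 22: consider a non-obvious port above 1024")
    if "allowusers" not in conf:
        findings.append("no AllowUsers: restrict logins to named users, "
                        "optionally as user@host to pin the source")
    if conf.get("passwordauthentication", "yes") != "no":
        findings.append("PasswordAuthentication on: prefer key-based auth")
    return findings

AUTH_RE = re.compile(r"sshd\[\d+\]: (Failed|Accepted) (\w+) for (?:invalid user )?"
                     r"(\S+) from (\S+) port")
def summarize_secure_log(text):
    """Failed attempts per source IP, accepted logins, and sources that did both."""
    failed, accepted = Counter(), []
    for line in text.splitlines():
        m = AUTH_RE.search(line)
        if not m:
            continue
        status, method, user, src = m.groups()
        if status == "Failed":
            failed[src] += 1
        else:
            accepted.append((user, method, src))
    # a source that failed repeatedly and then got in is the one to look at first
    suspicious = sorted({src for _, _, src in accepted if failed[src]})
    return {"failed": dict(failed), "accepted": accepted, "suspicious": suspicious}
```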
Sorry about this. The new version of Asterisk@Home has a message in the install docs warning users to set their root passwords.