HI,

My system has been attacked by someone, I guess; kindly check the link below.

How can I stop the ircd attack?
http://pastebin.com/tbjh5qzP

regards

----- Original Message -----
> HI,
>
> My system has been attacked by someone, I guess; kindly check the link below.
>
> How can I stop the ircd attack?
> http://pastebin.com/tbjh5qzP
>
> regards

Ask on an IRCD list?

--
Thanks,
Phil

On Friday 17 Dec 2010, Khaled W. Chehab wrote:
> HI,
>
> My system has been attacked by someone, I guess; kindly check the link below.
>
> How can I stop the ircd attack?

# /etc/init.d/ircd stop
# chmod -x /etc/init.d/ircd

Should do the business :)

--
AJS

On Fri, 17 Dec 2010, Khaled W. Chehab wrote:
> How can I stop the ircd attack

This isn't an Asterisk issue.

0) Turn off your IRC service.
1) Add some rules to iptables.
2) Investigate fail2ban and see if it is an appropriate response.

--
Thanks in advance,
Steve Edwards    sedwards at sedwards.com

Ircd is not installed and can't be located anywhere on the system. Does anyone know or have an idea how they infect my system?
Any bug in AsteriskNOW?
How to find the script that initiates these invites?

135.307281 192.168.138.56 -> 218.75.79.17 TCP 36578 > ircd [ACK] Seq=36 Ack=111 Win=5840 Len=0
135.307434 192.168.138.56 -> 218.75.79.17 TCP 36578 > ircd [FIN, ACK] Seq=36 Ack=111 Win=5840 Len=0
135.309188 218.75.79.17 -> 192.168.138.56 TCP ircd > 36578 [FIN, ACK] Seq=111 Ack=1 Win=4096 Len=0
135.309211 192.168.138.56 -> 218.75.79.17 TCP 36578 > ircd [ACK] Seq=37 Ack=112 Win=5840 Len=0
135.334037 192.168.138.56 -> 192.168.5.2 DNS Standard query A irc3.mysteryaddict.com
135.334496 192.168.5.2 -> 192.168.138.56 DNS Standard query response A 87.229.45.226
135.334657 192.168.138.56 -> 87.229.45.226 TCP 53718 > ircd [SYN] Seq=0 Win=5840 Len=0 MSS=1460 TSV=1532274 TSER=0 WS=7
135.342359 218.75.79.17 -> 192.168.138.56 TCP ircd > 42802 [SYN, ACK] Seq=0 Ack=1 Win=1460 Len=0 MSS=1380
135.342399 192.168.138.56 -> 218.75.79.17 TCP 42802 > ircd [ACK] Seq=1 Ack=1 Win=5840 Len=0
135.342554 192.168.138.56 -> 218.75.79.17 IRC Request

Regards

-----Original Message-----
From: asterisk-users-bounces at lists.digium.com [mailto:asterisk-users-bounces at lists.digium.com] On Behalf Of A J Stiles
Sent: Friday, December 17, 2010 6:20 PM
To: Asterisk Users Mailing List - Non-Commercial Discussion
Subject: Re: [asterisk-users] Attack problem

On Friday 17 Dec 2010, Khaled W. Chehab wrote:
> HI,
>
> My system has been attacked by someone, I guess; kindly check the link below.
>
> How can I stop the ircd attack?

# /etc/init.d/ircd stop
# chmod -x /etc/init.d/ircd

Should do the business :)

--
AJS

netstat -anp | grep 6667

Best Regards,
Muhammad Nuzaihan Kamal
Network Consultant
Asfa Systems Pte Ltd

On 20-Dec-2010, at 5:40 PM, Khaled W. Chehab wrote:
> Ircd is not installed and can't be located anywhere on the system. Does anyone know or have an idea how they infect my system?
> Any bug in AsteriskNOW?
> How to find the script that initiates these invites?
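
A way to read the capture posted in this thread, as an added example that is not part of any poster's message: the script below parses the one-line packet summaries and reports, for each remote host reached on the `ircd` port, the DNS name that resolved to it, the local source ports used, and whether the handshake shows the local machine opening the connection. The `summarize` function and its regular expressions are written for this example; it assumes, as the `netstat` reply does, that `ircd` is the capture tool's label for TCP port 6667.

```python
import re
from collections import defaultdict

# Lines copied from the capture posted in this thread (one-line packet summaries).
CAPTURE = """\
135.307281 192.168.138.56 -> 218.75.79.17 TCP 36578 > ircd [ACK] Seq=36 Ack=111 Win=5840 Len=0
135.334037 192.168.138.56 -> 192.168.5.2 DNS Standard query A irc3.mysteryaddict.com
135.334496 192.168.5.2 -> 192.168.138.56 DNS Standard query response A 87.229.45.226
135.334657 192.168.138.56 -> 87.229.45.226 TCP 53718 > ircd [SYN] Seq=0 Win=5840 Len=0 MSS=1460
135.342359 218.75.79.17 -> 192.168.138.56 TCP ircd > 42802 [SYN, ACK] Seq=0 Ack=1 Win=1460 Len=0
135.342399 192.168.138.56 -> 218.75.79.17 TCP 42802 > ircd [ACK] Seq=1 Ack=1 Win=5840 Len=0
"""

LINE = re.compile(r"^(\S+)\s+(\S+) -> (\S+)\s+(\S+)\s+(.*)$")   # time, src, dst, proto, info
TCP = re.compile(r"^(\S+) > (\S+) \[([^\]]+)\]")                # sport, dport, flags

def summarize(capture, local_ip, service="ircd"):
    """Map each remote peer on `service` to its DNS names, local ports and direction."""
    peers = defaultdict(lambda: {"names": set(), "local_ports": set(), "initiated_locally": False})
    answers, pending = {}, None   # resolved IP -> name; naive pairing with the latest query
    for raw in capture.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        _, src, dst, proto, info = m.groups()
        if proto == "DNS":
            if info.startswith("Standard query response A ") and pending:
                answers[info.split()[-1]] = pending
            elif info.startswith("Standard query A "):
                pending = info.split()[-1]
            continue
        t = TCP.match(info) if proto == "TCP" else None
        if not t:
            continue
        sport, dport, flags = t.groups()
        if src == local_ip and dport == service:      # local client -> remote IRC port
            peers[dst]["local_ports"].add(int(sport))
            peers[dst]["initiated_locally"] |= flags == "SYN"
        elif dst == local_ip and sport == service:    # reply from the remote IRC port
            peers[src]["local_ports"].add(int(dport))
            peers[src]["initiated_locally"] |= flags == "SYN, ACK"
    for ip, name in answers.items():
        if ip in peers:
            peers[ip]["names"].add(name)
    return dict(peers)

if __name__ == "__main__":
    for ip, p in summarize(CAPTURE, "192.168.138.56").items():
        print(ip, sorted(p["names"]), sorted(p["local_ports"]), p["initiated_locally"])
```

The local ports it reports are the ones to look for in `netstat -anp` output while a connection is open, since that listing pairs each socket with the PID and program name that owns it.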