Hi,

I looked for asterisk in /usr/sbin using the commands ls and find and whereis and it was not there.

I know that the process is killed because when I start asterisk using the command asterisk -vvvvc it starts and then it exits and the word "killed" is written on the console.

Every time I copy a new executable to /usr/sbin, either using the cp command or make install, it gets deleted too.

Now I used the strace command on asterisk and I can clearly see at the end of the strace the line: killed by SIGKILL. This means that something or someone is actually and purposely killing asterisk, but I do not know what or who is doing that; also I know that I am the only user on the system.

Again, any indicators to solve this very weird issue are welcomed.

Regards,
Antoine Megalla

Sent from my iPhone

On Nov 26, 2014, at 6:12 PM, Thorsten Göllner <tg at ovm-group.com> wrote:

> On 26.11.2014 11:37, Antoine Megalla wrote:
>> Hi,
>>
>> I am struggling with a very strange issue I have been facing for the past week;
>> I have a fresh install of CENTOS 5.11 and I have installed asterisk 1.8.32 from sources.
>> The asterisk installation went fine, but as soon as I start the asterisk executable it loads everything and then, after the "Ready" line, the process gets killed, and when I try to run it again I get: /usr/sbin/asterisk : command not found
>>
>> I cleaned the source and re-installed asterisk and again the same thing happened again!!!
>> I downloaded asterisk versions 1.4, 11, 12 and compiled them from sources and installed them (make install) and, amazingly, the same thing happened to all of them: I do a "make" then "make install" and as soon as I start asterisk the process is killed and the executable removed from /usr/sbin.
>>
>> I tried to look at the asterisk log files but I cannot find a single error in them.
>> Also, if it was really deleted, how did bash know that asterisk is supposed to be located in /usr/sbin/asterisk?
>>
>> I tried to copy the executable myself after compilation (everything done as root) to /usr/sbin and again, if it runs, then it is deleted.
>>
>> If someone can explain this behavior to me or advise me on what to check to resolve this issue, I would be grateful.
>
> Hi,
>
> you write "Also if it was really deleted .." - did you look at it via "ls /usr/sbin/asterisk"?
>
> You compiled asterisk (make / make install) as root, I think. Perhaps access rights are not set properly? root is owner but you try to start the daemon as "normal" user?
>
> You write "the process is killed". How do you know? Did you get a message on your terminal? Did you take a look at /var/log/syslog?
>
> Best regards
> -Thorsten
On Wed, 26 Nov 2014 22:08:05 +0200 Antoine Megalla <aatef at rocketmail.com> wrote:

> I looked for asterisk in /usr/sbin using the commands ls and find and
> whereis and it was not there.
>
> I know that the process is killed because when I start asterisk using
> the command asterisk -vvvvc it starts and then it exits and the word
> "killed" is written on the console.
>
> Every time I copy a new executable to /usr/sbin, either using the cp
> command or make install, it gets deleted too.
>
> Now I used the strace command on asterisk and I can clearly see at
> the end of the strace the line: killed by SIGKILL. This means that
> something or someone is actually and purposely killing asterisk, but I
> do not know what or who is doing that; also I know that I am the only
> user on the system.

I don't know if there's any way to see where the signal comes from. But I think it would have to be another process.

Is this a hosted machine? Could it be that your hosting provider doesn't allow asterisk? This would be a good way to enforce that rule.

Otherwise, it could be a root kit or a virus. Or it could be that you (or someone else) wanted to make sure asterisk wasn't running at some point and left "while true; do killall -9 asterisk; done" running in a shell, and forgot about it.

You can list all the processes with the command "ps -ef". And to see if anyone else (or yourself) is logged in, run "w". That will show every individual session and where they're connected from.

--
C. Chad Wallace, B.Sc.
The Lodging Company
http://www.lodgingcompany.com/
OpenPGP Public Key ID: 0x262208A0
On 26.11.2014, at 22:08, Antoine Megalla <aatef at rocketmail.com> wrote:

>> The asterisk installation went fine, but as soon as I start the asterisk executable it loads everything and then, after the "Ready" line, the process gets killed, and when I try to run it again I get: /usr/sbin/asterisk : command not found
>>
> I looked for asterisk in /usr/sbin using the commands ls and find and whereis and it was not there.
>
> I know that the process is killed because when I start asterisk using the command asterisk -vvvvc it starts and then it exits and the word "killed" is written on the console.
>
> Every time I copy a new executable to /usr/sbin, either using the cp command or make install, it gets deleted too.

Interesting problem, I'm quite curious what the cause is.

Are you 100% sure that the asterisk you are running is in /usr/sbin? Try 'which asterisk' to see what your shell is running and/or start asterisk with a full path as /usr/sbin/asterisk -vvvvc.

You could also try renaming the binary to find out if indeed something kills Asterisk by name.

There's a tool called SystemTap which could give you information on which process sent the SIGKILL:

https://sourceware.org/systemtap/
http://www.percona.com/blog/2014/07/18/systemtap-solves-phantom-mysqld-sigterm-sigkill-issue/

--
marie
Did you take a look at /var/log/syslog?

On 26.11.2014 21:08, Antoine Megalla wrote:
> Hi,
>
> I looked for asterisk in /usr/sbin using the commands ls and find and
> whereis and it was not there.
>
> I know that the process is killed because when I start asterisk using
> the command asterisk -vvvvc it starts and then it exits and the word
> "killed" is written on the console.
>
> Every time I copy a new executable to /usr/sbin, either using the cp command
> or make install, it gets deleted too.
>
> Now I used the strace command on asterisk and I can clearly see at the
> end of the strace the line: killed by SIGKILL
> This means that something or someone is actually and purposely killing
> asterisk, but I do not know what or who is doing that; also I know that
> I am the only user on the system.
>
> Again, any indicators to solve this very weird issue are welcomed.
>
> Regards,
> Antoine Megalla
>
> Sent from my iPhone
>
> On Nov 26, 2014, at 6:12 PM, Thorsten Göllner <tg at ovm-group.com
> <mailto:tg at ovm-group.com>> wrote:
>
>>
>> On 26.11.2014 11:37, Antoine Megalla wrote:
>>> Hi,
>>>
>>> I am struggling with a very strange issue I have been facing for
>>> the past week;
>>> I have a fresh install of CENTOS 5.11 and I have installed asterisk
>>> 1.8.32 from sources.
>>> The asterisk installation went fine, but as soon as I start the asterisk
>>> executable it loads everything and then, after the "Ready" line, the
>>> process gets killed, and when I try to run it again I get:
>>> /usr/sbin/asterisk : command not found
>>>
>>> I cleaned the source and re-installed asterisk and again the same
>>> thing happened again!!!
>>> I downloaded asterisk versions 1.4, 11, 12 and compiled them from
>>> sources and installed them (make install) and, amazingly, the same
>>> thing happened to all of them: I do a "make" then "make install" and
>>> as soon as I start asterisk the process is killed and the executable
>>> removed from /usr/sbin.
>>>
>>> I tried to look at the asterisk log files but I cannot find a single
>>> error in them.
>>> Also, if it was really deleted, how did bash know that asterisk is
>>> supposed to be located in /usr/sbin/asterisk?
>>>
>>> I tried to copy the executable myself after compilation (everything
>>> done as root) to /usr/sbin and again, if it runs, then it is deleted.
>>>
>>> If someone can explain this behavior to me or advise me on what to
>>> check to resolve this issue, I would be grateful.
>>>
>>
>> Hi,
>>
>> you write "Also if it was really deleted .." - did you look at it
>> via "ls /usr/sbin/asterisk"?
>>
>> You compiled asterisk (make / make install) as root, I think. Perhaps
>> access rights are not set properly? root is owner but you try to
>> start the daemon as "normal" user?
>>
>> You write "the process is killed". How do you know? Did you get a
>> message on your terminal? Did you take a look at /var/log/syslog?
Yes I did, and there is nothing about asterisk in the /var/log folder. I am starting to think that the server is compromised.

Sent from my iPhone

On Nov 27, 2014, at 11:09 AM, Thorsten Göllner <tg at ovm-group.com> wrote:

> Did you take a look at /var/log/syslog?
>
> On 26.11.2014 21:08, Antoine Megalla wrote:
>> Hi,
>>
>> I looked for asterisk in /usr/sbin using the commands ls and find and whereis and it was not there.
>>
>> I know that the process is killed because when I start asterisk using the command asterisk -vvvvc it starts and then it exits and the word "killed" is written on the console.
>>
>> Every time I copy a new executable to /usr/sbin, either using the cp command or make install, it gets deleted too.
>>
>> Now I used the strace command on asterisk and I can clearly see at the end of the strace the line: killed by SIGKILL
>> This means that something or someone is actually and purposely killing asterisk, but I do not know what or who is doing that; also I know that I am the only user on the system.
>>
>> Again, any indicators to solve this very weird issue are welcomed.
>>
>> Regards,
>> Antoine Megalla
>>
>> Sent from my iPhone
>>
>> On Nov 26, 2014, at 6:12 PM, Thorsten Göllner <tg at ovm-group.com> wrote:
>>
>>>
>>> On 26.11.2014 11:37, Antoine Megalla wrote:
>>>> Hi,
>>>>
>>>> I am struggling with a very strange issue I have been facing for the past week;
>>>> I have a fresh install of CENTOS 5.11 and I have installed asterisk 1.8.32 from sources.
>>>> The asterisk installation went fine, but as soon as I start the asterisk executable it loads everything and then, after the "Ready" line, the process gets killed, and when I try to run it again I get: /usr/sbin/asterisk : command not found
>>>>
>>>> I cleaned the source and re-installed asterisk and again the same thing happened again!!!
>>>> I downloaded asterisk versions 1.4, 11, 12 and compiled them from sources and installed them (make install) and, amazingly, the same thing happened to all of them: I do a "make" then "make install" and as soon as I start asterisk the process is killed and the executable removed from /usr/sbin.
>>>>
>>>> I tried to look at the asterisk log files but I cannot find a single error in them.
>>>> Also, if it was really deleted, how did bash know that asterisk is supposed to be located in /usr/sbin/asterisk?
>>>>
>>>> I tried to copy the executable myself after compilation (everything done as root) to /usr/sbin and again, if it runs, then it is deleted.
>>>>
>>>> If someone can explain this behavior to me or advise me on what to check to resolve this issue, I would be grateful.
>>>
>>> Hi,
>>>
>>> you write "Also if it was really deleted .." - did you look at it via "ls /usr/sbin/asterisk"?
>>>
>>> You compiled asterisk (make / make install) as root, I think. Perhaps access rights are not set properly? root is owner but you try to start the daemon as "normal" user?
>>>
>>> You write "the process is killed". How do you know? Did you get a message on your terminal? Did you take a look at /var/log/syslog?
>
On Wednesday 26 Nov 2014, Antoine Megalla wrote:

> Hi,
>
> I looked for asterisk in /usr/sbin using the commands ls and find and
> whereis and it was not there.
>
> I know that the process is killed because when I start asterisk using the
> command asterisk -vvvvc it starts and then it exits and the word "killed" is
> written on the console.
>
> Every time I copy a new executable to /usr/sbin, either using the cp command or
> make install, it gets deleted too.
>
> Now I used the strace command on asterisk and I can clearly see at the end
> of the strace the line: killed by SIGKILL. This means that something or
> someone is actually and purposely killing asterisk, but I do not know what
> or who is doing that; also I know that I am the only user on the system.
>
> Again, any indicators to solve this very weird issue are welcomed.

It sounds as though your server might have been compromised.

Get another machine of the same bit architecture and perform a fresh install of exactly the same OS as your Asterisk box on that. Install busybox too (it's usually there anyway, as it's required for building the initial RAMdisks used by most distros for booting).

Using a USB stick (preferably one that can be set read-only), copy at least the `ls`, `ps`, `netstat`, `w`, `lsattr`, `md5sum`, `cat`, `diff` and `busybox` binaries over (to somewhere that isn't /usr/bin/). Use both the existing installed and the newly-copied md5sum and diff to check each system binary against the known-good ones. You can use busybox to replicate commands you haven't copied (but note that busybox versions are rather cut-down as compared to the GNU tools you know and love. Come to think of it, they're cut-down as compared to the BSD tools everyone replaces with GNU versions once they have a C compiler up and running).

Compare /etc/inittab between the two machines.

Many rootkits mess with ext[2-4]fs attributes, presumably to stop you overwriting their overwritten system binaries; so use a known good lsattr to check the attributes of everything in /bin/, /sbin/, /usr/bin/ and /usr/sbin/ -- watch out for anything set immutable.

Getting rid of the compromise fortunately is reasonably easy, especially if your /home folder is on its own partition. Just ignore that partition during reinstallation, edit your /etc/fstab afterwards and reboot -- your original /home will be preserved intact.

If not, use systemrescuecd or something similar to boot a known-good system. Use mv to rename /home to a new name. Shrink a disk partition and create a new small partition. Use that for your /home during the reinstall. Then again edit /etc/fstab, unmount /home, mv your old /home back to /home and reboot.

--
AJS

Note: Originating address only accepts e-mail from list! If replying off-list, change address to asterisk1list at earthshod dot co dot uk .
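The two checks recommended above (hash every binary against a known-good copy, and look for the immutable attribute with a trusted lsattr) are easy to get wrong by hand across four directories, so here is an added script that does both. It is not from the thread or from any of the posters; it is an example written for this page. It assumes coreutils (find, sha256sum, awk, sort) and e2fsprogs lsattr are available, uses sha256sum where the reply above uses md5sum (the check is the same, the hash is just stronger), and the LSATTR environment variable is a hypothetical hook so you can point it at the lsattr binary you carried over on the USB stick rather than the one installed on the suspect host.

```shell
#!/bin/sh
# Added example (not from the thread): build a manifest of system binaries on
# a known-good host, verify it on the suspect host, and flag files that carry
# the ext2/3/4 immutable attribute. Assumes coreutils + e2fsprogs lsattr.

# build_manifest DIR... : print "hash  path" for every regular file under DIR...
# Run on the known-good machine; carry the output over on the read-only stick.
build_manifest() {
    find "$@" -type f -exec sha256sum {} + 2>/dev/null | sort -k2
}

# verify_manifest MANIFEST : rehash every path listed in MANIFEST on this host.
# Prints MISMATCH/MISSING lines; returns 1 if anything differs, 0 if all match.
# Run it once with the host's own sha256sum and once with the copied one: a
# trojaned sha256sum that lies about itself will disagree with the clean copy.
verify_manifest() {
    manifest=$1
    status=0
    while read -r sum path; do
        [ -n "$path" ] || continue
        if [ ! -e "$path" ]; then
            printf 'MISSING  %s\n' "$path"
            status=1
        elif [ "$(sha256sum "$path" | cut -d' ' -f1)" != "$sum" ]; then
            printf 'MISMATCH %s\n' "$path"
            status=1
        fi
    done < "$manifest"
    return $status
}

# immutable_from_lsattr : read lsattr output on stdin and print the path of
# every entry whose flag field contains the immutable flag 'i'. lsattr prints
# the flags first ("----i--------e-- /usr/sbin/foo"); lines without a flag
# field (directory headers, error messages) are skipped.
immutable_from_lsattr() {
    awk 'NF >= 2 && $1 ~ /^[-A-Za-z]+$/ && index($1, "i") { sub(/^[^ ]+ +/, ""); print }'
}

# scan_immutable DIR... : run lsattr (the binary named by $LSATTR, hypothetical
# hook for the known-good copy; defaults to the one in PATH) over every regular
# file under DIR... and report the immutable ones.
scan_immutable() {
    find "$@" -type f -exec "${LSATTR:-lsattr}" {} + 2>/dev/null | immutable_from_lsattr
}

case ${1:-} in
    build)     shift; build_manifest "$@" ;;
    verify)    verify_manifest "$2" ;;
    immutable) shift; scan_immutable "$@" ;;
    *)         echo "usage: $0 build DIR... | verify MANIFEST | immutable DIR..." >&2 ;;
esac
```

Typical use: `sh check.sh build /bin /sbin /usr/bin /usr/sbin > manifest.txt` on the clean machine, then on the suspect box `sh check.sh verify manifest.txt` and `LSATTR=/mnt/usb/lsattr sh check.sh immutable /bin /sbin /usr/bin /usr/sbin`. A MISMATCH on a file the distro has not updated, or any immutable entry you did not set yourself, is what the reply above tells you to look for; an empty result proves nothing on its own, since a kernel-level rootkit can lie to every userland tool, which is why the same reply ends with a reinstall.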