Hi
Thank you for your support.
The server is actually compromised, I discovered that after making a deep trace
using the audit daemon and looking for the kill signal (SIGKILL) that terminates
asterisk.
I discovered that there is an executable with a random name in the /boot folder
that is killing and deleting asterisk !!!
This executable is launched by a service in /etc/rc.d/ with the same random
name.
When I stopped this service, a new service was created with another different
random name and it too is killing and deleting asterisk.
This was the evidence I needed to be convinced that the server has a virus and
is compromised.
The good thing is that this is a fresh install and hence there is no sensitive
data or a lot of work done on it, so I will reinstall the OS and start over. The
bad thing is that I spent more than 4 days trying to understand what was going
on.
Again, thank you for your support.
Regards,
Antoine Megalla
Sent from my iPhone
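The audit-daemon trace described above, reduced to a script that names the process sending SIGKILL from audit SYSCALL records; this is an added example, not code from the thread. The audit rule, the key name asterisk_watch, and the sample records (with EXAMPLE_rnd standing in for the random executable name) are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: answer "which process sent SIGKILL?"
# from Linux audit records, the approach used to catch the killer above.
#
# Assumed rule (x86_64; the key name is ours):
#   auditctl -a always,exit -F arch=b64 -S kill -S unlink -S unlinkat -k asterisk_watch
# `ausearch -k asterisk_watch` then yields SYSCALL records like the constructed
# ones below. On x86_64, kill(2) is syscall 62 and unlink(2) is 87; a0 is the
# target pid and a1 the signal number, both logged in hex (9 = SIGKILL, f = SIGTERM).

AUDIT_LOG="${TMPDIR:-/tmp}/asterisk_watch_sample.log"

# Constructed sample records. "EXAMPLE_rnd" is a placeholder for the random name.
cat > "$AUDIT_LOG" <<'EOF'
type=SYSCALL msg=audit(1417031285.101:4520): arch=c000003e syscall=62 success=yes exit=0 a0=1a85 a1=f a2=0 a3=0 items=0 ppid=1 pid=2210 uid=0 gid=0 euid=0 comm="init" exe="/sbin/init" key="asterisk_watch"
type=SYSCALL msg=audit(1417031285.123:4521): arch=c000003e syscall=62 success=yes exit=0 a0=1a85 a1=9 a2=0 a3=0 items=0 ppid=1 pid=3127 uid=0 gid=0 euid=0 comm="EXAMPLE_rnd" exe="/boot/EXAMPLE_rnd" key="asterisk_watch"
type=SYSCALL msg=audit(1417031285.124:4522): arch=c000003e syscall=87 success=yes exit=0 a0=7f3a1c00 a1=0 a2=0 a3=0 items=1 ppid=1 pid=3127 uid=0 gid=0 euid=0 comm="EXAMPLE_rnd" exe="/boot/EXAMPLE_rnd" key="asterisk_watch"
type=SYSCALL msg=audit(1417031300.500:4530): arch=c000003e syscall=62 success=yes exit=0 a0=1b2c a1=9 a2=0 a3=0 items=0 ppid=4000 pid=4001 uid=500 gid=500 euid=500 comm="bash" exe="/bin/bash" key="asterisk_watch"
EOF

# Strip the double quotes audit puts around comm= and exe= values.
unquote() { v="${1#\"}"; printf '%s' "${v%\"}"; }

# One line per SIGKILL delivered: "<sender pid> <comm> <exe> -> <target pid>".
# Only SYSCALL records for kill (62) carrying signal 9 are considered.
sigkill_senders() {
    while IFS= read -r line; do
        case "$line" in
            *"type=SYSCALL"*" syscall=62 "*" a1=9 "*) ;;
            *) continue ;;
        esac
        tgt=""; pid=""; comm=""; exe=""
        for tok in $line; do
            case "$tok" in
                a0=*)   tgt="${tok#a0=}" ;;
                pid=*)  pid="${tok#pid=}" ;;
                comm=*) comm="$(unquote "${tok#comm=}")" ;;
                exe=*)  exe="$(unquote "${tok#exe=}")" ;;
            esac
        done
        # a0 is the target pid in hex; convert to decimal for readability.
        printf '%s %s %s -> %d\n' "$pid" "$comm" "$exe" "$((0x$tgt))"
    done < "$1"
}

# Senders whose executable lives outside the usual system binary directories
# (/boot, /tmp, /dev/shm, ...). A legitimate kill of a daemon normally comes
# from init, a shell or a package's own tooling, not from /boot.
suspicious_senders() {
    sigkill_senders "$1" | while read -r pid comm exe rest; do
        case "$exe" in
            /bin/*|/sbin/*|/usr/bin/*|/usr/sbin/*) ;;
            *) printf '%s %s %s\n' "$pid" "$comm" "$exe" ;;
        esac
    done
}

echo "All SIGKILL senders:"; sigkill_senders "$AUDIT_LOG"
echo "Outside system dirs:";  suspicious_senders "$AUDIT_LOG"
```

On a live box, feed the script `ausearch -k asterisk_watch` output in place of the sample file; the matching record's pid is the process to inspect via /proc before the machine is rebuilt.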
On Nov 27, 2014, at 8:00 PM, asterisk-users-request at lists.digium.com wrote:
> Send asterisk-users mailing list submissions to
> asterisk-users at lists.digium.com
>
> To subscribe or unsubscribe via the World Wide Web, visit
> http://lists.digium.com/mailman/listinfo/asterisk-users
> or, via email, send a message with subject or body 'help' to
> asterisk-users-request at lists.digium.com
>
> You can reach the person managing the list at
> asterisk-users-owner at lists.digium.com
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of asterisk-users digest..."
>
>
> Today's Topics:
>
> 1. Re: Strange Issue: asterisk deleted (Antoine Megalla)
> 2. Re: High resident memory with 11.14.0 ? (James Lamanna)
> 3. Re: Strange Issue: asterisk deleted (Chad Wallace)
> 4. Re: Strange Issue: asterisk deleted (Marie Fischer)
> 5. Re: SIP call drops after 32 seconds, but only when....
> (Marie Fischer)
> 6. Re: SIP call drops after 32 seconds, but only when....
> (Amit Patkar)
> 7. Re: Strange Issue: asterisk deleted (Thorsten Göllner)
> 8. Re: Strange Issue: asterisk deleted (Antoine Megalla)
> 9. Re: Strange Issue: asterisk deleted (A J Stiles)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Wed, 26 Nov 2014 22:08:05 +0200
> From: Antoine Megalla <aatef at rocketmail.com>
> To: Thorsten Göllner <tg at ovm-group.com>
> Cc: Asterisk Users Mailing List - Non-Commercial Discussion
> <asterisk-users at lists.digium.com>
> Subject: Re: [asterisk-users] Strange Issue: asterisk deleted
> Message-ID: <7D5A57FB-657C-439B-9DCB-2790AE9C920D at rocketmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> Hi,
>
> I looked for asterisk in /usr/sbin using the commands ls and find and
> whereis and it was not there.
>
> I know that the process is killed because when I start asterisk using the
> command asterisk -vvvvc it starts and then it exits and the word killed is
> written on the console.
>
> Every time I copy a new executable to /usr/sbin either using cp command or
> make install it gets deleted too.
>
> Now I used the strace command on asterisk and I can clearly see at the end
> of the strace the line : killed by SIGKILL
> This means that something or someone is actually and purposely killing
> asterisk but I do not know what or who is doing that; also I know that I am the
> only user on the system.
>
> Again any indicators to solve this very weird issue are welcomed.
>
> Regards,
> Antoine Megalla
>
> Sent from my iPhone
>
> On Nov 26, 2014, at 6:12 PM, Thorsten Göllner <tg at ovm-group.com>
> wrote:
>
>>
>> On 26.11.2014 11:37, Antoine Megalla wrote:
>>> Hi,
>>>
>>> I am struggling with a very strange issue I have been facing for
>>> the past week;
>>> I have a fresh install of CENTOS 5.11 and I have installed asterisk
>>> 1.8.32 from sources.
>>> The asterisk installation went fine but as soon as I start asterisk
>>> executable it loads everything and then after the "Ready" line the
>>> process gets killed and when I try to run it again I get: /usr/sbin/asterisk :
>>> command not found
>>>
>>> I cleaned the source and re-installed asterisk and again the same
>>> thing happened !!!
>>> I downloaded asterisk versions 1.4, 11, 12 and compiled them from
>>> sources and installed them (make install) and amazingly, the same thing happened
>>> to all of them: I do a "make" then "make install" and as
>>> soon as I start asterisk the process is killed and the executable removed from
>>> /usr/sbin.
>>>
>>> I tried to look at the asterisk log files but I cannot find a single
>>> error in them.
>>> Also if it was really deleted how did bash know that asterisk is
>>> supposed to be located in /usr/sbin/asterisk ?
>>>
>>> I tried to copy the executable myself after compilation (everything
>>> done as root) to the /usr/sbin and again if it runs then it is deleted.
>>>
>>> If someone can explain to me this behavior or advise me on what to
>>> check to resolve this issue, then I would be grateful.
>>
>> Hi,
>>
>> you write "Also if it was really deleted .." - did you look
>> at it via "ls /usr/sbin/asterisk"?
>>
>> You compiled asterisk (make / make install) as root I think. Perhaps
>> access rights are not set properly? root is owner but you try to start the
>> daemon as "normal" user?
>>
>> You write "the process is killed". How do you know? Did you
>> get a message on your terminal? Did you take a look at /var/log/syslog?
>>
>> Best regards
>> -Thorsten-
>
> ------------------------------
>
> Message: 2
> Date: Wed, 26 Nov 2014 15:20:06 -0500
> From: James Lamanna <jlamanna at gmail.com>
> To: Asterisk Users Mailing List - Non-Commercial Discussion
> <asterisk-users at lists.digium.com>
> Subject: Re: [asterisk-users] High resident memory with 11.14.0 ?
> Message-ID: <CADScKLzHeEiZL51Oi=6bc6VCgOoqeRnuOiriw10SP+YC5vFFrw at mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> On Tue, Nov 25, 2014 at 10:21 AM, James Lamanna <jlamanna at gmail.com> wrote:
>
>>
>> On Tue, Nov 25, 2014 at 8:14 AM, Matthew Jordan <mjordan at digium.com>
>> wrote:
>>
>>> On Mon, Nov 24, 2014 at 2:12 PM, James Lamanna <jlamanna at gmail.com>
>>> wrote:
>>>> Also, how big does the cache in frame.c grow to?
>>>> I've recompiled with MALLOC_DEBUG on that server:
>>>>
>>>> asterisk -rx "memory show summary"
>>>>
>>>> ....
>>>> 1780466242 bytes (1780181594 cache) in 2352909 allocations in file
>>>> frame.c
>>>> ...
>>>>
>>>> Seems like a ridiculous cache.
>>>
>>> I'm not going to respond to your new thread, since it is the same
>>> discussion as this one.
>>>
>>> The frame cache is a per-thread local cache of frames that prevents
>>> having to re-allocate frames as they pass through Asterisk. Clearly,
>>> something is abusing it.
>>>
>>> I think you'll need to provide some more information on how you're
>>> producing this situation. Specifically:
>>> * Channel technologies involved, and the formats on the channels
>>> * Dialplan that reproduces the problem
>>>
>>> Are you using any non-core dialplan applications or channel drivers?
>> This PBX has about 100 registered SIP clients, along with 23 PRI channels,
>> 2 inbound/outbound SIP trunks and around 100 IAXModems registered to it. It
>> primarily handles faxing.
>> I am not using any non-standard channel drivers. I am using the T.38
>> gateway functionality.
>>
>> The gist of the dialplan is this: (example of the PRI and a SIP trunk,
>> inbound)
>>
>> [pri-in]
>> exten => _X.,1,Set(__FROM_DID=${EXTEN})
>> exten => _X.,n,Set(FAX_IDX=700)
>> exten => _X.,n,Set(MAX_IDX=719)
>> exten => _X.,n,Goto(dial-hylafax,s,1)
>>
>> [sip-trunk-in]
>> exten => _X.,1(normal),Set(__FROM_DID=${EXTEN})
>> exten => _X.,n,Set(FAX_IDX=950)
>> exten => _X.,n,Set(MAX_IDX=959)
>> exten => _X.,n,Set(FAXOPT(gateway)=yes)
>> exten => _X.,n,Goto(dial-hylafax,s,1)
>>
>> [dial-hylafax]
>> exten => s,1,GotoIf($["${FROM_DID:0:1}" = "1"]?prune:cont)
>> exten => s,n(prune),Set(__FROM_DID=${FROM_DID:1})
>> exten => s,n(cont),GotoIf($[${FAX_IDX} <= ${MAX_IDX}]?tryfax:nofax)
>> exten => s,n(tryfax),Set(STATE=${DEVICE_STATE(Custom:iaxmodem${FAX_IDX})})
>> exten => s,n,NoOp(${STATE})
>> exten => s,n,Set(DEVICE_STATE(Custom:iaxmodem${FAX_IDX})=INUSE)
>> exten => s,n,Dial(IAX2/iaxmodem${FAX_IDX}/${FROM_DID},60,g)
>> exten => s,n,Goto(s-${DIALSTATUS},1)
>> exten => s,n(nofax),Playtones(busy)
>> exten => s,n,NoOp(NO MODEMS AVAILABLE)
>> exten => s,n,Wait(20)
>> exten => s,n,Hangup()
>> exten => s-ANSWER,1,NoOp(IAXMODEM HANGUP)
>> exten => s-ANSWER,n,Set(DEVICE_STATE(Custom:iaxmodem${FAX_IDX})=NOT_INUSE)
>> exten => s-ANSWER,n,Hangup()
>> exten => _s-.,1,Set(FAX_IDX=${MATH(1+${FAX_IDX},i)})
>> exten => _s-.,n,Goto(s,1)
>> exten => h,1,Set(DEVICE_STATE(Custom:iaxmodem${FAX_IDX})=NOT_INUSE)
>>
>> The current state requires me to restart Asterisk almost every day.
>> I'm also seeing this on a completely different machine after upgrading
>> from Asterisk10 to 11.
> I'm wondering if this is a problem in the SLIN converter?
> I do use SLIN with iaxmodem.
>
> -- James
>
> ------------------------------
>
> Message: 3
> Date: Wed, 26 Nov 2014 14:54:27 -0800
> From: Chad Wallace <cwallace at lodgingcompany.com>
> To: asterisk-users at lists.digium.com
> Subject: Re: [asterisk-users] Strange Issue: asterisk deleted
> Message-ID: <20141126145427.4819c67b at ws78.int.tlc>
> Content-Type: text/plain; charset=US-ASCII
>
> On Wed, 26 Nov 2014 22:08:05 +0200
> Antoine Megalla <aatef at rocketmail.com> wrote:
>
>> I looked for asterisk in /usr/sbin using the commands ls and find and
>> whereis and it was not there.
>>
>> I know that the process is killed because when I start asterisk using
>> the command asterisk -vvvvc it starts and then it exits and the word
>> killed is wrote on the console.
>>
>> Ever time I copy a new executable to /usr/sbin either using cp
>> command or make install it gets deleted too.
>>
>> Now I used the strace command on asterisk and I can clearly see at
>> the end of the strace the line : killed by SIGKILL This means that
>> something or someone is actually and purposely killing asterisk but I
>> do not know what or who is doing that also I know that I am the only
>> user on the system.
>
> I don't know if there's any way to see where the signal comes from.
> But I think it would have to be another process. Is this a hosted
> machine? Could it be that your hosting provider doesn't allow
> asterisk? This would be a good way to enforce that rule. Otherwise,
> it could be a root kit or a virus.
>
> Or it could be that you (or someone else) wanted to make sure asterisk
> wasn't running at some point and left "while true; do killall -9
> asterisk; done" running in a shell, and forgot about it.
>
> You can list all the processes with the command "ps -ef"
>
> And to see if anyone else (or yourself) is logged in, run "w". That
> will show every individual session and where they're connected from.
>
>
> --
>
> C. Chad Wallace, B.Sc.
> The Lodging Company
> http://www.lodgingcompany.com/
> OpenPGP Public Key ID: 0x262208A0
>
>
>
>
> ------------------------------
>
> Message: 4
> Date: Thu, 27 Nov 2014 06:18:19 +0200
> From: Marie Fischer <marie at vtl.ee>
> To: Asterisk Users Mailing List - Non-Commercial Discussion
> <asterisk-users at lists.digium.com>
> Subject: Re: [asterisk-users] Strange Issue: asterisk deleted
> Message-ID: <7442CB28-9F60-480D-9E8F-D139727DBF76 at vtl.ee>
> Content-Type: text/plain; charset=us-ascii
>
>
> On 26.11.2014, at 22:08, Antoine Megalla <aatef at rocketmail.com> wrote:
>>> The asterisk installation went fine but as soon as I start asterisk
>>> executable it loads everything and then after the "Ready" line the
>>> process gets killed and when I try to run it again I get: /usr/sbin/asterisk :
>>> command not found
>> I looked for asterisk in /usr/sbin using the commands ls and find and
>> whereis and it was not there.
>>
>> I know that the process is killed because when I start asterisk using
>> the command asterisk -vvvvc it starts and then it exits and the word killed is
>> written on the console.
>>
>> Every time I copy a new executable to /usr/sbin either using cp command
>> or make install it gets deleted too.
>
> Interesting problem, I'm quite curious what the cause is.
>
> Are you 100% sure that the asterisk you are running is in /usr/sbin? Try
> 'which asterisk' to see what your shell is running and/or start asterisk
> with a full path as /usr/sbin/asterisk -vvvvc.
>
> You could also try renaming the binary to find out if indeed something
> kills Asterisk by name.
>
> There's a tool called SystemTap which could give you information which
> process sent the SIGKILL:
> https://sourceware.org/systemtap/
> http://www.percona.com/blog/2014/07/18/systemtap-solves-phantom-mysqld-sigterm-sigkill-issue/
>
> --
>
> marie
>
>
>
>
> ------------------------------
>
> Message: 5
> Date: Thu, 27 Nov 2014 06:31:37 +0200
> From: Marie Fischer <marie at vtl.ee>
> To: Asterisk Users Mailing List - Non-Commercial Discussion
> <asterisk-users at lists.digium.com>
> Subject: Re: [asterisk-users] SIP call drops after 32 seconds, but
> only when....
> Message-ID: <CF4F37ED-8DDF-43DC-9E9C-79A292E86FAE at vtl.ee>
> Content-Type: text/plain; charset=windows-1252
>
> On 22.11.2014, at 13:40, Yves A. <yves030 at gmx.de> wrote:
>> I have a really strange problem which is driving me crazy for days now.
>>
>> If I register my asterisk (tried all versions from 1.6 up to 13.x) with
>> one sip registrar,
>> everything works... calls go out and calls come in... no 32 seconds
>> limit.
>>
>> but as soon as I configure another sip registration on another server,
>> outgoing
>> calls drop after 32 seconds.
>
> Do a 'sip set debug on' and see what they (Asterisk and the
> registrar) are talking about just before the call drops.
>
> --
>
> marie
>
>
>
>
> ------------------------------
>
> Message: 6
> Date: Thu, 27 Nov 2014 10:49:23 +0530
> From: Amit Patkar <amit at avhan.com>
> To: asterisk-users at lists.digium.com
> Subject: Re: [asterisk-users] SIP call drops after 32 seconds, but
> only when....
> Message-ID: <5476B45B.4020400 at avhan.com>
> Content-Type: text/plain; charset="iso-8859-1"; Format="flowed"
>
> Call drop after 30+sec happens if RTP is not received by asterisk for 30
> seconds (RTP Timeout).
> You should look for media IP address in SDP. If there is firewall, apart
> from port UDP/5060, you also need to open port UDP/10000-UDP/20000
> (standard RTP ports)
> You should try with RTP debug. It should show bidirectional traffic. If
> not, you surely have an issue with media IP or ports.
>
> *Thanks & Regards,*
> Amit Patkar
>
>
> On 11/27/2014 10:01 AM, Marie Fischer wrote:
>> On 22.11.2014, at 13:40, Yves A. <yves030 at gmx.de> wrote:
>>> I have a really strange problem which is driving me crazy for days
>>> now.
>>>
>>> If I register my asterisk (tried all versions from 1.6 up to 13.x)
>>> with one sip registrar,
>>> everything works... calls go out and calls come in... no 32 seconds
>>> limit.
>>>
>>> but as soon as I configure another sip registration on another
>>> server, outgoing
>>> calls drop after 32 seconds.
>> Do a 'sip set debug on' and see what they (Asterisk and the
>> registrar) are talking about just before the call drops.
>
>
>
> ------------------------------
>
> Message: 7
> Date: Thu, 27 Nov 2014 10:09:23 +0100
> From: Thorsten Göllner <tg at ovm-group.com>
> To: Antoine Megalla <aatef at rocketmail.com>
> Cc: Asterisk Users Mailing List - Non-Commercial Discussion
> <asterisk-users at lists.digium.com>
> Subject: Re: [asterisk-users] Strange Issue: asterisk deleted
> Message-ID: <5476EA43.1090008 at ovm-group.com>
> Content-Type: text/plain; charset="utf-8"
>
> Did you take a look at /var/log/syslog?
>
> On 26.11.2014 21:08, Antoine Megalla wrote:
>> Hi,
>>
>> I looked for asterisk in /usr/sbin using the commands ls and find and
>> whereis and it was not there.
>>
>> I know that the process is killed because when I start asterisk using
>> the command asterisk -vvvvc it starts and then it exits and the word
>> killed is written on the console.
>>
>> Every time I copy a new executable to /usr/sbin either using cp command
>> or make install it gets deleted too.
>>
>> Now I used the strace command on asterisk and I can clearly see at the
>> end of the strace the line : killed by SIGKILL
>> This means that something or someone is actually and purposely killing
>> asterisk but I do not know what or who is doing that; also I know that
>> I am the only user on the system.
>>
>> Again any indicators to solve this very weird issue are welcomed.
>>
>> Regards,
>> Antoine Megalla
>>
>> Sent from my iPhone
>>
>> On Nov 26, 2014, at 6:12 PM, Thorsten Göllner <tg at ovm-group.com
>> <mailto:tg at ovm-group.com>> wrote:
>>
>>>
>>> On 26.11.2014 11:37, Antoine Megalla wrote:
>>>> Hi,
>>>>
>>>> I am struggling with a very strange issue I have been facing for
>>>> the past week;
>>>> I have a fresh install of CENTOS 5.11 and I have installed asterisk
>>>> 1.8.32 from sources.
>>>> The asterisk installation went fine but as soon as I start asterisk
>>>> executable it loads everything and then after the "Ready" line the
>>>> process gets killed and when I try to run it again I get:
>>>> /usr/sbin/asterisk : command not found
>>>>
>>>> I cleaned the source and re-installed asterisk and again the same
>>>> thing happened !!!
>>>> I downloaded asterisk versions 1.4, 11, 12 and compiled them from
>>>> sources and installed them (make install) and amazingly, the same
>>>> thing happened to all of them: I do a "make" then "make install" and
>>>> as soon as I start asterisk the process is killed and the executable
>>>> removed from /usr/sbin.
>>>>
>>>> I tried to look at the asterisk log files but I cannot find a single
>>>> error in them.
>>>> Also if it was really deleted how did bash know that asterisk is
>>>> supposed to be located in /usr/sbin/asterisk ?
>>>>
>>>> I tried to copy the executable myself after compilation (everything
>>>> done as root) to the /usr/sbin and again if it runs then it is deleted.
>>>>
>>>> If someone can explain to me this behavior or advise me on what to
>>>> check to resolve this issue, then I would be grateful.
>>>
>>> Hi,
>>>
>>> you write "Also if it was really deleted .." - did you look at it
>>> via "ls /usr/sbin/asterisk"?
>>>
>>> You compiled asterisk (make / make install) as root I think. Perhaps
>>> access rights are not set properly? root is owner but you try to
>>> start the daemon as "normal" user?
>>>
>>> You write "the process is killed". How do you know? Did you get a
>>> message on your terminal? Did you take a look at /var/log/syslog?
>
>
> ------------------------------
>
> Message: 8
> Date: Thu, 27 Nov 2014 11:11:36 +0200
> From: Antoine Megalla <aatef at rocketmail.com>
> To: Thorsten Göllner <tg at ovm-group.com>
> Cc: Asterisk Users Mailing List - Non-Commercial Discussion
> <asterisk-users at lists.digium.com>
> Subject: Re: [asterisk-users] Strange Issue: asterisk deleted
> Message-ID: <FF950549-B06C-4E2C-9413-AA8FAFFB2E6A at rocketmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> Yes I did, and there is nothing about asterisk in the /var/log folder
>
> I am starting to think that the server is compromised.
>
>
> Sent from my iPhone
>
> On Nov 27, 2014, at 11:09 AM, Thorsten Göllner <tg at ovm-group.com>
> wrote:
>
>> Did you take a look at /var/log/syslog?
>>
>> On 26.11.2014 21:08, Antoine Megalla wrote:
>>> Hi,
>>>
>>> I looked for asterisk in /usr/sbin using the commands ls and find
>>> and whereis and it was not there.
>>>
>>> I know that the process is killed because when I start asterisk
>>> using the command asterisk -vvvvc it starts and then it exits and the word
>>> killed is written on the console.
>>>
>>> Every time I copy a new executable to /usr/sbin either using cp
>>> command or make install it gets deleted too.
>>>
>>> Now I used the strace command on asterisk and I can clearly see at
>>> the end of the strace the line : killed by SIGKILL
>>> This means that something or someone is actually and purposely
>>> killing asterisk but I do not know what or who is doing that; also I know that I
>>> am the only user on the system.
>>>
>>> Again any indicators to solve this very weird issue are welcomed.
>>>
>>> Regards,
>>> Antoine Megalla
>>>
>>> Sent from my iPhone
>>>
>>> On Nov 26, 2014, at 6:12 PM, Thorsten Göllner <tg at ovm-group.com> wrote:
>>>
>>>>
>>>> On 26.11.2014 11:37, Antoine Megalla wrote:
>>>>> Hi,
>>>>>
>>>>> I am struggling with a very strange issue I have been
>>>>> facing for the past week;
>>>>> I have a fresh install of CENTOS 5.11 and I have installed
>>>>> asterisk 1.8.32 from sources.
>>>>> The asterisk installation went fine but as soon as I start
>>>>> asterisk executable it loads everything and then after the "Ready"
>>>>> line the process gets killed and when I try to run it again I get:
>>>>> /usr/sbin/asterisk : command not found
>>>>>
>>>>> I cleaned the source and re-installed asterisk and again
>>>>> the same thing happened !!!
>>>>> I downloaded asterisk versions 1.4, 11, 12 and compiled
>>>>> them from sources and installed them (make install) and amazingly, the same
>>>>> thing happened to all of them: I do a "make" then "make
>>>>> install" and as soon as I start asterisk the process is killed and the
>>>>> executable removed from /usr/sbin.
>>>>>
>>>>> I tried to look at the asterisk log files but I cannot find
>>>>> a single error in them.
>>>>> Also if it was really deleted how did bash know that
>>>>> asterisk is supposed to be located in /usr/sbin/asterisk ?
>>>>>
>>>>> I tried to copy the executable myself after compilation
>>>>> (everything done as root) to the /usr/sbin and again if it runs then it is
>>>>> deleted.
>>>>>
>>>>> If someone can explain to me this behavior or advise me on
>>>>> what to check to resolve this issue, then I would be grateful.
>>>>
>>>> Hi,
>>>>
>>>> you write "Also if it was really deleted .." - did
>>>> you look at it via "ls /usr/sbin/asterisk"?
>>>>
>>>> You compiled asterisk (make / make install) as root I think.
>>>> Perhaps access rights are not set properly? root is owner but you try to start
>>>> the daemon as "normal" user?
>>>>
>>>> You write "the process is killed". How do you know?
>>>> Did you get a message on your terminal? Did you take a look at /var/log/syslog?
>
> ------------------------------
>
> Message: 9
> Date: Thu, 27 Nov 2014 10:05:44 +0000
> From: A J Stiles <asterisk_list at earthshod.co.uk>
> To: "Asterisk Users Mailing List - Non-Commercial Discussion"
> <asterisk-users at lists.digium.com>
> Subject: Re: [asterisk-users] Strange Issue: asterisk deleted
> Message-ID: <201411271005.44407.asterisk_list at earthshod.co.uk>
> Content-Type: Text/Plain; charset="iso-8859-6"
>
> On Wednesday 26 Nov 2014, Antoine Megalla wrote:
>> Hi,
>>
>> I looked for asterisk in /usr/sbin using the commands ls and find and
>> whereis and it was not there.
>>
>> I know that the process is killed because when I start asterisk using the
>> command asterisk -vvvvc it starts and then it exits and the word killed is
>> written on the console.
>>
>> Every time I copy a new executable to /usr/sbin either using cp command or
>> make install it gets deleted too.
>>
>> Now I used the strace command on asterisk and I can clearly see at the end
>> of the strace the line : killed by SIGKILL This means that something or
>> someone is actually and purposely killing asterisk but I do not know what
>> or who is doing that; also I know that I am the only user on the system.
>>
>> Again any indicators to solve this very weird issue are welcomed.
>
> It sounds as though your server might have been compromised.
>
> Get another machine of the same bit architecture and perform a fresh install
> of exactly the same OS as your Asterisk box on that. Install busybox too
> (it's usually there anyway, as it's required for building the initial RAMdisks
> used by most distros for booting). Using a USB stick (preferably one that
> can be set read-only), copy at least the `ls`, `ps`, `netstat`, `w`,
> `lsattr`, `md5sum`, `cat`, `diff` and `busybox` binaries over (to somewhere
> that isn't /usr/bin/). Use both the existing installed and the newly-copied
> md5sum and diff to check each system binary against the known-good ones. You
> can use busybox to replicate commands you haven't copied (but note that
> busybox versions are rather cut-down as compared to the GNU tools you know and
> love. Come to think of it, they're cut-down as compared to the BSD tools
> everyone replaces with GNU versions once they have a C compiler up and
> running).
>
> Compare /etc/inittab between the two machines.
>
> Many rootkits mess with ext[2-4]fs attributes, presumably to stop you
> overwriting their overwritten system binaries; so use a known good lsattr to
> check the attributes of everything in /bin/, /sbin/, /usr/bin/ and /usr/sbin/
> -- watch out for anything set immutable.
>
>
> Getting rid of the compromise fortunately is reasonably easy, especially if
> your /home folder is on its own partition. Just ignore that partition during
> reinstallation, edit your /etc/fstab afterwards and reboot -- your original
> /home will be preserved intact. If not, use systemrescuecd or something
> similar to boot a known-good system. Use mv to rename /home to a new name.
> Shrink a disk partition and create a new small partition. Use that for your
> /home during the reinstall. Then again edit /etc/fstab, unmount /home, mv
> your old /home back to /home and reboot.
>
> --
> AJS
>
> Note: Originating address only accepts e-mail from list! If replying off-
> list, change address to asterisk1list at earthshod dot co dot uk .
>
>
>
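The integrity checks in the message above, as an added example that is not A J Stiles' or the list's code: it compares a suspect box's md5sum manifest against a known-good one and flags immutable or append-only attributes in lsattr output. Both manifests, the lsattr output (dummy hashes) and the placeholder name EXAMPLE_unknown are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: the two checks described above,
# (1) compare every system binary against a known-good manifest and
# (2) hunt for the ext2/3/4 immutable / append-only attributes a rootkit
# sets to protect its replacements.
#
# In the field, build the manifests with the *copied* md5sum on each box:
#   md5sum /bin/* /sbin/* /usr/bin/* /usr/sbin/* > /mnt/usb/known_good.md5
# and capture attributes with the copied lsattr:
#   lsattr /bin/* /sbin/* /usr/bin/* /usr/sbin/* > /mnt/usb/suspect_lsattr.txt
# Here all three files are constructed inline (dummy hashes) so this runs offline.

KNOWN_GOOD="${TMPDIR:-/tmp}/known_good.md5"
SUSPECT="${TMPDIR:-/tmp}/suspect.md5"
LSATTR_OUT="${TMPDIR:-/tmp}/suspect_lsattr.txt"

# Constructed known-good manifest (from the clean machine).
cat > "$KNOWN_GOOD" <<'EOF'
11111111111111111111111111111111  /bin/ls
22222222222222222222222222222222  /bin/netstat
33333333333333333333333333333333  /usr/bin/ps
44444444444444444444444444444444  /usr/bin/w
55555555555555555555555555555555  /usr/bin/lsattr
66666666666666666666666666666666  /usr/sbin/asterisk
EOF

# Constructed suspect manifest: ps and lsattr differ, asterisk is gone and an
# unknown binary has appeared (EXAMPLE_unknown is a placeholder name).
cat > "$SUSPECT" <<'EOF'
11111111111111111111111111111111  /bin/ls
22222222222222222222222222222222  /bin/netstat
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa  /usr/bin/ps
44444444444444444444444444444444  /usr/bin/w
bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb  /usr/bin/lsattr
cccccccccccccccccccccccccccccccc  /usr/sbin/EXAMPLE_unknown
EOF

# Constructed lsattr output: 'i' = immutable, 'a' = append-only.
cat > "$LSATTR_OUT" <<'EOF'
-------------e-- /bin/ls
-------------e-- /bin/netstat
----i--------e-- /usr/bin/ps
-----a-------e-- /usr/bin/w
----i--------e-- /usr/bin/lsattr
EOF

# Report MODIFIED (hash differs), MISSING (only in the known-good manifest)
# and EXTRA (only on the suspect box). Output is sorted for stable reading.
compare_manifests() {
    awk 'NR == FNR { good[$2] = $1; next }
         {
             seen[$2] = 1
             if (!($2 in good))       printf "EXTRA    %s\n", $2
             else if (good[$2] != $1) printf "MODIFIED %s\n", $2
         }
         END { for (p in good) if (!(p in seen)) printf "MISSING  %s\n", p }' \
        "$1" "$2" | LC_ALL=C sort
}

# Anything immutable or append-only under the system binary directories is
# worth a hard look; a stock install does not set these flags on binaries.
locked_files() {
    awk 'index($1, "i") { printf "IMMUTABLE   %s\n", $2 }
         index($1, "a") { printf "APPEND-ONLY %s\n", $2 }' "$1"
}

echo "Manifest comparison:"; compare_manifests "$KNOWN_GOOD" "$SUSPECT"
echo "Locked attributes:";   locked_files "$LSATTR_OUT"
```

The MODIFIED hits on ps and lsattr are exactly why the message insists on running copied, known-good binaries: a replaced lsattr or md5sum would hide its own tampering.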
> ------------------------------
>
> End of asterisk-users Digest, Vol 124, Issue 29
> ***********************************************