I had the system set up to allow http and ssh. The hack came in through ssh.
>-----Original Message-----
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED] Behalf Of Christian Moller
>Sent: Thursday, February 10, 2005 10:39 AM
>To: Asterisk Users Mailing List - Non-Commercial Discussion
>Subject: Re: [Asterisk-Users] [EMAIL PROTECTED] scary log
>
>
>Hi,
>I've also been a little worried about the security. How did they
>connect to your system? Through telnet or what?
>Since I've disabled all such services.
>Best,
>Christian
>
>
>----- Original Message -----
>From: "Karl H. Putz" <[EMAIL PROTECTED]>
>To: "Jean-Louis curty" <[EMAIL PROTECTED]>; "Asterisk Users Mailing List -
>Non-Commercial Discussion" <[email protected]>
>Sent: Thursday, February 10, 2005 4:18 PM
>Subject: RE: [Asterisk-Users] [EMAIL PROTECTED] scary log
>
>
>> You've likely been hacked.
>>
>> I have recently had a similar incident where a hacker guessed my root
>> password (MY BAD) and set up an ebay password skimming site.
>>
>> I noticed it when I got similar non-deliverable email messages.
>>
>> Obviously, first change your password and then look at the /var/www/html
>> directory and see if there are unwelcome pages there. Also be sure to
>> check who is logged in currently. I caught the (*%#@ SOB logged in and
>> bounced the bastard.
>>
>> For what it's worth, the hacker's IP address was: 81.12.141.150.
>>
>>
>> Karl Putz
>>
>>>-----Original Message-----
>>>From: [EMAIL PROTECTED]
>>>[mailto:[EMAIL PROTECTED] Behalf Of Jean-Louis curty
>>>Sent: Thursday, February 10, 2005 9:10 AM
>>>To: Asterisk Users Mailing List - Non-Commercial Discussion
>>>Subject: [Asterisk-Users] [EMAIL PROTECTED] scary log
>>>
>>>
>>>Hi everybody,
>>>
>>>I'm testing [EMAIL PROTECTED] 0.4,
>>>looks great so far
>>>
>>>I was working when I have been alerted by a beep coming from the * pc...
>>>
>>>I connected a screen to it and saw that there was a message which
>>>looked like :
>>>
>>>
>>>Message from [EMAIL PROTECTED] at Thu Feb 10 09:01:00 2005 ...
>>>asterisk1
>>>
>>>
>>>
>>>so I stopped asterisk, typed mail and got a strange mail saying that
>>>user [EMAIL PROTECTED] could not be reached and body was like if it was
>>>the result of commands ifconfig etc
>>>
>>>unfortunately I don't have the message anymore but I went to the log
>>>
>>>and saw this
>>>Feb 9 20:30:07 asterisk1 sendmail[10088]: j1A1U7mf010088:
>>>from=<[EMAIL PROTECTED]>, size=329, class=0, nrcpts=1,
>>>msgid=<[EMAIL PROTECTED]>, proto=ESMTP,
>>>daemon=MTA, relay=asterisk1.local [127.0.0.1]
>>>Feb 9 20:30:07 asterisk1 sendmail[10071]: j1A1U7Q1010071:
>>>[EMAIL PROTECTED], ctladdr=root (0/0), delay=00:00:00,
>>>xdelay=00:00:00, mailer=relay, pri=30049, relay=[127.0.0.1]
>>>[127.0.0.1], dsn=2.0.0, stat=Sent (j1A1U7mf010088 Message accepted for
>>>delivery)
>>>Feb 9 20:30:07 asterisk1 sendmail[10077]: j1A1U7CY010077:
>>>[EMAIL PROTECTED], ctladdr=root (0/0), delay=00:00:00,
>>>xdelay=00:00:00, mailer=relay, pri=30068, relay=[127.0.0.1]
>>>[127.0.0.1], dsn=2.0.0, stat=Sent (j1A1U7Ns010089 Message accepted for
>>>delivery)
>>>Feb 9 20:30:17 asterisk1 sendmail[10094]: j1A1U7Ns010089:
>>>to=<[EMAIL PROTECTED]>, ctladdr=<[EMAIL PROTECTED]> (0/0),
>>>delay=00:00:10, xdelay=00:00:10, mailer=esmtp, pri=30348,
>>>relay=gsmtp171.google.com. [64.233.171.27], dsn=2.0.0, stat=Sent (OK
>>>1107998984)
>>>Feb 9 20:30:17 asterisk1 sendmail[10093]: j1A1U7mf010088:
>>>to=<[EMAIL PROTECTED]>, ctladdr=<[EMAIL PROTECTED]> (0/0),
>>>delay=00:00:10, xdelay=00:00:10, mailer=esmtp, pri=30329,
>>>relay=gsmtp171.google.com. [64.233.171.27], dsn=2.0.0, stat=Sent (OK
>>>1107998984)
>>>
>>>
>>>the thing is I did not send any message to [EMAIL PROTECTED] nor to
>>>somebody at yahoo,
>>>
>>>
>>>anybody got the same ? what can I do ??
>>>
>>>thanks
>>>jl
>>>_______________________________________________
>>>Asterisk-Users mailing list
>>>[email protected]
>>>http://lists.digium.com/mailman/listinfo/asterisk-users
>>>To UNSUBSCRIBE or update options visit:
>>> http://lists.digium.com/mailman/listinfo/asterisk-users
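
A log check modelled on the sendmail entries quoted in this thread, added here as an example and not written by any of the posters: it follows mail submitted locally under uid/gid 0/0 through the "Message accepted for delivery" handoff and reports the messages that were then delivered to a non-loopback relay. The sample log is constructed; the function names, queue IDs, hosts and addresses are assumptions.

```python
import re

# Constructed sample in the sendmail syslog format quoted in the thread;
# queue IDs, hosts and addresses are made up (example.net, 192.0.2.0/24).
SAMPLE_LOG = """\
Feb  9 20:30:07 pbx1 sendmail[10071]: j1A0000001: to=drop@example.net, ctladdr=root (0/0), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=30049, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (j1A0000002 Message accepted for delivery)
Feb  9 20:30:17 pbx1 sendmail[10093]: j1A0000002: to=<drop@example.net>, ctladdr=<root@pbx1.local> (0/0), delay=00:00:10, xdelay=00:00:10, mailer=esmtp, pri=30329, relay=mx.example.net. [192.0.2.25], dsn=2.0.0, stat=Sent (OK 1107998984)
Feb  9 21:00:02 pbx1 sendmail[10120]: j1A0000003: to=root, ctladdr=root (0/0), delay=00:00:00, xdelay=00:00:00, mailer=local, pri=30500, dsn=2.0.0, stat=Sent
"""

ENTRY = re.compile(r"sendmail\[\d+\]: (?P<qid>\w+): (?P<body>.*)$")
FIELD = re.compile(r"(\w+)=(.*?)(?:, (?=\w+=)|$)")   # key=value, comma separated
HANDOFF = re.compile(r"Sent \((\w+) Message accepted for delivery\)")
LOOPBACK = re.compile(r"\[(127\.0\.0\.1|::1)\]")


def parse(line):
    """Split one sendmail log line into a dict of its key=value fields."""
    m = ENTRY.search(line.strip())
    if not m:
        return None
    fields = dict(FIELD.findall(m.group("body")))
    fields["qid"] = m.group("qid")
    return fields


def root_mail_leaving_host(log_text):
    """Return (submit_qid, mta_qid, recipient, relay) for uid 0 mail sent off-box."""
    entries = [e for e in map(parse, log_text.splitlines()) if e]
    handoff = {}  # MTA queue ID -> queue ID of the local submission made as uid 0
    for e in entries:
        if e.get("ctladdr", "").endswith("(0/0)") and e.get("mailer") == "relay":
            m = HANDOFF.search(e.get("stat", ""))
            if m:
                handoff[m.group(1)] = e["qid"]
    findings = []
    for e in entries:
        relay = e.get("relay", "")
        if e["qid"] in handoff and e.get("mailer") == "esmtp" and not LOOPBACK.search(relay):
            findings.append((handoff[e["qid"]], e["qid"], e.get("to", "").strip("<>"), relay))
    return findings


if __name__ == "__main__":
    for finding in root_mail_leaving_host(SAMPLE_LOG):
        print(finding)
```

Local delivery of root's own mail (the third sample line) is not reported, since it never reaches an external relay.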
