ok ssh now disabled.... root password changed...
where can I catch the messages that are supposedly sent by [EMAIL PROTECTED] ?

On Thu, 10 Feb 2005 10:56:53 -0500, Karl H. Putz <[EMAIL PROTECTED]> wrote:
> I had the system set up to allow http and ssh.
>
> The hack came in through ssh.
>
> >-----Original Message-----
> >From: [EMAIL PROTECTED]
> >[mailto:[EMAIL PROTECTED] Behalf Of Christian Moller
> >Sent: Thursday, February 10, 2005 10:39 AM
> >To: Asterisk Users Mailing List - Non-Commercial Discussion
> >Subject: Re: [Asterisk-Users] [EMAIL PROTECTED] scary log
> >
> >
> >Hi,
> >I've also been a little worried about the security. How did they
> >connect to your system? Through telnet or what?
> >Since I've disabled all such services.
> >Best,
> >Christian
> >
> >
> >----- Original Message -----
> >From: "Karl H. Putz" <[EMAIL PROTECTED]>
> >To: "Jean-Louis curty" <[EMAIL PROTECTED]>; "Asterisk Users Mailing List -
> >Non-Commercial Discussion" <[email protected]>
> >Sent: Thursday, February 10, 2005 4:18 PM
> >Subject: RE: [Asterisk-Users] [EMAIL PROTECTED] scary log
> >
> >
> >> You've likely been hacked.
> >>
> >> I have recently had a similar incident where a hacker guessed my root
> >> password (MY BAD) and set up an ebay password skimming site.
> >>
> >> I noticed it when I got similar non-deliverable email messages.
> >>
> >> Obviously, first change your password and then look at the /var/www/html
> >> directory and see if there are unwelcome pages there. Also be sure to
> >> check who is logged in currently. I caught the (*%#@ SOB logged in and
> >> bounced the bastard.
> >>
> >> For what it's worth, the hacker's IP address was: 81.12.141.150.
> >>
> >>
> >> Karl Putz
> >>
> >>>-----Original Message-----
> >>>From: [EMAIL PROTECTED]
> >>>[mailto:[EMAIL PROTECTED] Behalf Of Jean-Louis curty
> >>>Sent: Thursday, February 10, 2005 9:10 AM
> >>>To: Asterisk Users Mailing List - Non-Commercial Discussion
> >>>Subject: [Asterisk-Users] [EMAIL PROTECTED] scary log
> >>>
> >>>
> >>>Hi everybody,
> >>>
> >>>I'm testing [EMAIL PROTECTED] 0.4,
> >>>looks great so far
> >>>
> >>>I was working when I was alerted by a beep coming from the * pc...
> >>>
> >>>I connected a screen to it and saw that there was a message which
> >>>looked like :
> >>>
> >>>
> >>>Message from [EMAIL PROTECTED] at Thu Feb 10 09:01:00 2005 ...
> >>>asterisk1
> >>>
> >>>
> >>>
> >>>so I stopped asterisk, typed mail and got a strange mail saying that
> >>>user [EMAIL PROTECTED] could not be reached and the body was as if it was
> >>>the result of commands ifconfig etc
> >>>
> >>>unfortunately I don't have the message anymore but I went to the log
> >>>
> >>>and saw this
> >>>Feb 9 20:30:07 asterisk1 sendmail[10088]: j1A1U7mf010088:
> >>>from=<[EMAIL PROTECTED]>, size=329, class=0, nrcpts=1,
> >>>msgid=<[EMAIL PROTECTED]>, proto=ESMTP,
> >>>daemon=MTA, relay=asterisk1.local [127.0.0.1]
> >>>Feb 9 20:30:07 asterisk1 sendmail[10071]: j1A1U7Q1010071:
> >>>[EMAIL PROTECTED], ctladdr=root (0/0), delay=00:00:00,
> >>>xdelay=00:00:00, mailer=relay, pri=30049, relay=[127.0.0.1]
> >>>[127.0.0.1], dsn=2.0.0, stat=Sent (j1A1U7mf010088 Message accepted for
> >>>delivery)
> >>>Feb 9 20:30:07 asterisk1 sendmail[10077]: j1A1U7CY010077:
> >>>[EMAIL PROTECTED], ctladdr=root (0/0), delay=00:00:00,
> >>>xdelay=00:00:00, mailer=relay, pri=30068, relay=[127.0.0.1]
> >>>[127.0.0.1], dsn=2.0.0, stat=Sent (j1A1U7Ns010089 Message accepted for
> >>>delivery)
> >>>Feb 9 20:30:17 asterisk1 sendmail[10094]: j1A1U7Ns010089:
> >>>to=<[EMAIL PROTECTED]>, ctladdr=<[EMAIL PROTECTED]> (0/0),
> >>>delay=00:00:10, xdelay=00:00:10, mailer=esmtp, pri=30348,
> >>>relay=gsmtp171.google.com. [64.233.171.27], dsn=2.0.0, stat=Sent (OK
> >>>1107998984)
> >>>Feb 9 20:30:17 asterisk1 sendmail[10093]: j1A1U7mf010088:
> >>>to=<[EMAIL PROTECTED]>, ctladdr=<[EMAIL PROTECTED]> (0/0),
> >>>delay=00:00:10, xdelay=00:00:10, mailer=esmtp, pri=30329,
> >>>relay=gsmtp171.google.com. [64.233.171.27], dsn=2.0.0, stat=Sent (OK
> >>>1107998984)
> >>>
> >>>
> >>>the thing is I did not send any message to [EMAIL PROTECTED] nor to
> >>>somebody at yahoo,
> >>>
> >>>
> >>>anybody got the same ? what can I do ??
> >>>
> >>>thanks
> >>>jl
> >>>_______________________________________________
> >>>Asterisk-Users mailing list
> >>>[email protected]
> >>>http://lists.digium.com/mailman/listinfo/asterisk-users
> >>>To UNSUBSCRIBE or update options visit:
> >>> http://lists.digium.com/mailman/listinfo/asterisk-users
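
An added example, not part of the thread or written by any of its participants: the sendmail entries quoted above show mail submitted locally with `ctladdr=root (0/0)` being accepted by the MTA under a new queue id and then delivered over `esmtp` to an outside relay. This Python code correlates those two queue ids to list every such delivery; the log lines, queue ids, addresses and hosts are constructed placeholders, and the function names are hypothetical.

```python
import re

# Constructed sample lines in the sendmail syslog format quoted in the thread.
# Queue ids, addresses and relay hosts are placeholders, not values from the thread.
SAMPLE_LOG = """\
Feb  9 20:30:07 host1 sendmail[10071]: j1AAAAAA000001: to=drop@example.net, ctladdr=root (0/0), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=30049, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (j1AAAAAA000002 Message accepted for delivery)
Feb  9 20:30:17 host1 sendmail[10093]: j1AAAAAA000002: to=<drop@example.net>, ctladdr=<root@host1.local> (0/0), delay=00:00:10, xdelay=00:00:10, mailer=esmtp, pri=30329, relay=mx.example.net. [192.0.2.27], dsn=2.0.0, stat=Sent (OK 1107998984)
Feb  9 21:00:02 host1 sendmail[10200]: j1ABBBBB000003: to=admin, ctladdr=root (0/0), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=30040, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (j1ABBBBB000004 Message accepted for delivery)
Feb  9 21:00:03 host1 sendmail[10202]: j1ABBBBB000004: to=<admin@host1.local>, ctladdr=<root@host1.local> (0/0), delay=00:00:01, xdelay=00:00:00, mailer=local, pri=30300, dsn=2.0.0, stat=Sent
"""

ENTRY = re.compile(r"sendmail\[\d+\]: (?P<qid>\w+): (?P<fields>.*)$")


def parse_fields(text):
    """Split 'key=value, key=value' pairs; values may hold spaces and parentheses."""
    return dict(m.groups() for m in re.finditer(r"(\w+)=(.*?)(?=, \w+=|$)", text))


def root_mail_sent_offhost(log_text):
    """Return deliveries to external relays that began as local submissions by uid 0."""
    handoff = {}   # MTA queue id -> queue id of the root submission that produced it
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.search(line)
        if not m:
            continue
        f = parse_fields(m["fields"])
        if "to" not in f or not f.get("stat", "").startswith("Sent"):
            continue
        if f.get("mailer") == "relay" and f.get("ctladdr", "").endswith("(0/0)"):
            # Local submission: stat=Sent (<new queue id> Message accepted for delivery)
            new = re.match(r"Sent \((\w+) Message accepted", f["stat"])
            if new:
                handoff[new[1]] = m["qid"]
        elif m["qid"] in handoff and f.get("mailer") == "esmtp":
            findings.append({
                "submitted_as": handoff[m["qid"]],
                "queue_id": m["qid"],
                "to": f["to"].strip("<>"),
                "relay": f.get("relay", ""),
            })
    return findings


if __name__ == "__main__":
    for hit in root_mail_sent_offhost(SAMPLE_LOG):
        print(hit)
```

On a real host the same function can be fed the contents of the mail log; root-submitted mail that stays on the local mailer, such as cron output, is not reported.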
