Please all keep in mind that there are plenty of additional configs possible to Iptables.
I should have restricted the originating IP address for TCP port 22 to come from at least my dhcp served address range. That would have blocked all hackers except those originating from within my specific ISP's dhcp served range. Not perfect but a good sight better than wide open!

Karl Putz

>-----Original Message-----
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED] Behalf Of Christian Moller
>Sent: Thursday, February 10, 2005 11:03 AM
>To: Asterisk Users Mailing List - Non-Commercial Discussion
>Subject: Re: [Asterisk-Users] [EMAIL PROTECTED] scary log
>
>
>Hi,
>OK, well, I've disabled SSH/HTTP already so let's hope I will have my system working!
>Best and thanks,
>Christian
>
>
>----- Original Message -----
>From: "Karl H. Putz" <[EMAIL PROTECTED]>
>To: "Asterisk Users Mailing List - Non-Commercial Discussion" <[email protected]>
>Sent: Thursday, February 10, 2005 4:56 PM
>Subject: RE: [Asterisk-Users] [EMAIL PROTECTED] scary log
>
>
>>I had the system set up to allow http and ssh.
>>
>> The hack came in through ssh.
>>
>>>-----Original Message-----
>>>From: [EMAIL PROTECTED]
>>>[mailto:[EMAIL PROTECTED] Behalf Of Christian Moller
>>>Sent: Thursday, February 10, 2005 10:39 AM
>>>To: Asterisk Users Mailing List - Non-Commercial Discussion
>>>Subject: Re: [Asterisk-Users] [EMAIL PROTECTED] scary log
>>>
>>>
>>>Hi,
>>>I've also been a little worried about the security. How did they connect to
>>>your system? Through telnet or what?
>>>Since I've disabled all such services.
>>>Best,
>>>Christian
>>>
>>>
>>>----- Original Message -----
>>>From: "Karl H. Putz" <[EMAIL PROTECTED]>
>>>To: "Jean-Louis curty" <[EMAIL PROTECTED]>; "Asterisk Users Mailing List -
>>>Non-Commercial Discussion" <[email protected]>
>>>Sent: Thursday, February 10, 2005 4:18 PM
>>>Subject: RE: [Asterisk-Users] [EMAIL PROTECTED] scary log
>>>
>>>
>>>> You've likely been hacked.
>>>>
>>>> I have recently had a similar incident where a hacker guessed my root
>>>> password (MY BAD) and set up an ebay password skimming site.
>>>>
>>>> I noticed it when I got similar non-deliverable email messages.
>>>>
>>>> Obviously, first change your password and then look at the /var/www/html
>>>> directory and see if there are unwelcome pages there. Also be sure to
>>>> check who is logged in currently. I caught the (*%#@ SOB logged in and
>>>> bounced the bastard.
>>>>
>>>> For what it's worth, the hacker's IP address was: 81.12.141.150.
>>>>
>>>>
>>>> Karl Putz
>>>>
>>>>>-----Original Message-----
>>>>>From: [EMAIL PROTECTED]
>>>>>[mailto:[EMAIL PROTECTED] Behalf Of Jean-Louis curty
>>>>>Sent: Thursday, February 10, 2005 9:10 AM
>>>>>To: Asterisk Users Mailing List - Non-Commercial Discussion
>>>>>Subject: [Asterisk-Users] [EMAIL PROTECTED] scary log
>>>>>
>>>>>
>>>>>Hi everybody,
>>>>>
>>>>>I'm testing [EMAIL PROTECTED] 0.4,
>>>>>looks great so far
>>>>>
>>>>>I was working when I have been alerted by a beep coming from the * pc...
>>>>>
>>>>>I connected a screen to it and saw that there was a message which
>>>>>looked like :
>>>>>
>>>>>
>>>>>Message from [EMAIL PROTECTED] at Thu Feb 10 09:01:00 2005 ...
>>>>>asterisk1
>>>>>
>>>>>
>>>>>
>>>>>so I stopped asterisk, typed mail and got a strange mail saying that
>>>>>user [EMAIL PROTECTED] could not be reached and body was like if it was
>>>>>the result of commands ifconfig etc
>>>>>
>>>>>unfortunately I don't have the message anymore but I went to the log
>>>>>
>>>>>and saw this
>>>>>Feb 9 20:30:07 asterisk1 sendmail[10088]: j1A1U7mf010088:
>>>>>from=<[EMAIL PROTECTED]>, size=329, class=0, nrcpts=1,
>>>>>msgid=<[EMAIL PROTECTED]>, proto=ESMTP,
>>>>>daemon=MTA, relay=asterisk1.local [127.0.0.1]
>>>>>Feb 9 20:30:07 asterisk1 sendmail[10071]: j1A1U7Q1010071:
>>>>>[EMAIL PROTECTED], ctladdr=root (0/0), delay=00:00:00,
>>>>>xdelay=00:00:00, mailer=relay, pri=30049, relay=[127.0.0.1]
>>>>>[127.0.0.1], dsn=2.0.0, stat=Sent (j1A1U7mf010088 Message accepted for
>>>>>delivery)
>>>>>Feb 9 20:30:07 asterisk1 sendmail[10077]: j1A1U7CY010077:
>>>>>[EMAIL PROTECTED], ctladdr=root (0/0), delay=00:00:00,
>>>>>xdelay=00:00:00, mailer=relay, pri=30068, relay=[127.0.0.1]
>>>>>[127.0.0.1], dsn=2.0.0, stat=Sent (j1A1U7Ns010089 Message accepted for
>>>>>delivery)
>>>>>Feb 9 20:30:17 asterisk1 sendmail[10094]: j1A1U7Ns010089:
>>>>>to=<[EMAIL PROTECTED]>, ctladdr=<[EMAIL PROTECTED]> (0/0),
>>>>>delay=00:00:10, xdelay=00:00:10, mailer=esmtp, pri=30348,
>>>>>relay=gsmtp171.google.com. [64.233.171.27], dsn=2.0.0, stat=Sent (OK
>>>>>1107998984)
>>>>>Feb 9 20:30:17 asterisk1 sendmail[10093]: j1A1U7mf010088:
>>>>>to=<[EMAIL PROTECTED]>, ctladdr=<[EMAIL PROTECTED]> (0/0),
>>>>>delay=00:00:10, xdelay=00:00:10, mailer=esmtp, pri=30329,
>>>>>relay=gsmtp171.google.com. [64.233.171.27], dsn=2.0.0, stat=Sent (OK
>>>>>1107998984)
>>>>>
>>>>>
>>>>>the thing is I did not send any message to [EMAIL PROTECTED] nor to
>>>>>somebody at yahoo,
>>>>>
>>>>>
>>>>>anybody got the same ? what can I do ??
>>>>>
>>>>>thanks
>>>>>jl
>>>>>_______________________________________________
>>>>>Asterisk-Users mailing list
>>>>>[email protected]
>>>>>http://lists.digium.com/mailman/listinfo/asterisk-users
>>>>>To UNSUBSCRIBE or update options visit:
>>>>> http://lists.digium.com/mailman/listinfo/asterisk-users
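
The source restriction for TCP port 22 described at the top of this thread can be checked mechanically against a saved ruleset. The following is an added example, not part of the original messages: a Python check that reads `iptables-save` style text and reports INPUT rules accepting a TCP port from any source. The two rulesets, the function names and the 192.0.2.0/24 range are constructed for illustration.

```python
import ipaddress
import shlex

# Constructed iptables-save excerpts (not from the thread). 192.0.2.0/24 is a
# documentation range standing in for the ISP's DHCP pool.
WIDE_OPEN = """\
*filter
:INPUT DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
"""
RESTRICTED = WIDE_OPEN.replace("-A INPUT -p tcp -m tcp --dport 22",
                               "-A INPUT -s 192.0.2.0/24 -p tcp -m tcp --dport 22")

def opt(tok, *names):
    """Return (value, negated) for the first matching option, else (None, False)."""
    for i, t in enumerate(tok[:-1]):
        if t in names:
            return tok[i + 1], i > 0 and tok[i - 1] == "!"
    return None, False

def covers(spec, port):
    """True if a --dport/--dports value such as '22', '20:25' or '22,80' includes port."""
    for part in spec.split(","):
        lo, sep, hi = part.partition(":")
        if not (lo + hi).isdigit():
            continue  # service names are not resolved in this example
        low = int(lo or 0)
        high = int(hi) if hi else (65535 if sep else low)
        if low <= port <= high:
            return True
    return False

def open_to_world(ruleset, port=22):
    """INPUT rules naming tcp/<port> via --dport(s) that ACCEPT from any source."""
    findings = []
    for line in ruleset.splitlines():
        tok = shlex.split(line)
        if tok[:2] != ["-A", "INPUT"] or opt(tok, "-j")[0] != "ACCEPT":
            continue
        dport, dneg = opt(tok, "--dport", "--dports")
        if opt(tok, "-p")[0] != "tcp" or dport is None or covers(dport, port) == dneg:
            continue
        src, sneg = opt(tok, "-s", "--source")
        if src and not sneg and ipaddress.ip_network(src, strict=False).prefixlen > 0:
            continue  # already limited to a source range
        findings.append(line)
    return findings
```

Rules that accept all TCP traffic without naming a port are outside what this check looks at, so an empty result only means no rule names the port without a source limit.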
