Re: [asterisk-users] Strange Issue: asterisk deleted
Did you take a look at /var/log/syslog?

On 26.11.2014 21:08, Antoine Megalla wrote:
> Hi,
>
> I looked for asterisk in /usr/sbin using the commands ls and find and whereis and it was not there. I know that the process is killed because when I start asterisk using the command asterisk -c it starts and then it exits and the word "killed" is written on the console. Every time I copy a new executable to /usr/sbin, either using the cp command or make install, it gets deleted too.
>
> Now I used the strace command on asterisk and I can clearly see at the end of the strace the line: killed by SIGKILL. This means that something or someone is actually and purposely killing asterisk, but I do not know what or who is doing that; also I know that I am the only user on the system.
>
> Again, any indicators to solve this very weird issue are welcome.
>
> Regards,
> Antoine Megalla
>
> Sent from my iPhone
>
> On Nov 26, 2014, at 6:12 PM, Thorsten Göllner <t...@ovm-group.com> wrote:
>
>> On 26.11.2014 11:37, Antoine Megalla wrote:
>>> Hi,
>>>
>>> I am struggling with a very strange issue I have been facing for the past week; I have a fresh install of CentOS 5.11 and I have installed asterisk 1.8.32 from sources. The asterisk installation went fine, but as soon as I start the asterisk executable it loads everything and then, after the "Ready" line, the process gets killed, and when I try to run it again I get: /usr/sbin/asterisk : command not found
>>>
>>> I cleaned the source and re-installed asterisk and the same thing happened again!!! I downloaded asterisk versions 1.4, 11, 12 and compiled them from sources and installed them (make install) and, amazingly, the same thing happened to all of them: I do a make then make install and as soon as I start asterisk the process is killed and the executable removed from /usr/sbin. I tried to look at the asterisk log files but I cannot find a single error in them. Also, if it was really deleted, how did bash know that asterisk is supposed to be located in /usr/sbin/asterisk?
>>>
>>> I tried to copy the executable myself after compilation (everything done as root) to /usr/sbin and again, if it runs, then it is deleted. If someone can explain this behavior to me or advise me on what to check to resolve this issue, I would be grateful.
>>
>> Hi,
>>
>> you write "Also if it was really deleted .." - did you look at it via ls /usr/sbin/asterisk? You compiled asterisk (make / make install) as root, I think. Perhaps access rights are not set properly? root is owner but you try to start the daemon as a normal user? You write the process is killed. How do you know? Did you get a message on your terminal? Did you take a look at /var/log/syslog?

--
Bandwidth and Colocation Provided by http://www.api-digital.com
New to Asterisk? Join us for a live introductory webinar every Thurs: http://www.asterisk.org/hello
asterisk-users mailing list
To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [asterisk-users] Strange Issue: asterisk deleted
Yes I did, and there is nothing about asterisk in the /var/log folder. I am starting to think that the server is compromised.

Sent from my iPhone

On Nov 27, 2014, at 11:09 AM, Thorsten Göllner <t...@ovm-group.com> wrote:

> Did you take a look at /var/log/syslog?
Re: [asterisk-users] Strange Issue: asterisk deleted
On Wednesday 26 Nov 2014, Antoine Megalla wrote:
> Hi,
>
> I looked for asterisk in /usr/sbin using the commands ls and find and whereis and it was not there. I know that the process is killed because when I start asterisk using the command asterisk -c it starts and then it exits and the word "killed" is written on the console. Every time I copy a new executable to /usr/sbin, either using the cp command or make install, it gets deleted too.
>
> Now I used the strace command on asterisk and I can clearly see at the end of the strace the line: killed by SIGKILL. This means that something or someone is actually and purposely killing asterisk, but I do not know what or who is doing that; also I know that I am the only user on the system.
>
> Again, any indicators to solve this very weird issue are welcome.

It sounds as though your server might have been compromised.

Get another machine of the same bit architecture and perform a fresh install of exactly the same OS as your Asterisk box on that. Install busybox too (it's usually there anyway, as it's required for building the initial RAMdisks used by most distros for booting). Using a USB stick (preferably one that can be set read-only), copy at least the `ls`, `ps`, `netstat`, `w`, `lsattr`, `md5sum`, `cat`, `diff` and `busybox` binaries over (to somewhere that isn't /usr/bin/). Use both the existing installed and the newly-copied md5sum and diff to check each system binary against the known-good ones. You can use busybox to replicate commands you haven't copied (but note that busybox versions are rather cut-down as compared to the GNU tools you know and love. Come to think of it, they're cut-down as compared to the BSD tools everyone replaces with GNU versions once they have a C compiler up and running). Compare /etc/inittab between the two machines.

Many rootkits mess with ext[2-4]fs attributes, presumably to stop you overwriting their overwritten system binaries; so use a known-good lsattr to check the attributes of everything in /bin/, /sbin/, /usr/bin/ and /usr/sbin/ -- watch out for anything set immutable.

Getting rid of the compromise fortunately is reasonably easy, especially if your /home folder is on its own partition. Just ignore that partition during reinstallation, edit your /etc/fstab afterwards and reboot -- your original /home will be preserved intact. If not, use systemrescuecd or something similar to boot a known-good system. Use mv to rename /home to a new name. Shrink a disk partition and create a new small partition. Use that for your /home during the reinstall. Then again edit /etc/fstab, unmount /home, mv your old /home back to /home and reboot.

--
AJS

Note: Originating address only accepts e-mail from list! If replying off-list, change address to asterisk1list at earthshod dot co dot uk .
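The two checks AJS describes above (a known-good md5sum run against a digest manifest taken on the clean machine, and a known-good lsattr hunting for immutable or append-only files in the system binary directories), as an added shell example that is not part of the thread. It assumes the tools copied from the USB stick live in $TRUSTED_BIN, that the manifest was produced by running md5sum over /bin, /sbin, /usr/bin and /usr/sbin on the clean reference install, and the function names, script name and sample lsattr lines are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the thread: verify system binaries on a suspect host
# against a digest manifest made on a clean machine of the same OS/arch, and
# flag files locked with the ext immutable/append-only attributes.
TRUSTED_BIN="${TRUSTED_BIN:-/mnt/usb/tools}"   # assumed: tools copied from the USB stick
HASH_TOOL="${HASH_TOOL:-md5sum}"               # sha256sum uses the same manifest format
# Prefer the trusted copy of a tool; fall back to the installed one with a
# warning, since on a rootkitted box the installed copy may lie.
trusted() {
    if [ -x "$TRUSTED_BIN/$1" ]; then
        printf '%s\n' "$TRUSTED_BIN/$1"
    else
        printf 'warning: no trusted %s in %s, using installed copy\n' "$1" "$TRUSTED_BIN" >&2
        command -v "$1"
    fi
}
# verify_manifest MANIFEST: MANIFEST holds "digest  path" lines captured on the
# clean machine (e.g. md5sum /bin/* /sbin/* /usr/bin/* /usr/sbin/*). Prints a
# MISSING/MISMATCH line per bad entry; returns 1 if anything was flagged.
verify_manifest() {
    hasher=$(trusted "$HASH_TOOL") || return 1
    bad=0
    while read -r want path; do
        [ -n "$path" ] || continue                   # skip blank lines
        if [ ! -f "$path" ]; then
            printf 'MISSING   %s\n' "$path"; bad=1; continue
        fi
        have=$("$hasher" "$path"); have=${have%% *}  # "digest  path" -> digest
        if [ "$have" != "$want" ]; then
            printf 'MISMATCH  %s (expected %s, got %s)\n' "$path" "$want" "$have"
            bad=1
        fi
    done < "$1"
    return "$bad"
}
# locked_from_lsattr: read `lsattr -d` output on stdin and print entries whose
# flag field has i (immutable) or a (append-only) set; rootkits set these so
# their replaced binaries survive cp, rm and `make install`.
locked_from_lsattr() {
    while read -r flags path; do
        case "$flags" in *i*|*a*) printf '%s %s\n' "$flags" "$path" ;; esac
    done
}
# check_locked DIR...: run the trusted lsattr over every entry of DIR(s);
# lsattr errors on non-ext filesystems, so stderr is silenced.
check_locked() {
    lsattr_bin=$(trusted lsattr) || return 1
    for d in "$@"; do "$lsattr_bin" -d "$d"/* 2>/dev/null; done | locked_from_lsattr
}
# Usage as root: sh check_host.sh verify /mnt/usb/clean.md5 ; sh check_host.sh locked
case "${1:-}" in
    verify) verify_manifest "$2" ;;
    locked) check_locked /bin /sbin /usr/bin /usr/sbin ;;
esac
```

Any MISMATCH on a binary you did not reinstall, or any entry with the i flag in those directories, is grounds for treating the whole host as untrusted and rebuilding it as AJS describes rather than repairing it in place.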
Re: [asterisk-users] Strange Issue: asterisk deleted
Question remains, how was it compromised? In the original install? A fresh install perhaps from another source? Best you determine HOW before spending more time going down another rabbit hole!

John Novack

Antoine Megalla wrote:
> Hi,
>
> Thank you for your support. The server is actually compromised; I discovered that after making a deep trace using the audit daemon and looking for the kill signal (SIGKILL) that terminates asterisk.
>
> snipped to please the mailing list

--
Dog is my Co-pilot
[asterisk-users] day night service toggle
Hi,

I need a dialplan to set INCOMING call forwarding during lunch break to my secretary. I want to be able to set call forwarding by dialing an extension number to turn it ON or OFF. I am using asterisk 11.

Thanks
Abdullah Faheem
[asterisk-users] Asterisk consuming high cpu usage
Hi,

I have been using asterisk 10.0.1 for 8 months and now I have updated it to 12.6.0. I have not made many changes in the conf files. I am seeing continuous warnings saying "Can't send 10 type frames with SIP/Gtalk write" on the console, which I had never seen in the previous version. I have compared chan_sip.c from both versions and it seems 12.6.0 is also made to support all the frame types supported by v10.0.1. Then why am I getting these warnings on some specific calls, and what is the solution to avoid such warnings?

Regards
Mayank
Re: [asterisk-users] Asterisk consuming high cpu usage
Sorry, the subject is wrong.

Regards
Mayank Kumar Gour

On Fri, Nov 28, 2014 at 10:27 AM, Mayank Kumar Gour <may...@hostnsoft.com> wrote:
> Hi,
>
> I have been using asterisk 10.0.1 for 8 months and now I have updated it to 12.6.0. I have not made many changes in the conf files. I am seeing continuous warnings saying "Can't send 10 type frames with SIP/Gtalk write" on the console, which I had never seen in the previous version. I have compared chan_sip.c from both versions and it seems 12.6.0 is also made to support all the frame types supported by v10.0.1. Then why am I getting these warnings on some specific calls, and what is the solution to avoid such warnings?
>
> Regards
> Mayank