We noticed the following on two of our sipx servers:

unknown 27735071970269 10/30/11 11:04 AM 00:00:00 Failed
unknown 00442032987264 10/30/11 11:04 AM 00:00:00 Failed
unknown 000442032987263 10/30/11 11:04 AM 00:00:00 Failed
unknown 0000442032987265 10/30/11 11:04 AM 00:00:00 Failed
unknown 0442032987262 10/30/11 11:04 AM 00:00:00 Failed
unknown +00442032987263 10/30/11 11:04 AM 00:00:00 Failed
unknown +000442032987262 10/30/11 11:04 AM 00:00:00 Failed
unknown 900442032987265 10/30/11 11:04 AM 00:00:00 Failed
unknown 800442032987263 10/30/11 11:04 AM 00:00:00 Failed
unknown 9000442032987264 10/30/11 11:04 AM 00:00:00 Failed
unknown *442032987263 10/30/11 11:04 AM 00:00:00 Failed
unknown +442032987266 10/30/11 11:04 AM 00:00:00 Failed
unknown 011442032987265 10/30/11 11:04 AM 00:00:00 Failed
unknown +011442032987263 10/30/11 11:04 AM 00:00:00 Failed
unknown +9011442032987263 10/30/11 11:04 AM 00:00:00 Failed
unknown 00011442032987266 10/30/11 11:04 AM 00:00:00 Failed
unknown 1011442032987264 10/30/11 11:04 AM 00:00:00 Failed
unknown 2011442032987262 10/30/11 11:05 AM 00:00:00 Failed
unknown 5011442032987265 10/30/11 11:05 AM 00:00:00 Failed
unknown 6011442032987263 10/30/11 11:05 AM 00:00:00 Failed
The first thing I did was to go look to see which user this is coming from, but none of these numbers show up in the logs. In fact, the logs are not normal either. Notice how all of the gzipped logs are the same size. It appears someone is able to restart the services or something, and it seems to be from remote. I use a non-standard port for ssh, and it certainly isn't in any of the firewalls. Checked the usual: lastlog, .bash_history, netstat; no one seems to be or have been on the server. It happened a few hours ago, so wireshark, which I am running now, isn't showing me anything. The system has a PRI gateway and Flowroute as gateways. We don't allow out-of-country calls on these servers, which is why they failed. We checked on Flowroute and it doesn't seem to have any records of these calls being made. That seems to leave a user account being compromised, but it doesn't answer why I can't find any of those numbers in the logs. Kind of stumped on what else to look for, for leads, so thought I better ask.

drwxr-xr-x 8 root root 4096 Oct 30 04:02 .
drwxr-xr-x 22 root root 4096 Oct 12 16:36 ..
-rw------- 1 root root 135470 Aug 15 13:23 anaconda.log
-rw------- 1 root root 25236 Aug 15 13:23 anaconda.syslog
-rw------- 1 root root 0 Oct 30 04:02 boot.log
-rw------- 1 root root 0 Oct 29 04:02 boot.log.1
-rw------- 1 root root 20 Oct 22 04:02 boot.log.10.gz
-rw------- 1 root root 20 Oct 21 04:02 boot.log.11.gz
-rw------- 1 root root 20 Oct 20 04:02 boot.log.12.gz
-rw------- 1 root root 20 Oct 19 04:02 boot.log.13.gz
-rw------- 1 root root 20 Oct 18 04:02 boot.log.14.gz
-rw------- 1 root root 20 Oct 30 04:02 boot.log.2.gz
-rw------- 1 root root 20 Oct 29 04:02 boot.log.3.gz
-rw------- 1 root root 20 Oct 28 04:02 boot.log.4.gz
-rw------- 1 root root 20 Oct 27 04:02 boot.log.5.gz
-rw------- 1 root root 20 Oct 26 04:02 boot.log.6.gz
-rw------- 1 root root 20 Oct 25 04:02 boot.log.7.gz
-rw------- 1 root root 20 Oct 24 04:02 boot.log.8.gz
-rw------- 1 root root 20 Oct 23 04:02 boot.log.9.gz
-rw-r--r-- 1 root root 3561 Oct 5 21:22 brcm-iscsi.log
-rw------- 1 root utmp 5376 Sep 22 16:38 btmp
-rw------- 1 root root 23882 Oct 30 14:30 cron
-rw------- 1 root root 54566 Oct 30 04:02 cron.1
-rw------- 1 root root 2761 Oct 22 04:02 cron.10.gz
-rw------- 1 root root 2737 Oct 21 04:02 cron.11.gz
-rw------- 1 root root 2774 Oct 20 04:02 cron.12.gz
-rw------- 1 root root 2706 Oct 19 04:02 cron.13.gz
-rw------- 1 root root 2731 Oct 18 04:02 cron.14.gz
-rw------- 1 root root 2678 Oct 30 04:02 cron.2.gz
-rw------- 1 root root 2705 Oct 29 04:02 cron.3.gz
-rw------- 1 root root 2751 Oct 28 04:02 cron.4.gz
-rw------- 1 root root 2720 Oct 27 04:02 cron.5.gz
-rw------- 1 root root 2689 Oct 26 04:02 cron.6.gz
-rw------- 1 root root 2753 Oct 25 04:02 cron.7.gz
-rw------- 1 root root 2687 Oct 24 04:02 cron.8.gz
-rw------- 1 root root 2690 Oct 23 04:02 cron.9.gz
-rw-r--r-- 1 root root 18520 Oct 5 21:22 dmesg
drwxr-x--- 2 exim exim 4096 Oct 30 04:02 exim
-rw------- 1 root root 16064 Aug 16 12:10 faillog
drwxr-x--- 2 freeswitch daemon 4096 Mar 27 2011 freeswitch
drwx------ 2 root root 4096 Aug 31 19:23 httpd
-rw-r--r-- 1 root root 146584 Oct 30 14:19 lastlog
-rw------- 1 root root 0 Oct 30 04:02 maillog
-rw------- 1 root root 0 Oct 29 04:02 maillog.1
-rw------- 1 root root 20 Oct 22 04:02 maillog.10.gz
-rw------- 1 root root 20 Oct 21 04:02 maillog.11.gz
-rw------- 1 root root 20 Oct 20 04:02 maillog.12.gz
-rw------- 1 root root 20 Oct 19 04:02 maillog.13.gz
-rw------- 1 root root 20 Oct 18 04:02 maillog.14.gz
-rw------- 1 root root 20 Oct 30 04:02 maillog.2.gz
-rw------- 1 root root 20 Oct 29 04:02 maillog.3.gz
-rw------- 1 root root 20 Oct 28 04:02 maillog.4.gz
-rw------- 1 root root 20 Oct 27 04:02 maillog.5.gz
-rw------- 1 root root 20 Oct 26 04:02 maillog.6.gz
-rw------- 1 root root 20 Oct 25 04:02 maillog.7.gz
-rw------- 1 root root 20 Oct 24 04:02 maillog.8.gz
-rw------- 1 root root 20 Oct 23 04:02 maillog.9.gz
-rw------- 1 root root 43 Oct 30 04:02 messages
-rw------- 1 root root 43 Oct 29 04:02 messages.1
-rw------- 1 root root 165 Oct 22 04:02 messages.10.gz
-rw------- 1 root root 142 Oct 21 04:02 messages.11.gz
-rw------- 1 root root 63 Oct 20 04:02 messages.12.gz
-rw------- 1 root root 61 Oct 19 04:02 messages.13.gz
-rw------- 1 root root 142 Oct 18 04:02 messages.14.gz
-rw------- 1 root root 142 Oct 30 04:02 messages.2.gz
-rw------- 1 root root 165 Oct 29 04:02 messages.3.gz
-rw------- 1 root root 151 Oct 28 04:02 messages.4.gz
-rw------- 1 root root 143 Oct 27 04:02 messages.5.gz
-rw------- 1 root root 141 Oct 26 04:02 messages.6.gz
-rw------- 1 root root 142 Oct 25 04:02 messages.7.gz
-rw------- 1 root root 150 Oct 24 04:02 messages.8.gz
-rw------- 1 root root 142 Oct 23 04:02 messages.9.gz
drwxr-xr-x 2 root root 4096 Aug 15 13:23 pm
drwxr-xr-x 2 root root 4096 Aug 17 04:02 prelink
-rw-r--r-- 1 root root 12392 Oct 30 04:02 rpmpkgs
-rw-r--r-- 1 root root 12392 Oct 29 04:02 rpmpkgs.1
-rw-r--r-- 1 root root 12392 Oct 22 04:02 rpmpkgs.2
-rw-r--r-- 1 root root 12392 Oct 15 04:02 rpmpkgs.3
-rw------- 1 root root 189 Oct 30 14:19 secure
-rw------- 1 root root 0 Oct 29 04:02 secure.1
-rw------- 1 root root 152 Oct 22 04:02 secure.10.gz
-rw------- 1 root root 20 Oct 21 04:02 secure.11.gz
-rw------- 1 root root 20 Oct 20 04:02 secure.12.gz
-rw------- 1 root root 20 Oct 19 04:02 secure.13.gz
-rw------- 1 root root 170 Oct 18 04:02 secure.14.gz
-rw------- 1 root root 20 Oct 30 04:02 secure.2.gz
-rw------- 1 root root 20 Oct 29 04:02 secure.3.gz
-rw------- 1 root root 20 Oct 28 04:02 secure.4.gz
-rw------- 1 root root 97 Oct 27 04:02 secure.5.gz
-rw------- 1 root root 97 Oct 26 04:02 secure.6.gz
-rw------- 1 root root 303 Oct 25 04:02 secure.7.gz
-rw------- 1 root root 20 Oct 24 04:02 secure.8.gz
-rw------- 1 root root 20 Oct 23 04:02 secure.9.gz
drwxr-xr-x 4 sipxchange sipxchange 24576 Oct 30 12:06 sipxpbx
-rw------- 1 root root 0 Oct 30 04:02 spooler
-rw------- 1 root root 0 Oct 29 04:02 spooler.1
-rw------- 1 root root 20 Oct 22 04:02 spooler.10.gz
-rw------- 1 root root 20 Oct 21 04:02 spooler.11.gz
-rw------- 1 root root 20 Oct 20 04:02 spooler.12.gz
-rw------- 1 root root 20 Oct 19 04:02 spooler.13.gz
-rw------- 1 root root 20 Oct 18 04:02 spooler.14.gz
-rw------- 1 root root 20 Oct 30 04:02 spooler.2.gz
-rw------- 1 root root 20 Oct 29 04:02 spooler.3.gz
-rw------- 1 root root 20 Oct 28 04:02 spooler.4.gz
-rw------- 1 root root 20 Oct 27 04:02 spooler.5.gz
-rw------- 1 root root 20 Oct 26 04:02 spooler.6.gz
-rw------- 1 root root 20 Oct 25 04:02 spooler.7.gz
-rw------- 1 root root 20 Oct 24 04:02 spooler.8.gz
-rw------- 1 root root 20 Oct 23 04:02 spooler.9.gz
-rw------- 1 root root 0 Aug 16 11:20 tallylog
-rw-rw-r-- 1 root utmp 124800 Oct 30 14:19 wtmp
-rw------- 1 root root 0 Oct 30 04:02 xferlog
-rw------- 1 root root 0 Oct 29 04:02 xferlog.1
-rw------- 1 root root 0 Oct 20 04:02 xferlog.10
-rw------- 1 root root 0 Oct 19 04:02 xferlog.11
-rw------- 1 root root 0 Oct 18 04:02 xferlog.12
-rw------- 1 root root 0 Oct 17 04:02 xferlog.13
-rw------- 1 root root 0 Oct 16 04:02 xferlog.14
-rw------- 1 root root 0 Oct 28 04:02 xferlog.2
-rw------- 1 root root 0 Oct 27 04:02 xferlog.3
-rw------- 1 root root 0 Oct 26 04:02 xferlog.4
-rw------- 1 root root 0 Oct 25 04:02 xferlog.5
-rw------- 1 root root 0 Oct 24 04:02 xferlog.6
-rw------- 1 root root 0 Oct 23 04:02 xferlog.7
-rw------- 1 root root 0 Oct 22 04:02 xferlog.8
-rw------- 1 root root 0 Oct 21 04:02 xferlog.9
-rw-r--r-- 1 root root 25478 Oct 15 12:31 yum.log

_______________________________________________
sipx-users mailing list
List Archive: http://list.sipfoundry.org/archive/sipx-users/
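An added example, not from the original post or from sipX, of the kind of check I would run over a CDR export in the layout quoted above: it groups failed attempts per caller in a one-minute window and strips the dialing prefixes so the variants show up as the same +44 destinations. The CDR lines in it are constructed, and the +44 core-number regex is an assumption for this case.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the layout of the post's CDR excerpt:
# caller  dialed  date  time  duration  status
SAMPLE_CDRS = """\
unknown 27735071970269 10/30/11 11:04 AM 00:00:00 Failed
unknown 00442032987264 10/30/11 11:04 AM 00:00:00 Failed
unknown +9011442032987263 10/30/11 11:04 AM 00:00:00 Failed
unknown 9000442032987264 10/30/11 11:04 AM 00:00:00 Failed
unknown *442032987263 10/30/11 11:04 AM 00:00:00 Failed
unknown 6011442032987263 10/30/11 11:05 AM 00:00:00 Failed
201 5551234 10/30/11 11:20 AM 00:02:10 Completed
"""
CDR_RE = re.compile(
    r"^(?P<caller>\S+)\s+(?P<dialed>\S+)\s+(?P<date>\d\d/\d\d/\d\d)\s+"
    r"(?P<time>\d\d:\d\d [AP]M)\s+\d\d:\d\d:\d\d\s+(?P<status>\w+)$")
# Assumption: UK (+44) destinations as in the post; whatever precedes the
# trailing 44 + 10 digits is a dialing prefix (9, 00, 011, +, *, ...).
CORE_RE = re.compile(r"(44\d{10})$")

def parse_cdrs(text):
    """Yield (caller, dialed, timestamp, status) from excerpt-layout lines."""
    for line in text.splitlines():
        m = CDR_RE.match(line.strip())
        if m:  # skip blank or malformed lines
            ts = datetime.strptime(f"{m['date']} {m['time']}", "%m/%d/%y %I:%M %p")
            yield m["caller"], m["dialed"], ts, m["status"]

def core_number(dialed):
    """Reduce a dialed string to its E.164 UK core, or None if not UK."""
    m = CORE_RE.search(re.sub(r"\D", "", dialed))
    return m.group(1) if m else None

def find_probing(text, window=timedelta(minutes=1), min_failures=5):
    """Flag callers whose failed attempts in one window span many dialed variants."""
    failed = defaultdict(list)  # caller -> [(timestamp, dialed)]
    for caller, dialed, ts, status in parse_cdrs(text):
        if status == "Failed":
            failed[caller].append((ts, dialed))
    alerts = []
    for caller, hits in sorted(failed.items()):
        hits.sort()
        for i, (start, _) in enumerate(hits):  # slide the window over each start
            burst = {d for t, d in hits[i:] if t - start <= window}
            if len(burst) >= min_failures:
                cores = sorted({core_number(d) or "other" for d in burst})
                alerts.append({"caller": caller, "attempts": len(burst), "destinations": cores})
                break
    return alerts
```

On the constructed sample this flags the "unknown" caller with six distinct failed variants in one minute, collapsing to two +44 destinations plus one non-UK number.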
