Today's Topics:
1. You MUST attend SIPNOC. You SHOULD propose a presentation.
(Mark R Lindsey)
2. Re: You MUST attend SIPNOC. You SHOULD propose a
presentation. (Brooks Bridges)
3. Fwd: [Sheflug] Zero-day rootkit? (Gavin Henry)
4. Re: Fwd: [Sheflug] Zero-day rootkit? (Matt Yaklin)
5. Re: PROBLEM: Yate-Status CICs-Yate.Mx is CRITICAL on host
ELP-SOT-DC1.Yate.Mx (Manuel Marín)
6. Re: Fwd: [Sheflug] Zero-day rootkit? (Paul Cupis)
----------------------------------------------------------------------
Message: 1
Date: Thu, 21 Feb 2013 14:58:08 -0500
From: Mark R Lindsey <[email protected]>
To: "[email protected]" <[email protected]>
Subject: [VoiceOps] You MUST attend SIPNOC. You SHOULD propose a
presentation.
Message-ID: <[email protected]>
Content-Type: text/plain; charset=us-ascii
You are REQUIRED to attend SIPNOC 2013, April 22-25, 2013 in Herndon,
VA. It's a lot like voiceops, but with colocated participants. If
an asteroid were to hit SIPNOC, the WebRTC Apocalypse would immediately
ensue.
In this document, the key words "MUST", "MUST NOT", "REQUIRED",
"SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED",
"NOT RECOMMENDED", "MAY", and "OPTIONAL" are to be interpreted
as described in BCP 14, RFC 2119 and indicate requirement levels
for compliant SIPNOC attendees.
You MAY send a delegate to represent you at other technical conferences
(or user group meetings) scheduled to occur at the same time.
Watching a live stream of other concurrent events is OPTIONAL.
You SHOULD propose a talk to present at SIPNOC to explain some
interesting topic or challenge you've overcome. The talk MUST NOT
be a marketing talk (except to brag on your own superpower VoIP
skills.) It is RECOMMENDED that the talk include in-depth technical
content.
Acting in an effortlessly nerdy manner while at SIPNOC is RECOMMENDED;
fortunately, 98% of attendees have accomplished this in past years.
2% had to apply effort to fit in.
Talking smack about products and vendors is OPTIONAL. It is
RECOMMENDED that some technical representatives from vendors be
sent to participate. The following vendors MUST send representatives
to appear in person, because their products will surely be discussed:
Sonus Snom Sansay Sangoma Polycom Metaswitch Grandstream EdgeWater
Digium Cisco BroadSoft Adtran Acme Packet Aastra
This email MUST NOT be construed as authorized communication of SIP
Forum, the SIPNOC Program Committee, Marc Robins, or any of his
cohorts or colleagues. This email does not express the opinions of
my clients or my employer (unless they want correct opinions).
------------------------------
Message: 2
Date: Thu, 21 Feb 2013 14:03:22 -0600
From: Brooks Bridges <[email protected]>
To: [email protected]
Subject: Re: [VoiceOps] You MUST attend SIPNOC. You SHOULD propose a
presentation.
Message-ID: <[email protected]>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
How much is this asteroid going to cost me?
(I kid, I kid...)
Brooks Bridges
On 2/21/2013 1:58 PM, Mark R Lindsey wrote:
> If
> an asteroid were to hit SIPNOC, the WebRTC Apocalypse would immediately
> ensue.
------------------------------
Message: 3
Date: Thu, 21 Feb 2013 21:46:25 +0000
From: Gavin Henry <[email protected]>
To: [email protected]
Subject: [VoiceOps] Fwd: [Sheflug] Zero-day rootkit?
Message-ID:
<capcb_glng1fswuernnxrvfbbsztzcjfmt9unnbfpxlzgexb...@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1
Hi all,
Anyone seeing this on any of your softswitches/SBCs/SIP Proxies that
are built on Linux kernels?
Thanks.
---------- Forwarded message ----------
From: Chris J <[email protected]>
Date: 21 February 2013 19:25
Subject: [Sheflug] Zero-day rootkit?
To: [email protected]
Just a heads-up in case it's not been seen. The last couple of days I've
seen blogs and forums light up with news of an active zero-day attack - the
actual attack vector is currently not known, which makes this more worrying
than most. Some folk are placing the blame on SSH, others on cPanel, but
really, no-one currently knows.
Typically it's been Redhat or CentOS machines affected, although I've seen
(unconfirmed) anecdotes on forums that Debian has also been affected.
You'll know to be suspicious if you have a file, libkeyutils.so.1.9, on
your box, most likely under /lib (but could be elsewhere). The latest
"good" version of this file is 1.3...
It's also curious that most of the talk is on forums. I haven't seen
anything from the distributions about this.
Relevant links and more info:
http://blog.solidshellsecurity.com/2013/02/18/0day-linuxcentos-sshd-spam-exploit-libkeyutils-so-1-9/
http://blog.configserver.com/index.php?itemid=716
http://www.webhostingtalk.com/showthread.php?t=1235797
A google for libkeyutils.so.1.9 brings back other various forums, etc...
Don't know if anyone's got more solid information on this?
Cheers,
Chris
--
Chris Johnson :: [email protected] :: PGP 0xBC618B81
:: http://cej.nightwolf.org.uk/
--
Kind Regards,
Gavin Henry.
Managing Director.
T +44 (0) 1224 279484
M +44 (0) 7930 323266
F +44 (0) 1224 824887
E [email protected]
Open Source. Open Solutions(tm).
http://www.suretecsystems.com/
Suretec Systems is a limited company registered in Scotland. Registered
number: SC258005. Registered office: 24 Cormack Park, Rothienorman, Inverurie,
Aberdeenshire, AB51 8GL.
Subject to disclaimer at http://www.suretecgroup.com/disclaimer.html
Do you know we have our own VoIP provider called SureVoIP? See
http://www.surevoip.co.uk
Did you see our API? http://www.surevoip.co.uk/api
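An added example, not part of the original thread or of any vendor's tooling: a shell triage for the indicator Chris J describes above (a libkeyutils.so.1.9 file, most likely under /lib). It flags the name, resolves symlinks, and asks rpm or dpkg whether any package owns the file; the function names and the directory list are this example's assumptions.

```shell
#!/bin/sh
# Added example: triage for the libkeyutils.so.1.9 indicator named in the post.
# Function names and the directory list are this example's own choices.

# classify_keyutils PATH -> "suspect" for the 1.9 name the post flags,
# "expected" for any other libkeyutils.so* name, "unrelated" otherwise.
classify_keyutils() {
    case "$(basename "$1")" in
        libkeyutils.so.1.9) echo suspect ;;
        libkeyutils.so|libkeyutils.so.*) echo expected ;;
        *) echo unrelated ;;
    esac
}

# pkg_owner PATH -> owning package per rpm or dpkg, or "unowned".
# The name alone proves nothing; a file no package claims deserves a closer look.
pkg_owner() {
    if command -v rpm >/dev/null 2>&1 && rpm -qf "$1" >/dev/null 2>&1; then
        rpm -qf "$1"
    elif command -v dpkg >/dev/null 2>&1 && dpkg -S "$1" >/dev/null 2>&1; then
        dpkg -S "$1" | cut -d: -f1
    else
        echo unowned
    fi
}

# scan_keyutils DIR... -> one line per hit: "<verdict> <owner> <path> -> <target>".
# Symlinks are judged by what they resolve to, so libkeyutils.so.1 pointing
# at a 1.9 file is reported as well.
scan_keyutils() {
    find "$@" -name 'libkeyutils.so*' \( -type f -o -type l \) 2>/dev/null |
    while IFS= read -r f; do
        target=$(readlink -f "$f")
        printf '%s %s %s -> %s\n' \
            "$(classify_keyutils "$target")" "$(pkg_owner "$f")" "$f" "$target"
    done
}

# "most likely under /lib (but could be elsewhere)": pass --scan to check the
# usual library directories; add others as arguments to scan_keyutils.
if [ "${1:-}" = "--scan" ]; then
    scan_keyutils /lib /lib64 /usr/lib /usr/lib64 /usr/local/lib
fi
```

A "suspect unowned" line is the combination worth escalating; a "suspect" line with a package owner should be checked against that package's own file list before drawing conclusions.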
------------------------------
Message: 4
Date: Thu, 21 Feb 2013 18:01:24 -0500 (EST)
From: Matt Yaklin <[email protected]>
To: Gavin Henry <[email protected]>
Cc: [email protected]
Subject: Re: [VoiceOps] Fwd: [Sheflug] Zero-day rootkit?
Message-ID: <[email protected]>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
Since it mentions control panels wouldn't this more than likely
be a local root exploit that one can use once you have a sliver
of access via the control panel user interface?
I highly doubt the folks who can audit sshd to find a remote
root would send spam. By the time spammers get a hold of such
an exploit the guys who release such exploits already made
it publicly known. (After they had their fun of rooting
openbsd.org or what have you ;-) ).
Not bashing linux here.. but there has to be dozens of people
around who make it a hobby to find local root exploits. I imagine
one decided to sell the exploit instead of emailing full disclosure
mailing list to get many kudos and "street" cred.
m
On Thu, 21 Feb 2013, Gavin Henry wrote:
> Hi all,
>
> Anyone seeing this on any of your softswitches/SBCs/SIP Proxies that
> are built on Linux kernels?
>
> Thanks.
>
>
> ---------- Forwarded message ----------
> From: Chris J <[email protected]>
> Date: 21 February 2013 19:25
> Subject: [Sheflug] Zero-day rootkit?
> To: [email protected]
>
>
>
> Just a heads-up in case it's not been seen. The last couple of days I've
> seen blogs and forums light up with news of an active zero-day attack - the
> actual attack vector is currently not known, which makes this more worrying
> than most. Some folk are placing the blame on SSH, others on cPanel, but
> really, no-one currently knows.
>
> Typically it's been Redhat or CentOS machines affected, although I've seen
> (unconfirmed) anecdotes on forums that Debian has also been affected.
>
> You'll know to be suspicious if you have a file, libkeyutils.so.1.9, on
> your box, most likely under /lib (but could be elsewhere). The latest
> "good" version of this file is 1.3...
>
> It's also curious that most of the talk is on forums. I haven't seen
> anything from the distributions about this.
>
> Relevant links and more info:
> http://blog.solidshellsecurity.com/2013/02/18/0day-linuxcentos-sshd-spam-exploit-libkeyutils-so-1-9/
> http://blog.configserver.com/index.php?itemid=716
> http://www.webhostingtalk.com/showthread.php?t=1235797
>
> A google for libkeyutils.so.1.9 brings back other various forums, etc...
>
> Don't know if anyone's got more solid information on this?
>
> Cheers,
>
> Chris
------------------------------
Message: 5
Date: Thu, 21 Feb 2013 16:40:42 -0700
From: Manuel Marín <[email protected]>
To: Gamaliel Bedolla <[email protected]>, [email protected],
Networks Operations <[email protected]>
Subject: Re: [VoiceOps] PROBLEM: Yate-Status CICs-Yate.Mx is CRITICAL
on host ELP-SOT-DC1.Yate.Mx
Message-ID:
<cad0twz-efjdohgxhg+d2sykse+c8fgrb283wsvjexni48yz...@mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"
Gamaliel,
Regardless of the routes, both must be clean.
Please use test equipment to validate both routes, and do not affect the
circuits until the traffic drops.
We need to make sure that both routes are operating correctly, because
there are customer circuits that pass through the same place.
On Thu, Feb 21, 2013 at 4:29 PM, Gamaliel Bedolla <[email protected]> wrote:
> NOC,
> Some errors are being seen on 2 of the 3 E1s that run from Barrancas
> to Ezero. It is believed they are using the long SNCP route
> Barrancas-Torres-Ezero. They are going to be moved back to the short route.
> I am following up on this here.
>
> ---------- Forwarded message ----------
> From: <[email protected]>
> Date: 2013/2/21
> Subject: PROBLEM: Yate-Status CICs-Yate.Mx is CRITICAL on host
> ELP-SOT-DC1.Yate.Mx
> To: [email protected]
>
>
>
> PROBLEM: Yate-Status CICs-Yate.Mx is CRITICAL on host ELP-SOT-DC1.Yate.Mx
>
> Service: Yate-Status CICs-Yate.Mx
> Host: ELP-SOT-DC1.Yate.Mx
> Alias: ELP-SOT.DC1.Yate.Mx
> Address: 10.100.0.66
> Host Group Hierarchy: Opsview > Core - Telephony > Core - Telephony
> Gateways
> State: CRITICAL
> Date & Time: Thu Feb 21 16:09:18 MST 2013
>
>
> Additional Information:
>
>
>
>
> Advertencia: CICs Bloqueados
> \n189=e1_6
>
> Service URL:
> http://10.11.0.127/cgi-bin/extinfo.cgi?type=2&host=ELP-SOT-DC1.Yate.Mx&service=Yate-Status%20CICs-Yate.Mx
>
>
--
Manuel Marín
Transtelco Inc.
1.9152172232
------------------------------
Message: 6
Date: Fri, 22 Feb 2013 13:19:47 +0000
From: Paul Cupis <[email protected]>
To: [email protected]
Subject: Re: [VoiceOps] Fwd: [Sheflug] Zero-day rootkit?
Message-ID: <[email protected]>
Content-Type: text/plain; charset=us-ascii
On Thu, Feb 21, 2013 at 09:46:25PM +0000, Gavin Henry wrote:
> Anyone seeing this on any of your softswitches/SBCs/SIP Proxies that
> are built on Linux kernels?
There is a suggestion that it is related to cPanel tech support server
being compromised.
http://isc.sans.edu/diary/SSHD+rootkit+in+the+wild/15229
http://www.webhostingtalk.com/showpost.php?p=8569905&postcount=1187
http://forums.cpanel.net/f185/cpanel-security-325062.html
Regards,
------------------------------
_______________________________________________
VoiceOps mailing list
[email protected]
https://puck.nether.net/mailman/listinfo/voiceops
End of VoiceOps Digest, Vol 44, Issue 20
****************************************