Asterisk service problems

Discussion in 'General' started by Mirko87, Feb 19, 2010.

  1. Mirko87

    Joined:
    Oct 20, 2008
    Messages:
    128
    Likes Received:
    0
    Hi people of Elastix,
    this morning my PBX wasn't able to start, because of a problem with the directory /var/log/asterisk... In fact, this directory seemed to have been deleted and the Asterisk service didn't start up.
    This is the error --> Unable to connect to remote asterisk (does /var/run/asterisk.ctl exist?). I noticed that the log directory wasn't reachable, so I solved it by re-creating the directory, and after that the Asterisk service was ok.
    Now, my problem is that I can't access the PBX web interface... It seems like some service is down; have you got any ideas about this problem?


    Best regards,

    Mirko
     
  2. fmvillares

    Joined:
    Sep 8, 2007
    Messages:
    1,785
    Likes Received:
    0
    Well, not good news I think... the /var/ directory has all the info for web pages, services, mails etc., and if it was deleted I think you have been hacked, so... a format is the best solution right now... with all the system deleted, the reinstall is the fastest way to operate again... then put the same-version backup in for restoring your info...

    see ya
     
  3. Mirko87

    Joined:
    Oct 20, 2008
    Messages:
    128
    Likes Received:
    0
    Hi man, the problem is that only the directory /var/log/asterisk has been deleted.
    The directories in /var seem to be ok... I can see my backup tars...

    Now I make some checks on the logs...

    Thanks for the answer...
     
  4. fmvillares

    Joined:
    Sep 8, 2007
    Messages:
    1,785
    Likes Received:
    0
    But with /var/log/asterisk deleted, Asterisk works ok... it recreates the files at the next restart... did you see your secure log? Or bash_history, to see the access to your server???
     
  5. Mirko87

    Joined:
    Oct 20, 2008
    Messages:
    128
    Likes Received:
    0
    I'm trying to check out secure logs or bash history, but I don't know how to do these checks... Can you help me please? :)

    Thanks a lot man...
     
  6. fmvillares

    Joined:
    Sep 8, 2007
    Messages:
    1,785
    Likes Received:
    0
    Look for access denied lines in secure.log or unknown IPs... and bash history is just a history of the users' commands.
     
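The kind of check described above (failed logins and accepted logins from addresses you don't recognise in /var/log/secure), written as an added example, not code from the thread. The log lines are constructed sample input in the sshd format CentOS-based Elastix writes, and the set of known administrator addresses is an assumption.

```python
import re
from collections import Counter

# Constructed sample of /var/log/secure lines (not taken from the poster's server).
SAMPLE_SECURE_LOG = """\
Feb 19 02:11:43 pbx sshd[4012]: Failed password for root from 203.0.113.7 port 40211 ssh2
Feb 19 02:11:47 pbx sshd[4012]: Failed password for root from 203.0.113.7 port 40211 ssh2
Feb 19 02:11:52 pbx sshd[4015]: Invalid user admin from 203.0.113.7
Feb 19 02:12:03 pbx sshd[4015]: Failed password for invalid user admin from 203.0.113.7 port 40230 ssh2
Feb 19 02:14:20 pbx sshd[4020]: Accepted password for root from 203.0.113.7 port 40301 ssh2
Feb 19 08:30:05 pbx sshd[4101]: Accepted password for root from 192.168.1.50 port 51234 ssh2
"""

# Assumption for the example: addresses the administrator expects to log in from.
KNOWN_ADMIN_IPS = {"192.168.1.50"}

# "Failed password for ..." and "Invalid user ..." both end with "from <ip>".
FAILED_RE = re.compile(
    r"sshd\[\d+\]: (?:Failed password for|Invalid user) .*?from (\d+\.\d+\.\d+\.\d+)")
# Successful logins: "Accepted password|publickey for <user> from <ip>".
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted \w+ for (\S+) from (\d+\.\d+\.\d+\.\d+)")


def triage_secure_log(text, known_ips):
    """Return (failed attempts per source IP, accepted logins from unknown IPs).

    Each suspicious entry is (user, ip, timestamp prefix of the line).
    """
    failed = Counter()
    suspicious = []
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failed[m.group(1)] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m and m.group(2) not in known_ips:
            suspicious.append((m.group(1), m.group(2), line[:15]))
    return failed, suspicious


if __name__ == "__main__":
    failed, suspicious = triage_secure_log(SAMPLE_SECURE_LOG, KNOWN_ADMIN_IPS)
    for ip, count in failed.most_common():
        print("failed attempts from %s: %d" % (ip, count))
    for user, ip, when in suspicious:
        print("ACCEPTED login for %s from unknown address %s at %s" % (user, ip, when))
```

On a real box the same function can be fed `open("/var/log/secure").read()`; a burst of failures followed by an accepted login from the same unknown address is the pattern worth acting on.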
  7. Mirko87

    Joined:
    Oct 20, 2008
    Messages:
    128
    Likes Received:
    0
    Oh, I forgot... /var/log was deleted, so I can only see the logs starting from today...
     
  8. dicko

    Joined:
    Oct 24, 2008
    Messages:
    4,099
    Likes Received:
    0
    To me, that would be a red flag; any penetration would advantageously delete that structure to cover up their success, and an arbitrary deletion of such a structure by anything would have me very concerned. Keep a very close eye on the IPs of registered extensions, and use netstat -an to watch for any unexpected connections or listening ports.

    Throw in a logrotate -f /etc/logrotate.conf just in case any aren't working.

    dicko
     
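The netstat -an review dicko suggests, as an added example (not from the thread): it parses the listener and established-connection lines and flags listening ports that a stock Elastix PBX should not have open, plus established connections to peers outside the LAN. The netstat output is constructed sample input; the expected port set, the RTP range and the trusted network are assumptions to adjust for your own box.

```python
import ipaddress

# Constructed netstat -an output in the Linux net-tools format (sample input).
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:80                  0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:443                 0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:12345               0.0.0.0:*                   LISTEN
tcp        0      0 192.168.1.10:22             192.168.1.50:51234          ESTABLISHED
tcp        0      0 192.168.1.10:12345          203.0.113.7:40555           ESTABLISHED
udp        0      0 0.0.0.0:5060                0.0.0.0:*
udp        0      0 0.0.0.0:4569                0.0.0.0:*
udp        0      0 0.0.0.0:10002               0.0.0.0:*
"""

# Assumed baseline for a PBX: ssh, http(s), SIP and IAX2 signalling, Asterisk's default RTP range.
EXPECTED_LISTENERS = {("tcp", 22), ("tcp", 80), ("tcp", 443), ("udp", 5060), ("udp", 4569)}
RTP_RANGE = range(10000, 20001)
TRUSTED_NETS = [ipaddress.ip_network("192.168.1.0/24")]


def split_addr(addr):
    """'192.168.1.10:22' -> ('192.168.1.10', 22)."""
    host, _, port = addr.rpartition(":")
    return host, int(port)


def triage_netstat(text, expected, trusted_nets):
    """Return (unexpected listeners, established connections to untrusted peers)."""
    unexpected, foreign = [], []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 5 or f[0] not in ("tcp", "udp"):
            continue  # header lines and anything that is not an IPv4 socket row
        proto, (_, lport) = f[0], split_addr(f[3])
        state = f[5] if len(f) > 5 else ""
        listening = state == "LISTEN" or (proto == "udp" and f[4].endswith(":*"))
        if listening:
            if (proto, lport) not in expected and not (proto == "udp" and lport in RTP_RANGE):
                unexpected.append((proto, lport))
        elif state == "ESTABLISHED":
            peer_host, _ = split_addr(f[4])
            if not any(ipaddress.ip_address(peer_host) in n for n in trusted_nets):
                foreign.append((proto, lport, peer_host))
    return unexpected, foreign


if __name__ == "__main__":
    print(triage_netstat(SAMPLE_NETSTAT, EXPECTED_LISTENERS, TRUSTED_NETS))
```

Replace SAMPLE_NETSTAT with the output of `netstat -an` (or `netstat -anp` to also see the owning process) to run it against a live system.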
  9. fmvillares

    Joined:
    Sep 8, 2007
    Messages:
    1,785
    Likes Received:
    0
    Totally agreed with dicko... in my case I would immediately shut down that server for a security analysis and have the server replaced by a backup asap.
     
  10. Mirko87

    Joined:
    Oct 20, 2008
    Messages:
    128
    Likes Received:
    0
    Thanks guys for your help.
    I've just checked, and with the command "sip show peers" I can see that both of my extensions are on the local IP addresses I've set.
    With the command netstat -an there aren't any IP addresses connected to me, and there isn't any strange listening situation.

    Now, I'm looking to check my bill, and planning my defense.

    By the way, do you know why I'm not able to log into the web interface of elastix?

    Best regards...
     
  11. dicko

    Joined:
    Oct 24, 2008
    Messages:
    4,099
    Likes Received:
    0
    what do the logs in /var/log/httpd say when you start or try to access the web server?
     
  12. Mirko87

    Joined:
    Oct 20, 2008
    Messages:
    128
    Likes Received:
    0
    There is bad news...

    When I do:
    cd /var/log
    ls
    I get:
    Segmentation Fault

    I can't understand what has happened, because my bill is ok. Could it be an HD problem?
     
  13. dicko

    Joined:
    Oct 24, 2008
    Messages:
    4,099
    Likes Received:
    0
    It could be almost anything :), but my guess is that you have been "messed with". I would no longer trust that machine, sorry. Move your backups to another place, rebuild a new machine and restore the backup, then do all the firewall/security stuff, especially add rkhunter or something like it; at least that way, if it happens again, you will know what happened.

    dicko

    which ls

    and


    ls -la /bin/ls should show an appropriate date and might show when it happened.
     
  14. fmvillares

    Joined:
    Sep 8, 2007
    Messages:
    1,785
    Likes Received:
    0
    maybe the guys deleted amportal.conf or some databases or /var/lib/asterisk or var/www/html
    seeya
     
  15. Mirko87

    Joined:
    Oct 20, 2008
    Messages:
    128
    Likes Received:
    0
    Hi guys, I've just set up a replacement PBX while I'm looking for the problem on my official PBX.
    I'll keep you up to date.
    A special thank you to both of you... I've followed your advice and installed rkhunter and fail2ban... And now I'm studying something more to improve security.

    Best Regards,
    Mirko
     