Asterisk service problems

Mirko87
#1
Hi people of Elastix,
This morning my PBX was unable to start because of a problem with the directory /var/log/asterisk... In fact, this directory seemed to have been deleted, and the Asterisk service didn't start up.
This is the error: "Unable to connect to remote asterisk (does /var/run/asterisk.ctl exist?)". I noticed that the log directory wasn't reachable, so I solved it by re-creating the directory, and after that the Asterisk service was OK.
Now my problem is that I can't access the PBX web interface... It seems like some service is down. Have you got any ideas about this problem?


Best regards,

Mirko
 

fmvillares
#2
Well, not good news, I think... The /var/ directory has all the info for web pages, services, mails, etc., and if it was deleted I think you have been hacked, so... a format is the best solution right now... With the whole system deleted, a reinstall is the fastest way to operate again. Then restore your info from a backup of the same version...

see ya
 

Mirko87
#3
Hi man, the problem is that only the directory /var/log/asterisk has been deleted.
The directories in /var seem to be OK... I can see my backup tars...

Now I make some checks on the logs...

Thanks for the answer...
 

fmvillares
#4
But with /var/log/asterisk deleted, Asterisk works OK... it recreates the files at the next restart. Did you check your secure log, or bash_history, to see the access to your server?
 

Mirko87
#5
I'm trying to check out the secure logs or bash history, but I don't know how to do these checks... Can you help me, please? :)

Thanks a lot man...
 

fmvillares
#6
Look for "access denied" lines in the secure log, or unknown IPs... and bash history is just a history of the users' commands.
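
The checks fmvillares describes above, as an added example that is not part of the thread: a small POSIX shell script that scans a /var/log/secure-style SSH log for failed logins per source IP and for successful logins from addresses outside a trusted range. The log lines and the trusted prefixes (192.168.1. and loopback) are constructed assumptions; on a real box you would feed it the live file with `failed_by_ip "$(cat /var/log/secure)"`. Keep in mind the caveat raised later in the thread: once /var/log has been wiped, only entries written after the deletion survive, and the same goes for the login records in /var/log/wtmp and /var/log/btmp that `last` and `lastb` read.

```shell
#!/bin/sh
# Added example, not from the thread: triage an SSH auth log (/var/log/secure
# on CentOS/Elastix) for brute-force sources and logins from untrusted IPs.

# Assumption: the PBX is only administered from this LAN. Entries are string
# prefixes matched against the start of the source IP.
TRUSTED_NETS='192.168.1. 127.0.0.1'

# Constructed sample log lines (the public IPs are RFC 5737 documentation
# ranges, not real hosts).
SAMPLE_LOG=$(cat <<'EOF'
Nov  3 02:11:05 pbx sshd[2201]: Failed password for root from 203.0.113.45 port 51022 ssh2
Nov  3 02:11:09 pbx sshd[2201]: Failed password for root from 203.0.113.45 port 51022 ssh2
Nov  3 02:11:14 pbx sshd[2203]: Accepted password for root from 203.0.113.45 port 51030 ssh2
Nov  3 08:30:01 pbx sshd[2400]: Accepted publickey for admin from 192.168.1.20 port 44010 ssh2
Nov  3 08:31:15 pbx sshd[2402]: Failed password for invalid user test from 198.51.100.7 port 39212 ssh2
EOF
)

# Count failed password attempts per source IP, most frequent first.
# Usage on a live system: failed_by_ip "$(cat /var/log/secure)"
failed_by_ip() {
    printf '%s\n' "$1" | awk '
        /sshd\[[0-9]+\]: Failed password/ {
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            n[ip]++
        }
        END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Successful logins whose source IP does not start with a trusted prefix.
# A hit here after a run of failures from the same IP is the worst case:
# the brute force worked.
accepted_untrusted() {
    printf '%s\n' "$1" | awk -v trusted="$TRUSTED_NETS" '
        BEGIN { nt = split(trusted, t, " ") }
        /sshd\[[0-9]+\]: Accepted/ {
            for (i = 1; i <= NF; i++) {
                if ($i == "for")  user = $(i + 1)
                if ($i == "from") ip = $(i + 1)
            }
            ok = 0
            for (j = 1; j <= nt; j++) if (index(ip, t[j]) == 1) ok = 1
            if (!ok) print $1, $2, $3, ip, "user=" user
        }'
}

echo "== failed logins per source IP =="
failed_by_ip "$SAMPLE_LOG"
echo "== successful logins from outside $TRUSTED_NETS =="
accepted_untrusted "$SAMPLE_LOG"
```

For the bash_history part of the advice, `ls -la /root/.bash_history /home/*/.bash_history` followed by a read of each file is enough; an empty or zero-byte history on a box that is actively administered is itself a signal, since clearing it (`history -c`, or unsetting HISTFILE before working) is a routine step for an intruder.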
 

Mirko87
#7
Oh, I forgot... /var/log was deleted, so I can only see the logs starting from today...
 

dicko
#8
To me, that would be a red flag: any penetration would advantageously delete that structure to cover up its success, and an arbitrary deletion of such a structure by anything would have me very concerned. Keep a very close eye on the IPs of registered extensions, and use netstat -an to watch for any unexpected connections or listening ports.

Throw in a logrotate -f /etc/logrotate.conf just in case any aren't working.

dicko
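
dicko's two checks above (the IPs of registered extensions, and netstat -an for unexpected connections or listeners) as an added example, not from the thread: a POSIX shell script that filters `netstat -an` and `asterisk -rx "sip show peers"` output against an expected baseline instead of eyeballing it. The sample outputs, the expected port list and the trusted address prefixes are constructed assumptions for an Elastix box on 192.168.1.0/24 with one provider trunk; adjust them to the real deployment before use.

```shell
#!/bin/sh
# Added example, not from the thread: compare the live socket table and the
# SIP peer list against what an Elastix/Asterisk PBX is expected to show.
# Every value in this first block is an assumption about the deployment.

EXPECTED_TCP='22 80 443'          # ssh, web GUI
EXPECTED_UDP='5060 4569'          # SIP, IAX2
RTP_MIN=10000; RTP_MAX=20000      # Asterisk rtp.conf default range
# Address prefixes that may hold connections or register as peers:
# the LAN, loopback, and the provider's trunk host (matched as a string prefix).
TRUSTED='192.168.1. 127.0.0.1 198.51.100.20'

# Constructed sample of `netstat -an` (public IPs are documentation ranges).
SAMPLE_NETSTAT=$(cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:80                  0.0.0.0:*                   LISTEN
tcp        0      0 127.0.0.1:3306              0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:4444                0.0.0.0:*                   LISTEN
tcp        0      0 192.168.1.10:22             192.168.1.20:50122          ESTABLISHED
tcp        0      0 192.168.1.10:41210          203.0.113.9:6667            ESTABLISHED
udp        0      0 0.0.0.0:5060                0.0.0.0:*
udp        0      0 0.0.0.0:12000               0.0.0.0:*
EOF
)

# Constructed sample of `asterisk -rx "sip show peers"`.
SAMPLE_PEERS=$(cat <<'EOF'
Name/username              Host            Dyn Nat ACL Port     Status
100/100                    192.168.1.50     D          5060     OK (12 ms)
101/101                    203.0.113.77     D          5060     OK (80 ms)
trunk/user                 198.51.100.20               5060     Unmonitored
3 sip peers [Monitored: 2 online, 0 offline Unmonitored: 1 online, 0 offline]
EOF
)

# awk helper shared by the checks below: is_trusted(ip) is 1 when the
# address starts with one of the TRUSTED prefixes.
AWK_TRUST='
    BEGIN { nt = split(trusted, t, " ") }
    function is_trusted(ip,   j) { for (j = 1; j <= nt; j++) if (index(ip, t[j]) == 1) return 1; return 0 }
'

# Listening sockets bound to a non-loopback address whose port is not in the
# expected set (or, for UDP, the RTP range). Prints "proto port address".
unexpected_listeners() {
    printf '%s\n' "$1" | awk -v tcp="$EXPECTED_TCP" -v udp="$EXPECTED_UDP" \
                             -v lo="$RTP_MIN" -v hi="$RTP_MAX" '
        BEGIN {
            n = split(tcp, a, " "); for (i = 1; i <= n; i++) ok["tcp", a[i]] = 1
            n = split(udp, a, " "); for (i = 1; i <= n; i++) ok["udp", a[i]] = 1
        }
        ($1 == "tcp" && $6 == "LISTEN") || $1 == "udp" {
            n = split($4, h, ":"); port = h[n]               # last field, so :::22 works too
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (addr == "127.0.0.1" || addr == "::1") next   # loopback-only services
            if (($1, port) in ok) next
            if ($1 == "udp" && port + 0 >= lo + 0 && port + 0 <= hi + 0) next
            print $1, port, addr
        }'
}

# Established TCP connections to a peer outside the trusted prefixes.
# Prints "foreign local".
foreign_connections() {
    printf '%s\n' "$1" | awk -v trusted="$TRUSTED" "$AWK_TRUST"'
        $1 == "tcp" && $6 == "ESTABLISHED" && !is_trusted($5) { print $5, $4 }'
}

# SIP peers whose registered host is outside the trusted prefixes.
# Prints "name host"; unregistered peers show "(Unspecified)" and are skipped.
unexpected_peers() {
    printf '%s\n' "$1" | awk -v trusted="$TRUSTED" "$AWK_TRUST"'
        $2 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && !is_trusted($2) { print $1, $2 }'
}

echo "== unexpected listeners =="; unexpected_listeners "$SAMPLE_NETSTAT"
echo "== connections to untrusted hosts =="; foreign_connections "$SAMPLE_NETSTAT"
echo "== peers registered from untrusted hosts =="; unexpected_peers "$SAMPLE_PEERS"
```

On the real box the calls are `unexpected_listeners "$(netstat -an)"` and `unexpected_peers "$(asterisk -rx 'sip show peers')"`. A clean result from these is necessary but not sufficient: a kernel or library rootkit can hide sockets from netstat, so the listener check is worth repeating from another host with a port scan (for example nmap with both TCP and UDP probes), and an extension registered from an address you do not recognise is a strong sign that its SIP password has leaked and is being used for toll fraud.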
 

fmvillares
#9
Totally agreed with dicko... In my case I would immediately shut down that server for a security analysis and have the server replaced by a backup ASAP.
 

Mirko87
#10
Thanks guys for your help.
I've just checked, and with the command "sip show peers" I can see that both of my two extensions are on the local IP addresses I've set.
With the command netstat -an there isn't any IP address connected to me, nor any strange listening situation.

Now I'm checking my bill and planning my defense.

By the way, do you know why I'm not able to log into the web interface of Elastix?

Best regards...
 

dicko
#11
What do the logs in /var/log/httpd say when you start or try to access the web server?
 

Mirko87
#12
There is bad news...

When I do:
cd /var/log
ls
I get:
Segmentation Fault

I can't understand what has happened, because my bill is OK. Could it be an HD problem?
 

dicko
#13
It could be almost anything :), but my guess is that you have been "messed with". I would no longer trust that machine. Sorry. Move your backups to another place, rebuild a new machine and restore the backup, then do all the firewall/security stuff, especially add rkhunter or something like it; at least that way, if it happens again, you will know what happened.

dicko

which ls

and

ls -la /bin/ls should show an appropriate date and might show when it happened.
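
dicko's suggestion above to look at `which ls` and `ls -la /bin/ls` generalises to comparing every critical binary against a known-good baseline, which is what rkhunter and a package manager's verify mode do. An added example, not from the thread: a POSIX shell script that records SHA-256 hashes of a tree and later reports files that changed or disappeared. It builds a throwaway tree of constructed files and tampers with it so the script runs anywhere; on a real system the baseline would be taken from a clean install of the same Elastix version and stored off the machine, and the comparison run with tools from trusted media, because a replaced `ls` can just as easily be a replaced `sha256sum`.

```shell
#!/bin/sh
# Added example, not from the thread: hash baseline for critical binaries.
# The tree, the files and the "trojaned" change are constructed so the script
# runs anywhere; a real baseline comes from a clean install, is kept off-box,
# and is checked with tools from trusted media.

# Record "sha256  ./relative/path" for every file under $1 into $2, sorted.
make_baseline() {
    ( cd "$1" && find . -type f | sort | while read -r f; do
        sha256sum "$f"
    done ) > "$2"
}

# Compare the tree under $1 with baseline $2. Prints one line per file that
# is MODIFIED or MISSING; returns 0 only when everything matches.
check_baseline() {
    status=0
    while read -r sum path; do
        if [ ! -f "$1/$path" ]; then
            echo "MISSING $path"; status=1
        elif [ "$(sha256sum "$1/$path" | cut -d' ' -f1)" != "$sum" ]; then
            echo "MODIFIED $path"; status=1
        fi
    done < "$2"
    return $status
}

# Build a scratch tree, baseline it, then tamper: replace ls, delete netstat.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/bin"
    printf 'original ls binary\n' > "$root/bin/ls"
    printf 'original netstat binary\n' > "$root/bin/netstat"
    make_baseline "$root" "$root.baseline"

    printf 'trojaned ls binary\n' > "$root/bin/ls"   # attacker swaps ls
    rm "$root/bin/netstat"                           # and removes netstat

    rc=0
    check_baseline "$root" "$root.baseline" || rc=$?
    rm -rf "$root" "$root.baseline"
    return $rc
}

if demo; then
    echo "baseline matches"
else
    echo "baseline mismatch: do not trust this host"
fi
```

Elastix is CentOS-based, so the RPM database already holds such a baseline for packaged files: `rpm -Vf /bin/ls` flags a changed size, digest or mtime (the S, 5 and T columns of its output), with the caveat that the database itself sits on the suspect disk and a careful intruder updates it. The same caveat applies to the `ls -la /bin/ls` date: mtime is one `touch` away from being forged, so `stat /bin/ls` and its ctime, which cannot be set without changing the system clock, is the better clue to when the swap happened.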
 

fmvillares
#14
Maybe the guys deleted amportal.conf, or some databases, or /var/lib/asterisk or /var/www/html.
seeya
 

Mirko87
#15
Hi guys, I've just set up a replacement PBX while I'm looking for the problem on my official PBX.
I'll keep you up to date.
A special thank you to both of you... I've followed your advice, and I installed rkhunter and fail2ban. And now I'm studying something more to improve security.

Best Regards,
Mirko
 
