From owner-freebsd-questions@FreeBSD.ORG Mon Feb 15 10:40:26 2010
From: "Dr. Jennifer Nussbaum"
To: freebsd-questions@freebsd.org
Date: Mon, 15 Feb 2010 02:13:45 -0800 (PST)
Subject: Cleaning up after attack?
Message-ID: <556594.6744.qm@web53507.mail.re2.yahoo.com>
List-Id: User questions <freebsd-questions@freebsd.org>

Hi. I have an up-to-date FreeBSD 7.2 box that has been compromised. Someone apparently got in to an account with certain admin privileges and has been sending spam. I disabled the account, shut off my MTA and used pf to block all traffic to port 25 out for good measure.

How do I analyse what might have happened and what has been installed? And is there anything to do other than rebuild the entire system to ensure that it's clean?

Thanks.

Jen