From owner-freebsd-questions@FreeBSD.ORG Thu Jan 19 13:21:09 2006
X-Original-To: freebsd-questions@freebsd.org
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5EA3816A41F for ; Thu, 19 Jan 2006 13:21:09 +0000 (GMT) (envelope-from hagemann1@egs.uct.ac.za)
Received: from janeway.egs.uct.ac.za (janeway.egs.uct.ac.za [196.21.8.20]) by mx1.FreeBSD.org (Postfix) with ESMTP id BAC6B43D53 for ; Thu, 19 Jan 2006 13:21:07 +0000 (GMT) (envelope-from hagemann1@egs.uct.ac.za)
Received: from [196.21.8.146] (helo=particle.egs.uct.ac.za) by janeway.egs.uct.ac.za with esmtp (Exim 3.36 #4) id 1EzZif-0001LT-00 for freebsd-questions@freebsd.org; Thu, 19 Jan 2006 15:20:53 +0200
From: Kilian Hagemann
Organization: University of Cape Town
To: freebsd-questions@freebsd.org
Date: Thu, 19 Jan 2006 15:21:13 +0200
User-Agent: KMail/1.8.1
References: <200601171907.17831.hagemann1@egs.uct.ac.za> <44255.195.139.252.5.1137597225.squirrel@webmail.i13i.com> <200601181746.51461.hagemann1@egs.uct.ac.za>
In-Reply-To: <200601181746.51461.hagemann1@egs.uct.ac.za>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Message-Id: <200601191521.13840.hagemann1@egs.uct.ac.za>
Subject: Haven't been hacked, just prone to man-in-the-middle attacks (WAS: I have been hacked)
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions
X-List-Received-Date: Thu, 19 Jan 2006 13:21:09 -0000

Hi guys,

Just to find closure on this thread, I'd like to admit that I jumped to conclusions too early and would like to share what had actually happened, after many hours wasted playing the detective :-( (glad I didn't format/reinstall though)

When I "used" my FreeBSD gateway as an smtp server to convince myself I had been hacked, the smtp connection was somehow redirected to one of my institution's mail servers (or at least that's what gmail's mail headers are saying). Funny enough, the same trick no longer works today, but then they're currently upgrading lots of stuff around here, so that's a different story.

Then when I used ftp to connect to my gateway and it came up with "frox transparent proxy", someone had actually intercepted my connection and forged/spoofed a reply. I know that because I went to the premises of my box, unplugged everything and tried that trick again, successfully, from a separate dial-up connection. Hey, nmap even told me my box had ports open even though it wasn't even up!

I've never seen anything like this before, but I've notified my ISP. Remains to be seen if they do anything about it...

Anyway, long story short, I'm glad I'm still secure, and thanks to everyone who helped me out and gave me advice.

-- 
Kilian Hagemann
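The two observations in the post (a service greeting that is not the one your own daemon sends, and a host that answers on ports while it is physically unplugged) are exactly the signals a transparent proxy in the path gives away. The following script is an added example and is not part of the original message or of any FreeBSD or frox code. It grabs the greeting banner of a plaintext service, compares it against the banner the administrator knows their own daemon is configured to send, and flags any answer at all from a host that is supposed to be offline. All hostnames, ports and banners in it are constructed for the demonstration; the `demo()` function stands up local listeners on the loopback interface so the check can be run offline, one honest and one that greets like an interceptor would.

```python
"""Sanity-check for transparent interception of plaintext services.

Added example (not from the mailing-list post). Compares the greeting a
remote service sends with the greeting our own daemon is configured to send,
and treats any answer from a host that should be down as evidence that an
intermediary is completing TCP handshakes on its behalf.
"""
import socket
import threading


def grab_banner(host, port, timeout=3.0):
    """Return the first bytes the service sends after connect, or None if
    the connection was refused or nothing answered within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            return s.recv(512)
    except OSError:
        return None


def classify(banner, expected, host_should_be_up=True):
    """Classify an observed greeting against the one we expect.

    Returns one of:
      'ok'              - greeting matches what our own daemon sends
      'no-answer'       - nothing answered (consistent with a host that is down)
      'ghost-answer'    - host should be down, yet something completed the
                          handshake and spoke: an intermediary is in the path
      'banner-mismatch' - something answered with a different greeting, e.g.
                          a transparent proxy announcing itself
    """
    if banner is None:
        return "no-answer"
    if not host_should_be_up:
        return "ghost-answer"
    if banner.rstrip(b"\r\n") == expected:
        return "ok"
    return "banner-mismatch"


def check_inventory(inventory, host_should_be_up=True):
    """inventory maps (host, port) -> expected banner bytes; returns a
    mapping of the same keys to classification strings."""
    return {
        key: classify(grab_banner(*key), expected, host_should_be_up)
        for key, expected in inventory.items()
    }


def serve_banner(banner):
    """Local one-shot stand-in for a service (or an interceptor) that greets
    with `banner`; binds an ephemeral loopback port and returns it."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def run():
        conn, _ = srv.accept()
        conn.sendall(banner + b"\r\n")
        conn.close()
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]


def demo():
    """Run the check against three constructed loopback listeners."""
    # Constructed banner: what our own FTP daemon is configured to say.
    honest = b"220 gateway.example FTP server ready"
    p_honest = serve_banner(honest)
    # Constructed interceptor greeting, modelled on the post's observation.
    p_proxy = serve_banner(b"220 frox transparent proxy")
    # Same interceptor, but for a host we know is unplugged.
    p_ghost = serve_banner(b"220 frox transparent proxy")
    return {
        "honest": classify(grab_banner("127.0.0.1", p_honest), honest),
        "intercepted": classify(grab_banner("127.0.0.1", p_proxy), honest),
        "ghost": classify(grab_banner("127.0.0.1", p_ghost), honest,
                          host_should_be_up=False),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

In real use, `check_inventory` is fed the banners copied from each daemon's own console (the only place the greeting cannot have been substituted), and `host_should_be_up=False` is passed while the box is deliberately powered off, so that any `ghost-answer` result is attributable to the network path rather than the host.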