From: "Chad Leigh Shire.Net LLC"
To: FreeBSD Mailing List
Cc: Robert Bonomi
Date: Mon, 4 Jun 2012 10:38:03 -0600
Subject: Re: question on SYN_SENT
In-Reply-To: <201205120006.q4C06Itk036463@mail.r-bonomi.com>
Message-Id: <410A7962-99F9-4474-A3E5-E220E7542C1C@shire.net>

On May 11, 2012, at 6:06 PM, Robert Bonomi wrote:

> 'Should not' does not mean 'is not'. And unfortunately, it -is- attempting
> to "go out".
>
> There are at least a couple of possible explanations, none of them "good".
> 1) the jail is attempting a DoS (or participating in DDoS) against an
> Israeli _government_ network/machine.
> 2) the jail is 'owned' by a botnet, and is trying to 'phone home' for
> instructions.

Sorry for the delay in response. Did not mean to ignore this. Was busy figuring out and correcting this (and then the other normal day-to-day stuff that comes up).

Yes, it looks like a customer's JBOSS installation had been hacked. It was running in its own jail with RO mounting of /usr (except /usr/local) and /bin, /sbin and other system directories. It was basically scanning for more open JBOSS stuff. The attack had just barely happened (the server had just been installed). I disabled the JBOSS and cleaned everything up and scanned the jail for problem files etc. Customer fixed the JBOSS vulnerability (well known one) and decided to leave it off for now.

Thanks for all the help on this

Chad

--