Date: Mon, 4 Jun 2012 10:38:03 -0600
From: "Chad Leigh Shire.Net LLC" <chad@shire.net>
To: FreeBSD Mailing List <freebsd-questions@freebsd.org>
Cc: Robert Bonomi <bonomi@mail.r-bonomi.com>
Subject: Re: question on SYN_SENT
Message-ID: <410A7962-99F9-4474-A3E5-E220E7542C1C@shire.net>
In-Reply-To: <201205120006.q4C06Itk036463@mail.r-bonomi.com>
References: <201205120006.q4C06Itk036463@mail.r-bonomi.com>
On May 11, 2012, at 6:06 PM, Robert Bonomi wrote:
>
> 'Should not' does not mean 'is not'. and unfortunately, it -is- attempting
> to "go out".
>
> There are at least a couple of possible explanations, none of them "good".
> 1) the jail is attempting a DoS (or participating in DDoS) against an
> Israeli _government_ network/machine.
> 2) the jail is 'owned' by a botnet, and is trying to 'phone home' for
> instructions.

Sorry for the delay in response. Did not mean to ignore this. Was busy figuring out and correcting this (and then the other normal day to day stuff that comes up).

Yes, it looks like a customer's JBOSS installation had been hacked. It was running in its own jail with RO mounting of /usr (except /usr/local) and /bin, /sbin and other system directories. It was basically scanning for more open JBOSS stuff. The attack had just barely happened (the server had just been installed). I disabled the JBOSS and cleaned everything up and scanned the jail for problem files etc. Customer fixed the JBOSS vulnerability (well known one) and decided to leave it off for now.

Thanks for all the help on this

Chad
--
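The symptom that started this thread (a jail with a pile of outbound SYN_SENT sockets, later traced to a compromised JBOSS scanning for other instances) can be triaged from a `netstat -an -p tcp` snapshot. The script below is an added example, not code from the thread or from FreeBSD: it parses constructed sample output laid out in FreeBSD's `netstat` style (the `host.port` endpoint format and column order are assumed), counts half-open connections per local address, and flags any address fanning out to many distinct peers. The addresses, thresholds and the `flag_scanners` helper are all constructed for illustration.

```python
"""Triage check: count half-open (SYN_SENT) outbound TCP sockets per local
address and flag addresses whose fan-out looks like an outward scan, such as
a compromised jail probing other hosts for the same service."""
from collections import Counter, defaultdict

# Constructed sample in the layout of FreeBSD `netstat -an -p tcp`
# (assumed format; not output captured from the machine in the thread).
# 192.0.2.20 stands in for the jail's address; the peers are documentation
# ranges, not real hosts.
SAMPLE_NETSTAT = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4       0      0 192.0.2.10.22          198.51.100.4.51022     ESTABLISHED
tcp4       0      0 192.0.2.20.41001       203.0.113.5.8080       SYN_SENT
tcp4       0      0 192.0.2.20.41002       203.0.113.6.8080       SYN_SENT
tcp4       0      0 192.0.2.20.41003       203.0.113.7.8080       SYN_SENT
tcp4       0      0 192.0.2.20.41004       203.0.113.8.8443       SYN_SENT
tcp4       0      0 192.0.2.20.41005       203.0.113.9.8080       ESTABLISHED
tcp4       0      0 *.8080                 *.*                    LISTEN
tcp6       0      0 ::1.25                 *.*                    LISTEN
"""


def split_addr(endpoint):
    """Split 'host.port' at the last dot, as FreeBSD netstat prints it
    (works for IPv4, IPv6 with embedded dots, and the '*' wildcard)."""
    host, _, port = endpoint.rpartition(".")
    return host, port


def parse_netstat(text):
    """Return (local_host, local_port, foreign_host, foreign_port, state)
    tuples for every tcp4/tcp6 line; header and non-TCP lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or not parts[0].startswith("tcp"):
            continue
        lhost, lport = split_addr(parts[3])
        fhost, fport = split_addr(parts[4])
        rows.append((lhost, lport, fhost, fport, parts[5]))
    return rows


def syn_sent_summary(rows):
    """Per local address: number of SYN_SENT sockets, the set of distinct
    peers being contacted, and a Counter of destination ports."""
    summary = defaultdict(lambda: {"syn_sent": 0, "peers": set(), "ports": Counter()})
    for lhost, _lport, fhost, fport, state in rows:
        if state != "SYN_SENT":
            continue
        entry = summary[lhost]
        entry["syn_sent"] += 1
        entry["peers"].add(fhost)
        entry["ports"][fport] += 1
    return dict(summary)


def flag_scanners(summary, min_syn_sent=3, min_peers=3):
    """Local addresses with at least min_syn_sent half-open sockets spread
    over at least min_peers distinct peers. Thresholds are illustrative;
    a legitimate client talking to one slow server will not trip them."""
    return sorted(
        host for host, e in summary.items()
        if e["syn_sent"] >= min_syn_sent and len(e["peers"]) >= min_peers
    )


if __name__ == "__main__":
    summary = syn_sent_summary(parse_netstat(SAMPLE_NETSTAT))
    for host in flag_scanners(summary):
        e = summary[host]
        print(f"{host}: {e['syn_sent']} SYN_SENT to {len(e['peers'])} peers, "
              f"destination ports {dict(e['ports'])}")
```

On a live system the snapshot would come from `netstat -an -p tcp` (or per jail via `jexec`), and the destination-port histogram is the useful part: a single port repeated across many peers, as in the sample, is what a service-specific scan looks like, whereas one peer on many ports points elsewhere.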