From owner-freebsd-questions@FreeBSD.ORG Sat Mar 21 17:27:49 2015
Message-ID: <550DAA1A.50002@gmail.com>
Date: Sat, 21 Mar 2015 13:27:54 -0400
From: Ernie Luzar
User-Agent: Thunderbird 2.0.0.24 (Windows/20100228)
To: The Lost Admin
Cc: freebsd-questions@freebsd.org
Subject: Re: 10.0 system issuing outbound packets to port 25 smtp to 66.96.214.197
References: <550D8B0E.2020406@gmail.com> <1B9D189E-4FD6-495D-8381-E0E3CFF5A2A2@gmail.com>
In-Reply-To: <1B9D189E-4FD6-495D-8381-E0E3CFF5A2A2@gmail.com>

>
> On Mar 21, 2015, at 11:15 AM, Ernie Luzar wrote:
>
>> My ipfilter firewall logs 2 outbound packets on port 25 every 70
>> minutes. There is no LAN behind this box so it must be coming from the
>> freebsd 10.0 system or from one of the official installed ports I have.
>> Sendmail is disabled and postfix is running in its place.
>>
>> 66.96.214.197,25 tcp is the target public ip address.
>>
>> How should I go about finding the running task that is doing this???
>
> The Lost Admin wrote:
> Ernie,
>
> Did you do an nslookup on the address in question? I did and it is
> listed as part of the hostnoc.net domain.
> Googling that domain gets some pretty fishy results in the top 10.
>
> The Lost Admin
> thelostadmin@gmail.com
>

The nslookup command has been removed from the base as it's obsolete. So how did you issue that command?

The whois command says it belongs to Arabsgate.

My original question deals with "why is 10.1 issuing these port 25 packets"? Is my 10.1 system compromised??
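An added example, not part of the thread and not from any of its participants, of one way to answer the question quoted above (which local process is opening the outbound port 25 connection): on FreeBSD, sockstat(1) lists the owning user, command and PID for every connected socket, so polling it and filtering on the foreign port attributes the connection to a process. The sample sockstat lines below are constructed; the process names, PIDs, local address and polling interval in them are assumptions, and the destination address is the one from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): attribute outbound TCP connections to a
# given remote port to the local process that owns the socket, by parsing the
# output of FreeBSD's sockstat(1).  The remote address 66.96.214.197:25 is the
# one from the thread; PIDs, command names and the interval are assumptions.

# Read sockstat(1)-style lines from stdin and print "pid command user foreign"
# for every socket whose FOREIGN ADDRESS (7th column) ends in :<port>.
port_clients() {
    port="$1"
    awk -v port="$port" '
        NR == 1 { next }                        # skip the column header line
        $7 ~ (":" port "$") { print $3, $2, $1, $7 }
    '
}

# Constructed sample of "sockstat -4 -c -P tcp" output, for an offline run.
SAMPLE='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       811   4  tcp4   192.0.2.10:22         203.0.113.9:50412
postfix  smtp       4210  9  tcp4   192.0.2.10:52211      66.96.214.197:25
www      httpd      932   5  tcp4   192.0.2.10:80         198.51.100.7:41002'

# Run the filter over the constructed sample: expected to report only the
# postfix smtp client (pid 4210) talking to 66.96.214.197:25.
sample_hits() {
    printf '%s\n' "$SAMPLE" | port_clients 25
}

# Live use on the FreeBSD box (run as root so every user's sockets are shown):
# poll every few seconds and log each process caught with a socket to a remote
# port 25, with a timestamp, so a connection that lasts only a moment every
# 70 minutes is still attributed to its PID.
watch_port25() {
    interval="${1:-5}"                          # assumed default: 5 seconds
    while :; do
        sockstat -4 -c -P tcp | port_clients 25 |
        while read -r pid cmd user peer; do
            printf '%s pid=%s cmd=%s user=%s peer=%s\n' \
                "$(date '+%F %T')" "$pid" "$cmd" "$user" "$peer"
        done
        sleep "$interval"
    done
}
```

Usage on the box in question would be `watch_port25 5 | tee /var/log/port25-watch.log`, left running across one of the 70-minute intervals; the logged PID and command name then identify the process, and `ps -o ppid,command -p PID` shows what started it. Because sockstat only reports sockets that exist at the moment it runs, the poll interval has to be shorter than the connection lifetime, which is why the example loops rather than running once.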