From owner-freebsd-questions@FreeBSD.ORG Sat Mar 21 17:30:07 2015
Subject: Re: 10.0 system issuing outbound packets to port 25 smtp to 66.96.214.197
From: The Lost Admin <thelostadmin@gmail.com>
To: Ernie Luzar
Cc: freebsd-questions@freebsd.org
Date: Sat, 21 Mar 2015 13:30:03 -0400
Message-Id: <07DB6EB0-0E43-4E21-BBEC-101AA034C8EA@gmail.com>
In-Reply-To: <550DAA1A.50002@gmail.com>
References: <550D8B0E.2020406@gmail.com> <1B9D189E-4FD6-495D-8381-E0E3CFF5A2A2@gmail.com> <550DAA1A.50002@gmail.com>
X-Mailer: Apple Mail (2.1878.6)
List-Id: User questions

The Lost Admin
thelostadmin@gmail.com

On Mar 21, 2015, at 1:27 PM, Ernie Luzar wrote:
>
>> On Mar 21, 2015, at 11:15 AM, Ernie Luzar wrote:
>>> My ipfilter firewall logs 2 outbound packets on port 25 every 70 minutes. There is no LAN behind this box so it must be coming from the freebsd 10.0 system or from one of the official installed ports I have.
>>> Sendmail is disabled and postfix is running in its place.
>>>
>>> 66.96.214.197,25 tcp is the target public ip address.
>>>
>>> How should I go about finding the running task that is doing this???
>>
>> The Lost Admin wrote:
>> Ernie,
>>
>> Did you do an nslookup on the address in question? I did and it is listed as part of the hostnoc.net domain.
>> Googling that domain gets some pretty fishy results in the top 10.
>>
>> The Lost Admin
>> thelostadmin@gmail.com
>>
>
> The nslookup command has been removed from the base as it's obsolete. SO how did you issue that command?

I'm still on 9.3 BUT you've also got the host and dig commands instead of nslookup.

> whois command says it belongs to Arabsgate
>
> My original question deals with "why is 10.1 issuing these port 25 packets"? IS my 10.1 system compromised??
>
>
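The thread asks how to find the local process behind the port-25 packets, and the reply above names host and dig as the replacements for nslookup. The script below is an added example, not code from anyone in the thread: it pairs the name lookup with process attribution from sockstat(1), the FreeBSD tool that lists sockets together with their owning user, command and PID. The sockstat output it parses is a constructed sample (the addresses 192.0.2.10, 198.51.100.7 and 203.0.113.9, the PIDs and the postfix "smtp" row are all invented so the script runs offline); on the real box you drop the second argument and the function reads the live sockstat output instead. The polling helper exists because a connection that sends two packets every 70 minutes will almost never be present in a single snapshot.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): attribute an outbound
# port-25 connection to a local process using sockstat(1), and resolve the
# peer's name with host(1) / dig(1) instead of the removed nslookup.
#
# Live commands on the FreeBSD host itself (run them there; they are only
# shown here as comments so the script runs offline):
#     sockstat -4 -P tcp -c       # connected IPv4 TCP sockets: user, command, PID
#     host 66.96.214.197          # reverse lookup; or: dig -x 66.96.214.197
#     whois 66.96.214.197         # ownership of the netblock

TARGET="66.96.214.197"

# Constructed sample of `sockstat -4 -P tcp -c` output (addresses, PIDs and
# the postfix row are invented for the example).
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       812   4  tcp4   192.0.2.10:22         198.51.100.7:51230
postfix  smtp       4471  9  tcp4   192.0.2.10:60812      66.96.214.197:25
www      httpd      903   6  tcp4   192.0.2.10:80         203.0.113.9:41002'

# find_sender <ip> [<sockstat output>]
# Prints "USER COMMAND PID" for every connected socket whose foreign end is
# <ip>:25.  Without the second argument it queries the live sockstat.
# Data rows have 7 whitespace-separated fields; the header's "LOCAL ADDRESS"
# is two words, so the header is skipped with NR > 1 rather than matched.
find_sender() {
    ip=$1
    input=${2:-"$(sockstat -4 -P tcp -c)"}
    printf '%s\n' "$input" | awk -v peer="$ip:25" \
        'NR > 1 && $7 == peer { print $1, $2, $3 }'
}

# watch_port_25 <ip> [<interval seconds>]
# A short-lived SMTP connection is unlikely to be caught by one snapshot, so
# poll until a matching socket appears, then print a timestamped hit.
watch_port_25() {
    while :; do
        hit=$(find_sender "$1")
        if [ -n "$hit" ]; then
            echo "$(date '+%Y-%m-%d %H:%M:%S') $hit"
            return 0
        fi
        sleep "${2:-1}"
    done
}

# Demonstrate on the constructed sample; on the real host call
# `find_sender "$TARGET"` or `watch_port_25 "$TARGET"` instead.
find_sender "$TARGET" "$SAMPLE_SOCKSTAT"
```

If the hit turns out to be a postfix process, as in the constructed sample, the next check is `mailq` and /var/log/maillog on the box, which will show any deferred message and the destination domain Postfix is retrying; a cron or periodic job that mails its output is a common source of such traffic. If the owning command is something other than the MTA, or a process you do not recognize, that is the point at which the compromise question in the thread needs a proper answer rather than a guess.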