From owner-freebsd-questions@FreeBSD.ORG Wed Apr 14 22:56:02 2010
Delivered-To: freebsd-questions@freebsd.org
Date: Wed, 14 Apr 2010 15:56:01 -0700
From: Steve Franks
To: FreeBSD Mailing List
Subject: hacked?
List-Id: User questions

I don't have bsdstats or similar that I'm aware of installed, so this smells bad:

Firewall is showing repeated attempts from your FreeBSD machine to connect to port 25 (standard SMTP mail port) on a server in Belgium. This implies something on your system is trying to send mail out.

[14/Apr/2010 15:11:09] DROP "SMTP Deny" packet from Local Area Connection - LAN, proto:TCP, len:48, ip/port:192.168.1.38:17343 -> 81.247.120.78:25, flags: SYN , seq:43473770 ack:0, win:65535, tcplen:0

IP-Whois searches for "81.247.120.78:25" show this IP address belongs to a Belgian ISP:
http://www.db.ripe.net/whois?form_type=simple&full_query_string=&searchtext=81.247.120.78&do_search=Search

inetnum: 81.247.96.0 - 81.247.127.255
netname: BE-SKYNET-ADSL1
descr: ADSL-GO-PLUS
descr: Belgacom ISP SA/NV
country: BE

Where would I start sniffing around as far as what got put on my box?

Steve
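The firewall line quoted in the post is the only hard evidence there is, so a first defensive step is to pull every line of that shape out of the firewall log and see which internal hosts are repeatedly opening outbound TCP/25 and to where. The script below is an added example, not part of Steve's post or anything from the FreeBSD project; it parses lines in the same format as the one quoted above, counts outbound SMTP SYNs per source host, and flags hosts that are not on an allowed list of known mail relays. The sample log is constructed: the first line is the one from the post, the others reuse that format with RFC 5737 documentation addresses, and the allowed-relay list and threshold are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample log in the same format as the firewall line quoted in the post.
# Line 1 is the line from the post; the rest are made up (203.0.113.0/24 and
# 198.51.100.0/24 are RFC 5737 documentation ranges, so they point at nothing real).
SAMPLE_LOG = """\
[14/Apr/2010 15:11:09] DROP "SMTP Deny" packet from Local Area Connection - LAN, proto:TCP, len:48, ip/port:192.168.1.38:17343 -> 81.247.120.78:25, flags: SYN , seq:43473770 ack:0, win:65535, tcplen:0
[14/Apr/2010 15:11:12] DROP "SMTP Deny" packet from Local Area Connection - LAN, proto:TCP, len:48, ip/port:192.168.1.38:17344 -> 81.247.120.78:25, flags: SYN , seq:43473771 ack:0, win:65535, tcplen:0
[14/Apr/2010 15:11:15] DROP "SMTP Deny" packet from Local Area Connection - LAN, proto:TCP, len:48, ip/port:192.168.1.38:17345 -> 203.0.113.9:25, flags: SYN , seq:43473772 ack:0, win:65535, tcplen:0
[14/Apr/2010 15:12:01] DROP "SMTP Deny" packet from Local Area Connection - LAN, proto:TCP, len:48, ip/port:192.168.1.20:40111 -> 198.51.100.25:25, flags: SYN , seq:99 ack:0, win:65535, tcplen:0
[14/Apr/2010 15:12:03] PERMIT "HTTP" packet from Local Area Connection - LAN, proto:TCP, len:48, ip/port:192.168.1.38:17346 -> 198.51.100.80:80, flags: SYN , seq:5 ack:0, win:65535, tcplen:0
"""

# One regex for the "[ts] ACTION "rule" packet from IFACE, proto:P, len:N, ip/port:SRC:SP -> DST:DP, flags: F ," prefix.
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\]\s+(?P<action>\w+)\s+"(?P<rule>[^"]*)"\s+packet from (?P<iface>.+?),'
    r'\s+proto:(?P<proto>\w+),\s+len:\d+,\s+ip/port:(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+'
    r'(?P<dst>[\d.]+):(?P<dport>\d+),\s+flags:\s*(?P<flags>[^,]*?)\s*,'
)


def parse_line(line):
    """Return a dict of the fields of one firewall line, or None if it is not in this format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    rec["flags"] = set(rec["flags"].split())  # e.g. {"SYN"} or {"SYN", "ACK"}
    return rec


def outbound_smtp_attempts(log_text, allowed_senders=frozenset(), smtp_port=25):
    """Count new outbound TCP connections (SYN only) to smtp_port per internal source host.

    Hosts in allowed_senders (your real mail relays; an assumed list) are skipped.
    Returns {src_ip: {"attempts": n, "destinations": set_of_dst_ips}}.
    """
    seen = defaultdict(lambda: {"attempts": 0, "destinations": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "TCP" or rec["dport"] != smtp_port:
            continue
        if "SYN" not in rec["flags"] or "ACK" in rec["flags"]:
            continue  # only count fresh connection attempts, not mid-stream segments
        if rec["src"] in allowed_senders:
            continue
        seen[rec["src"]]["attempts"] += 1
        seen[rec["src"]]["destinations"].add(rec["dst"])
    return dict(seen)


def suspicious_hosts(log_text, allowed_senders=frozenset(), threshold=2):
    """List (src_ip, attempts, sorted destinations) for hosts at or above the threshold.

    A single stray SYN can be a misconfigured client; repeated SYNs to outside
    mail servers from a box that is not a relay is the pattern worth investigating.
    """
    report = outbound_smtp_attempts(log_text, allowed_senders)
    flagged = [
        (src, info["attempts"], sorted(info["destinations"]))
        for src, info in report.items()
        if info["attempts"] >= threshold
    ]
    return sorted(flagged, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    # Assumed: 192.168.1.20 is the site's legitimate outbound relay.
    for src, attempts, dests in suspicious_hosts(SAMPLE_LOG, allowed_senders={"192.168.1.20"}):
        print(f"{src}: {attempts} outbound SMTP SYNs -> {', '.join(dests)}")
```

Run against the real firewall log instead of `SAMPLE_LOG`, the output gives the internal address and the set of destinations to carry over to the FreeBSD box itself, where the next step is to tie those connections to a process: `sockstat -4 -c` lists connected IPv4 sockets with the owning user, command and PID, so catching the box while it is retrying is the quickest way to name the program that is trying to send mail.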