Date: Wed, 14 Apr 2010 18:29:15 -0600
From: Tim Judd <tajudd@gmail.com>
To: Steve Franks <bahamasfranks@gmail.com>
Cc: FreeBSD Mailing List <freebsd-questions@freebsd.org>
Subject: Re: hacked?
Message-ID: <l2yade45ae91004141729y89a84550u4c11023db8d6afa7@mail.gmail.com>
In-Reply-To: <x2k539c60b91004141556u10ba49bfsd11cc069e5ef791f@mail.gmail.com>
References: <x2k539c60b91004141556u10ba49bfsd11cc069e5ef791f@mail.gmail.com>
On 4/14/10, Steve Franks <bahamasfranks@gmail.com> wrote:
> I don't have bsdstats or similar that I'm aware of installed, so this
> smells bad:
>
> Firewall is showing repeated attempts from your FreeBSD machine to
> connect to port 25 (standard SMTP mail port) on a server in Belgium. This
> implies something on your system is trying to send mail out.

Who is stating this?

> [14/Apr/2010 15:11:09] DROP "SMTP Deny" packet from Local Area
> Connection - LAN, proto:TCP, len:48, ip/port:192.168.1.38:17343 ->
> 81.247.120.78:25, flags: SYN , seq:43473770 ack:0, win:65535, tcplen:0

Which log is generating this entry, local or remote? RFC1918 IP blocks (192.168.0.0/16 is one of these blocks) cannot be routed on the public internet; routers should drop any such packet en route, unless the packet itself is spoofed.

> IP-Whois searches for "81.247.120.78:25" show this IP address belongs to
> a Belgian ISP:
>
> http://www.db.ripe.net/whois?form_type=simple&full_query_string=&searchtext=81.247.120.78&do_search=Search
>
> inetnum: 81.247.96.0 - 81.247.127.255
> netname: BE-SKYNET-ADSL1
> descr: ADSL-GO-PLUS
> descr: Belgacom ISP SA/NV
> country: BE
>
> Where would I start sniffing around as far as what got put on my box?
>
> Steve

I've seen "hacked" boxes, due to insecure services offered to the public Internet, have scripts or binaries in globally writable directories, such as /tmp and/or /var/tmp.
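Added example, not code from either poster: a small Python triage script that parses firewall entries in the format quoted above, counts SYNs to TCP/25 that leave an RFC1918 host for a public address (the pattern the thread is worried about), and lists executable files under the world-writable directories the reply mentions. The log lines are constructed samples (the first is the entry quoted in the thread); the directory list is an assumption.

```python
import os
import re
from ipaddress import ip_address

# Constructed sample log in the format quoted in the thread (line 1 is the quoted entry).
SAMPLE_LOG = """\
[14/Apr/2010 15:11:09] DROP "SMTP Deny" packet from Local Area Connection - LAN, proto:TCP, len:48, ip/port:192.168.1.38:17343 -> 81.247.120.78:25, flags: SYN , seq:43473770 ack:0, win:65535, tcplen:0
[14/Apr/2010 15:11:12] DROP "SMTP Deny" packet from Local Area Connection - LAN, proto:TCP, len:48, ip/port:192.168.1.38:17344 -> 81.247.120.78:25, flags: SYN , seq:43473771 ack:0, win:65535, tcplen:0
[14/Apr/2010 15:12:01] DROP "SMTP Deny" packet from Local Area Connection - LAN, proto:TCP, len:48, ip/port:192.168.1.7:40112 -> 192.168.1.1:25, flags: SYN , seq:11 ack:0, win:65535, tcplen:0
[14/Apr/2010 15:12:30] PERMIT "Web" packet from Local Area Connection - LAN, proto:TCP, len:48, ip/port:192.168.1.38:17350 -> 93.184.216.34:80, flags: SYN , seq:5 ack:0, win:65535, tcplen:0
"""

LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] (?P<action>\S+) "(?P<rule>[^"]*)" .*?proto:(?P<proto>\w+), '
                     r'.*?ip/port:(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)')

def parse_line(line):
    """Extract timestamp, action, rule, protocol and both endpoints; None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec

def outbound_smtp_by_host(log_text):
    """Count SYNs to TCP/25 from an RFC1918 source to a public destination, per source host.
    A host that is not a mail relay should produce none; repeated hits from one host are the signal."""
    counts = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "TCP" or rec["dport"] != 25:
            continue
        src, dst = ip_address(rec["src"]), ip_address(rec["dst"])
        if src.is_private and not dst.is_private:
            counts[str(src)] = counts.get(str(src), 0) + 1
    return counts

def executables_in(dirs=("/tmp", "/var/tmp")):
    """List regular, non-symlink files with the execute bit set under world-writable
    directories (assumed default list): where the reply says dropped scripts and binaries land."""
    found = []
    for top in dirs:
        for root, _subdirs, files in os.walk(top):
            for name in files:
                path = os.path.join(root, name)
                if not os.path.islink(path) and os.path.isfile(path) and os.access(path, os.X_OK):
                    found.append(path)
    return sorted(found)
```

Running `outbound_smtp_by_host(SAMPLE_LOG)` on the sample yields `{'192.168.1.38': 2}`; the internal-to-internal SMTP line and the web request are ignored.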