From owner-freebsd-questions@FreeBSD.ORG Thu Apr 15 00:29:16 2010
Date: Wed, 14 Apr 2010 18:29:15 -0600
From: Tim Judd
To: Steve Franks
Cc: FreeBSD Mailing List
Subject: Re: hacked?
On 4/14/10, Steve Franks wrote:
> I don't have bsdstats or similar that I'm aware of installed, so this
> smells bad:
>
> Firewall is showing repeated attempts from your FreeBSD machine to
> connect to port 25 (standard SMTP mail port) on a server in Belgium. This
> implies something on your system is trying to send mail out.

Who is stating this?

> [14/Apr/2010 15:11:09] DROP "SMTP Deny" packet from Local Area
> Connection - LAN, proto:TCP, len:48, ip/port:192.168.1.38:17343 ->
> 81.247.120.78:25, flags: SYN , seq:43473770 ack:0, win:65535, tcplen:0

Which log is generating this entry, local or remote? RFC1918 IP blocks
(192.168.0.0/16 is one of these blocks) cannot be routed on the public
internet; routers should drop any such packet en route, unless the packet
itself is spoofed.

> IP-Whois searches for "81.247.120.78:25" show this IP address belongs to
> a Belgian ISP:
>
> http://www.db.ripe.net/whois?form_type=simple&full_query_string=&searchtext=81.247.120.78&do_search=Search
>
> inetnum: 81.247.96.0 - 81.247.127.255
> netname: BE-SKYNET-ADSL1
> descr: ADSL-GO-PLUS
> descr: Belgacom ISP SA/NV
> country: BE
>
> Where would I start sniffing around as far as what got put on my box?
>
> Steve

I've seen "hacked" boxes due to insecure services offered to the public
Internet have scripts or binaries in globally writable directories, such
as /tmp and/or /var/tmp
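A first-pass triage script for the two checks raised in this thread (executables dropped in world-writable directories, and which local process is opening connections to remote port 25), added here as an example and not part of the original mailing-list message. It assumes FreeBSD's sockstat(1) for the connection listing and falls back to ss(8) elsewhere; the directory names are whatever you pass on the command line.

```shell
#!/bin/sh
# Added example (not from the thread): triage helpers for a host suspected
# of sending unsolicited SMTP traffic.

# Print regular files with any execute bit set beneath the given
# directories. Octal -perm tests work on both BSD and GNU find.
list_execs() {
    for d in "$@"; do
        [ -d "$d" ] || continue
        find "$d" -type f \
            \( -perm -0100 -o -perm -0010 -o -perm -0001 \) \
            -print 2>/dev/null || true
    done
}

# Number of executable files found; 0 for missing or clean directories.
count_execs() {
    list_execs "$@" | wc -l | tr -d ' '
}

# Owner, mode, mtime and path for each hit, so an unexpected owner
# (a service account such as www) or a fresh mtime stands out.
report_execs() {
    list_execs "$@" | while IFS= read -r f; do
        ls -ld "$f"
    done
}

# Local processes holding a TCP connection to a foreign port 25.
# sockstat -c lists connected sockets; column 7 is the foreign address.
smtp_connections() {
    if command -v sockstat >/dev/null 2>&1; then
        sockstat -4 -6 -c -P tcp | awk 'NR == 1 || $7 ~ /:25$/'
    elif command -v ss >/dev/null 2>&1; then
        ss -tnp state established '( dport = :25 )'
    else
        echo "no sockstat or ss available" >&2
    fi
}

# Usage: sh triage.sh /tmp /var/tmp
if [ "$#" -gt 0 ]; then
    echo "== executables in: $*"
    report_execs "$@"
    echo "== connections to remote port 25"
    smtp_connections
fi
```

Run it repeatedly: a process that only connects intermittently (matching the firewall's "repeated attempts") may not be holding a socket at the moment you look.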