From owner-freebsd-questions@FreeBSD.ORG Thu Apr 15 01:14:51 2010
Return-Path: <owner-freebsd-questions@freebsd.org>
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id C0F18106564A; Thu, 15 Apr 2010 01:14:51 +0000 (UTC) (envelope-from steve@ibctech.ca)
Received: from smtp.ibctech.ca (v6.ibctech.ca [IPv6:2607:f118::b6]) by mx1.freebsd.org (Postfix) with SMTP id 611588FC12; Thu, 15 Apr 2010 01:14:51 +0000 (UTC)
Received: (qmail 68578 invoked by uid 89); 15 Apr 2010 01:17:54 -0000
Received: from unknown (HELO ?IPv6:2607:f118::5?) (steve@ibctech.ca@2607:f118::5) by 2607:f118::b6 with ESMTPA; 15 Apr 2010 01:17:53 -0000
Message-ID: <4BC6688A.1090005@ibctech.ca>
Date: Wed, 14 Apr 2010 21:14:50 -0400
From: Steve Bertrand
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.7) Gecko/20100111 Lightning/1.0b1 Thunderbird/3.0.1
MIME-Version: 1.0
To: Steve Franks
X-Enigmail-Version: 1.0.1
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Cc: FreeBSD Mailing List
Subject: Re: hacked?
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions
X-List-Received-Date: Thu, 15 Apr 2010 01:14:51 -0000

On 2010.04.14 18:56, Steve Franks wrote:

> I don't have bsdstats or similar that I'm aware of installed, so this
> smells bad:

You have an incredibly poor sense of smell.

> Firewall is showing repeated attempts from your FreeBSD machine to
> connect to port 25 (standard SMTP mail port) on a server in Belgium. This
> implies something on your system is trying to send mail out.

Your method of troubleshooting network issues led you to use the word 'implied'. You should never imply anything, unless you have conclusive proof to explicitly show that you aren't making a mistake.

> [14/Apr/2010 15:11:09] DROP "SMTP Deny" packet from Local Area
> Connection - LAN, proto:TCP, len:48, ip/port:192.168.1.38:17343 ->
> 81.247.120.78:25, flags: SYN , seq:43473770 ack:0, win:65535, tcplen:0

If you are that concerned, go to your ISP. Do not ask an open mailing list about problems that don't concern its subscribers.

I still can't fathom how you assume that this is a FreeBSD problem. The IP you quoted is from a dynamic range that an ISP in Belgium has been allocated from its RIR.

I suspect that your intrusion attempts also have the 1918 space in it, because you are behind a NAT device of some sort, and have a mail system within that space. You are port-forwarding TCP 25 back through a NAT device to your internal email system, and reading 'firewall logs' from that, yes?

> Where would I start sniffing around as far as what got put on my box?

...don't sniff. Close port 25 if you are using it internally and forward that traffic outbound to your ISP, or if this 'warning' is being sent by your perimeter firewall that doesn't allow anything through, then ignore it.

If you want to sniff, and this is serious, read tcpdump(1).

Steve

[ full disclaimer: I could potentially be classified as an activist when it comes to eradicating falsified src/dst IP(v6) addresses on the Internet ]
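The reply turns on two checks a defender would actually run against the quoted firewall log before concluding anything: is the source an RFC 1918 (internal) address, and is the destination outside that space, i.e. a new outbound SMTP connection attempt rather than port-forwarded inbound mail. The script below is an added example, not code from either poster or from FreeBSD; it parses lines in the format quoted in the thread (the first sample line is the one from the post, the rest are constructed, using 192.0.2.0/24 documentation addresses) and summarises outbound TCP/25 SYNs per internal host, skipping hosts on a caller-supplied allow-list of legitimate mail relays. The `allowed_senders` parameter and the PERMIT/"Mail relay" rule name in the constructed lines are assumptions for the example.

```python
import re
import ipaddress
from collections import defaultdict

# Constructed sample log (Kerio-style format as quoted in the thread).
# Line 1 is the line from the original post; the others are constructed.
SAMPLE_LOG = """\
[14/Apr/2010 15:11:09] DROP "SMTP Deny" packet from Local Area Connection - LAN, proto:TCP, len:48, ip/port:192.168.1.38:17343 -> 81.247.120.78:25, flags: SYN , seq:43473770 ack:0, win:65535, tcplen:0
[14/Apr/2010 15:11:12] DROP "SMTP Deny" packet from Local Area Connection - LAN, proto:TCP, len:48, ip/port:192.168.1.38:17344 -> 81.247.120.78:25, flags: SYN , seq:43473771 ack:0, win:65535, tcplen:0
[14/Apr/2010 15:12:40] PERMIT "Mail relay" packet from Local Area Connection - LAN, proto:TCP, len:48, ip/port:192.168.1.20:52011 -> 192.0.2.10:25, flags: SYN , seq:1 ack:0, win:65535, tcplen:0
[14/Apr/2010 15:13:02] DROP "SMTP Deny" packet from Local Area Connection - LAN, proto:TCP, len:48, ip/port:192.168.1.38:17345 -> 192.0.2.77:25, flags: SYN , seq:43473772 ack:0, win:65535, tcplen:0
[14/Apr/2010 15:13:05] PERMIT "Web" packet from Local Area Connection - LAN, proto:TCP, len:48, ip/port:192.168.1.38:17346 -> 192.0.2.80:443, flags: SYN , seq:5 ack:0, win:65535, tcplen:0
"""

# RFC 1918 private ranges, checked explicitly (ipaddress.is_private also
# covers documentation ranges, which we want to treat as "external" here).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\]\s+(?P<action>\w+)\s+"(?P<rule>[^"]*)"\s+packet from\s+'
    r'(?P<iface>.+?),\s+proto:(?P<proto>\w+),\s+len:(?P<len>\d+),\s+'
    r'ip/port:(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+),\s+'
    r'flags:\s*(?P<flags>[A-Z ]*?)\s*,'
)


def parse_line(line):
    """Parse one firewall log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    for k in ("sport", "dport", "len"):
        rec[k] = int(rec[k])
    rec["flags"] = rec["flags"].split()  # e.g. ['SYN'] or ['SYN', 'ACK']
    return rec


def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def outbound_smtp_attempts(log_text, allowed_senders=frozenset()):
    """Summarise new outbound SMTP connection attempts per internal host.

    Only pure SYNs (no ACK) from an RFC 1918 source to a non-RFC 1918
    destination on TCP/25 count; hosts in allowed_senders are ignored.
    """
    per_host = defaultdict(lambda: {"syn_count": 0, "dropped": 0, "destinations": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "TCP" or rec["dport"] != 25:
            continue
        if "SYN" not in rec["flags"] or "ACK" in rec["flags"]:
            continue  # not a new connection attempt
        if not is_rfc1918(rec["src"]) or is_rfc1918(rec["dst"]):
            continue  # only internal -> external direction is interesting
        if rec["src"] in allowed_senders:
            continue  # a host that is supposed to relay mail
        entry = per_host[rec["src"]]
        entry["syn_count"] += 1
        entry["destinations"].add(rec["dst"])
        if rec["action"] == "DROP":
            entry["dropped"] += 1
    return dict(per_host)


if __name__ == "__main__":
    summary = outbound_smtp_attempts(SAMPLE_LOG, allowed_senders={"192.168.1.20"})
    for host, info in sorted(summary.items()):
        print(f"{host}: {info['syn_count']} SYN(s) to port 25, {info['dropped']} dropped, "
              f"destinations={sorted(info['destinations'])}")
```

Run on the sample log, only 192.168.1.38 is reported (three SYNs to two external addresses, all dropped); the allow-listed relay 192.168.1.20 and the non-SMTP traffic are ignored. A host that shows up here with many distinct external destinations is the pattern worth following up with tcpdump(1) on that host, as the reply suggests; a single internal mail server reaching its ISP relay is not.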