From owner-freebsd-questions@FreeBSD.ORG Thu Apr 15 05:45:58 2010
Message-ID: <4BC6A811.90402@locolomo.org>
Date: Thu, 15 Apr 2010 07:45:53 +0200
From: Erik Norgaard
To: freebsd-questions@freebsd.org
Subject: Re: hacked?

On 15/04/10 00:56, Steve Franks wrote:
> I don't have bsdstats or similar that I'm aware of installed, so this
> smells bad:
>
> Firewall is showing repeated attempts from your FreeBSD machine to
> connect to port 25 (standard SMTP mail port) on a server in Belgium. This
> implies something on your system is trying to send mail out.

Whose firewall? Is this above snip from some notice you have received from
a third party claiming you are attempting to connect to their server?

Who's the one notifying you? The owner of the server or network receiving
these connections? Or your LAN Lord?

> [14/Apr/2010 15:11:09] DROP "SMTP Deny" packet from Local Area
> Connection - LAN, proto:TCP, len:48, ip/port:192.168.1.38:17343 ->
> 81.247.120.78:25, flags: SYN , seq:43473770 ack:0, win:65535, tcplen:0

192.168.1.38 - is that you? always?

> Where would I start sniffing around as far as what got put on my box?

How about

    ps ax
    sockstat -4

Erik

-- 
Erik Nørgaard
Ph: +34.666334818/+34.915211157
http://www.locolomo.org
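
An added example, not part of Erik's message: one way to narrow the `sockstat -4` output he suggests down to the process behind the outbound port 25 attempts. The function names and the sample output are constructed for illustration, and the column layout (USER COMMAND PID FD PROTO LOCAL FOREIGN) is assumed to be the stock FreeBSD one.

```shell
#!/bin/sh
# Added example: triage `sockstat -4` output for outbound SMTP connections.
# Assumed column layout (stock FreeBSD sockstat):
#   USER COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS

# Reads sockstat output on stdin and prints "pid command user local -> foreign"
# for every TCP socket whose foreign port equals $1 (default 25).
# The header line and listening sockets (foreign "*:*") are skipped.
smtp_out() {
    awk -v port="${1:-25}" '
        NR == 1 && $1 == "USER" { next }   # header line
        $5 !~ /^tcp/            { next }   # TCP sockets only
        $7 == "*:*"             { next }   # listeners have no peer
        {
            n = split($7, f, ":")          # port is the last ":" field
            if (f[n] == port)
                printf "%s %s %s %s -> %s\n", $3, $2, $1, $6, $7
        }'
}

# Constructed sample output. The user, command and PID values are made up;
# the 192.168.1.38:17343 -> 81.247.120.78:25 pair is taken from the
# firewall log quoted in the message.
sample_sockstat() {
    cat <<'EOF'
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sendmail   712   4  tcp4   127.0.0.1:25          *:*
root     sshd       655   3  tcp4   *:22                  *:*
steve    ssh        1410  3  tcp4   192.168.1.38:51022    192.168.1.1:22
www      perl       2231  5  tcp4   192.168.1.38:17343    81.247.120.78:25
root     syslogd    540   7  udp4   *:514                 *:*
EOF
}

# Demo on the constructed sample. On a live host use:
#   sockstat -4 | smtp_out
# and then look at the owning process and its parent:
#   ps -o pid,ppid,user,lstart,command -p <pid>
sample_sockstat | smtp_out
```

The local sendmail listener on 127.0.0.1:25 is deliberately not reported, since only sockets with a remote peer on port 25 match. A blocked connection attempt does not stay in the socket table for long, so the check may need to be repeated until it catches one.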