From: Ernie Luzar <luzar722@gmail.com>
To: questions@freebsd.org
Date: Sun, 17 Apr 2016 09:07:36 -0400
Subject: Security - is my system penetrated?
Message-ID: <57138A98.4050601@gmail.com>
List-Id: User questions
X-BeenThere: freebsd-questions@freebsd.org

Hello list;

In this morning's "daily run output" I have these messages which I have never seen before.
> Mail in local queue:
> -Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
> 19A8C13CB2     1046 Sat Apr 16 04:02:05  root@dir21
> (connect to dir21[198.105.244.228]:25: Network is unreachable)
>                                          root@dir21
>
> 1BA9913CB7     2928 Sat Apr 16 17:44:14  MAILER-DAEMON
> (connect to dir20[198.105.244.228]:25: Network is unreachable)
>                                          root@dir20
>
> 0FDC013CB1     1106 Sat Apr 16 08:16:04  root@dir21
> (connect to dir21[198.105.254.228]:25: Network is unreachable)
>                                          root@dir21
>
> DF3A513CB4     1046 Sun Apr 17 04:01:14  root@dir21
> (connect to dir21[198.105.244.228]:25: Network is unreachable)
>                                          root@dir21
>
> BB6CE13CBA     1046 Sun Apr 17 04:01:52  root@dir20
> (connect to dir20[198.105.254.228]:25: Network is unreachable)
>                                          root@dir20
>
> 6532F13CA9     2868 Sun Apr 17 04:49:14  MAILER-DAEMON
> (connect to dir20[198.105.244.228]:25: Network is unreachable)
>                                          root@dir20
>
> -- 9 Kbytes in 6 Requests.

To me this looks like received inbound mail trying to communicate with my jails. This is why I think my system has been penetrated.

This system has only been running 4 days now. I installed 10.3 from scratch. sendmail is turned off and I am running postfix. Port 25 is blocked in the ipf firewall. I run fetchmail against my domain mail service provided by my domain registrar. dir20 and dir21 are jails which only became active on Apr 15 around 9am. I have 4 XP systems & one Win7 system on the LAN behind the host.

I cannot see how an outsider could know about the jails without having admin authority to the host system. Could one of the LAN boxes be infected in such a way as to allow a remote user to access the host FBSD system?

I know that I can delete those queued postfix emails, but is there a way to read them from the host instead?

I would like suggestions on ways to investigate and determine what is happening.

Thanks for your help
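Added example, not part of the original post: a small POSIX shell parser for the deferred-queue listing quoted above (the format that `postqueue -p` / `mailq` print). It pulls out each queue ID, the sender, the host and IP Postfix tried to reach and the deferral reason, so the queue IDs can be read on the host with `postcat -q` and the destination IPs compared against what the jail names should resolve to. The sample listing is a constructed excerpt of three entries from the post.

```shell
#!/bin/sh
# Added example, not from the original post: parse a Postfix deferred-queue
# listing like the one in the daily run output above ("postqueue -p" / "mailq"
# print this format). Constructed excerpt of three entries quoted in the post:
QUEUE_LISTING='-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
19A8C13CB2     1046 Sat Apr 16 04:02:05  root@dir21
(connect to dir21[198.105.244.228]:25: Network is unreachable)
                                         root@dir21

1BA9913CB7     2928 Sat Apr 16 17:44:14  MAILER-DAEMON
(connect to dir20[198.105.244.228]:25: Network is unreachable)
                                         root@dir20

0FDC013CB1     1106 Sat Apr 16 08:16:04  root@dir21
(connect to dir21[198.105.254.228]:25: Network is unreachable)
                                         root@dir21

-- 5 Kbytes in 3 Requests.'

# One tab-separated line per deferred message:
#   queue-id  sender  destination-host  destination-ip  deferral-reason
summarize_queue() {
    printf '%s\n' "$1" | awk '
        BEGIN { OFS = "\t" }
        # Queue-ID line: ID, size, arrival time, sender as the last field.
        /^[0-9A-F]+[*!]? +[0-9]+ / { id = $1; sender = $NF; next }
        # Deferral line: "(connect to host[ip]:port: reason)".
        /^\(connect to / {
            s = $0; sub(/^\(connect to /, "", s); sub(/\)$/, "", s)
            lb = index(s, "["); rb = index(s, "]")
            host = substr(s, 1, lb - 1)
            ip = substr(s, lb + 1, rb - lb - 1)
            reason = substr(s, rb + 1); sub(/^:[0-9]+: /, "", reason)
            print id, sender, host, ip, reason
        }'
}

# Distinct addresses the jail names resolved to. An unqualified name such as
# "dir21" should resolve to the jail, so each IP here is one to compare with
# what "host dir21" returns on the host before reading the mail with postcat.
destination_ips() {
    summarize_queue "$1" | cut -f4 | sort -u
}

summarize_queue "$QUEUE_LISTING"
echo '--- distinct destination IPs ---'
destination_ips "$QUEUE_LISTING"
```

On the host, `postcat -q 19A8C13CB2` prints the queued message itself (headers and body), which answers the question of how to read the mail without releasing or deleting it.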