From owner-freebsd-questions@freebsd.org Sun Apr 17 13:41:12 2016
Message-ID: <54382.76.193.16.109.1460900470.squirrel@cosmo.uchicago.edu>
In-Reply-To: <57138A98.4050601@gmail.com>
References: <57138A98.4050601@gmail.com>
Date: Sun, 17 Apr 2016 08:41:10 -0500 (CDT)
Subject: Re: Security - is my system penetrated?
From: "Valeri Galtsev"
To: "Ernie Luzar"
Cc: questions@freebsd.org
Reply-To: galtsev@kicp.uchicago.edu

On Sun, April 17, 2016 8:07 am, Ernie Luzar wrote:
> Hello list;
>
> In this morning's "daily run output" I have these messages which I have
> never seen before.
>
>> Mail in local queue:
>> -Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
>> 19A8C13CB2     1046 Sat Apr 16 04:02:05  root@dir21
>>      (connect to dir21[198.105.244.228]:25: Network is unreachable)
>>                                          root@dir21
>>
>> 1BA9913CB7     2928 Sat Apr 16 17:44:14  MAILER-DAEMON
>>      (connect to dir20[198.105.244.228]:25: Network is unreachable)
>>                                          root@dir20
>>
>> 0FDC013CB1     1106 Sat Apr 16 08:16:04  root@dir21
>>      (connect to dir21[198.105.254.228]:25: Network is unreachable)
>>                                          root@dir21
>>
>> DF3A513CB4     1046 Sun Apr 17 04:01:14  root@dir21
>>      (connect to dir21[198.105.244.228]:25: Network is unreachable)
>>                                          root@dir21
>>
>> BB6CE13CBA     1046 Sun Apr 17 04:01:52  root@dir20
>>      (connect to dir20[198.105.254.228]:25: Network is unreachable)
>>                                          root@dir20
>>
>> 6532F13CA9     2868 Sun Apr 17 04:49:14  MAILER-DAEMON
>>      (connect to dir20[198.105.244.228]:25: Network is unreachable)
>>                                          root@dir20
>>
>> -- 9 Kbytes in 6 Requests.
>
> To me this looks like received inbound mail trying to communicate with my
> jails. This is why I think my system has been penetrated.
>
> This system has only been running 4 days now. I installed 10.3 from
> scratch. sendmail is turned off and I am running postfix. Port 25 is
> blocked in the ipf firewall.
> I run fetchmail against my domain mail service provided by my domain
> registrar. dir20 and dir21 are jails which only became active on Apr 15
> around 9am. I have 4 XP systems & one Win7 system on the LAN behind the
> host.
>
> I can not see how an outsider could know about the jails without having
> admin authority to the host system.
>
> Could one of the LAN boxes be infected in such a way as to allow a remote
> user to access the host FBSD system?
>
> I know that I can delete those queued postfix emails, but is there a way
> to read them from the host instead?

Postfix keeps each message in the queue as a file, and the filename is just
the message ID Postfix assigned to the message. You can use the "find" command
to locate each of these files where Postfix keeps its queues, then use the
"postcat" Postfix command to display the message. Say you found the location
of the first message, with ID 19A8C13CB2. You can:

postcat /path/to/the/file/19A8C13CB2 | less

It is hard to judge what could be going on without knowing the details of
your setup. But you are right, reading the messages may give you some clues.

Good luck!

Valeri

> Desire suggestions on ways to investigate and determine what is happening.
>
> Thanks for your help

++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
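A scripted form of the find + postcat step described in the reply above, as an added example that is not part of the original mail or of Postfix itself. The function names are this example's own, not Postfix commands; the sample listing is the queue output from the original post; the queue layout it relies on (one file per queue ID under queue_directory, nested in hashed subdirectories when hash_queue_names/hash_queue_depth are set, which is why a fixed path cannot be assumed and find(1) is used) is standard Postfix behaviour. The demo queue tree built by make_demo_queue is constructed for offline use and holds placeholder files, not real queue records.

```shell
#!/bin/sh
# Added example (not from the original mail): locate queued Postfix messages
# by queue ID and hand them to postcat(1). Assumes the standard Postfix queue
# layout: each message is one file named after its queue ID somewhere under
# $queue_directory/{incoming,active,deferred,hold,...}, possibly inside hash
# subdirectories, hence find(1) rather than a fixed path. Function names are
# this example's own.

# Pull queue IDs out of a mailq / "postqueue -p" listing like the one in the
# daily run output. A queue-ID line starts with the ID (hex for classic IDs,
# base-62 when enable_long_queue_ids is on), optionally suffixed with '*'
# (active) or '!' (held), followed by the message size in bytes.
queue_ids_from_listing() {
    awk '/^[0-9A-Za-z]+[*!]?[ \t]+[0-9]+[ \t]/ { sub(/[*!]$/, "", $1); print $1 }'
}

# Find the queue file for one queue ID. $1 = queue ID, $2 = queue directory
# (defaults to what postconf reports, falling back to /var/spool/postfix).
find_queue_file() {
    qid=$1
    qdir=${2:-$(postconf -h queue_directory 2>/dev/null || echo /var/spool/postfix)}
    find "$qdir" -type f -name "$qid" 2>/dev/null | head -n 1
}

# Dump one queued message (envelope, headers and body) in readable form.
# postcat decodes Postfix's on-disk record format; plain cat will not.
show_queued_message() {
    f=$(find_queue_file "$1" "$2")
    if [ -z "$f" ]; then
        echo "queue ID $1 not found under ${2:-queue_directory}" >&2
        return 1
    fi
    postcat "$f"
}

# Constructed queue tree for offline demonstration: file names follow the
# post's queue IDs, but the contents are placeholders, not real queue records.
make_demo_queue() {
    d=$(mktemp -d)
    mkdir -p "$d/deferred/1" "$d/deferred/0" "$d/active"
    printf 'placeholder, not a real Postfix queue record\n' > "$d/deferred/1/19A8C13CB2"
    printf 'placeholder, not a real Postfix queue record\n' > "$d/deferred/0/0FDC013CB1"
    echo "$d"
}

# The first three entries of the listing from the daily run output above.
SAMPLE_LISTING='-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
19A8C13CB2     1046 Sat Apr 16 04:02:05  root@dir21
     (connect to dir21[198.105.244.228]:25: Network is unreachable)
                                         root@dir21

1BA9913CB7     2928 Sat Apr 16 17:44:14  MAILER-DAEMON
     (connect to dir20[198.105.244.228]:25: Network is unreachable)
                                         root@dir20

0FDC013CB1     1106 Sat Apr 16 08:16:04  root@dir21
     (connect to dir21[198.105.254.228]:25: Network is unreachable)
                                         root@dir21

-- 9 Kbytes in 6 Requests.'
```

On the host, `show_queued_message 19A8C13CB2` reads the host's own queue; to walk the whole listing, pipe `postqueue -p | queue_ids_from_listing` into a loop over show_queued_message. Postfix also ships the lookup built in as `postcat -q 19A8C13CB2`, so the find step is mainly useful when the queue of interest is not the one postconf points at, for example a queue inside a jail's root such as /usr/jails/dir21/var/spool/postfix (an assumed path): pass that directory as the second argument.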