question on SYN_SENT

Chad Leigh Shire.Net LLC chad at shire.net
Mon Jun 4 16:56:02 UTC 2012


On May 11, 2012, at 6:06 PM, Robert Bonomi wrote:
> 
> 'Should not' does not mean 'is not'. and unfortunately, it -is- attempting
> to "go out".
> 
> There are at least a couple of possible explanations, none of them "good".
>  1) the jail is attempting a DoS (or participating in DDoS) against an
>     Israeli _government_ network/machine.
>  2) the jail is 'owned' by a botnet, and is trying to 'phone home' for
>     instructions.

Sorry for the delay in response.  Did not mean to ignore this.  Was busy figuring out and correcting this (and then the other normal day-to-day stuff that comes up).

Yes, it looks like a customer's JBOSS installation had been hacked.  It was running in its own jail with RO mounting of /usr (except /usr/local) and /bin /sbin and other system directories.  It was basically scanning for more open JBOSS stuff.  The attack had just barely happened (the server had just been installed).  I disabled the JBOSS and cleaned everything up and scanned the jail for problem files etc.  Customer fixed the JBOSS vulnerability (well known one) and decided to leave it off for now.

Thanks for all the help on this

Chad
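The symptom described in this thread, a jail with outbound connections stuck in SYN_SENT while it sweeps other hosts for open JBoss ports, is easy to spot in the connection table once you look for one local address with half-open connections to many distinct peers on the same port. The following is an added example, not code from the thread or from FreeBSD: it parses FreeBSD `netstat -an` style output (a constructed sample is embedded; the jail and peer addresses are made up) and reports local addresses that show that pattern.

```python
import re
from collections import defaultdict

# Constructed sample of FreeBSD `netstat -an` output; 10.0.0.5 plays the
# compromised JBoss jail, 10.0.0.9 is an unrelated jail with ordinary traffic.
SAMPLE_NETSTAT = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4       0      0 10.0.0.5.45001         203.0.113.10.8080      SYN_SENT
tcp4       0      0 10.0.0.5.45002         203.0.113.11.8080      SYN_SENT
tcp4       0      0 10.0.0.5.45003         203.0.113.12.8080      SYN_SENT
tcp4       0      0 10.0.0.5.45004         203.0.113.13.8080      SYN_SENT
tcp4       0      0 10.0.0.5.45005         203.0.113.14.8080      SYN_SENT
tcp4       0      0 10.0.0.5.8080          198.51.100.4.51234     ESTABLISHED
tcp4       0      0 10.0.0.9.33001         198.51.100.20.443      ESTABLISHED
tcp4       0      0 10.0.0.9.33002         198.51.100.21.25       SYN_SENT
tcp4       0      0 *.22                   *.*                    LISTEN
"""

# FreeBSD netstat joins host and port with the last dot ("203.0.113.10.8080").
LINE_RE = re.compile(
    r"^(?P<proto>tcp[46]?)\s+\d+\s+\d+\s+"
    r"(?P<lhost>\S+)\.(?P<lport>\d+|\*)\s+"
    r"(?P<fhost>\S+)\.(?P<fport>\d+|\*)\s+"
    r"(?P<state>\S+)\s*$"
)

def parse_netstat(text):
    """Yield (local_host, foreign_host, foreign_port, state) per TCP row."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["lhost"], m["fhost"], m["fport"], m["state"]

def find_syn_scanners(text, min_targets=4):
    """Return {local_ip: {port: [distinct peers]}} for local addresses with
    SYN_SENT connections to at least min_targets different hosts on one port:
    one source sweeping many peers on a single port is the scan signature."""
    targets = defaultdict(lambda: defaultdict(set))
    for lhost, fhost, fport, state in parse_netstat(text):
        if state == "SYN_SENT":
            targets[lhost][fport].add(fhost)
    suspects = {}
    for lhost, ports in targets.items():
        hits = {p: sorted(h) for p, h in ports.items() if len(h) >= min_targets}
        if hits:
            suspects[lhost] = hits
    return suspects

if __name__ == "__main__":
    for ip, ports in find_syn_scanners(SAMPLE_NETSTAT).items():
        for port, hosts in ports.items():
            print(f"{ip}: {len(hosts)} half-open connections to port {port}")
```

On a live jail host, feed it `netstat -an` (or `jexec <jid> netstat -an`) output instead of the sample; a single unanswered SYN to one peer is normal, a fan-out to many peers on one service port is what to chase.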

