hacked?

Tim Judd tajudd at gmail.com
Thu Apr 15 00:29:16 UTC 2010


On 4/14/10, Steve Franks <bahamasfranks at gmail.com> wrote:
> I don't have bsdstats or similar that I'm aware of installed, so this
> smells bad:
>
> Firewall is showing repeated attempts from your FreeBSD machine to
> connect to port 25 (standard SMTP mail port) on a server in Belgium. This
> implies something on your system is trying to send mail out.


Who is stating this?

>
> [14/Apr/2010 15:11:09] DROP "SMTP Deny" packet from Local Area
> Connection - LAN, proto:TCP, len:48, ip/port:192.168.1.38:17343 ->
> 81.247.120.78:25, flags: SYN , seq:43473770 ack:0, win:65535, tcplen:0


Which log is generating this entry, local or remote?  RFC1918 IP
blocks (192.168.0.0/16 is one of these blocks) cannot be routed on the
public Internet; routers should drop any such packet en route, unless the
packet itself is spoofed.

>
> IP-Whois  searches for "81.247.120.78:25" show this IP address belongs to
> a Belgian ISP:
>
> http://www.db.ripe.net/whois?form_type=simple&full_query_string=&searchtext=81.247.120.78&do_search=Search
>
> inetnum:         81.247.96.0 - 81.247.127.255
> netname:         BE-SKYNET-ADSL1
> descr:           ADSL-GO-PLUS
> descr:           Belgacom ISP SA/NV
> country:         BE
>
> Where would I start sniffing around as far as what got put on my box?
>
> Steve


I've seen "hacked" boxes, compromised through insecure services offered
to the public Internet, end up with scripts or binaries in globally
writable directories such as /tmp and/or /var/tmp.
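As an added example (not part of this thread or anyone's post in it), a portable first-pass triage of the globally writable directories mentioned above: it lists regular files that look like dropped tooling, i.e. ELF binaries, "#!" scripts, or files with an executable mode bit, as one "reason<TAB>path" line per hit. The `make_sample_dir` helper and the file names it creates are constructed for offline testing and are assumptions, not anything observed on the poster's machine.

```shell
#!/bin/sh
# Added example, not from the thread: scan world-writable directories for
# files that look like dropped scripts or binaries.  Detection is by content
# (ELF magic, shebang) first, so a binary left with mode 644 is still caught,
# and by the executable mode bit as a fallback.

# suspicious_files DIR...
# Prints "elf|shebang|exec<TAB>path" for each regular file under the given
# directories that matches one of the three checks.
suspicious_files() {
    for dir in "$@"; do
        find "$dir" -type f 2>/dev/null | while IFS= read -r f; do
            # First four bytes as lowercase hex: 7f454c46 is "\x7fELF",
            # 2321 is "#!".
            magic=$(head -c 4 "$f" 2>/dev/null | od -An -tx1 | tr -d ' \n')
            case "$magic" in
                7f454c46) printf 'elf\t%s\n' "$f" ;;
                2321*)    printf 'shebang\t%s\n' "$f" ;;
                *)        if [ -x "$f" ]; then printf 'exec\t%s\n' "$f"; fi ;;
            esac
        done
    done
}

# make_sample_dir
# Builds a constructed sample directory (an assumption for offline use, not
# real data) and prints its path.  Contents: a fake ELF header with no
# executable bit, a hidden shebang script, a benign text file, and a plain
# executable file with no recognisable magic.
make_sample_dir() {
    d=$(mktemp -d) || return 1
    printf '\177ELF\002\001\001' > "$d/.x"                       # ELF magic, mode 644
    printf '#!/bin/sh\nwhile :; do :; done\n' > "$d/..mailer"    # shebang script
    printf 'hello\n' > "$d/notes.txt"                            # benign text
    printf 'perl -e 1\n' > "$d/run"; chmod 755 "$d/run"          # executable, no magic
    printf '%s' "$d"
}

# Run as a script with the directories to scan, e.g.:
#   sh triage.sh /tmp /var/tmp
if [ $# -gt 0 ]; then
    suspicious_files "$@"
fi
```

This only answers "what is lying around"; to tie the SYNs to port 25 in the firewall log to a running process on a FreeBSD host, pair it with `sockstat -4 -c` (connected IPv4 sockets with owning PID and command) while the connection attempts are happening, then look at that process's binary and cwd.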

