hacked?

Steve Bertrand steve at ibctech.ca
Thu Apr 15 01:14:51 UTC 2010


On 2010.04.14 18:56, Steve Franks wrote:
> I don't have bsdstats or similar that I'm aware of installed, so this
> smells bad:

You have an incredibly poor sense of smell.

> Firewall is showing repeated attempts from your FreeBSD machine to
> connect to port 25 (standard SMTP mail port) on a server in Belgium. This
> implies something on your system is trying to send mail out.

Your method of troubleshooting network issues led you to use the word
'implied'. You should never imply anything, unless you have conclusive
proof to explicitly show that you aren't making a mistake.

> [14/Apr/2010 15:11:09] DROP "SMTP Deny" packet from Local Area
> Connection - LAN, proto:TCP, len:48, ip/port:192.168.1.38:17343 ->
> 81.247.120.78:25, flags: SYN , seq:43473770 ack:0, win:65535, tcplen:0

If you are that concerned, go to your ISP. Do not ask an open mailing
list about problems that don't concern its subscribers. I still can't
fathom how you assume that this is a FreeBSD problem.

The IP you quoted is from a dynamic range that an ISP in Belgium has
been allocated from its RIR.

I suspect that your intrusion attempts also have the 1918 space in it,
because you are behind a NAT device of some sort, and have a mail system
within that space.

You are port-forwarding TCP 25 back through a NAT device to your
internal email system, and reading 'firewall logs' from that, yes?

> Where would I start sniffing around as far as what got put on my box?

...don't sniff. Close port 25 if you are using it internally and forward
that traffic outbound to your ISP, or if this 'warning' is being sent by
your perimeter firewall that doesn't allow anything through, then ignore it.

If you want to sniff, and this is serious, read tcpdump(1).

Steve

[ full disclaimer: I could potentially be classified as an activist when
it comes to eradicating falsified src/dst IP(v6) addresses on the Internet ]
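The reply above turns on two observations about the quoted log line: the source is RFC 1918 space (so the "FreeBSD machine" is really some host behind the NAT), and the packet is a bare SYN to TCP/25 on an outside address, i.e. a new outbound SMTP connection. The following is an added example, not code from the thread or from FreeBSD: a small Python checker that parses log lines in the same format as the one quoted, keeps only outbound SMTP SYNs from RFC 1918 sources, and counts them per (source, destination) pair, excluding whichever internal host is allowed to relay mail. The sample lines are constructed here (modelled on the quoted entry and reusing its addresses), and the allowed-relay address 192.168.1.10 is a hypothetical stand-in, since the original post does not name the internal mail server.

```python
import ipaddress
import re

# Constructed sample log lines, modelled on the entry quoted in the thread.
# The first and last reuse the addresses from the quoted line; the others are
# made up for illustration (198.51.100.0/24 and 203.0.113.0/24 are
# documentation ranges).
SAMPLE_LOG = """\
[14/Apr/2010 15:11:09] DROP "SMTP Deny" packet from Local Area Connection - LAN, proto:TCP, len:48, ip/port:192.168.1.38:17343 -> 81.247.120.78:25, flags: SYN , seq:43473770 ack:0, win:65535, tcplen:0
[14/Apr/2010 15:11:12] DROP "SMTP Deny" packet from Local Area Connection - LAN, proto:TCP, len:48, ip/port:192.168.1.10:50231 -> 198.51.100.7:25, flags: SYN , seq:1 ack:0, win:65535, tcplen:0
[14/Apr/2010 15:11:15] DROP "Web Deny" packet from Local Area Connection - LAN, proto:TCP, len:48, ip/port:192.168.1.38:17344 -> 203.0.113.9:80, flags: SYN , seq:2 ack:0, win:65535, tcplen:0
[14/Apr/2010 15:11:20] DROP "SMTP Deny" packet from Local Area Connection - LAN, proto:TCP, len:48, ip/port:192.168.1.38:17345 -> 81.247.120.78:25, flags: SYN , seq:3 ack:0, win:65535, tcplen:0
"""

# Field layout of the quoted log format: timestamp, action, rule name,
# protocol, src:sport -> dst:dport, TCP flags.
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\]\s+(?P<action>\w+)\s+"(?P<rule>[^"]*)".*?'
    r'proto:(?P<proto>\w+).*?ip/port:(?P<src>[\d.]+):(?P<sport>\d+)\s*->\s*'
    r'(?P<dst>[\d.]+):(?P<dport>\d+),\s*flags:\s*(?P<flags>[A-Z ]*?)\s*,'
)

# The "1918 space" the reply refers to: RFC 1918 private address blocks.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    """True if the address lies inside one of the RFC 1918 blocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def parse_line(line):
    """Parse one firewall log line; return a dict of fields or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    rec["flags"] = rec["flags"].split()
    return rec


def is_new_outbound_smtp(rec):
    """True for a TCP SYN without ACK (a fresh connection attempt) to port 25,
    leaving RFC 1918 space for a non-RFC 1918 destination."""
    return (rec["proto"] == "TCP"
            and rec["dport"] == 25
            and "SYN" in rec["flags"] and "ACK" not in rec["flags"]
            and is_rfc1918(rec["src"]) and not is_rfc1918(rec["dst"]))


def find_unexpected_smtp_senders(log_text, allowed_relays):
    """Count outbound SMTP SYNs per (src, dst), skipping hosts allowed to relay.

    allowed_relays is a set of internal IP strings permitted to talk to outside
    port 25 (hypothetical; the original post names no such host).
    """
    counts = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_new_outbound_smtp(rec):
            continue
        if rec["src"] in allowed_relays:
            continue
        key = (rec["src"], rec["dst"])
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    # Hypothetical internal mail relay; every other RFC 1918 host is suspect.
    for (src, dst), n in find_unexpected_smtp_senders(SAMPLE_LOG, {"192.168.1.10"}).items():
        print(f"{src} -> {dst}:25  {n} SYN(s) from a host that should not be sending mail")
```

Any host that shows up here other than the designated relay is the one to look at, and it is the internal address in the log, not "the FreeBSD machine" the firewall vendor's wording suggests. If you then do want to follow the reply's pointer to tcpdump(1) on that host, the equivalent capture filter is `tcp dst port 25 and tcp[tcpflags] & tcp-syn != 0 and tcp[tcpflags] & tcp-ack == 0`, which shows only the initial SYNs rather than every packet of each SMTP session.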


More information about the freebsd-questions mailing list