question on SYN_SENT
Chad Leigh Shire.Net LLC
chad at shire.net
Mon Jun 4 16:56:02 UTC 2012
On May 11, 2012, at 6:06 PM, Robert Bonomi wrote:
> 'Should not' does not mean 'is not'. and unfortunately, it -is- attempting
> to "go out".
> There are at least a couple of possible explanations, none of them "good".
> 1) the jail is attempting a DoS (or participating in DDoS) against an
> Israeli _government_ network/machine.
> 2) the jail is 'owned' by a botnet, and is trying to 'phone home' for
Sorry for the delay in response. Did not mean to ignore this. Was busy figuring out and correcting this (and then the other normal day-to-day stuff that comes up).
Yes, it looks like a customer's JBOSS installation had been hacked. It was running in its own jail with RO mounting of /usr (except /usr/local) and /bin /sbin and other system directories. It was basically scanning for more open JBOSS stuff. The attack had just barely happened (the server had just been installed). I disabled the JBOSS and cleaned everything up and scanned the jail for problem files etc. Customer fixed the JBOSS vulnerability (well known one) and decided to leave it off for now.
Thanks for all the help on this.