Security - is my system penetrated?

Ernie Luzar luzar722 at gmail.com
Sun Apr 17 13:07:34 UTC 2016


Hello list;

In this morning's "daily run output" I have these messages which I have 
never seen before.

> Mail in local queue:
> -Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
> 19A8C13CB2     1046 Sat Apr 16 04:02:05  root at dir21
>                 (connect to dir21[198.105.244.228]:25: Network is unreachable)
>                                          root at dir21
> 
> 1BA9913CB7     2928 Sat Apr 16 17:44:14  MAILER-DAEMON
>                 (connect to dir20[198.105.244.228]:25: Network is unreachable)
>                                          root at dir20
> 
> 0FDC013CB1     1106 Sat Apr 16 08:16:04  root at dir21
>                 (connect to dir21[198.105.254.228]:25: Network is unreachable)
>                                          root at dir21
> 
> DF3A513CB4     1046 Sun Apr 17 04:01:14  root at dir21
>                 (connect to dir21[198.105.244.228]:25: Network is unreachable)
>                                          root at dir21
> 
> BB6CE13CBA     1046 Sun Apr 17 04:01:52  root at dir20
>                 (connect to dir20[198.105.254.228]:25: Network is unreachable)
>                                          root at dir20
> 
> 6532F13CA9     2868 Sun Apr 17 04:49:14  MAILER-DAEMON
>                 (connect to dir20[198.105.244.228]:25: Network is unreachable)
>                                          root at dir20
> 
> -- 9 Kbytes in 6 Requests.

To me this looks like received inbound mail trying to commutate with my 
jails. This is why I think my system has been penetrated.

This system has only been running 4 days now. I installed 10.3 from 
scratch. sendmail is turned off and running postfix. Port 25 is blocked 
in ipf firewall. Run fetchmail against my domain mail service provided 
by my domain register. dir20 and dir21 are jails which only became 
active on Apr 15 around 9am. Have 4 xp systems & one win7 system on LAN 
behind the host.

I can not see how an outsider could know about the jails with out having 
  admin authority to the host system.

Could one of the LAN boxes be infected in such a way as to allow remote 
user to access the host FBSD system?

I know that I can delete those queued postfix emails, but is there a way 
    to read them from the host instead?

Desire suggestions on ways to investigate and determine what is happing.

Thanks for your help


More information about the freebsd-questions mailing list