Security - is my system penetrated?

Valeri Galtsev galtsev at kicp.uchicago.edu
Sun Apr 17 13:41:12 UTC 2016 

On Sun, April 17, 2016 8:07 am, Ernie Luzar wrote:
> Hello list;
>
> In this morning's "daily run output" I have these messages which I have
> never seen before.
>
>> Mail in local queue:
>> -Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
>> 19A8C13CB2     1046 Sat Apr 16 04:02:05  root at dir21
>>                 (connect to dir21[198.105.244.228]:25: Network is
>> unreachable)
>>                                          root at dir21
>>
>> 1BA9913CB7     2928 Sat Apr 16 17:44:14  MAILER-DAEMON
>>                 (connect to dir20[198.105.244.228]:25: Network is
>> unreachable)
>>                                          root at dir20
>>
>> 0FDC013CB1     1106 Sat Apr 16 08:16:04  root at dir21
>>                 (connect to dir21[198.105.254.228]:25: Network is
>> unreachable)
>>                                          root at dir21
>>
>> DF3A513CB4     1046 Sun Apr 17 04:01:14  root at dir21
>>                 (connect to dir21[198.105.244.228]:25: Network is
>> unreachable)
>>                                          root at dir21
>>
>> BB6CE13CBA     1046 Sun Apr 17 04:01:52  root at dir20
>>                 (connect to dir20[198.105.254.228]:25: Network is
>> unreachable)
>>                                          root at dir20
>>
>> 6532F13CA9     2868 Sun Apr 17 04:49:14  MAILER-DAEMON
>>                 (connect to dir20[198.105.244.228]:25: Network is
>> unreachable)
>>                                          root at dir20
>>
>> -- 9 Kbytes in 6 Requests.
>
> To me this looks like received inbound mail trying to commutate with my
> jails. This is why I think my system has been penetrated.
>
> This system has only been running 4 days now. I installed 10.3 from
> scratch. sendmail is turned off and running postfix. Port 25 is blocked
> in ipf firewall. Run fetchmail against my domain mail service provided
> by my domain register. dir20 and dir21 are jails which only became
> active on Apr 15 around 9am. Have 4 xp systems & one win7 system on LAN
> behind the host.
>
> I can not see how an outsider could know about the jails with out having
>   admin authority to the host system.
>
> Could one of the LAN boxes be infected in such a way as to allow remote
> user to access the host FBSD system?
>
> I know that I can delete those queued postfix emails, but is there a way
>     to read them from the host instead?

Postfix keeps each message in a queue as a files, and filename is just
message ID postfix assigned to message. You can use "find" command to find
each of these files where postfix keeps queues, then use "postcat" postfix
command to display the message. Say, you found location of first message
with ID 19A8C13CB2. You can:

postcat /path/to/the/file/19A8C13CB2 | less

It is hard to have a judgement what could be going on without knowing
details of your setup. But you are right, reading messages may give you
some clues.

Good luck!

Valeri

>
> Desire suggestions on ways to investigate and determine what is happing.
>
> Thanks for your help
> _______________________________________________
> freebsd-questions at freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to
> "freebsd-questions-unsubscribe at freebsd.org"
>


++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++

More information about the freebsd-questions mailing list