Solved

Unknown connection

Posted on 2004-08-29
6
446 Views
Last Modified: 2013-11-22
Here's my problem. I'm running FreeBSD 4.10 stable, the only applications I'm running on this box is PostgreSQL DBMS, MySQL, Apache, and Tomcat. I have one web application I got running.
My main concern is when I run netstat, I get this line below:

Local Address       Foreign Address                (state)
bruno.1132           mc1.bay6.hotmail.smtp      SYN_SENT

I ran it a number of times and it changed a bit but still points to blah.hotmail.smtp. How can I find out exactly what this is? I assume that somehow some program maybe using my machine to send spam or outgoing mails. I configure the firwall to block incoming smtp and pop request, but it still shows up.
Does anyone got an idea what this is, I don't want this running because I don't know what it is?
0
Comment
Question by:Squig
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
6 Comments
 
LVL 62

Expert Comment

by:gheist
ID: 11928763
Looks like common spamming trick - try running netstat -an, then whois on respective IP address and if it does not belong to Microsoft - blacklist whole subnet, /var/log/maillog may tell you more....
0
 
LVL 4

Assisted Solution

by:frankcheong
frankcheong earned 250 total points
ID: 11928962
You should act before the problem happened.
1. Stop sendmail if you don't use it (edit /etc/rc.conf with sendmail_enabled="NO")
2. Install anti-spam package like mailscanner with spamassasin and clamav if you really need to use sendmail.
3. If sendmail is not mandatory while you still need email capabilities, I prefer to use postfix which is much easier to configure with anti-spamming capabilities. Install postfix with amavisd which is also available in ports collection. The installation is real easy. Just follow the link : -

Postfix installation FreeBSD guide
http://www.onlamp.com/pub/a/bsd/2003/08/21/postfix.html

Postfix with anti-spam for openBSD Guide
http://www.flakshack.com/anti-spam/

0
 
LVL 4

Expert Comment

by:frankcheong
ID: 11928973
One more: -

Howto configure postfix with crus SSL/TLS and amavis

http://www.freebsdforums.org/forums/showthread.php?s=&threadid=8032&highlight=postfix

0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 

Author Comment

by:Squig
ID: 11931085
Ok, I'll check those options you guys suggested. I temporarily took the machine off the network until I figured out what exactly was going on. When I checked in my firewall log to see outgoing connections there a lot of traffic going to a these ip addresses to port 25. When I looked up the ip address on google, I found this site that says they are hotmail smtp servers. But when I trace the ip through http://www.network-tools.com they go back to an ISP of someone who was trying to gain root access to my machine recently.
0
 
LVL 62

Accepted Solution

by:
gheist earned 250 total points
ID: 11934916
Do not trust everything google says.
If whois "ip.address" is not an option, you can use www.uwhois.com , and make sure *all* your hotmail outgoing addresses belong to Microsoft NOC

!!!Imagine the SOMEONE backdoored your machine already - you need new machine now!!!
have a nice installing party, as no data on your machine can be trusted
if some data is needed, then extract it with extreme care using install CD of your system, not anything that runs on backdoored system

If you want to track abuser, you can install some kind of bridge with firewall (Another FreeBSD or one OpenBSD with two network cards) in front of backdoored machine while reinstalling it

Please shut down your "Open Relay" ASAP, using sendmail_enable="NO", thiss will still allow local programs to get mail out.
Then get familiar with securing sendmail:
http://www.sendmail.org/tips/relaying.html
And updating Your operating system along with preinstalled sendmail:
http://www.experts-exchange.com/Operating_Systems/FreeBSD/Q_21084480.html
Then consider some alternative mailer, which is easier to control than sendmail - Postfix or Exim

bruno.1132           mc1.bay6.hotmail.smtp      SYN_SENT
this looks like someone uses your server to send spam out to hotmail, and hotmail has already blacklisted you....
0
 
LVL 4

Expert Comment

by:frankcheong
ID: 11938051
Just want to let you know that www.dnsstuff.com is also a very good site if you need domain related information and more.
0

Featured Post

On Demand Webinar: Networking for the Cloud Era

Did you know SD-WANs can improve network connectivity? Check out this webinar to learn how an SD-WAN simplified, one-click tool can help you migrate and manage data in the cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Let's say you need to move the data of a file system from one partition to another. This generally involves dismounting the file system, backing it up to tapes, and restoring it to a new partition. You may also copy the file system from one place to…
I have been running these systems for a few years now and I am just very happy with them.   I just wanted to share the manual that I have created for upgrades and other things.  Oooh yes! FreeBSD makes me happy (as a server), no maintenance and I al…
Learn how to find files with the shell using the find and locate commands. Use locate to find a needle in a haystack.: With locate, check if the file still exists.: Use find to get the actual location of the file.:
This video shows how to set up a shell script to accept a positional parameter when called, pass that to a SQL script, accept the output from the statement back and then manipulate it in the Shell.

729 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question