Solved

Unknown connection

Posted on 2004-08-29
6
443 Views
Last Modified: 2013-11-22
Here's my problem. I'm running FreeBSD 4.10 stable, the only applications I'm running on this box is PostgreSQL DBMS, MySQL, Apache, and Tomcat. I have one web application I got running.
My main concern is when I run netstat, I get this line below:

Local Address       Foreign Address                (state)
bruno.1132           mc1.bay6.hotmail.smtp      SYN_SENT

I ran it a number of times and it changed a bit but still points to blah.hotmail.smtp. How can I find out exactly what this is? I assume that somehow some program may be using my machine to send spam or outgoing mails. I configured the firewall to block incoming smtp and pop requests, but it still shows up.
Does anyone have an idea what this is? I don't want this running because I don't know what it is.
0
Question by:Squig
6 Comments
 
LVL 62

Expert Comment

by:gheist
ID: 11928763
Looks like common spamming trick - try running netstat -an, then whois on respective IP address and if it does not belong to Microsoft - blacklist whole subnet, /var/log/maillog may tell you more....
0
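The check gheist describes (run netstat -an, then look at where the outbound port-25 connections go) can be scripted. This is an added example, not code from the thread; it parses FreeBSD-style netstat -an output (host and port separated by a dot) from a constructed sample and tallies the foreign hosts being contacted on SMTP, so the list can then be checked against whois.

```python
from collections import Counter

# Constructed sample of `netstat -an` output in FreeBSD 4.x format.
# Addresses are documentation ranges, not real hosts.
SAMPLE_NETSTAT = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  192.0.2.10.1132        198.51.100.7.25        SYN_SENT
tcp4       0      0  192.0.2.10.1133        198.51.100.7.25        SYN_SENT
tcp4       0      0  192.0.2.10.1135        203.0.113.44.25        ESTABLISHED
tcp4       0      0  192.0.2.10.22          192.0.2.50.40112       ESTABLISHED
tcp4       0      0  *.80                   *.*                    LISTEN
udp4       0      0  *.53                   *.*
"""

def split_host_port(endpoint):
    """FreeBSD netstat writes 'host.port'; the last dot separates the port."""
    host, _, port = endpoint.rpartition(".")
    return host, port

def outbound_smtp(netstat_text, smtp_port="25"):
    """Count TCP sockets whose *foreign* port is SMTP, keyed by (host, state).

    Only the foreign port is checked: a foreign port of 25 means this box is
    the client, i.e. it is the one trying to deliver mail somewhere.
    """
    hits = Counter()
    for line in netstat_text.splitlines():
        fields = line.split()
        # Skip headers and UDP/LISTEN-only rows that have no state column.
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue
        foreign, state = fields[4], fields[5]
        fhost, fport = split_host_port(foreign)
        if fport == smtp_port:
            hits[(fhost, state)] += 1
    return hits

def hosts_to_check(netstat_text):
    """Distinct foreign SMTP hosts, sorted by number of sockets (busiest first)."""
    per_host = Counter()
    for (host, _state), n in outbound_smtp(netstat_text).items():
        per_host[host] += n
    return [h for h, _ in per_host.most_common()]

if __name__ == "__main__":
    for (host, state), n in outbound_smtp(SAMPLE_NETSTAT).items():
        print(f"{n:3d} x {host}:25 {state}")
    print("whois these:", hosts_to_check(SAMPLE_NETSTAT))
```

Pipe real output in with `netstat -an | python3 thisscript.py` after replacing SAMPLE_NETSTAT with sys.stdin.read(); a pile of SYN_SENT sockets to port 25 from a box that should not be sending mail is the symptom the thread is about.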
 
LVL 4

Assisted Solution

by:frankcheong
frankcheong earned 250 total points
ID: 11928962
You should act before the problem happens.
1. Stop sendmail if you don't use it (edit /etc/rc.conf with sendmail_enabled="NO")
2. Install an anti-spam package like mailscanner with spamassassin and clamav if you really need to use sendmail.
3. If sendmail is not mandatory while you still need email capabilities, I prefer to use postfix, which is much easier to configure with anti-spamming capabilities. Install postfix with amavisd, which is also available in the ports collection. The installation is really easy. Just follow the link : -

Postfix installation FreeBSD guide
http://www.onlamp.com/pub/a/bsd/2003/08/21/postfix.html

Postfix with anti-spam for OpenBSD Guide
http://www.flakshack.com/anti-spam/

0
 
LVL 4

Expert Comment

by:frankcheong
ID: 11928973
One more: -

Howto configure postfix with Cyrus SSL/TLS and amavis

http://www.freebsdforums.org/forums/showthread.php?s=&threadid=8032&highlight=postfix

0

Author Comment

by:Squig
ID: 11931085
Ok, I'll check those options you guys suggested. I temporarily took the machine off the network until I figured out what exactly was going on. When I checked in my firewall log to see outgoing connections, there was a lot of traffic going to these IP addresses on port 25. When I looked up the IP addresses on google, I found a site that says they are hotmail smtp servers. But when I trace the IPs through http://www.network-tools.com they go back to the ISP of someone who was trying to gain root access to my machine recently.
0
 
LVL 62

Accepted Solution

by:gheist
gheist earned 250 total points
ID: 11934916
Do not trust everything google says.
If whois "ip.address" is not an option, you can use www.uwhois.com , and make sure *all* your hotmail outgoing addresses belong to Microsoft NOC

!!!Imagine that SOMEONE backdoored your machine already - you need a new machine now!!!
Have a nice installing party, as no data on your machine can be trusted.
If some data is needed, then extract it with extreme care using the install CD of your system, not anything that runs on the backdoored system.

If you want to track abuser, you can install some kind of bridge with firewall (Another FreeBSD or one OpenBSD with two network cards) in front of backdoored machine while reinstalling it

Please shut down your "Open Relay" ASAP, using sendmail_enable="NO"; this will still allow local programs to get mail out.
Then get familiar with securing sendmail:
http://www.sendmail.org/tips/relaying.html
And updating your operating system along with preinstalled sendmail:
http://www.experts-exchange.com/Operating_Systems/FreeBSD/Q_21084480.html
Then consider some alternative mailer, which is easier to control than sendmail - Postfix or Exim

bruno.1132           mc1.bay6.hotmail.smtp      SYN_SENT
this looks like someone uses your server to send spam out to hotmail, and hotmail has already blacklisted you....
0
 
LVL 4

Expert Comment

by:frankcheong
ID: 11938051
Just want to let you know that www.dnsstuff.com is also a very good site if you need domain related information and more.
0