Solved

Unknown connection

Posted on 2004-08-29
6
440 Views
Last Modified: 2013-11-22
Here's my problem. I'm running FreeBSD 4.10 stable; the only applications I'm running on this box are PostgreSQL DBMS, MySQL, Apache, and Tomcat. I have one web application that I've got running.
My main concern is that when I run netstat, I get the line below:

Local Address       Foreign Address                (state)
bruno.1132           mc1.bay6.hotmail.smtp      SYN_SENT

I ran it a number of times and it changed a bit but still points to blah.hotmail.smtp. How can I find out exactly what this is? I assume that somehow some program may be using my machine to send spam or outgoing mail. I configured the firewall to block incoming smtp and pop requests, but it still shows up.
Does anyone have an idea what this is? I don't want this running because I don't know what it is.
0
Question by:Squig
6 Comments
 
LVL 61

Expert Comment

by:gheist
ID: 11928763
Looks like a common spamming trick - try running netstat -an, then whois on the respective IP address, and if it does not belong to Microsoft, blacklist the whole subnet; /var/log/maillog may tell you more....
0
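A way to run the two checks named in this comment (netstat -an and /var/log/maillog) against captured command output, as an added example that is not part of the original thread. The netstat and sendmail maillog text embedded below is constructed (documentation IP ranges, invented queue ids and hostnames), so the script runs offline; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): triage outbound port-25 connections
# seen in `netstat -an` and correlate them with sendmail's /var/log/maillog.
# All sample data below is constructed (documentation IP ranges, invented
# queue ids); on the real box you would run
#   netstat -an | outbound_smtp_peers
#   inbound_relay_sources < /var/log/maillog

# Constructed `netstat -an` output in the FreeBSD 4.x column layout.
SAMPLE_NETSTAT='Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  192.0.2.10.1132        198.51.100.5.25        SYN_SENT
tcp4       0      0  192.0.2.10.1133        198.51.100.5.25        SYN_SENT
tcp4       0      0  192.0.2.10.1134        198.51.100.9.25        SYN_SENT
tcp4       0      0  192.0.2.10.80          203.0.113.7.51234      ESTABLISHED
tcp4       0      0  192.0.2.10.1140        203.0.113.44.25        ESTABLISHED
tcp4       0      0  *.25                   *.*                    LISTEN'

# Constructed sendmail maillog lines: one external host injects a 40-recipient
# message (relay=[203.0.113.99]); one local process sends a single message.
SAMPLE_MAILLOG='Aug 29 10:12:01 bruno sendmail[1201]: i7TEC1Q01201: from=<promo@example.net>, size=2310, class=0, nrcpts=40, msgid=<1@example.net>, proto=SMTP, daemon=MTA, relay=[203.0.113.99]
Aug 29 10:12:03 bruno sendmail[1204]: i7TEC1Q01201: to=<user1@hotmail.com>, delay=00:00:02, xdelay=00:00:02, mailer=esmtp, pri=32310, relay=mc1.bay6.hotmail.com. [198.51.100.5], dsn=4.0.0, stat=Deferred: Connection timed out
Aug 29 10:20:15 bruno sendmail[1300]: i7TEKFQ01300: from=<www@bruno>, size=512, class=0, nrcpts=1, msgid=<2@bruno>, relay=www@localhost
Aug 29 10:20:16 bruno sendmail[1301]: i7TEKFQ01300: to=<admin@example.org>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=30512, relay=mail.example.org. [203.0.113.44], dsn=2.0.0, stat=Sent (ok)'

# Count, per foreign IP, the TCP sockets this host has opened towards port 25.
# Only client sockets count: the LISTEN entry is our own MTA, and a foreign
# port other than 25 is not an outbound mail connection.
outbound_smtp_peers() {
  awk '$1 ~ /^tcp/ && $6 != "LISTEN" {
         n = split($5, f, ".")                 # foreign address is a.b.c.d.port
         if (n == 5 && f[5] == "25") {
           count[f[1] "." f[2] "." f[3] "." f[4]]++
         }
       }
       END { for (ip in count) print count[ip], ip }' \
  | sort -k1,1nr -k2,2
}

# Sum recipients per submitting host from sendmail "from=" lines. A foreign
# address in relay= together with a large nrcpts is what an abused open relay
# looks like in the log; a healthy web box should only show local submitters.
inbound_relay_sources() {
  awk '/ from=</ {
         src = $0; sub(/.*relay=/, "", src); sub(/,.*/, "", src)
         n = $0;   sub(/.*nrcpts=/, "", n);  sub(/,.*/, "", n)
         rcpts[src] += n
       }
       END { for (s in rcpts) print rcpts[s], s }' \
  | sort -k1,1nr -k2,2
}

# Stand-alone demo on the constructed data.
echo "outbound peers on port 25 (count ip):"
printf '%s\n' "$SAMPLE_NETSTAT" | outbound_smtp_peers
echo "recipients per submitting host (count relay):"
printf '%s\n' "$SAMPLE_MAILLOG" | inbound_relay_sources
```

The first list is what you feed to whois: every IP on it that does not resolve to the owner you expect deserves a closer look. The second list answers the other half of the question, namely who is handing mail to the MTA in the first place; a foreign relay= address with dozens of recipients per message is the signature of relaying, not of a local application sending notifications.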
 
LVL 4

Assisted Solution

by:frankcheong
frankcheong earned 250 total points
ID: 11928962
You should act before the problem happens.
1. Stop sendmail if you don't use it (edit /etc/rc.conf with sendmail_enable="NO")
2. Install an anti-spam package like mailscanner with spamassassin and clamav if you really need to use sendmail.
3. If sendmail is not mandatory while you still need email capabilities, I prefer to use postfix, which is much easier to configure with anti-spamming capabilities. Install postfix with amavisd, which is also available in the ports collection. The installation is really easy. Just follow the links:

Postfix installation FreeBSD guide
http://www.onlamp.com/pub/a/bsd/2003/08/21/postfix.html

Postfix with anti-spam for openBSD Guide
http://www.flakshack.com/anti-spam/

0
 
LVL 4

Expert Comment

by:frankcheong
ID: 11928973
One more:

How to configure postfix with Cyrus SSL/TLS and amavis

http://www.freebsdforums.org/forums/showthread.php?s=&threadid=8032&highlight=postfix

0

Author Comment

by:Squig
ID: 11931085
Ok, I'll check those options you guys suggested. I temporarily took the machine off the network until I figure out what exactly is going on. When I checked my firewall log for outgoing connections, there was a lot of traffic going to these IP addresses on port 25. When I looked up the IP addresses on Google, I found a site that says they are hotmail smtp servers. But when I trace the IPs through http://www.network-tools.com they go back to the ISP of someone who was trying to gain root access to my machine recently.
0
 
LVL 61

Accepted Solution

by:gheist
gheist earned 250 total points
ID: 11934916
Do not trust everything Google says.
If whois "ip.address" is not an option, you can use www.uwhois.com, and make sure *all* your hotmail outgoing addresses belong to the Microsoft NOC.

!!!Imagine that SOMEONE backdoored your machine already - you need a new machine now!!!
Have a nice installing party, as no data on your machine can be trusted.
If some data is needed, then extract it with extreme care using the install CD of your system, not anything that runs on the backdoored system.

If you want to track the abuser, you can install some kind of bridge with a firewall (another FreeBSD or an OpenBSD box with two network cards) in front of the backdoored machine while reinstalling it.

Please shut down your "Open Relay" ASAP, using sendmail_enable="NO"; this will still allow local programs to get mail out.
Then get familiar with securing sendmail:
http://www.sendmail.org/tips/relaying.html
And updating your operating system along with the preinstalled sendmail:
http://www.experts-exchange.com/Operating_Systems/FreeBSD/Q_21084480.html
Then consider some alternative mailer which is easier to control than sendmail - Postfix or Exim.

bruno.1132           mc1.bay6.hotmail.smtp      SYN_SENT
This looks like someone is using your server to send spam out to hotmail, and hotmail has already blacklisted you....
0
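Both frankcheong's first step (stop sendmail through /etc/rc.conf) and gheist's advice here (sendmail_enable="NO", then confirm the "open relay" is gone) come down to two things you can verify on the box: what rc.conf actually sets, and whether anything is still listening on port 25 for the network. The script below is an added example, not code from the thread or from FreeBSD; it reads rc.conf text and netstat -an text on stdin, the sample inputs are constructed, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): check whether this host still offers
# SMTP to the network after the rc.conf change. Reads rc.conf text and
# `netstat -an` text on stdin; the samples below are constructed. On the real
# box:  sendmail_rc_setting < /etc/rc.conf ; netstat -an | smtp_listen_exposure

# Constructed /etc/rc.conf: the commented-out line must not count, and the
# last uncommented assignment wins (rc.conf is sourced top to bottom).
SAMPLE_RC_CONF='hostname="bruno.example.com"
#sendmail_enable="NO"
sendmail_enable="YES"
apache_enable="YES"'

# Constructed `netstat -an` extracts: sendmail bound to every interface,
# and sendmail bound to loopback only.
SAMPLE_NETSTAT_EXPOSED='Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  *.80                   *.*                    LISTEN
tcp4       0      0  *.25                   *.*                    LISTEN'

SAMPLE_NETSTAT_LOCAL='Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  *.80                   *.*                    LISTEN
tcp4       0      0  127.0.0.1.25           *.*                    LISTEN'

# Print the effective value of sendmail_enable from rc.conf text, or UNSET
# when no uncommented assignment exists (then /etc/defaults/rc.conf decides).
sendmail_rc_setting() {
  awk '/^[ \t]*sendmail_enable=/ {
         v = $0
         sub(/^[ \t]*sendmail_enable=/, "", v)
         gsub(/"/, "", v)
         val = v
       }
       END { if (val == "") print "UNSET"; else print val }'
}

# Classify port-25 listeners: "exposed" if bound to the wildcard or to any
# non-loopback address, "loopback-only" if only 127.0.0.1, "none" otherwise.
smtp_listen_exposure() {
  awk '$1 ~ /^tcp/ && $6 == "LISTEN" {
         n = split($4, l, ".")                # local address is addr.port
         if (l[n] == "25") {
           if ($4 == "127.0.0.1.25") loop = 1
           else exposed = 1
         }
       }
       END {
         if (exposed) print "exposed"
         else if (loop) print "loopback-only"
         else print "none"
       }'
}

# Combine both checks into one line of advice.  $1 = rc.conf text, $2 = netstat text
mta_audit() {
  rc=$(printf '%s\n' "$1" | sendmail_rc_setting)
  ex=$(printf '%s\n' "$2" | smtp_listen_exposure)
  case "$ex" in
    exposed)
      echo "ACTION: port 25 accepts connections from the network (sendmail_enable=$rc);" \
           "set sendmail_enable=\"NO\" if inbound mail is not needed, otherwise verify relaying is restricted" ;;
    loopback-only)
      echo "OK: port 25 only accepts local submissions (sendmail_enable=$rc)" ;;
    *)
      echo "OK: nothing is listening on port 25 (sendmail_enable=$rc)" ;;
  esac
}

# Stand-alone demo on the constructed data.
mta_audit "$SAMPLE_RC_CONF" "$SAMPLE_NETSTAT_EXPOSED"
mta_audit "$SAMPLE_RC_CONF" "$SAMPLE_NETSTAT_LOCAL"
```

The point of checking netstat as well as rc.conf is that the two can disagree: a daemon started by hand, or a second MTA installed from ports, keeps listening no matter what rc.conf says, and a listener on the wildcard address is reachable from outside even when the rc.conf setting looks right. Run the check again after the reboot that follows the rc.conf edit, not before.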
 
LVL 4

Expert Comment

by:frankcheong
ID: 11938051
Just want to let you know that www.dnsstuff.com is also a very good site if you need domain-related information and more.
0
