Unknown connection

Here's my problem. I'm running FreeBSD 4.10 stable; the only applications I'm running on this box are PostgreSQL DBMS, MySQL, Apache, and Tomcat. I have one web application running.
My main concern is when I run netstat, I get this line below:

Local Address       Foreign Address                (state)
bruno.1132           mc1.bay6.hotmail.smtp      SYN_SENT

I ran it a number of times and it changed a bit, but it still points to blah.hotmail.smtp. How can I find out exactly what this is? I assume that somehow some program may be using my machine to send spam or outgoing mail. I configured the firewall to block incoming SMTP and POP requests, but it still shows up.
Does anyone have an idea what this is? I don't want this running because I don't know what it is.
Squig asked:
gheist commented:
Do not trust everything Google says.
If whois "ip.address" is not an option, you can use www.uwhois.com, and make sure *all* your Hotmail outgoing addresses belong to the Microsoft NOC.

!!! Imagine that SOMEONE has already backdoored your machine - you need a new machine now !!!
Have a nice installing party, as no data on your machine can be trusted.
If some data is needed, then extract it with extreme care using the install CD of your system, not anything that runs on the backdoored system.

If you want to track the abuser, you can install some kind of bridge with a firewall (another FreeBSD or an OpenBSD box with two network cards) in front of the backdoored machine while reinstalling it.

Please shut down your "Open Relay" ASAP, using sendmail_enable="NO"; this will still allow local programs to get mail out.
Then get familiar with securing sendmail:
http://www.sendmail.org/tips/relaying.html
And update your operating system along with the preinstalled sendmail:
http://www.experts-exchange.com/Operating_Systems/FreeBSD/Q_21084480.html
Then consider some alternative mailer which is easier to control than sendmail - Postfix or Exim.

bruno.1132           mc1.bay6.hotmail.smtp      SYN_SENT
This looks like someone is using your server to send spam to Hotmail, and Hotmail has already blacklisted you....
 
gheist commented:
Looks like a common spamming trick - try running netstat -an, then whois on the respective IP address, and if it does not belong to Microsoft, blacklist the whole subnet. /var/log/maillog may tell you more....
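The netstat-then-whois procedure gheist describes in both comments can be made repeatable. The script below is an added example, not code from the thread: it summarises the output of `netstat -an -f inet` on FreeBSD (where the port follows the last dot, so an SMTP peer ends in `.25`), lists the peers that are not in a small allowlist of relays you expect the box to talk to (those are the addresses to run whois against), and reports whether anything is listening on port 25 at all. The netstat sample and the `KNOWN_RELAYS` value are constructed and use documentation address ranges.

```shell
#!/bin/sh
# Added example (not from the thread): summarise where this host is trying to
# deliver mail, from the output of `netstat -an -f inet` on FreeBSD.
# Real use:  netstat -an -f inet | outbound_smtp
# The sample below is constructed and uses documentation address ranges.

SAMPLE_NETSTAT='Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  192.0.2.10.1132        203.0.113.45.25        SYN_SENT
tcp4       0      0  192.0.2.10.1133        203.0.113.46.25        SYN_SENT
tcp4       0      0  192.0.2.10.1134        203.0.113.45.25        SYN_SENT
tcp4       0      0  192.0.2.10.1135        198.51.100.25.25       ESTABLISHED
tcp4       0      0  192.0.2.10.80          198.51.100.7.40123     ESTABLISHED
tcp4       0      0  192.0.2.10.5432        127.0.0.1.50000        ESTABLISHED
tcp4       0      0  *.25                   *.*                    LISTEN'

# Mail relays this host is expected to talk to, e.g. the ISP smarthost.
# Constructed value; replace with your own.
KNOWN_RELAYS='198.51.100.25'

# Print "count ip" for each foreign host we are connecting to on port 25,
# busiest first.  FreeBSD netstat writes the port after the last dot, so the
# foreign address for SMTP always ends in ".25".  Reads netstat output on stdin.
outbound_smtp() {
    awk '$1 ~ /^tcp/ && $5 ~ /\.25$/ && ($6 == "SYN_SENT" || $6 == "ESTABLISHED") {
             ip = $5; sub(/\.25$/, "", ip); n[ip]++
         }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Print the foreign hosts from outbound_smtp that are not in KNOWN_RELAYS.
# These are the addresses worth a whois lookup, as gheist suggests.
unexpected_smtp_peers() {
    outbound_smtp | awk -v ok="$KNOWN_RELAYS" '
        BEGIN { cnt = split(ok, a, " "); for (i = 1; i <= cnt; i++) allow[a[i]] = 1 }
        !($2 in allow) { print $2 }'
}

# Exit 0 if anything is listening on port 25.  A box that only needs to send
# mail from local programs has no reason to accept SMTP from the network.
smtp_listener() {
    awk '$1 ~ /^tcp/ && $6 == "LISTEN" && $4 ~ /\.25$/ { found = 1 }
         END { exit !found }'
}

echo "Outbound SMTP peers (count ip):"
printf '%s\n' "$SAMPLE_NETSTAT" | outbound_smtp
echo "Peers not in the relay allowlist:"
printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_smtp_peers
if printf '%s\n' "$SAMPLE_NETSTAT" | smtp_listener; then
    echo "WARNING: something is listening on port 25 (open relay candidate)"
fi
```

Several SYN_SENT connections to the same unexpected peer, combined with a LISTEN on port 25, is the pattern this thread is about: a local MTA accepting mail from the network and retrying delivery to a destination that is not answering. Feed the real netstat output through the same functions and run whois only on what `unexpected_smtp_peers` prints.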
 
frankcheong commented:
You should act before the problem happens.
1. Stop sendmail if you don't use it (edit /etc/rc.conf with sendmail_enabled="NO")
2. Install an anti-spam package like MailScanner with SpamAssassin and ClamAV if you really need to use sendmail.
3. If sendmail is not mandatory but you still need email capabilities, I prefer to use postfix, which is much easier to configure with anti-spam capabilities. Install postfix with amavisd, which is also available in the ports collection. The installation is really easy. Just follow the links: -

Postfix installation FreeBSD guide
http://www.onlamp.com/pub/a/bsd/2003/08/21/postfix.html

Postfix with anti-spam for OpenBSD guide
http://www.flakshack.com/anti-spam/

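Two checks that follow from the advice above and from gheist's pointer to /var/log/maillog, as an added example rather than anything posted in the thread. Note that the rc.conf variable FreeBSD actually reads is `sendmail_enable` (as in gheist's comment); the first function shows what that variable resolves to when rc.conf assigns it more than once, since rc.conf is sourced by sh and the last assignment wins. The other two functions read sendmail's maillog and count which hosts are handing mail to sendmail (from= lines) and where deferred deliveries are queued for (to= lines with stat=Deferred). Both the rc.conf fragment and the maillog excerpt are constructed samples using documentation address ranges.

```shell
#!/bin/sh
# Added example (not from the thread): two checks for a FreeBSD box suspected
# of relaying spam.  (1) What sendmail_enable actually resolves to in
# /etc/rc.conf; (2) which hosts are injecting mail into sendmail and where the
# deferred mail is queued for, from /var/log/maillog.  Samples are constructed
# and use documentation address ranges.
# Real use:  sendmail_rc_setting < /etc/rc.conf
#            injected_from_hosts < /var/log/maillog

# Constructed rc.conf: someone appended sendmail_enable="YES" later, which
# silently undoes the earlier "NO" because the last assignment wins.
SAMPLE_RC='hostname="bruno.example.net"
sendmail_enable="NO"
apache_enable="YES"
sendmail_enable="YES"'

# Constructed sendmail maillog excerpt.
SAMPLE_MAILLOG='Sep 12 03:14:07 bruno sendmail[4021]: i8C3E7aa004021: from=<bob@example.net>, size=2310, class=0, nrcpts=1, msgid=<1@example.net>, proto=SMTP, daemon=MTA, relay=[203.0.113.9]
Sep 12 03:14:08 bruno sendmail[4023]: i8C3E7aa004021: to=<someone@hotmail.com>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=32310, relay=mc1.bay6.hotmail.com. [203.0.113.45], dsn=4.0.0, stat=Deferred: Connection timed out
Sep 12 03:14:09 bruno sendmail[4021]: i8C3E9aa004024: from=<alice@example.net>, size=2290, class=0, nrcpts=1, msgid=<2@example.net>, proto=SMTP, daemon=MTA, relay=[203.0.113.9]
Sep 12 03:14:10 bruno sendmail[4025]: i8C3E9aa004024: to=<other@hotmail.com>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=32290, relay=mc1.bay6.hotmail.com. [203.0.113.45], dsn=4.0.0, stat=Deferred: Connection timed out
Sep 12 03:14:30 bruno sendmail[4028]: i8C3EUaa004028: from=<carol@example.org>, size=1900, class=0, nrcpts=1, msgid=<3@example.org>, proto=SMTP, daemon=MTA, relay=[198.51.100.77]
Sep 12 03:15:00 bruno sendmail[4030]: i8C3F0aa004030: from=<www@bruno.example.net>, size=120, class=0, nrcpts=1, msgid=<4@bruno.example.net>, relay=www@localhost'

# Effective sendmail_enable value: like sh sourcing rc.conf, the last
# assignment wins.  Prints "unset" when rc.conf never sets it (the value
# then comes from /etc/defaults/rc.conf).
sendmail_rc_setting() {
    awk -F'"' '/^[ \t]*sendmail_enable=/ { v = $2 }
               END { print (v == "" ? "unset" : v) }'
}

# "count relay" for hosts that handed messages to sendmail (from= lines),
# ignoring local submissions.  Outside hosts here mean the box relays for
# them; on a web server that should be an empty list.
injected_from_hosts() {
    awk '/sendmail\[/ && /: from=</ && match($0, /relay=[^,]+/) {
             r = substr($0, RSTART + 6, RLENGTH - 6)
             if (r !~ /localhost/) n[r]++
         }
         END { for (r in n) print n[r], r }' | sort -rn
}

# "count relay" for deferred deliveries (to= lines with stat=Deferred): the
# SYN_SENT connections in netstat are sendmail retrying these.
deferred_destinations() {
    awk '/sendmail\[/ && /: to=</ && /stat=Deferred/ && match($0, /relay=[^,]+/) {
             n[substr($0, RSTART + 6, RLENGTH - 6)]++
         }
         END { for (r in n) print n[r], r }' | sort -rn
}

echo "sendmail_enable resolves to: $(printf '%s\n' "$SAMPLE_RC" | sendmail_rc_setting)"
echo "Hosts injecting mail (count relay):"
printf '%s\n' "$SAMPLE_MAILLOG" | injected_from_hosts
echo "Deferred destinations (count relay):"
printf '%s\n' "$SAMPLE_MAILLOG" | deferred_destinations
```

After changing rc.conf, confirm the setting with `sendmail_rc_setting < /etc/rc.conf` rather than by eye, and recheck netstat: with sendmail no longer listening on port 25, the `from=` lines from outside hosts should stop, and the queued deferred mail can be inspected with mailq and discarded.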
 
frankcheong commented:
One more: -

Howto configure postfix with Cyrus SSL/TLS and amavis

http://www.freebsdforums.org/forums/showthread.php?s=&threadid=8032&highlight=postfix

 
Squig (author) commented:
Ok, I'll check the options you guys suggested. I temporarily took the machine off the network until I figured out what exactly was going on. When I checked my firewall log for outgoing connections, there was a lot of traffic going to these IP addresses on port 25. When I looked up the IP addresses on Google, I found a site that says they are Hotmail SMTP servers. But when I trace the IPs through http://www.network-tools.com, they go back to the ISP of someone who was trying to gain root access to my machine recently.
 
frankcheong commented:
Just want to let you know that www.dnsstuff.com is also a very good site if you need domain related information and more.