Solved

Unknown connection

Posted on 2004-08-29
439 Views
Last Modified: 2013-11-22
Here's my problem. I'm running FreeBSD 4.10 stable; the only applications I'm running on this box are the PostgreSQL DBMS, MySQL, Apache, and Tomcat. I have one web application running.
My main concern is that when I run netstat, I get the line below:

Local Address       Foreign Address                (state)
bruno.1132           mc1.bay6.hotmail.smtp      SYN_SENT

I ran it a number of times and it changed a bit, but it still points to blah.hotmail.smtp. How can I find out exactly what this is? I assume that somehow some program may be using my machine to send spam or outgoing mail. I configured the firewall to block incoming SMTP and POP requests, but it still shows up.
Does anyone have an idea what this is? I don't want this running because I don't know what it is.
Question by:Squig
6 Comments
 
LVL 61

Expert Comment

by:gheist
Looks like a common spamming trick - try running netstat -an, then whois on the respective IP address, and if it does not belong to Microsoft, blacklist the whole subnet; /var/log/maillog may tell you more....
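A way to carry out the "netstat -an, then whois" step from this comment on a FreeBSD box, written as an added example rather than code from the thread: the script pulls only the outbound port 25 connections out of netstat output and groups them by foreign IP, so the list can be fed to whois and compared against /var/log/maillog. The netstat sample it runs on is constructed (RFC 5737 documentation addresses), not a capture from the asker's machine; the function and variable names are the example's own.

```shell
#!/bin/sh
# Added example, not code from the thread: summarise *outbound* SMTP
# connections in `netstat -an` output, grouped by foreign IP, so the peers
# can be fed to whois and compared against /var/log/maillog.
# FreeBSD netstat joins address and port with a dot ("host.port"), exactly
# as in the asker's "bruno.1132 -> mc1.bay6.hotmail.smtp" line.

# Constructed sample in the FreeBSD netstat -an layout (documentation
# addresses from RFC 5737); this is not a capture from the asker's box.
SAMPLE='Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  192.0.2.10.1132        198.51.100.7.25        SYN_SENT
tcp4       0      0  192.0.2.10.1133        198.51.100.7.25        SYN_SENT
tcp4       0      0  192.0.2.10.1134        203.0.113.9.25         ESTABLISHED
tcp4       0      0  192.0.2.10.80          198.51.100.20.40001    ESTABLISHED
tcp4       0      0  *.25                   *.*                    LISTEN
tcp4       0      0  192.0.2.10.25          198.51.100.30.51234    ESTABLISHED'

# smtp_peers: read netstat output on stdin and print "count ip" for every
# foreign host this machine is connecting *to* on port 25, most frequent
# first. Inbound sessions (our port 25, their ephemeral port) and the
# listener line are excluded: those are mail coming in, not going out.
# Accepts both numeric ports (netstat -an) and the "smtp" name (netstat -a).
smtp_peers() {
    awk '$1 ~ /^tcp/ && $5 ~ /\.(25|smtp)$/ && $6 != "LISTEN" {
            ip = $5
            sub(/\.[^.]*$/, "", ip)      # strip the trailing ".port"
            n[ip]++
        }
        END { for (ip in n) print n[ip], ip }' | sort -rn
}

# On a live system: netstat -an | smtp_peers
printf '%s\n' "$SAMPLE" | smtp_peers
```

On the constructed sample this prints `2 198.51.100.7` and `1 203.0.113.9`; the inbound session and the listener are left out on purpose, because the question is who the box is talking *to*. Each printed address is then a candidate for `whois` and for a grep through /var/log/maillog.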
 
LVL 4

Assisted Solution

by:frankcheong
frankcheong earned 250 total points
You should act before the problem happens.
1. Stop sendmail if you don't use it (edit /etc/rc.conf with sendmail_enabled="NO").
2. Install an anti-spam package like MailScanner with SpamAssassin and ClamAV if you really need to use sendmail.
3. If sendmail is not mandatory but you still need email capabilities, I prefer to use Postfix, which is much easier to configure with anti-spamming capabilities. Install Postfix with amavisd, which is also available in the ports collection. The installation is really easy. Just follow the links: -

Postfix installation FreeBSD guide
http://www.onlamp.com/pub/a/bsd/2003/08/21/postfix.html

Postfix with anti-spam for OpenBSD guide
http://www.flakshack.com/anti-spam/

 
LVL 4

Expert Comment

by:frankcheong
One more: -

How to configure Postfix with Cyrus SASL, SSL/TLS and amavis

http://www.freebsdforums.org/forums/showthread.php?s=&threadid=8032&highlight=postfix

Author Comment

by:Squig
Ok, I'll check those options you guys suggested. I temporarily took the machine off the network until I figure out what exactly is going on. When I checked my firewall log to see outgoing connections, there was a lot of traffic going to these IP addresses on port 25. When I looked up the IP addresses on Google, I found a site that says they are Hotmail SMTP servers. But when I trace the IPs through http://www.network-tools.com they go back to the ISP of someone who was trying to gain root access to my machine recently.
 
LVL 61

Accepted Solution

by:gheist
gheist earned 250 total points
Do not trust everything Google says.
If whois "ip.address" is not an option, you can use www.uwhois.com, and make sure *all* your Hotmail outgoing addresses belong to the Microsoft NOC.

!!!Imagine that SOMEONE has backdoored your machine already - you need a new machine now!!!
Have a nice installing party, as no data on your machine can be trusted.
If some data is needed, then extract it with extreme care using the install CD of your system, not anything that runs on the backdoored system.

If you want to track the abuser, you can install some kind of bridge with a firewall (another FreeBSD box, or an OpenBSD one, with two network cards) in front of the backdoored machine while reinstalling it.

Please shut down your "Open Relay" ASAP, using sendmail_enable="NO"; this will still allow local programs to get mail out.
Then get familiar with securing sendmail:
http://www.sendmail.org/tips/relaying.html
And updating your operating system along with the preinstalled sendmail:
http://www.experts-exchange.com/Operating_Systems/FreeBSD/Q_21084480.html
Then consider some alternative mailer which is easier to control than sendmail - Postfix or Exim.

bruno.1132           mc1.bay6.hotmail.smtp      SYN_SENT
This looks like someone is using your server to send spam out to Hotmail, and Hotmail has already blacklisted you....
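Both frankcheong's step 1 and gheist's "sendmail_enable="NO"" advice come down to one rc.conf variable, and two details trip people up: the variable is spelled `sendmail_enable` (frankcheong's `sendmail_enabled` is a typo, so an rc.conf containing only that line changes nothing), and when rc.conf assigns a variable twice the last line wins. The following is an added example, not code from the thread or from FreeBSD: a shell check that reads an rc.conf and reports the effective setting. The rc.conf fragments are constructed, the function names are the example's own, and the fallback default of "YES" when the variable is absent is an assumption based on the FreeBSD 4.x defaults file.

```shell
#!/bin/sh
# Added example, not code from the thread: determine the *effective* value of
# sendmail_enable in an rc.conf, the setting both frankcheong and gheist point
# at. The rc.conf variable is sendmail_enable (not "sendmail_enabled"), and
# when a variable is assigned twice the last line wins, so a stray later
# "YES" silently re-enables the listener.

# Constructed rc.conf fragments (not the asker's real file).
RC_LISTENING='hostname="bruno"
sendmail_enable="YES"   # inbound daemon on port 25
apache_enable="YES"'

RC_FIXED='hostname="bruno"
sendmail_enable="YES"
apache_enable="YES"
sendmail_enable="NO"    # later assignment overrides the earlier YES'

# rc_value VAR DEFAULT: print the effective value of a VAR="value" line read on
# stdin (comment lines and trailing comments ignored, quotes stripped, last
# assignment wins); print DEFAULT when VAR never appears.
rc_value() {
    awk -v var="$1" -v def="$2" '
        /^[ \t]*#/ { next }
        $0 ~ ("^[ \t]*" var "=") {
            line = $0
            sub(/#.*/, "", line)                 # drop trailing comment
            sub("^[ \t]*" var "=", "", line)     # drop the "VAR=" prefix
            gsub(/^[ \t]+|[ \t]+$/, "", line)    # trim whitespace
            gsub(/^"|"$/, "", line)              # strip surrounding quotes
            val = line
        }
        END { print (val == "" ? def : val) }'
}

# sendmail_listener_enabled: exit 0 if the rc.conf on stdin leaves the
# sendmail inbound daemon on. The fallback "YES" is an assumption taken from
# the FreeBSD 4.x /etc/defaults/rc.conf; adjust if your defaults differ.
sendmail_listener_enabled() {
    case $(rc_value sendmail_enable YES) in
        [Nn][Oo]) return 1 ;;
        *)        return 0 ;;
    esac
}

# Usage on the real file: sendmail_listener_enabled < /etc/rc.conf
for rc in "$RC_LISTENING" "$RC_FIXED"; do
    if printf '%s\n' "$rc" | sendmail_listener_enabled; then
        echo "sendmail listener ENABLED"
    else
        echo "sendmail listener disabled"
    fi
done
```

Reading the whole file rather than grepping for the first match is the point of the example: the second fragment still contains `sendmail_enable="YES"`, yet its effective value is `NO` because the later assignment wins, which is how a hand-edited rc.conf can look fixed and still start the listener.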
 
LVL 4

Expert Comment

by:frankcheong
Just want to let you know that www.dnsstuff.com is also a very good site if you need domain-related information and more.