From: Vince Hoffman
To: Kilian Hagemann
Cc: freebsd-questions@freebsd.org
Date: Fri, 20 Jan 2006 11:37:09 +0000 (GMT)
Subject: Re: Haven't been hacked, just prone to man-in-the-middle attacks (WAS: I have been hacked)

On Thu, 19 Jan 2006, Kilian Hagemann wrote:

> Hi guys,
>
> Just to find closure on this thread, I'd like to admit that I jumped to
> conclusions too early and would like to share what had actually happened,
> after many hours wasted playing the detective :-( (glad I didn't
> format/reinstall though)
>
> When I "used" my FreeBSD gateway as an smtp server to convince myself I had
> been hacked, the smtp connection was somehow redirected to one of my
> institution's mail servers (or at least that's what gmail's mail headers are
> saying). Funny enough the same trick no longer works today, but then they're
> currently upgrading lots of stuff around here so that's a different story.
>
> Then when I used ftp to connect to my gateway and it came up with "frox
> transparent proxy", someone had actually intercepted my connection and
> forged/spoofed a reply. I know that because I went to the premises of my box,
> unplugged everything and tried that trick again, successfully, from a
> separate dial-up connection. Hey, nmap even told me my box had ports open
> even though it wasn't even up!
>
> I've never seen anything like this before, but I've notified my ISP. Remains
> to be seen if they do anything about it...
>

Good to know you weren't hacked. I have seen this before for at least one
dialup ISP, redirecting all smtp traffic via their smtp server(s), presumably
to stop spammers. (Confused me back at the time to see an exim banner on what
should be a sendmail server.) Haven't heard about other services having this
kind of "transparent proxy" imposed, but it doesn't surprise me.

Vince

> Anyway, long story short I'm glad I'm still secure and thanks to everyone who
> helped me out and gave me advice.
>
> --
> Kilian Hagemann
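The two symptoms described in this thread (a 220 greeting naming a different host or a different daemon than the one you run, and a greeting that still arrives when the box is known to be unplugged) can be turned into a simple ownership check. The following is an added example, not code from either poster; the hostnames and banners are constructed, and `probe()` is only needed for a live check.

```python
import re
import socket
from typing import Optional

# SMTP and FTP both open with "220 <hostname> ..." (or "220-" for multi-line).
GREETING_RE = re.compile(r"^220[ -](\S+)")


def greeting_host(banner: str) -> Optional[str]:
    """Return the hostname announced in a 220 greeting, or None if absent."""
    m = GREETING_RE.match(banner.strip())
    return m.group(1) if m else None


def classify_banner(banner: str, expected_host: str, expected_software: str) -> str:
    """Classify a greeting received from a host we believe we administer.

    'ok'          - names our host and our daemon (e.g. Sendmail, ftpd)
    'intercepted' - names another host or daemon, or announces a transparent proxy
    'no-greeting' - the connection opened but no 220 line came back
    """
    text = banner.lower()
    host = greeting_host(banner)
    if host is None:
        return "no-greeting"
    if "transparent proxy" in text or "frox" in text:  # the frox case from the thread
        return "intercepted"
    if host.lower() != expected_host.lower():          # exim answering for a sendmail box
        return "intercepted"
    if expected_software.lower() not in text:
        return "intercepted"
    return "ok"


def verdict(banner: Optional[str], expected_host: str, expected_software: str,
            host_should_be_up: bool = True) -> str:
    """Combine the banner check with what we know about the box's state."""
    if not host_should_be_up:
        # Anything answering on behalf of an unplugged machine is not that machine.
        return "intercepted" if banner is not None else "ok"
    if banner is None:
        return "unreachable"
    return classify_banner(banner, expected_host, expected_software)


def probe(host: str, port: int, timeout: float = 5.0) -> Optional[str]:
    """Fetch the first line a TCP service sends; None if nothing connects."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            return s.recv(512).decode("ascii", "replace")
    except OSError:
        return None
```

Run `verdict(probe(host, 25), host, "Sendmail")` from a second network path (as the poster did from a separate dial-up line) and compare with the result from the LAN; a mismatch localises the interception to the path rather than the box.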