Date:      Sun, 17 Apr 2016 09:07:36 -0400
From:      Ernie Luzar <luzar722@gmail.com>
To:        questions@freebsd.org
Subject:   Security - is my system penetrated?
Message-ID:  <57138A98.4050601@gmail.com>

Hello list;

In this morning's "daily run output" I have these messages which I have 
never seen before.

> Mail in local queue:
> -Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
> 19A8C13CB2     1046 Sat Apr 16 04:02:05  root@dir21
>                 (connect to dir21[198.105.244.228]:25: Network is unreachable)
>                                          root@dir21
> 
> 1BA9913CB7     2928 Sat Apr 16 17:44:14  MAILER-DAEMON
>                 (connect to dir20[198.105.244.228]:25: Network is unreachable)
>                                          root@dir20
> 
> 0FDC013CB1     1106 Sat Apr 16 08:16:04  root@dir21
>                 (connect to dir21[198.105.254.228]:25: Network is unreachable)
>                                          root@dir21
> 
> DF3A513CB4     1046 Sun Apr 17 04:01:14  root@dir21
>                 (connect to dir21[198.105.244.228]:25: Network is unreachable)
>                                          root@dir21
> 
> BB6CE13CBA     1046 Sun Apr 17 04:01:52  root@dir20
>                 (connect to dir20[198.105.254.228]:25: Network is unreachable)
>                                          root@dir20
> 
> 6532F13CA9     2868 Sun Apr 17 04:49:14  MAILER-DAEMON
>                 (connect to dir20[198.105.244.228]:25: Network is unreachable)
>                                          root@dir20
> 
> -- 9 Kbytes in 6 Requests.

To me this looks like received inbound mail trying to communicate with my 
jails. This is why I think my system has been penetrated.

This system has only been running 4 days now. I installed 10.3 from 
scratch. sendmail is turned off and I am running postfix. Port 25 is blocked 
in the ipf firewall. I run fetchmail against my domain mail service provided 
by my domain registrar. dir20 and dir21 are jails which only became 
active on Apr 15 around 9am. I have 4 XP systems and one Win7 system on the LAN 
behind the host.

I cannot see how an outsider could know about the jails without having 
admin authority to the host system.

Could one of the LAN boxes be infected in such a way as to allow remote 
user to access the host FBSD system?

I know that I can delete those queued postfix emails, but is there a way 
to read them from the host instead?

I would like suggestions on ways to investigate and determine what is happening.

Thanks for your help



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?57138A98.4050601>
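Added example, not part of the original post or of any reply on the list: a POSIX shell script that parses the "Mail in local queue" listing quoted above (a constructed copy with the ">" quote marks removed is embedded inline, queue IDs and addresses exactly as shown), reports which queued messages have a "local" recipient host that resolved to an address outside loopback and RFC 1918 space, and prints the postcat(1) commands that read each message on the host without delivering or deleting it. The parser assumes the default layout of Postfix mailq / postqueue -p output (queue-ID line followed by the deferral reason in parentheses); the hostnames dir20 and dir21 and the two 198.105.x.228 addresses come from the post, and the script makes no claim about what those addresses are.

```shell
#!/bin/sh
# Added example (not from the original post): parse the "Mail in local queue"
# listing that periodic(8) daily output printed, flag queued messages whose
# destination host resolved to a public address, and print the postcat(1)
# commands that read each message on the host without delivering it.

# Constructed copy of the listing quoted in the post, ">" quote marks removed.
QUEUE_LISTING='-Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
19A8C13CB2     1046 Sat Apr 16 04:02:05  root@dir21
                (connect to dir21[198.105.244.228]:25: Network is unreachable)
                                         root@dir21

1BA9913CB7     2928 Sat Apr 16 17:44:14  MAILER-DAEMON
                (connect to dir20[198.105.244.228]:25: Network is unreachable)
                                         root@dir20

0FDC013CB1     1106 Sat Apr 16 08:16:04  root@dir21
                (connect to dir21[198.105.254.228]:25: Network is unreachable)
                                         root@dir21

DF3A513CB4     1046 Sun Apr 17 04:01:14  root@dir21
                (connect to dir21[198.105.244.228]:25: Network is unreachable)
                                         root@dir21

BB6CE13CBA     1046 Sun Apr 17 04:01:52  root@dir20
                (connect to dir20[198.105.254.228]:25: Network is unreachable)
                                         root@dir20

6532F13CA9     2868 Sun Apr 17 04:49:14  MAILER-DAEMON
                (connect to dir20[198.105.244.228]:25: Network is unreachable)
                                         root@dir20

-- 9 Kbytes in 6 Requests.'

# Emit one line per queued message: "queue-id sender dest-host dest-ip".
# The queue-ID line looks like "ID  SIZE  DAY MON DD HH:MM:SS  SENDER"
# (an active message carries a "*" after the ID, a held one "!"); the next
# line carries the deferral reason "(connect to HOST[IP]:25: ...)".
parse_queue() {
    printf '%s\n' "$QUEUE_LISTING" | awk '
        /^[0-9A-F]+[*!]? +[0-9]+ / { id = $1; sender = $NF }
        /\(connect to / {
            s = $0
            sub(/.*\(connect to /, "", s)   # -> "dir21[198.105.244.228]:25: ..."
            s = substr(s, 1, index(s, "]") - 1)   # -> "dir21[198.105.244.228"
            n = index(s, "[")
            print id, sender, substr(s, 1, n - 1), substr(s, n + 1)
        }'
}

# True for loopback and RFC 1918 addresses, i.e. anything the name of a
# LAN-side jail should have resolved to.
is_private_ip() {
    case "$1" in
        127.*|10.*|192.168.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# Number of queued messages whose "local" recipient host resolved to a
# public address: the symptom the post is asking about.
count_public_destinations() {
    parse_queue | while read -r id sender host ip; do
        is_private_ip "$ip" || echo "$id"
    done | wc -l | tr -d ' '
}

# Commands to read each queued message (headers and body) on the host.
# postcat -q takes the queue ID and changes nothing; postsuper -d would delete.
inspect_commands() {
    parse_queue | while read -r id sender host ip; do
        echo "postcat -q $id    # from $sender, deferred to $host[$ip]"
    done
}

parse_queue
echo "messages whose local destination resolved to a public address: $(count_public_destinations)"
inspect_commands
```

Run it as-is to see the parsed table and the postcat commands; on the affected host, replace QUEUE_LISTING with the live output of postqueue -p (the same thing mailq prints) and run the printed postcat -q commands as root to read the queued mail before deciding whether to delete it with postsuper -d. A recipient such as root@dir21 that Postfix tried to deliver to a public address rather than to the local jail is the detail worth tracing next, starting with how the host and the jails resolve the bare names dir20 and dir21.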