BeagleBone Black img sends Email automatically on port 25

P. S. the IP address of the board is 192.168.1.14

The module is BeagleBone Black with serial number 3914BBBK2833.
Effectively it is a strange behaviour. It seems like a virus.


Wireshark Beaglebone Black.pcapng (2,5 MB)
These files are Wireshark captures on TCP port

okay, module = beaglebone black, here i thought it was something else you plugged in…

nc localhost -v 25

Regards,

But I think it is an SMTP server, not a client. It cannot send Email

With Nmap I can see port 25 open ssh

i’m checking the image, console, iot or xfce?

Regards,

Sorry, earlier I confused port 25 with port 22
The only port open is 22 ssh

Correct 22 is open, for ssh access…

So is port 25 sending emails by default, and which image, so i can disable/kill it…

Regards,

Is that out of the box image?

Was your board locked down before/while connected to the internet?

That would not be an issue locally, make sure your gateway is blocking 22 inbound from the internet.

How can I disable/Kill port 25 ?

At this point, pull the board from your network.

Are you in the Netherlands?

% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See https://apps.db.ripe.net/docs/HTML-Terms-And-Conditions

% Note: this output has been filtered.
%       To receive output for a database update, use the "-B" flag.

% Information related to '185.183.33.0 - 185.183.33.255'

% Abuse contact for '185.183.33.0 - 185.183.33.255' is 'abuse@worldstream.nl'

inetnum:        185.183.33.0 - 185.183.33.255
netname:        WORLDSTREAM
country:        NL
admin-c:        WS1670-RIPE
tech-c:         WS1670-RIPE
status:         ASSIGNED PA
mnt-by:         MNT-WORLDSTREAM
mnt-domains:    MNT-WORLDSTREAM
mnt-routes:     MNT-WORLDSTREAM
created:        2019-02-05T09:20:16Z
last-modified:  2019-02-05T09:20:16Z
source:         RIPE # Filtered

role:           WORLDSTREAM DBM
address:        Industriestraat 24
address:        2671CT NAALDWIJK
address:        The Netherlands
phone:          +31174712117
abuse-mailbox:  abuse@worldstream.nl
admin-c:        DV1495-RIPE
tech-c:         DV1495-RIPE
nic-hdl:        WS1670-RIPE
mnt-by:         MNT-WORLDSTREAM
created:        2008-05-15T09:52:38Z
last-modified:  2013-08-20T11:17:59Z
source:         RIPE # Filtered

% Information related to '185.183.33.0/24AS49981'

route:          185.183.33.0/24
origin:         AS49981
remarks:        ------------------------------------------------
remarks:        Abuse notifications to: abuse@worldstream.nl
remarks:        ------------------------------------------------
mnt-by:         MNT-WORLDSTREAM
created:        2022-11-22T09:53:05Z
last-modified:  2022-11-22T09:53:05Z
source:         RIPE

After pulling the board continue PCAP and see what else is going on.

ufw… UncomplicatedFirewall - Ubuntu Wiki

but still an out of box image should not be sending emails over port 25, please let us know exactly what image it was… File name…

Regards,

Tomorrow I'll repeat flashing the image and write you the result

AM335x 11.7 2023-09-02 4GB microSD IoT
Debian image for BeagleBone Black using external microSD

Kernel: 5.10.168-ti-r71
U-Boot: v2022.04
default username:password is [debian:temppwd]
For flashing instructions or other images, see Debian 11.x (Bullseye) - Monthly Snapshot - 2023-10-07

okay, downloading and testing: https://rcn-ee.net/rootfs/release/2023-09-02/bullseye-iot-armhf/am335x-debian-11.7-iot-armhf-2023-09-02-4gb.img.xz

Regards,

I uploaded and tested this morning
https://rcn-ee.net/rootfs/release/2023-09-02/bullseye-iot-armhf/am335x-debian-11.7-iot-armhf-2023-09-02-4gb.img.xz

I edited the file
beaglebone:/etc/network/interfaces

# The primary network interface

car eth0
iface eth0 inet static
address 192.168.1.14
netmask 255.255.255.0
gateway 192.168.1.4

to have static IP

Unfortunately, everything is as before

I will now try to buy a new BeagleBone Black and repeat all the tests

Regards

car eth0 is
auto eth0

Please share your test, a new board isn’t going to change anything, the image has the defaults

debian@BeagleBone:~$ cat /etc/dogtag 
BeagleBoard.org Debian Bullseye IoT Image 2023-09-02
debian@BeagleBone:~$ netstat -lntu
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 127.0.0.1:2947          0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:5355            0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN     
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN     
tcp6       0      0 ::1:2947                :::*                    LISTEN     
tcp6       0      0 :::5355                 :::*                    LISTEN     
tcp6       0      0 :::80                   :::*                    LISTEN     
tcp6       0      0 :::22                   :::*                    LISTEN     
udp        0      0 0.0.0.0:5353            0.0.0.0:*                          
udp        0      0 0.0.0.0:5355            0.0.0.0:*                          
udp        0      0 127.0.0.53:53           0.0.0.0:*                          
udp        0      0 192.168.3.206:68        0.0.0.0:*                          
udp        0      0 0.0.0.0:43855           0.0.0.0:*                          
udp6       0      0 :::5353                 :::*                               
udp6       0      0 :::5355                 :::*                               
udp6       0      0 :::46439                :::*

now having fun with tshark, how to filter ARP 60… (ssh i’m ssh’ed in…)

sudo tshark -i eth0 not port 22

ps, probably going to add tshark to default install…

Update, running for…

debian@BeagleBone:~$ uptime -p
up 2 hours, 22 minutes

no traffic over port 25… i think you have a bigger problem ‘inside’ your network from something else… (at least change the default debian password and root password)

Regards,

I think you’re right.
In fact we found that the IP 192.168.1.14 is already online, intermittently. I didn’t have time today to find out who it is but I’ll find out on Monday morning.
Thanks
I’ll let you know
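A defender's check for the situation the thread ends on (another host intermittently answering as 192.168.1.14): an added example, not code from the thread or from BeagleBoard.org, that parses a capture with the Python standard library and lists which MAC addresses send port-25 SYNs while claiming the board's IP. It assumes the capture is exported as classic pcap (the attached file is pcapng, which this reader deliberately rejects) and that the board's own MAC is known from `ip link show eth0`; the sample capture, MACs and 203.0.113.x addresses are constructed.

```python
import struct
from collections import defaultdict
BOARD_IP = "192.168.1.14"   # the board's static address from the thread
SMTP_PORT = 25

def frame(src_mac, src_ip, dst_ip, dport, flags=0x02):  # constructed sample frame only
    eth = b"\xff" * 6 + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 1, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return eth + ip + tcp

def pcap_bytes(frames):  # classic little-endian libpcap file, link type 1 = Ethernet
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, f in enumerate(frames):
        out += struct.pack("<IIII", ts, 0, len(f), len(f)) + f
    return out

def read_pcap(data):
    """Yield raw frames from a classic pcap; pcapng (Wireshark's default) must be exported first."""
    if struct.unpack("<I", data[:4])[0] != 0xA1B2C3D4:
        raise ValueError("expected little-endian classic pcap (File > Save As > pcap in Wireshark)")
    off = 24
    while off + 16 <= len(data):
        caplen = struct.unpack("<IIII", data[off:off + 16])[2]
        yield data[off + 16:off + 16 + caplen]
        off += 16 + caplen

def smtp_syns_by_mac(data):
    """Count TCP SYNs to port 25 sent with BOARD_IP as source, keyed by the sending MAC."""
    seen = defaultdict(int)
    for f in read_pcap(data):
        if len(f) < 54 or f[12:14] != b"\x08\x00" or f[23] != 6:
            continue                                    # not IPv4-over-Ethernet carrying TCP
        tcp = f[14 + (f[14] & 0x0F) * 4:]               # skip the IP header (IHL in 32-bit words)
        src_ip = ".".join(str(b) for b in f[26:30])
        dport = struct.unpack("!H", tcp[2:4])[0]
        if src_ip == BOARD_IP and dport == SMTP_PORT and (tcp[13] & 0x12) == 0x02:
            seen[f[6:12].hex(":")] += 1                 # Ethernet source MAC
    return dict(seen)

def foreign_smtp_senders(data, board_mac):  # MACs other than the board's using its IP for SMTP
    return {mac for mac in smtp_syns_by_mac(data) if mac != board_mac.lower()}

# Constructed sample: the board (…:01) only talks HTTPS; an unknown host (…:02) also claims its IP.
SAMPLE = pcap_bytes([
    frame("02:00:00:00:00:01", BOARD_IP, "203.0.113.5", 443),
    frame("02:00:00:00:00:02", BOARD_IP, "203.0.113.5", 25),
    frame("02:00:00:00:00:02", BOARD_IP, "203.0.113.5", 25, flags=0x10),  # ACK only, not counted
])
```

If `foreign_smtp_senders` returns a non-empty set, the port-25 traffic is coming from a different NIC than the board's, i.e. an address conflict on the LAN rather than anything in the BeagleBoard image.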