hi!

1. Most of the SMB exploits originate from China, Taiwan and Korea. Those attackers use Windows-based SMB exploits, which have no effect on non-Microsoft OSes. That doesn't mean there are no exploits for *nix boxes. ;-)
2. On a Windows box it successfully retrieves the userid/password, and this attack remotely mounts the shared drive on the attacker's box with full access.
3. Don't run Samba on your gateway m/c.
4. Don't access the internet without a proper firewall installation. :-)
5. Turning sshd on doesn't prevent access to your box using SMB protocol exploits.
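As an added illustration of points 3 and 4 above (this is not from any poster in the thread): an smb.conf [global] fragment that keeps Samba off the shared DIAS 61.x.x.x address by binding only to the internal LAN. The interface name eth1 and the 192.168.1.0/24 LAN range are assumptions; adjust them to your box.

```ini
# Added example: smb.conf hardening for a box on a shared ISP subnet.
# Assumed: internal LAN is eth1 / 192.168.1.0/24, ISP side is eth0.
[global]
    workgroup = HOME
    security = user

    # Weak (default) behaviour: listen on every interface, including the
    # DHCP-assigned 61.x.x.x address that every other DIAS user can reach.
    # interfaces =
    # bind interfaces only = no

    # Hardened: bind only to loopback and the internal LAN interface, so the
    # ISP-side address never exposes ports 137-139/445 at all.
    interfaces = lo eth1 192.168.1.0/24
    bind interfaces only = yes

    # Second layer: even if a packet reaches Samba some other way, refuse
    # every client outside the LAN before any authentication happens.
    hosts allow = 127.0.0.1 192.168.1.0/24
    hosts deny = 0.0.0.0/0

    # Never downgrade a failed login to an anonymous guest session.
    map to guest = Never
    guest ok = no

    # Keep logging the failed-connection attempts the thread is seeing,
    # but per client machine instead of cluttering /var/log/messages.
    log file = /var/log/samba/log.%m
    log level = 1

[share]
    path = /srv/share
    valid users = @users
    read only = no
    browseable = yes
```

Run `testparm` to syntax-check the file after editing, then confirm with `netstat -lntp | grep smbd` that smbd is listening only on 127.0.0.1 and the LAN address, not on the 61.x.x.x one.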
[EMAIL PROTECTED] wrote:
> hey!!
> what you said might be the case, but even if i keep my "sshd" on, the same thing
> is happening, as if a group of hosts are trying to connect with random
> username/password and most of them are from china/korea eg. bora.net etc.
> i'll send a snippet of my log files later, for better interpretation...
> ??
> rgds
> somu
>
> GOSSAMER PENGUIN writes:
> >
> > Soumyadip,
> > My idea is that this is not a planned "attack" as such.
> > Since you are using a shared network (dhcp-ed), BSNL is making all its customers a node in its
> > internal (not visible on the internet) 61.*.*.* network, which gets NAT'ed at the end to connect to
> > the internet through a gateway server. I have observed that if SAMBA is running and so configured,
> > then all the machines on the same subnet (ie other DIAS users) running WinXP are able to see your
> > samba drive (folder) as a network drive or folder from "network neighbourhood" etc.
> > I am on descon/reach2net and able to see my neighbours' "shared" drives and/or folders sometimes
> > ??!!@@## from winXP.
> > This makes someone curious / dumb enough to click on this icon in windows -- then windows tries to
> > connect to this "network resource" but is obviously denied permission. Samba by default logs all
> > such failed "read" attempts.
> > This is probably what is happening here - but no one can be 100% sure.
> > Do configure your samba server properly and do use an old redundant PC with something like
> > "coyote linux floppy firewall" for foolproof security.
> > This shall properly separate your internal network from the outside world while retaining an
> > internet connection for all your internal machines simultaneously.
> > What do all you guys think ?
> >
> >> From: Soumyadip Modak <[EMAIL PROTECTED]>
> >> Reply-To: [email protected]
> >> To: [email protected]
> >> Subject: Re: [ilug-cal] /var/log/messages
> >> Date: Sun, 10 Apr 2005 08:42:21 +0530
> >>
> >> On Sat, 2005-04-09 at 06:47 -0600, [EMAIL PROTECTED] wrote:
> >> > i am having a linux box configured with (dhcp-ed) DIAS, and squid, sendmail, samba etc, etc.
> >> > and as usual get an ip in 61.3.118.0 subnet | network --------
> >> >

--
To unsubscribe, send mail to [EMAIL PROTECTED] with the body "unsubscribe ilug-cal" and an empty subject line.
FAQ: http://www.ilug-cal.org/node.php?id=3
