strange log "log.devil"
David Foulis
dbfpyro at gmx.net
Thu Feb 21 00:18:01 GMT 2002
A possible attempt to break into my computer.

I have been watching my log files on my FreeBSD firewall computer and found the following entry, which was saved as "log.devil". But at that time my Windows computer (I have only one Windows host + 3 running FreeBSD with Samba) was called dbfwin1 and had local IP 192.168.1.3. Now it is called winnet1, local IP 172.22.222.130. Therefore I have the following Samba logs in /var/log: log.dbfwin1 and log.winnet1.

Then I saw log.devil and log.(blank) (only log dot).

Then I had the firewall rules set to completely open and was writing the ipf.rules which now apply. I also had (by setting Samba with WEBMIN) all hosts allow / no hosts deny.
log.devil

[2002/01/16 01:17:08, 1] smbd/service.c:make_connection(550) devil (213.3.192.197) connect to service colani as user nobody (uid=65534, gid=65534) (pid 751)
[2002/01/16 01:19:09, 1] smbd/service.c:close_cnum(583) devil (213.3.192.197) closed connection to service colani

log.

[2002/01/16 01:45:46, 0] lib/util_sock.c:read_socket_data(480)
read_socket_data: recv failure for 4. Error = No route to host
Example of:

log.dbfwin1 (before)

[2002/01/03 00:48:42, 1] smbd/service.c:make_connection(550) dbfwin1 (192.168.1.3) connect to service colani as user nobody (uid=65534, gid=65534) (pid 1062)
[2002/01/03 01:31:33, 1] smbd/service.c:close_cnum(583) dbfwin1 (192.168.1.3) closed connection to service colani

log.dbfwin1 (then it was set wrongly by me, "get host by name")

Gethostbyaddr failed for 192.168.1.3
[2002/01/15 04:27:37, 1] smbd/service.c:make_connection(550) dbfwin1 (192.168.1.3) connect to service colani as user nobody (uid=65534, gid=65534) (pid 261)
[2002/01/15 05:30:10, 1] smbd/service.c:close_cnum(583) dbfwin1 (192.168.1.3) closed connection to service colani
[2002/01/16 05:20:36, 1] lib/util_sock.c:client_name(1010)
Gethostbyaddr failed for 192.168.1.3
[2002/01/16 05:20:36, 1] smbd/service.c:make_connection(550) dbfwin1 (192.168.1.3) connect to service colani as user nobody (uid=65534, gid=65534) (pid 261)
[2002/01/16 05:36:35, 1] smbd/service.c:close_cnum(583) dbfwin1 (192.168.1.3) closed connection to service colani
[2002/01/16 05:43:51, 1] lib/util_sock.c:client_name(1010)
Gethostbyaddr failed for 192.168.1.3
[2002/01/16 05:43:51, 1] smbd/service.c:make_connection(550) dbfwin1 (192.168.1.3) connect to service colani as user nobody (uid=65534, gid=65534) (pid 251)
[2002/01/16 05:50:51, 1] smbd/service.c:close_cnum(583) dbfwin1 (192.168.1.3) closed connection to service colani
[2002/01/16 06:26:06, 1] lib/util_sock.c:client_name(1010)
This error from Samba (obviously set up wrong by me) carried on till the following:

Gethostbyaddr failed for 192.168.1.3
[2002/01/17 02:32:11, 1] smbd/service.c:make_connection(550) dbfwin1 (192.168.1.3) connect to service colani as user nobody (uid=65534, gid=65534) (pid 358)
[2002/01/17 06:41:26, 1] smbd/service.c:close_cnum(583) dbfwin1 (192.168.1.3) closed connection to service colani
[2002/01/17 06:58:53, 1] smbd/service.c:make_connection(550) dbfwin1 (192.168.1.3) connect to service colani as user nobody (uid=65534, gid=65534) (pid 270)
[2002/01/17 08:21:47, 1] smbd/service.c:close_cnum(583) dbfwin1 (192.168.1.3) closed connection to service colani
Now I have Samba set to only allow 172.22.222.130 (winnet1) and have written a set of rules for ipf, so it should be OK now.

The IP of host "devil", 213.3.192.197, is an internet number.

Is it possible that "devil" was trying to enter a Windows computer generally, and then with my system was of course answered by Samba, and did or did not get in? I am also not sure if he did get in or just tried the passwords. Or is the whole thing a misinterpretation by me and "devil" is some kind of program daemon?

As I'm just learning about the security side of things I'd be pleased if someone gave an opinion of my analysis of the situation.
Dave
--
David B Foulis
DBF-PYROTECHNIK
Switzerland
dbfpyro at gmx.net
0041 52 720 89 59
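The check the post is asking for, as an added example that is not part of the original mail: a small Python script that parses smbd make_connection/close_cnum entries like the ones quoted above, pairs each connect with its close, and flags sessions whose source address lies outside the admin's own networks. The trusted list (the two LAN ranges named in the post) is an assumption, and the sample log is constructed from the entries quoted above with the wrapped lines re-joined.

```python
import ipaddress
import re
from datetime import datetime

# Samba 2.x smbd log lines, one entry per line (format as in the post above).
CONNECT_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), (?P<level>\d+)\] "
    r"smbd/service\.c:make_connection\(\d+\) (?P<host>\S+) \((?P<ip>[\d.]+)\) "
    r"connect to service (?P<service>\S+) as user (?P<user>\S+) "
    r"\(uid=(?P<uid>\d+), gid=(?P<gid>\d+)\) \(pid (?P<pid>\d+)\)$"
)
CLOSE_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), (?P<level>\d+)\] "
    r"smbd/service\.c:close_cnum\(\d+\) (?P<host>\S+) \((?P<ip>[\d.]+)\) "
    r"closed connection to service (?P<service>\S+)$"
)
TS_FMT = "%Y/%m/%d %H:%M:%S"

# Networks this admin considers his own (assumption: the two LAN ranges
# mentioned in the post). Anything outside them is treated as "internet".
TRUSTED_NETWORKS = [
    ipaddress.ip_network("192.168.1.0/24"),
    ipaddress.ip_network("172.22.222.0/24"),
]

# Constructed sample: the entries from the post, re-joined onto single lines,
# plus two unrelated lines that the parser has to ignore.
SAMPLE_LOG = """\
[2002/01/03 00:48:42, 1] smbd/service.c:make_connection(550) dbfwin1 (192.168.1.3) connect to service colani as user nobody (uid=65534, gid=65534) (pid 1062)
[2002/01/03 01:31:33, 1] smbd/service.c:close_cnum(583) dbfwin1 (192.168.1.3) closed connection to service colani
[2002/01/16 01:17:08, 1] smbd/service.c:make_connection(550) devil (213.3.192.197) connect to service colani as user nobody (uid=65534, gid=65534) (pid 751)
[2002/01/16 01:19:09, 1] smbd/service.c:close_cnum(583) devil (213.3.192.197) closed connection to service colani
[2002/01/16 01:45:46, 0] lib/util_sock.c:read_socket_data(480)
read_socket_data: recv failure for 4. Error = No route to host
"""


def parse_events(lines):
    """Yield ("connect"|"close", fields) for smbd share connect/close lines."""
    for line in lines:
        line = line.strip()
        m = CONNECT_RE.match(line)
        if m:
            yield "connect", m.groupdict()
            continue
        m = CLOSE_RE.match(line)
        if m:
            yield "close", m.groupdict()


def is_external(ip, trusted_networks):
    """True when the address lies outside every trusted network."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in trusted_networks)


def review_sessions(lines, trusted_networks=TRUSTED_NETWORKS):
    """Pair each connect with its close and summarise the session.

    Sessions still open at the end of the log get duration None.
    """
    open_sessions = {}   # (host, ip, service) -> (start time, connect fields)
    sessions = []

    def summary(fields, start, end):
        return {
            "host": fields["host"],
            "ip": fields["ip"],
            "service": fields["service"],
            "user": fields["user"],
            "pid": int(fields["pid"]),
            "duration_s": (end - start).total_seconds() if end else None,
            "external": is_external(fields["ip"], trusted_networks),
        }

    for kind, f in parse_events(lines):
        key = (f["host"], f["ip"], f["service"])
        ts = datetime.strptime(f["ts"], TS_FMT)
        if kind == "connect":
            open_sessions[key] = (ts, f)
        elif key in open_sessions:
            start, cf = open_sessions.pop(key)
            sessions.append(summary(cf, start, ts))
    for start, cf in open_sessions.values():
        sessions.append(summary(cf, start, None))
    return sessions


if __name__ == "__main__":
    for s in review_sessions(SAMPLE_LOG.splitlines()):
        flag = "EXTERNAL" if s["external"] else "lan"
        print(f"{flag:8} {s['host']:8} {s['ip']:16} {s['service']} as {s['user']} "
              f"for {s['duration_s']}s")
```

A make_connection line records that smbd accepted a connection to the share; it does not show which passwords, if any, were tried beforehand, so the script reports only what the log supports: source address, share, the Unix user the share was served as, and how long the session lasted. To run it over the real files, pass `open("/var/log/log.devil")` (or any of the log.* files) to `review_sessions` in place of the constructed sample.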