strange log "log.devil"

David Foulis dbfpyro at gmx.net
Thu Feb 21 00:18:01 GMT 2002


 A possible attempt to break into my computer.
 
 I have been watching my log files on my FreeBSD firewall computer and found the following entry, which was saved as "log.devil". But at that time my Windows computer (I have only one Windows host + 3 running FreeBSD with Samba) was called dbfwin1 and had local IP 192.168.1.3.
 
 Now it is called winnet1 with local IP 172.22.222.130.
 
 Therefore I have the following Samba logs in /var/log: log.dbfwin1 and log.winnet1.
 
 Then I saw log.devil and log.(blank) (only log dot).
 
 Then I had the firewall rules set to completely open and was writing the ipf.rules which now apply.
 I also had (by setting Samba with WEBMIN) all hosts allow / no hosts deny.
 
 
 log.devil
 
 [2002/01/16 01:17:08, 1] smbd/service.c:make_connection(550) devil (213.3.192.197) connect to service colani as user nobody (uid=65534, gid=65534) (pid 751)
 [2002/01/16 01:19:09, 1] smbd/service.c:close_cnum(583) devil (213.3.192.197) closed connection to service colani
 
 log.
 
 [2002/01/16 01:45:46, 0] lib/util_sock.c:read_socket_data(480)
 read_socket_data: recv failure for 4. Error = No route to host
 
 example of:
 log.dbfwin1 (before)
 
 [2002/01/03 00:48:42, 1] smbd/service.c:make_connection(550) dbfwin1 (192.168.1.3) connect to service colani as user nobody (uid=65534, gid=65534) (pid 1062)
 [2002/01/03 01:31:33, 1] smbd/service.c:close_cnum(583) dbfwin1 (192.168.1.3) closed connection to service colani
 log.dbfwin1 (then it was set wrongly by me "get host by name")
 Gethostbyaddr failed for 192.168.1.3
 [2002/01/15 04:27:37, 1] smbd/service.c:make_connection(550) dbfwin1 (192.168.1.3) connect to service colani as user nobody (uid=65534, gid=65534) (pid 261)
 [2002/01/15 05:30:10, 1] smbd/service.c:close_cnum(583) dbfwin1 (192.168.1.3) closed connection to service colani
 [2002/01/16 05:20:36, 1] lib/util_sock.c:client_name(1010)
 Gethostbyaddr failed for 192.168.1.3
 [2002/01/16 05:20:36, 1] smbd/service.c:make_connection(550) dbfwin1 (192.168.1.3) connect to service colani as user nobody (uid=65534, gid=65534) (pid 261)
 [2002/01/16 05:36:35, 1] smbd/service.c:close_cnum(583) dbfwin1 (192.168.1.3) closed connection to service colani
 [2002/01/16 05:43:51, 1] lib/util_sock.c:client_name(1010)
 Gethostbyaddr failed for 192.168.1.3
 [2002/01/16 05:43:51, 1] smbd/service.c:make_connection(550) dbfwin1 (192.168.1.3) connect to service colani as user nobody (uid=65534, gid=65534) (pid 251)
 [2002/01/16 05:50:51, 1] smbd/service.c:close_cnum(583) dbfwin1 (192.168.1.3) closed connection to service colani
 [2002/01/16 06:26:06, 1] lib/util_sock.c:client_name(1010)
 
 This error from Samba (obviously set up wrong by me) carried on till the following:
 
 Gethostbyaddr failed for 192.168.1.3
 [2002/01/17 02:32:11, 1] smbd/service.c:make_connection(550) dbfwin1 (192.168.1.3) connect to service colani as user nobody (uid=65534, gid=65534) (pid 358)
 [2002/01/17 06:41:26, 1] smbd/service.c:close_cnum(583) dbfwin1 (192.168.1.3) closed connection to service colani
 [2002/01/17 06:58:53, 1] smbd/service.c:make_connection(550) dbfwin1 (192.168.1.3) connect to service colani as user nobody (uid=65534, gid=65534) (pid 270)
 [2002/01/17 08:21:47, 1] smbd/service.c:close_cnum(583) dbfwin1 (192.168.1.3) closed connection to service colani
 
 
 Now I have Samba set to only allow 172.22.222.130 (winnet1) and have written a set of rules for ipf, so it should be ok now.
 
 The IP from host "devil", 213.3.192.197, is an internet number.
 Is it possible that "devil" would have been trying to enter a Windows computer generally, and then with my system of course was answered by Samba and did or did not get in?
 
 I also am not sure if he did get in or just tried the passwords?
 Or is the whole thing a misinterpretation by me and "devil" is some kind of program daemon?
 As I'm just learning about the security side of things I'd be pleased if someone gave an opinion of my analysis of the situation.
 
 Dave
 


-- 
David B Foulis
DBF-PYROTECHNIK
Switzerland
dbfpyro at gmx.net
0041 52 720 89 59
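As an added example (not part of Dave's post and not Samba's own code), a small Python script that parses smbd entries of the form quoted above and reports share connections from client addresses that are neither on a configured allow-list nor RFC1918 private, pairing each make_connection with its close_cnum to give the session length. It assumes each entry sits on one line, as it does in the mail, and the sample input is constructed from the four entries quoted there.

```python
import ipaddress
import re
from datetime import datetime

# Constructed sample: the four smbd entries quoted in the post, one entry per line.
SAMPLE_LOG = """\
[2002/01/16 01:17:08, 1] smbd/service.c:make_connection(550) devil (213.3.192.197) connect to service colani as user nobody (uid=65534, gid=65534) (pid 751)
[2002/01/16 01:19:09, 1] smbd/service.c:close_cnum(583) devil (213.3.192.197) closed connection to service colani
[2002/01/16 05:20:36, 1] smbd/service.c:make_connection(550) dbfwin1 (192.168.1.3) connect to service colani as user nobody (uid=65534, gid=65534) (pid 261)
[2002/01/16 05:36:35, 1] smbd/service.c:close_cnum(583) dbfwin1 (192.168.1.3) closed connection to service colani
"""

# "[date time, level] file:function(line) host (ip) <connect ...|closed ...>"
ENTRY_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d), \d+\] \S+:(?P<func>make_connection|close_cnum)\(\d+\) "
    r"(?P<host>\S+) \((?P<ip>[\d.]+)\) "
    r"(?:connect to service (?P<svc>\S+) as user (?P<user>\S+)|closed connection to service (?P<svc2>\S+))")

def parse_events(text):
    """Turn make_connection/close_cnum lines into event dicts; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            events.append({
                "ts": datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"),
                "kind": "connect" if m["func"] == "make_connection" else "close",
                "host": m["host"], "ip": ipaddress.ip_address(m["ip"]),
                "service": m["svc"] or m["svc2"], "user": m["user"]})
    return events

def flag_foreign_sessions(events, allowed):
    """Report share connections from clients that are neither on the allow-list nor
    RFC1918 addresses; session length is filled in once the matching close is seen."""
    allowed = {ipaddress.ip_address(a) for a in allowed}
    findings, pending = [], {}
    for ev in events:
        if ev["ip"] in allowed or ev["ip"].is_private:
            continue  # expected LAN client, nothing to report
        key = (ev["host"], ev["ip"], ev["service"])
        if ev["kind"] == "connect":
            f = {"host": ev["host"], "ip": str(ev["ip"]), "service": ev["service"],
                 "user": ev["user"], "connected": ev["ts"], "seconds": None}
            findings.append(f)
            pending[key] = f
        elif key in pending:  # a close with no earlier connect is left unpaired
            f = pending.pop(key)
            f["seconds"] = (ev["ts"] - f["connected"]).total_seconds()
    return findings
```

Run against the sample with `["172.22.222.130"]` as the allow-list it reports only the devil session (share colani as nobody, 121 seconds); the dbfwin1 entries are skipped as RFC1918 traffic.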





