strange log "log.devil"

Paul Civati paul at xciv.org
Thu Feb 21 10:16:45 GMT 2002


David Foulis <dbfpyro at gmx.net> wrote:

>  log.devil
>  
>  [2002/01/16 01:17:08, 1] smbd/service.c:make_connection(550) devil
>  (213.3.192.197) connect to service colani as user nobody (uid=65534,
>  gid=65534) (pid 751)
>   [2002/01/16 01:19:09, 1] smbd/service.c:close_cnum(583) devil
>  (213.3.192.197) closed connection to service colani

This address (213.3.192.197) connected to the service 'colani' for
about 2 minutes as the 'guest' user.  I expect 'devil' was the
WINS computer name being used by the connecting host.

>  The IP from host "devil", 213.3.192.197, is an internet number.

% whois -h whois.ripe.net 213.3.192.197
% This is the RIPE Whois server.
% The objects are in RPSL format.
% Please visit http://www.ripe.net/rpsl for more information.
% Rights restricted by copyright.
% See http://www.ripe.net/ripencc/pub-services/db/copyright.html

inetnum:      213.3.128.0 - 213.3.255.255
netname:      BLUEWINNET
descr:        Bluewin is an internet service provider in CH.
country:      CH
admin-c:      PZ1009-RIPE
tech-c:       AM1626-RIPE
tech-c:       MR1192-RIPE
rev-srv:      dns1.bluewin.ch
rev-srv:      dns2.bluewin.ch
rev-srv:      dns3.bluewin.ch
status:       ASSIGNED PA
remarks:      In case of hack attacks, spam, scans etc. please
remarks:      send abuse notifications to hostmaster at bluewin.ch
[...]

> Is it possible that "devil" would have been trying to enter a windows
> computer generally?

Hard to say what their motivation could be, but one could assume that they
might have been scanning IP blocks for open shares and/or old versions of
Samba daemons that are vulnerable to remotely exploitable root security
holes.

> and then with my system of course was answered by samba and did or did
> not get in.

They connected as the 'guest' user which I think means they would have
had read-only access to that share.

>  I also am not sure if he did get in or just tried the passwords?

Looks like he connected as 'guest', which is the userid that can be
accessed if they do not have a valid login/password; it depends on how
your Samba is configured though.

> Or is the whole thing a misinterpretation by me and "devil" is some
> kind of program daemon?

I expect 'devil' was their WINS computer name.

-Paul-
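The reading Paul gives above (a pair of make_connection/close_cnum lines, the guest uid, and a whois check on the address) can be turned into a small log triage script. The following is an added example, not code from the thread or from Samba; the sample log is constructed and assumes the classic smbd layout where the "[date, level] file:func(line)" header sits on one line and the message on an indented continuation line (the quoted mail seems to have joined the two). It pairs each connect with its close, computes the session length, and flags guest sessions (uid 65534, as in the quoted log) coming from a globally routable address, which is the case the thread is about.

```python
import re
from datetime import datetime
from ipaddress import ip_address

# Constructed sample, modelled on the smbd level-1 log quoted in the thread.
# A second session from a private address and a real account is added for contrast.
SAMPLE_LOG = """\
[2002/01/16 01:17:08, 1] smbd/service.c:make_connection(550)
  devil (213.3.192.197) connect to service colani as user nobody (uid=65534, gid=65534) (pid 751)
[2002/01/16 01:19:09, 1] smbd/service.c:close_cnum(583)
  devil (213.3.192.197) closed connection to service colani
[2002/01/16 02:00:00, 1] smbd/service.c:make_connection(550)
  pc1 (192.168.1.5) connect to service colani as user alice (uid=1001, gid=1001) (pid 760)
[2002/01/16 02:05:30, 1] smbd/service.c:close_cnum(583)
  pc1 (192.168.1.5) closed connection to service colani
"""

# Header line: "[YYYY/MM/DD HH:MM:SS, level] file:function(line)"
HEADER_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), (?P<level>\d+)\] (?P<where>\S+)$"
)
CONNECT_RE = re.compile(
    r"(?P<host>\S+) \((?P<ip>[\d.]+)\) connect to service (?P<service>\S+) "
    r"as user (?P<user>\S+) \(uid=(?P<uid>\d+), gid=(?P<gid>\d+)\) \(pid (?P<pid>\d+)\)"
)
CLOSE_RE = re.compile(
    r"(?P<host>\S+) \((?P<ip>[\d.]+)\) closed connection to service (?P<service>\S+)"
)

GUEST_UID = 65534  # uid of 'nobody' in the quoted log (assumption: same mapping on your box)


def records(log_text):
    """Yield (timestamp, message) pairs, joining indented continuation lines to their header."""
    ts, msg = None, []
    for line in log_text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            if ts is not None:
                yield ts, " ".join(msg)
            ts, msg = datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"), []
        elif ts is not None:
            msg.append(line.strip())
    if ts is not None:
        yield ts, " ".join(msg)


def sessions(log_text):
    """Pair each make_connection with the matching close_cnum; one dict per session."""
    open_conns, done = {}, []
    for ts, msg in records(log_text):
        m = CONNECT_RE.search(msg)
        if m:
            key = (m["host"], m["ip"], m["service"])
            open_conns[key] = {
                "host": m["host"], "ip": m["ip"], "service": m["service"],
                "user": m["user"], "uid": int(m["uid"]), "pid": int(m["pid"]),
                "start": ts, "end": None,
            }
            continue
        m = CLOSE_RE.search(msg)
        if m:
            s = open_conns.pop((m["host"], m["ip"], m["service"]), None)
            if s:
                s["end"] = ts
                done.append(s)
    done.extend(open_conns.values())  # connections still open at the end of the log
    for s in done:
        s["duration_s"] = (s["end"] - s["start"]).total_seconds() if s["end"] else None
        s["guest"] = s["uid"] == GUEST_UID
        # is_global excludes RFC 1918, loopback, link-local and other reserved ranges
        s["external"] = ip_address(s["ip"]).is_global
    return done


def guest_from_internet(log_text):
    """Sessions worth a second look: guest access from a globally routable address."""
    return [s for s in sessions(log_text) if s["guest"] and s["external"]]


if __name__ == "__main__":
    for s in guest_from_internet(SAMPLE_LOG):
        print(f"{s['start']} {s['host']} ({s['ip']}) -> {s['service']} "
              f"as {s['user']} for {s['duration_s']:.0f}s")
```

Run against a real log.* file the only line it should print for the quoted data is the 'devil' session (121 seconds, guest, external); the 'alice' session from 192.168.1.5 is kept in the session list but not flagged. Whether a flagged guest session could read anything still depends on the share's guest settings in smb.conf, as Paul notes.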