strange log "log.devil"
Paul Civati
paul at xciv.org
Thu Feb 21 10:16:45 GMT 2002
David Foulis <dbfpyro at gmx.net> wrote:
> log.devil
>
> [2002/01/16 01:17:08, 1] smbd/service.c:make_connection(550) devil
> (213.3.192.197) connect to service colani as user nobody (uid=65534,
> gid=65534) (pid 751)
> [2002/01/16 01:19:09, 1] smbd/service.c:close_cnum(583) devil
> (213.3.192.197) closed connection to service colani
This address (213.3.192.197) connected to the service 'colani' for
about 2 minutes as the 'guest' user. I expect 'devil' was the
WINS computer name being used by the connecting host.
> The IP from host "devil", 213.3.192.197, is an internet number.
% whois -h whois.ripe.net 213.3.192.197
% This is the RIPE Whois server.
% The objects are in RPSL format.
% Please visit http://www.ripe.net/rpsl for more information.
% Rights restricted by copyright.
% See http://www.ripe.net/ripencc/pub-services/db/copyright.html
inetnum: 213.3.128.0 - 213.3.255.255
netname: BLUEWINNET
descr: Bluewin is an internet service provider in CH.
country: CH
admin-c: PZ1009-RIPE
tech-c: AM1626-RIPE
tech-c: MR1192-RIPE
rev-srv: dns1.bluewin.ch
rev-srv: dns2.bluewin.ch
rev-srv: dns3.bluewin.ch
status: ASSIGNED PA
remarks: In case of hack attacks, spam, scans etc. please
remarks: send abuse notifications to hostmaster at bluewin.ch
[...]
> Is it possible that "devil" would have been trying to enter a windows
> computer generally?
Hard to say what their motivation could be, but one could assume that they
might have been scanning IP blocks for open shares and/or old versions of
Samba daemons that are vulnerable to remotely exploitable root security
holes.
> and then with my system of course was answered by samba and did or did
> not get in.
They connected as the 'guest' user which I think means they would have
had read-only access to that share.
> I also am not sure if he did get in or just tried the passwords?
Looks like he connected as 'guest', which is the userid that can be
accessed if they do not have a valid login/password; it depends on how
your Samba is configured though.
> Or is the whole thing a misinterpretation by me and "devil" is some
> kind of program daemon?
I expect 'devil' was their WINS computer name.
-Paul-
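The reading Paul gives of the two smbd lines (pair make_connection with close_cnum, note the guest uid and the public source address, work out the session length) can be automated. This is an added example, not code from the thread or from Samba; it assumes only the two line formats quoted above and treats uid 65534 ("nobody") as the guest account, with the sample log constructed from the quoted lines.

```python
import re
from datetime import datetime
from ipaddress import ip_address

# Constructed sample, modelled on the smbd log lines quoted in the thread.
SAMPLE_LOG = """\
[2002/01/16 01:17:08, 1] smbd/service.c:make_connection(550) devil (213.3.192.197) connect to service colani as user nobody (uid=65534, gid=65534) (pid 751)
[2002/01/16 01:19:09, 1] smbd/service.c:close_cnum(583) devil (213.3.192.197) closed connection to service colani
"""

TS = r"\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), \d+\]"
CONNECT_RE = re.compile(TS + r" smbd/service\.c:make_connection\(\d+\) (?P<host>\S+) "
                        r"\((?P<ip>[\d.]+)\) connect to service (?P<svc>\S+) as user "
                        r"(?P<user>\S+) \(uid=(?P<uid>\d+),")
CLOSE_RE = re.compile(TS + r" smbd/service\.c:close_cnum\(\d+\) (?P<host>\S+) "
                      r"\((?P<ip>[\d.]+)\) closed connection to service (?P<svc>\S+)")
TS_FMT = "%Y/%m/%d %H:%M:%S"
GUEST_UID = 65534  # "nobody" in the quoted log; assumed to be the guest mapping


def parse_sessions(text):
    """Pair each make_connection line with its close_cnum line, keyed on (ip, service)."""
    open_sessions, sessions = {}, []
    for line in text.splitlines():
        m = CONNECT_RE.search(line)
        if m:
            open_sessions[(m["ip"], m["svc"])] = m
            continue
        m = CLOSE_RE.search(line)
        if m:
            start = open_sessions.pop((m["ip"], m["svc"]), None)
            if start is None:
                continue  # close with no matching connect in this log excerpt
            t0 = datetime.strptime(start["ts"], TS_FMT)
            t1 = datetime.strptime(m["ts"], TS_FMT)
            sessions.append({
                "host": start["host"], "ip": start["ip"], "service": start["svc"],
                "user": start["user"], "guest": int(start["uid"]) == GUEST_UID,
                "external": ip_address(start["ip"]).is_global,  # not RFC1918/loopback
                "seconds": int((t1 - t0).total_seconds()),
            })
    return sessions


def suspicious(sessions):
    """Guest sessions from public addresses: the pattern the thread is worried about."""
    return [s for s in sessions if s["guest"] and s["external"]]
```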