strange log "log.devil"
paul at xciv.org
Thu Feb 21 10:16:45 GMT 2002
David Foulis <dbfpyro at gmx.net> wrote:
> [2002/01/16 01:17:08, 1] smbd/service.c:make_connection(550) devil
> (188.8.131.52) connect to service colani as user nobody (uid=65534,
> gid=65534) (pid 751)
> [2002/01/16 01:19:09, 1] smbd/service.c:close_cnum(583) devil
> (184.108.40.206) closed connection to service colani
This address (220.127.116.11) connected to the service 'colani' for
about 2 minutes as the 'guest' user. I expect 'devil' was the
WINS computer name being used by the connecting host.
> The IP from host "devil" is 18.104.22.168 is an internet number.
% whois -h whois.ripe.net 22.214.171.124
% This is the RIPE Whois server.
% The objects are in RPSL format.
% Please visit http://www.ripe.net/rpsl for more information.
% Rights restricted by copyright.
% See http://www.ripe.net/ripencc/pub-services/db/copyright.html
inetnum: 126.96.36.199 - 188.8.131.52
descr: Bluewin is an internet service provider in CH.
status: ASSIGNED PA
remarks: In case of hack attacks, spam, scans etc. please
remarks: send abuse notifications to hostmaster at bluewin.ch
> Is it possible that "devil" would have been trying to enter a windows
> computer generally?
Hard to say what their motivation could be, but one could assume that they
might have been scanning IP blocks for open shares and/or old versions of
Samba daemons that are vulnerable to remotely exploitable root security
> and then with my system of course was answered by samba and did or did
> not get in.
They connected as the 'guest' user which I think means they would have
had read-only access to that share.
> I also am not sure if I he did get in or just tried the passwords?
Looks like he connected as 'guest' which is the userid that can be
accessed if they do not have a valid login/password, it depends on how
your Samba is configured though.
> Or is the whole thing a misinterpretation by me and "devil" is some
> kind of programm daemon?
I expect 'devil' was their WINS computer name.
More information about the Ukfreebsd