Morning all,
Little background. Running CentOS 5.3, fully updated. I basically run this as router and gateway for home network. I have two (2) winblows machines hooked up. I am running samba for shares. I opened up root's mail this morning and found this strange little comment:
Connections Denied:
   lib/access.c:check_access(327)
      58.239.84.158 : 1 Time(s)
   smbd/process.c:process_smb(1062)
      58.239.84.158 : 1 Time(s)
So I started looking around in /var/log. I looked at my secure logs and saw nothing out of the ordinary. I looked in samba and found a log file 58.239.84.158.log. I opened it up and it said the following:
[2009/08/15 06:31:34, 0] lib/access.c:check_access(327)
  Denied connection from (58.239.84.158)
[2009/08/15 06:31:34, 1] smbd/process.c:process_smb(1062)
  Connection denied from 58.239.84.158
There is nothing on this server that I can not replace. Did I just get hacked? Should I wipe this thing and start over? Any and all advice is greatly appreciated!!!
Thanks.
Lee Perez
At Sun, 16 Aug 2009 07:51:50 -0500 CentOS mailing list centos@centos.org wrote:
Morning all,
Little background. Running CentOS 5.3, fully updated. I basically run this as router and gateway for home network. I have two (2) winblows machines hooked up. I am running samba for shares. I opened up root's mail this morning and found this strange little comment:
Connections Denied:
   lib/access.c:check_access(327)
      58.239.84.158 : 1 Time(s)
   smbd/process.c:process_smb(1062)
      58.239.84.158 : 1 Time(s)
So I started looking around in /var/log. I looked at my secure logs and saw nothing out of the ordinary. I looked in samba and found a log file 58.239.84.158.log. I opened it up and it said the following:
[2009/08/15 06:31:34, 0] lib/access.c:check_access(327)
  Denied connection from (58.239.84.158)
[2009/08/15 06:31:34, 1] smbd/process.c:process_smb(1062)
  Connection denied from 58.239.84.158
There is nothing on this server that I can not replace. Did I just get hacked? Should I wipe this thing and start over? Any and all advice is greatly appreciated!!!
I don't think you got hacked. You might want to check your firewall settings though. It *looks* like your firewall is letting netbios connections from off your LAN -- you should not be allowing this!
It does look like someone from 58.239.84.158 (SK Broadband Co Ltd in Seoul) tried to check out your samba shares, but was denied access.
Thanks.
Lee Perez
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
So I started looking around in /var/log. I looked at my secure logs and saw nothing out of the ordinary. I looked in samba and found a log file 58.239.84.158.log. I opened it up and it said the following:
[2009/08/15 06:31:34, 0] lib/access.c:check_access(327)
  Denied connection from (58.239.84.158)
[2009/08/15 06:31:34, 1] smbd/process.c:process_smb(1062)
  Connection denied from 58.239.84.15
I don't think you got hacked. You might want to check your firewall settings though. It *looks* like your firewall is letting netbios connections from off your LAN -- you should not be allowing this!
He can do better. Why is samba bound to an Internet facing interface at all? Unless you have a need to allow smb/cifs connections over the Internet, samba should never ever be allowed to bind to an interface with an Internet ip.
It does look like someone from 58.239.84.158 (SK Broadband Co Ltd in Seoul) tried to check out your samba shares, but was denied access.
Yea for tcp wrappers...
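The logwatch summary and the per-host samba log quoted above are what a defender has to work with here; the replies' point is that any denial from a non-LAN address means netbios/smb traffic is reaching smbd from the Internet at all. The following is an added example (not from the thread or from Samba) that parses the two-line smbd log entries in the quoted format, tallies denials per location and source IP the way logwatch did, and flags sources outside an assumed RFC 1918 LAN range; the sample log lines are constructed from the thread's entries plus one LAN-side entry for contrast.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the Samba 3.x log.<ip> format quoted in the thread:
# a "[timestamp, level] location" header line followed by an indented message.
SAMPLE_LOG = """\
[2009/08/15 06:31:34, 0] lib/access.c:check_access(327)
  Denied connection from (58.239.84.158)
[2009/08/15 06:31:34, 1] smbd/process.c:process_smb(1062)
  Connection denied from 58.239.84.158
[2009/08/15 09:12:01, 0] lib/access.c:check_access(327)
  Denied connection from (192.168.1.50)
"""

# Assumed LAN definition (RFC 1918); replace with the real internal subnet(s).
LAN_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                ipaddress.ip_network("172.16.0.0/12"),
                ipaddress.ip_network("192.168.0.0/16")]

HEADER_RE = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), (\d+)\] (\S+)$")
DENIED_RE = re.compile(
    r"(?:Denied connection from \(|Connection denied from )(\d{1,3}(?:\.\d{1,3}){3})")


def parse_denials(text):
    """Yield (timestamp, location, source_ip) for every denial entry."""
    lines = text.splitlines()
    for i, line in enumerate(lines[:-1]):
        header = HEADER_RE.match(line)
        if not header:
            continue
        timestamp, _level, location = header.groups()
        denied = DENIED_RE.search(lines[i + 1])
        if denied:
            yield timestamp, location, denied.group(1)


def is_lan(ip):
    """True if the address falls inside one of the assumed LAN networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LAN_NETWORKS)


def summarize(text):
    """Return ({(location, ip): count}, [external ips]) like logwatch's summary,
    with the external list being the denials the firewall should never have let in."""
    counts = Counter((loc, ip) for _, loc, ip in parse_denials(text))
    external = sorted({ip for _, ip in counts if not is_lan(ip)})
    return dict(counts), external
```

Any address in the external list is evidence that TCP wrappers did their job but the perimeter did not; the fix belongs in the firewall rules and in not binding smbd to the outside interface, not in the log parser.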
On Sun, Aug 16, 2009 at 4:39 AM, Chan Chung Hang Christopher <christopher.chan@bradbury.edu.hk> wrote:
So I started looking around in /var/log. I looked at my secure logs and saw nothing out of the ordinary.
Are you running denyhosts? By default I think it only covers ssh, but you can configure it to cover other protocols.
I looked in samba and found a log file 58.239.84.158.log. I opened it up and it said the following:
Seems like this would help, since you're not using samba?
# yum erase samba
Dave
Dave,
If you are only going to answer the OP's questions and not make further points on replies, please reply to the OP's message directly.
Dave wrote:
On Sun, Aug 16, 2009 at 4:39 AM, Chan Chung Hang Christopher <christopher.chan@bradbury.edu.hk> wrote:
So I started looking around in /var/log. I looked at my secure logs and saw nothing out of the ordinary.
I never wrote the above and your reply to the OP via my post makes it look like I did.
I looked in samba and found a log file 58.239.84.158.log. I opened it up and it said the following:
Seems like this would help, since you're not using samba?
# yum erase samba
The OP did say that he was using samba for shares.
On Sun, Aug 16, 2009 at 7:51 AM, Lee Perez <leecajun@windstream.net> wrote:
<snip>
There is nothing on this server that I can not replace. Did I just get hacked? Should I wipe this thing and start over? Any and all advice is greatly appreciated!!!
If you eventually decide to wipe it and start over, you might consider running IPCop Linux, a special distribution for Firewall/Router purposes. I use it at home and some on the list use it at work. The fewer services you run, the safer it will be. Samba, as someone said, probably should not be run on a firewall. http://www.ipcop.org/ The version currently available has been around for a while, but they have a new version in testing. I have IPCop running on an old box with a Pentium 233 MHz MMX chip and 64 MB of RAM and it's headless. HTH
Lanny Marcus wrote:
On Sun, Aug 16, 2009 at 7:51 AM, Lee Perez <leecajun@windstream.net> wrote:
<snip>
There is nothing on this server that I can not replace. Did I just get hacked? Should I wipe this thing and start over? Any and all advice is greatly appreciated!!!
If you eventually decide to wipe it and start over, you might consider running IPCop Linux, a special distribution for Firewall/Router purposes. I use it at home and some on the list use it at work. The fewer services you run, the safer it will be. Samba, as someone said, probably should not be run on a firewall. http://www.ipcop.org/ The version currently available has been around for a while, but they have a new version in testing. I have IPCop running on an old box with a Pentium 233 MHz MMX chip and 64 MB of RAM and it's headless. HTH
Thanks Lanny and everyone else. Sorry for the late reply back. Don't want anyone to think that I do not appreciate the help. I work nights and just got in.
I didn't know that IPCOP could run on one that old. I have one like that up in the attic, time to bring it back down. Before I upgraded to 5.3, I was running 4.7 with FireStarter and did not have any troubles. As soon as I get some sleep I will be looking in to setting it up.
Thanks again everyone for the advice.
Lee Perez
I didn't know that IPCOP could run on one that old. I have one like that up in the attic, time to bring it back down. Before I upgraded to 5.3, I was running 4.7 with FireStarter and did not have any troubles. As soon as I get some sleep I will be looking in to setting it up.
If it is a pure firewall/nat box then you may want to give OpenBSD a try. Expand your horizons a bit. I ran OpenBSD headless on a Pentium too but with a bit more RAM and diskless too.
Chan Chung Hang Christopher wrote:
I didn't know that IPCOP could run on one that old. I have one like that up in the attic, time to bring it back down. Before I upgraded to 5.3, I was running 4.7 with FireStarter and did not have any troubles. As soon as I get some sleep I will be looking in to setting it up.
If it is a pure firewall/nat box then you may want to give OpenBSD a try. Expand your horizons a bit. I ran OpenBSD headless on a Pentium too but with a bit more RAM and diskless too.
Thanks Chan, I will look into it because that is exactly what it would be. I have been wanting to set up a home website, but I did not want to run everything off of one server. IIRC I have 384 megs of RAM on that PC, but I don't remember the MHz. I think it might be a 133 MHz, do you think that would do?
Lee Perez
On Mon, 2009-08-17 at 07:33 -0500, Lee Perez wrote:
Chan Chung Hang Christopher wrote:
I didn't know that IPCOP could run on one that old. I have one like that up in the attic, time to bring it back down. Before I upgraded to 5.3, I was running 4.7 with FireStarter and did not have any troubles. As soon as I get some sleep I will be looking in to setting it up.
If it is a pure firewall/nat box then you may want to give OpenBSD a try. Expand your horizons a bit. I ran OpenBSD headless on a Pentium too but with a bit more RAM and diskless too.
Thanks Chan, I will look into it because that is exactly what it would be. I have been wanting to set up a home website, but I did not want to run everything off of one server. IIRC I have 384 megs of RAM on that PC, but I don't remember the MHz. I think it might be a 133 MHz, do you think that would do?
Ought to. My backup/production is a 200 MHz Pentium with 96 MB. Works fine. And I have a cable connection that gives decent download speed. The degradation is really not that noticeable when I take out the 380 MHz AMD K6-II/256 MB and put the Pentium unit in place.
Lee Perez
<snip sig stuff>