On Thu, Dec 11, 2003 at 10:43:59AM -0700, David Bear wrote:
> I'm running a generic release-4.7 kernel. At some point I must have
> set some sysctl option because I get a lot of messages like:
>
> Dec 11 10:35:18 recsrv1 /kernel: Connection attempt to TCP
> 129.219.208.171:135 from 129.219.90.69:4449
> Dec 11 10:35:19 recsrv1 last message repeated 2 times

No -- that's not your fault at all. You're being scanned by Windows
machines infected with the MS-BLASTER worm or something like it that
is attempting to exploit the RPC DCOM buffer overflow vulnerability --
see
http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS03-039.asp
or search for MS-BLAST on any of the anti-virus vendors' sites.

> I am using log_in_vain='1' in rc.conf but, do have samba listening on
> port 135.
>
> Any way I can quash these messages?

Unplug your system from the internet? Or sit back, comfortable in the
knowledge that even if your firewall wasn't blocking the packets,
you'd still be invulnerable to being exploited. Develop a nice sense
of Schadenfreude, then come to the uncomfortable realization that the
machines taken over by this worm generally get turned into zombie spam
engines from hell...

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.                 26 The Paddocks
                                                Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey   Marlow
Tel: +44 1628 476614                            Bucks., SL7 1TH UK
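
Added example, not part of the original message: a Python tally of log_in_vain lines like the ones quoted above, grouped by destination port and by source address, which counts syslog's "last message repeated N times" lines toward the attempt they follow. The sample log is constructed with documentation-range addresses, and the names summarize, ATTEMPT and REPEAT are assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample in the format quoted in the message; addresses are
# documentation-range placeholders, not values from the thread.
SAMPLE = """\
Dec 11 10:35:18 recsrv1 /kernel: Connection attempt to TCP 192.0.2.10:135 from 198.51.100.7:4449
Dec 11 10:35:19 recsrv1 last message repeated 2 times
Dec 11 10:35:40 recsrv1 /kernel: Connection attempt to TCP 192.0.2.10:135 from 198.51.100.9:1033
Dec 11 10:36:02 recsrv1 sshd[411]: Accepted publickey for admin from 203.0.113.5 port 50122
Dec 11 10:36:03 recsrv1 last message repeated 3 times
Dec 11 10:36:10 recsrv1 /kernel: Connection attempt to UDP 192.0.2.10:1434 from 198.51.100.7:2001
"""

ATTEMPT = re.compile(
    r"^\w{3}\s+\d+ [\d:]+ \S+ /kernel: Connection attempt to "
    r"(?P<proto>TCP|UDP) [\d.]+:(?P<dport>\d+) from (?P<src>[\d.]+):\d+$"
)
REPEAT = re.compile(r"^\w{3}\s+\d+ [\d:]+ \S+ last message repeated (?P<n>\d+) times?$")


def summarize(text):
    """Return (attempts per (proto, dport), attempts per source address)."""
    by_port, by_src = Counter(), Counter()
    last = {}  # host -> key of its previous line if that was an attempt, else None
    for line in text.splitlines():
        fields = line.split()
        host = fields[3] if len(fields) > 3 else None
        m, r = ATTEMPT.match(line), REPEAT.match(line)
        if m:
            key, weight = (m["proto"], int(m["dport"]), m["src"]), 1
            last[host] = key
        elif r and last.get(host):
            # syslog collapsed N identical attempt lines into this one
            key, weight = last[host], int(r["n"])
        else:
            if not r:
                last[host] = None  # a later "repeated" line refers to this message
            continue
        by_port[key[:2]] += weight
        by_src[key[2]] += weight
    return by_port, by_src


if __name__ == "__main__":
    ports, sources = summarize(SAMPLE)
    for (proto, dport), n in ports.most_common():
        print(f"{proto}/{dport}: {n} attempts")
    for src, n in sources.most_common():
        print(f"{src}: {n} attempts")
```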