Re: [CentOS] OT: Strange message in root e-mail possiablly hacked!!! Not sure??

2009-08-17 Thread Christopher Chan
Dave,

If you are only going to answer the OP's questions and not make further 
points on replies, please reply to the OP's message directly.

Dave wrote:
> On Sun, Aug 16, 2009 at 4:39 AM, Chan Chung Hang
> Christopher <christopher.c...@bradbury.edu.hk> wrote:
>
>> So I started looking around in /var/log.  I looked at my secure logs and
>> saw nothing out of the ordinary.

I never wrote the above and your reply to the OP via my post makes it 
look like I did.

>> I looked in samba and found a log file
>> 58.239.84.158.log.  I opened it up and it said the following:
>
> Seems like this would help, since you're not using samba?
>
> # yum erase samba

The OP did say that he was using samba for shares.
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] OT: Strange message in root e-mail possiablly hacked!!! Not sure??

2009-08-17 Thread Lee Perez
Lanny Marcus wrote:
> On Sun, Aug 16, 2009 at 7:51 AM, Lee Perez <leeca...@windstream.net> wrote:
> <snip>
>> There is nothing on this server that I can not replace.  Did I just get
>> hacked?  Should I wipe this thing and start over?  Any and all advice is
>> greatly appreciated!!!
>
> If you eventually decide to wipe it and start over, you might consider
> running IPCop Linux, a special distribution for Firewall/Router
> purposes. I use it at home and some on the list use it at work.
> The fewer services you run, the safer it will be. Samba as someone
> said, probably should not be run on a firewall. http://www.ipcop.org/
> The version currently available has been around for awhile, but they
> have a new version in testing. I have IPCop running on an old box with
> a Pentium 233 MHz MMX chip and 64 MB of RAM and it's headless. HTH
   
Thanks Lanny and everyone else.  Sorry for the late reply back.  Don't 
want anyone to think that I do not appreciate the help. I work nights 
and just got in.

I didn't know that IPCOP could run on one that old.  I have one like 
that up in the attic, time to bring it back down.  Before I upgraded to 
5.3, I was running 4.7 with FireStarter and did not have any troubles.  
As soon as I get some sleep I will be looking in to setting it up.

Thanks again everyone for the advice.

Lee Perez


Re: [CentOS] OT: Strange message in root e-mail possiablly hacked!!! Not sure??

2009-08-17 Thread Chan Chung Hang Christopher

> I didn't know that IPCOP could run on one that old.  I have one like 
> that up in the attic, time to bring it back down.  Before I upgraded to 
> 5.3, I was running 4.7 with FireStarter and did not have any troubles.  
> As soon as I get some sleep I will be looking in to setting it up.

   
If it is a pure firewall/nat box then you may want to give OpenBSD a 
try. Expand your horizons a bit. I ran OpenBSD headless on a Pentium too 
but with a bit more RAM and diskless too.


[CentOS] OT: Strange message in root e-mail possiablly hacked!!! Not sure??

2009-08-16 Thread Lee Perez
Morning all,

Little background.  Running CentOS 5.3 fully updated.  I basically run 
this as router and gateway for home network.  I have two (2) winblows 
machines hooked up.  I am running samba for shares.  I opened up root's 
mail this morning and found this strange little comment:

Connections Denied:
lib/access.c:check_access(327)  58.239.84.158 : 1 Time(s)
smbd/process.c:process_smb(1062) 58.239.84.158 : 1 Time(s)

So I started looking around in /var/log.  I looked at my secure logs and 
saw nothing out of the ordinary.  I looked in samba and found a log file 
58.239.84.158.log.  I opened it up and it said the following:

[2009/08/15 06:31:34, 0] lib/access.c:check_access(327)
  Denied connection from  (58.239.84.158)
[2009/08/15 06:31:34, 1] smbd/process.c:process_smb(1062)
  Connection denied from 58.239.84.158

There is nothing on this server that I can not replace.  Did I just get 
hacked?  Should I wipe this thing and start over?  Any and all advice is 
greatly appreciated!!!

Thanks.

Lee Perez


Re: [CentOS] OT: Strange message in root e-mail possiablly hacked!!! Not sure??

2009-08-16 Thread Robert Heller
At Sun, 16 Aug 2009 07:51:50 -0500 CentOS mailing list <centos@centos.org> 
wrote:

> Morning all,
>
> Little background.  Running CentOS 5.3 fully updated.  I basically run 
> this as router and gateway for home network.  I have two (2) winblows 
> machines hooked up.  I am running samba for shares.  I opened up root's 
> mail this morning and found this strange little comment:
>
> Connections Denied:
> lib/access.c:check_access(327)  58.239.84.158 : 1 Time(s)
> smbd/process.c:process_smb(1062) 58.239.84.158 : 1 Time(s)
>
> So I started looking around in /var/log.  I looked at my secure logs and 
> saw nothing out of the ordinary.  I looked in samba and found a log file 
> 58.239.84.158.log.  I opened it up and it said the following:
>
> [2009/08/15 06:31:34, 0] lib/access.c:check_access(327)
>   Denied connection from  (58.239.84.158)
> [2009/08/15 06:31:34, 1] smbd/process.c:process_smb(1062)
>   Connection denied from 58.239.84.158
>
> There is nothing on this server that I can not replace.  Did I just get 
> hacked?  Should I wipe this thing and start over?  Any and all advice is 
> greatly appreciated!!!

I don't think you got hacked.  You might want to check your firewall
settings though.  It *looks* like your firewall is letting netbios
connections from off your LAN -- you should not be allowing this!

It does look like someone from 58.239.84.158 (SK Broadband Co Ltd in
Seoul) tried to check out your samba shares, but was denied access.

 
> Thanks.
>
> Lee Perez

-- 
Robert Heller -- 978-544-6933
Deepwoods Software-- Download the Model Railroad System
http://www.deepsoft.com/  -- Binaries for Linux and MS-Windows
hel...@deepsoft.com   -- http://www.deepsoft.com/ModelRailroadSystem/

 
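The triage in the reply above (read the per-client Samba log, then ask whether the denied source is off the LAN) can be scripted. This is an added example, not part of any post in the thread; the LAN range 192.168.1.0/24 and the 192.168.1.50 log entry are constructed assumptions, while the first four sample lines are the log quoted by the original poster.

```python
import ipaddress
import re

# Entry header: "[date time, debug level] source_file:function(line)"
HEADER = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}),\s*\d+\]\s+(\S+)$")
# Both denial messages seen in the thread's log, with or without parentheses
DENIED = re.compile(r"(?:Denied connection|Connection denied) from\s+\(?(\d{1,3}(?:\.\d{1,3}){3})\)?")

# First four lines are the log quoted in the thread; the 192.168.1.50 entry
# is constructed to show a LAN client being filtered out.
SAMPLE = """\
[2009/08/15 06:31:34, 0] lib/access.c:check_access(327)
  Denied connection from  (58.239.84.158)
[2009/08/15 06:31:34, 1] smbd/process.c:process_smb(1062)
  Connection denied from 58.239.84.158
[2009/08/15 09:02:10, 0] lib/access.c:check_access(327)
  Denied connection from  (192.168.1.50)
"""

def denied_entries(log_text):
    """Return (timestamp, code_location, ip) for each denied-connection entry."""
    entries, header = [], None
    for line in log_text.splitlines():
        h = HEADER.match(line.strip())
        if h:
            header = h.groups()      # remember which entry the next line belongs to
            continue
        d = DENIED.search(line)
        if d and header:
            try:
                ip = ipaddress.ip_address(d.group(1))
            except ValueError:       # e.g. 999.1.1.1 in a damaged log line
                continue
            entries.append((header[0], header[1], ip))
    return entries

def off_lan_attempts(log_text, lan_cidrs=("192.168.1.0/24",)):  # assumed LAN range
    """Map each off-LAN source IP to its number of distinct denied attempts."""
    lans = [ipaddress.ip_network(c) for c in lan_cidrs]
    seen = {}
    for ts, _where, ip in denied_entries(log_text):
        if not any(ip in net for net in lans):
            # check_access and process_smb both log one attempt: dedupe by time
            seen.setdefault(str(ip), set()).add(ts)
    return {ip: len(stamps) for ip, stamps in seen.items()}

if __name__ == "__main__":
    for ip, n in off_lan_attempts(SAMPLE).items():
        print(f"{ip}: {n} denied attempt(s) from outside the LAN; SMB is reachable from the WAN")
```

Any address this reports means the SMB ports were reachable from outside the LAN, which is the firewall problem the reply points at, even though the connection itself was refused.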


Re: [CentOS] OT: Strange message in root e-mail possiablly hacked!!! Not sure??

2009-08-16 Thread Chan Chung Hang Christopher

>> So I started looking around in /var/log.  I looked at my secure logs and 
>> saw nothing out of the ordinary.  I looked in samba and found a log file 
>> 58.239.84.158.log.  I opened it up and it said the following:
>>
>> [2009/08/15 06:31:34, 0] lib/access.c:check_access(327)
>>   Denied connection from  (58.239.84.158)
>> [2009/08/15 06:31:34, 1] smbd/process.c:process_smb(1062)
>>   Connection denied from 58.239.84.15
>
> I don't think you got hacked.  You might want to check your firewall
> settings though.  It *looks* like your firewall is letting netbios
> connections from off your LAN -- you should not be allowing this!
   
He can do better. Why is samba bound to an Internet facing interface at 
all? Unless you have a need to allow smb/cifs connections over the 
Internet, samba should never ever be allowed to bind to an interface 
with an Internet ip.

> It does look like someone from 58.239.84.158 (SK Broadband Co Ltd in
> Seoul) tried to check out your samba shares, but was denied access.

   
Yea for tcp wrappers...
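One way to check the point made in the message above, that Samba should not be bound to the Internet-facing interface, is to audit the `[global]` section of smb.conf for the `interfaces`, `bind interfaces only` and `hosts allow` parameters. This is an added example, not part of any post in the thread; both configuration fragments are constructed, and the interface names (eth0 as the Internet side, eth1 as the LAN side) and the 192.168.1. prefix are assumptions. Only interface names are checked, not IP/mask entries.

```python
# Constructed smb.conf fragments. eth0 = Internet side, eth1 = LAN side (assumed).
WEAK = """\
[global]
   workgroup = HOME
   interfaces = eth0 eth1
[share]
   path = /srv/share
"""
HARDENED = """\
[global]
   workgroup = HOME
   interfaces = lo eth1
   bind interfaces only = yes
   hosts allow = 127. 192.168.1.
   hosts deny = ALL
"""

def parse_global(conf_text):
    """Return the [global] parameters of an smb.conf as a dict."""
    params, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            # Samba ignores case and whitespace in parameter names
            params["".join(name.lower().split())] = value.strip()
    return params

def audit_binding(conf_text, wan_ifaces=("eth0",)):
    """Return findings about where smbd listens and who may connect."""
    g = parse_global(conf_text)
    findings = []
    if g.get("bindinterfacesonly", "no").lower() not in ("yes", "true", "1"):
        findings.append("bind-interfaces-only-off")   # smbd listens on every interface
    for name in g.get("interfaces", "").split():
        if name in wan_ifaces:
            findings.append("wan-interface:" + name)  # explicitly serving the Internet side
    if not {"hostsallow", "allowhosts"} & g.keys():
        findings.append("no-hosts-allow")             # no address-based access check
    return findings

if __name__ == "__main__":
    print("weak:    ", audit_binding(WEAK))
    print("hardened:", audit_binding(HARDENED))
```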


Re: [CentOS] OT: Strange message in root e-mail possiablly hacked!!! Not sure??

2009-08-16 Thread Lanny Marcus
On Sun, Aug 16, 2009 at 7:51 AM, Lee Perez <leeca...@windstream.net> wrote:
<snip>
> There is nothing on this server that I can not replace.  Did I just get
> hacked?  Should I wipe this thing and start over?  Any and all advice is
> greatly appreciated!!!

If you eventually decide to wipe it and start over, you might consider
running IPCop Linux, a special distribution for Firewall/Router
purposes. I use it at home and some on the list use it at work.
The fewer services you run, the safer it will be. Samba as someone
said, probably should not be run on a firewall. http://www.ipcop.org/
The version currently available has been around for awhile, but they
have a new version in testing. I have IPCop running on an old box with
a Pentium 233 MHz MMX chip and 64 MB of RAM and it's headless. HTH


Re: [CentOS] OT: Strange message in root e-mail possiablly hacked!!! Not sure??

2009-08-16 Thread Dave
On Sun, Aug 16, 2009 at 4:39 AM, Chan Chung Hang
Christopher <christopher.c...@bradbury.edu.hk> wrote:

> So I started looking around in /var/log.  I looked at my secure logs and
> saw nothing out of the ordinary.

Are you running denyhosts? By default I think it only covers ssh, but
you can configure it to cover other protocols.

> I looked in samba and found a log file
> 58.239.84.158.log.  I opened it up and it said the following:

Seems like this would help, since you're not using samba?

# yum erase samba

Dave