
suspicious smbd connections


outsider

Dec 23, 2003, 3:30:23 PM12/23/03
Hi,
Lately I frequently get messages like
"smbd[949]: refused connect from " in my /var/log/syslog. Every time
with a new IP address. What are these connections? Is somebody trying to
scan me or what is the reason for these messages?
Thank you in advance!


--
To UNSUBSCRIBE, email to debian-secu...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listm...@lists.debian.org

Noah L. Meyerhans

Dec 23, 2003, 3:40:19 PM12/23/03
On Tue, Dec 23, 2003 at 07:01:01PM +0100, outsider wrote:
> Lately I frequently get messages like
> "smbd[949]: refused connect from " in my /var/log/syslog. Every time
> with a new IP address. What are these connections? Is somebody trying to
> scan me or what is the reason for these messages?

You are being scanned. Get used to it. You're not specifically being
targeted, but rather your IP address was randomly generated by some
worm on some Windows box and a connection attempt was made. If you're
feeling particularly motivated, you can try to track down the owner of
the infected machine (or at least the owner of the netblock it lives on)
and inform them, but it probably won't do you much good. I suspect that
you'll quickly find that most owners are simply not responsive.

noah

--
Hello to all my friends and fans in domestic surveillance.
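To check whether the syslog entries from the original question fit the "random worm scanning" picture described above (many distinct sources, one or two attempts each) rather than one host probing persistently, here is an added example log parser; it is not code from the thread. It assumes the source IP follows the quoted "refused connect from " prefix, uses constructed sample lines with RFC 5737 documentation addresses, and the thresholds are assumptions to tune per host.

```python
import re
from collections import Counter

# Constructed sample syslog excerpt in the shape quoted in the thread; the
# source addresses are documentation ranges (RFC 5737), not real scanners.
SAMPLE_SYSLOG = """\
Dec 23 13:01:01 host smbd[949]: refused connect from 192.0.2.10
Dec 23 13:04:17 host smbd[949]: refused connect from 198.51.100.7
Dec 23 13:09:42 host smbd[949]: refused connect from 203.0.113.88
Dec 23 13:15:03 host smbd[949]: refused connect from 192.0.2.10
Dec 23 13:16:55 host sshd[1201]: Accepted publickey for alice from 192.0.2.44
Dec 23 13:22:30 host smbd[949]: refused connect from 203.0.113.201
"""

# Matches "smbd[<pid>]: refused connect from <ipv4>" and captures the syslog
# timestamp and the source address; other daemons' lines are ignored.
REFUSED_RE = re.compile(
    r"^(?P<stamp>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ smbd\[\d+\]: "
    r"refused connect from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s*$"
)

def parse_refused(log_text):
    """Return (timestamp, source_ip) pairs for every smbd refusal line."""
    hits = []
    for line in log_text.splitlines():
        m = REFUSED_RE.match(line)
        if m:
            hits.append((m.group("stamp"), m.group("ip")))
    return hits

def summarize(hits):
    """Count refusals per source address and per /24 network."""
    per_ip = Counter(ip for _, ip in hits)
    per_net = Counter(".".join(ip.split(".")[:3]) + ".0/24" for _, ip in hits)
    return {"total": len(hits), "per_ip": per_ip, "per_net": per_net}

# Assumed thresholds for the heuristic below; tune them for your own host.
PERSISTENT_MIN = 5    # one source repeating this often looks deliberate
SCAN_MIN_SOURCES = 3  # this many distinct sources, few hits each: worm scanning

def classify(summary):
    """Label the pattern: persistent (one source repeating), background
    scanning (many sources, few hits each), or too little data to say."""
    if not summary["per_ip"]:
        return "no refusals"
    top_ip, top_count = summary["per_ip"].most_common(1)[0]
    if top_count >= PERSISTENT_MIN:
        return f"persistent: {top_ip} refused {top_count} times"
    if len(summary["per_ip"]) >= SCAN_MIN_SOURCES:
        return "background scanning: many distinct sources, few hits each"
    return "insufficient data"

if __name__ == "__main__":
    s = summarize(parse_refused(SAMPLE_SYSLOG))
    print(s["total"], "refusals from", len(s["per_ip"]), "sources;", classify(s))
```

Feed it `/var/log/syslog` instead of the sample and the per-/24 counter also shows whether refusals cluster in one netblock, which is the case where contacting the netblock owner is worth the effort.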

Phillip Hofmeister

Dec 23, 2003, 4:40:05 PM12/23/03
You may wish to enable an iptables filter to block all ports except
those you explicitly allow.

On Tue, 23 Dec 2003 at 01:01:01PM -0500, outsider wrote:
> Hi,
> Lately I frequently get messages like
> "smbd[949]: refused connect from " in my /var/log/syslog. Every time
> with a new IP address. What are these connections? Is somebody trying to
> scan me or what is the reason for these messages?
> Thank you in advance!
>
>
>

--
Phillip Hofmeister

PGP/GPG Key:
http://www.zionlth.org/~plhofmei/
wget -O - http://www.zionlth.org/~plhofmei/key.asc | gpg --import
--
Excuse #138: Popper unable to process jumbo kernel

outsider

Dec 24, 2003, 10:40:09 AM12/24/03
Noah L. Meyerhans wrote:
> On Tue, Dec 23, 2003 at 07:01:01PM +0100, outsider wrote:
>
>>Lately I frequently get messages like
>>"smbd[949]: refused connect from " in my /var/log/syslog. Every time
>>with a new IP address. What are these connections? Is somebody trying to
>>scan me or what is the reason for these messages?
>
>
> You are being scanned. Get used to it. You're not specifically being
> targeted, but rather your IP address was randomly generated by some
> worm on some Windows box and a connection attempt was made. If you're
> feeling particularly motivated, you can try to track down the owner of
> the infected machine (or at least the owner of the netblock it lives on)
> and inform them, but it probably won't do you much good. I suspect that
> you'll quickly find that most owners are simply not responsive.
>
> noah
>
But I have a dynamic IP. Every time I boot my system I get another
IP-address.

Noah L. Meyerhans

Dec 24, 2003, 11:10:08 AM12/24/03
On Wed, Dec 24, 2003 at 03:33:54PM +0100, outsider wrote:
> But I have a dynamic IP. Every time I boot my system I get another
> IP-address.

The worms are targeting random IP addresses. The IP address you have
tomorrow is just as likely to get scanned as the one you have today.
(Technically not *just* as likely, due to the nature of pseudo-random
number generators and the fact that all the Windows worms have bad PRNG
implementations, but you get the idea.)

noah

Jose Luis Domingo Lopez

Dec 24, 2003, 11:50:13 AM12/24/03
On Wednesday, 24 December 2003, at 15:33:54 +0100,
outsider wrote:

> But I have a dynamic IP. Every time I boot my system I get another
> IP-address.
>

There is no end of viruses, worms, and people with too much free time
and too little brain under their hulls out there. So having a dynamic IP
address is in no way equivalent to "scan free" or "intrusion attempt
free". It just makes people interested in breaking into your boxes more
difficult to know your IP address of the day, but automated viruses,
worms and such will cover the whole Internet address space whether you
want it or not :-(

Greetings.

--
Jose Luis Domingo Lopez
Linux Registered User #189436 Debian Linux Sid (Linux 2.6.0)

Christian Storch

Dec 24, 2003, 12:00:11 PM12/24/03
That's typical: IPs are really scanned like ..., 1.2.3.4, 1.2.3.5, 1.2.3.6, ... etc.

Dale Amon

Dec 24, 2003, 12:10:06 PM12/24/03
On Wed, Dec 24, 2003 at 03:33:54PM +0100, outsider wrote:
> But I have a dynamic IP. Every time I boot my system I get another
> IP-address.

Besides what everyone else said... I've also seen it
happen that someone pulls an address from dhcp that
was perhaps minutes before being used by someone running
a p2p server. Not relevant to your samba, but it can be
so bad you reboot to get off the ip.

--
------------------------------------------------------
Dale Amon am...@islandone.org +44-7802-188325
International linux systems consultancy
Hardware & software system design, security
and networking, systems programming and Admin
"Have Laptop, Will Travel"
------------------------------------------------------

Alvin Oga

Dec 24, 2003, 5:20:05 PM12/24/03

On Wed, 24 Dec 2003, Jose Luis Domingo Lopez wrote:

> On Wednesday, 24 December 2003, at 15:33:54 +0100,
> outsider wrote:
>
> > But I have a dynamic IP. Every time I boot my system I get another
> > IP-address.
> >
> There is no end of viruses, worms, and people with too much free time
> and too little brain under their hulls out there. So having a dynamic IP

consider their attempts a "free audit" of your network

if you don't use or have any windoze box that needs to talk to that
machine ... you should be turning off nmbd/smbd on that box along
with lots of other default daemons you might not need

c ya
alvin
