LinuxQuestions.org
Old 11-27-2002, 10:30 AM   #1
hubergeek
Member
 
Registered: Mar 2002
Location: Hackensack, NJ.
Distribution: RedHat 7.0
Posts: 75

Rep: Reputation: 15
Is this a break-in attempt?


Hi,

I was checking my Samba log files and there are a number of log files like "albert.log". When I open this file I see this:

[2002/11/19 12:18:57, 1] smbd/password.c:pass_check_smb(497)
Couldn't find user 'ops2' in UNIX password database.
[2002/11/19 12:18:57, 1] smbd/password.c:pass_check_smb(497)
Couldn't find user 'ops2' in UNIX password database.
[2002/11/19 12:18:57, 1] smbd/reply.c:reply_sesssetup_and_X(927)
Rejecting user 'ops2': authentication failed
[2002/11/19 14:22:53, 1] smbd/password.c:pass_check_smb(497)
Couldn't find user 'ops2' in UNIX password database.
[2002/11/19 14:22:53, 1] smbd/password.c:pass_check_smb(497)
Couldn't find user 'ops2' in UNIX password database.
[2002/11/19 14:22:53, 1] smbd/reply.c:reply_sesssetup_and_X(927)
Rejecting user 'ops2': authentication failed

Is this an indication that this guy was trying to break into my workgroup?

I work in a place where my network is connected to a Windows domain, so people in other departments can see my group and see the machines in it, but cannot browse any of the PCs in my department.

What do you make of this?

Thanks
 
Old 11-27-2002, 11:24 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,524
Blog Entries: 51

Rep: Reputation: 2601
It's a login attempt (for now). The names like "albert".log should correlate with how Samba is configured to handle lognames using "%L" or "%U".

With "login attempt" I mean I only see 2 login attempts with a 2hr+ interval on the same day using the same username. Try to match the log/login names to system names and user names in your domain. If nothing/no one matches and/or your server doesn't expose shares, *then* you can say it's a possible attempt to break in, AFAIK but then again I'm not a Samba expert...
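
The triage described in reply #2 (count the rejected logins per user name, look at how far apart they are, and match the names against accounts you know) can be scripted over the smbd log. This is an added example, not part of either post and not Samba code; the known_users list and the burst thresholds are assumptions, and the sample log is constructed in the format quoted in post #1.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, in the format of the log quoted in post #1.
SAMPLE_LOG = """\
[2002/11/19 12:18:57, 1] smbd/password.c:pass_check_smb(497)
Couldn't find user 'ops2' in UNIX password database.
[2002/11/19 12:18:57, 1] smbd/reply.c:reply_sesssetup_and_X(927)
Rejecting user 'ops2': authentication failed
[2002/11/19 14:22:53, 1] smbd/password.c:pass_check_smb(497)
Couldn't find user 'ops2' in UNIX password database.
[2002/11/19 14:22:53, 1] smbd/reply.c:reply_sesssetup_and_X(927)
Rejecting user 'ops2': authentication failed
"""
HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d), *\d+\]")
REJECT = re.compile(r"Rejecting user '([^']*)': authentication failed")

def rejected_logins(log_text):
    """Map each rejected user name to the timestamps of its rejections."""
    attempts, stamp = defaultdict(list), None
    for line in log_text.splitlines():
        header = HEADER.match(line)
        if header:  # the timestamp is on the line before the message
            stamp = datetime.strptime(header.group(1), "%Y/%m/%d %H:%M:%S")
        elif stamp is not None:
            rejected = REJECT.search(line)
            if rejected:
                attempts[rejected.group(1)].append(stamp)
    return dict(attempts)

def triage(log_text, known_users, burst_count=5, burst_window=timedelta(minutes=1)):
    """Summarise rejections per user; burst_* are assumed thresholds, not Samba settings."""
    known = {name.lower() for name in known_users}  # hypothetical domain account list
    report = {}
    for user, times in rejected_logins(log_text).items():
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        report[user] = {
            "attempts": len(times),
            "min_gap": min(gaps) if gaps else None,
            "known_user": user.lower() in known,
            "burst": any(times[i + burst_count - 1] - times[i] <= burst_window
                         for i in range(len(times) - burst_count + 1)),
        }
    return report

if __name__ == "__main__":
    print(triage(SAMPLE_LOG, known_users=["albert", "ops1"]))
```

A few widely spaced rejections for a name that matches a real account point to a mistyped or stale login; an unknown name or a burst of rejections is what deserves a closer look.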
 
  


All times are GMT -5. The time now is 07:41 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration