LinuxQuestions.org
Old 06-13-2004, 04:04 PM   #16
wrongman
Member
 
Registered: May 2004
Location: Italy
Distribution: Debian Unstable 64bit
Posts: 99

Rep: Reputation: 15

I agree with btmiller, the fact that he left a friendly message can mask an unfriendly action...
 
Old 06-13-2004, 04:05 PM   #17
Newb001
LQ Newbie
 
Registered: Jun 2004
Distribution: Phlak
Posts: 20

Rep: Reputation: 0
Have you configured your routers properly?
Follow suggestions 2 & 3 above.
 
Old 06-13-2004, 04:14 PM   #18
TBomb
Member
 
Registered: May 2004
Location: Great Britain
Distribution: Slackware
Posts: 91

Original Poster
Rep: Reputation: 15
I didn't see btmiller's reply. The IPs are not publicly routable (the network IPs are 192.168.2.* - if that's what you mean).

I'd say the most likely thing is they got through the ports that were open, however, I'm the only person that really uses the FTP and HTTP servers via the WAN address, I think there's been two people, that I know of, that have connected to these servers. Even so, the servers have been down most of today, and the 'message' only appeared when samba was enabled / I enabled sharing of the C drive.

Which almost rules out the possibility of getting through on the open ports.... Looks like I do need to do some detective work... Where should I start? Could this be nothing to do with my linux box at all?

I'm fairly sure that my routers are configured correctly, then again I'm not totally sure of anything right now.
 
Old 06-13-2004, 04:40 PM   #19
Aeiri
Member
 
Registered: Feb 2004
Posts: 307

Rep: Reputation: 30
Have you been drunk in the last week?

It could have been a prank set up by yourself, just you don't remember it
 
Old 06-13-2004, 04:49 PM   #20
TBomb
Member
 
Registered: May 2004
Location: Great Britain
Distribution: Slackware
Posts: 91

Original Poster
Rep: Reputation: 15
I'm.... pretty... sure it wasn't me, not sure though.. *suspicious eyes*

I was infected with a virus a few days ago, but I got rid of that, I missed the name though, some sort of worm.

If the worm created the file, then it seems strange that it mentions a problem with the sharing, when I only first noticed it when I edited the sharing of the C drive.....
 
Old 06-13-2004, 06:18 PM   #21
pepsi
Member
 
Registered: Apr 2004
Posts: 63

Rep: Reputation: 15
Why don't you run a port scan on your win machine, tighten up your linux firewall, and you should be fine, unless you have 50 open ports, in which case it becomes complicated.
 
Old 06-14-2004, 09:43 AM   #22
TBomb
Member
 
Registered: May 2004
Location: Great Britain
Distribution: Slackware
Posts: 91

Original Poster
Rep: Reputation: 15
The firewall is on the router itself. I found that using a firewall on a client machine can cause problems when being behind a router that has a built in firewall.
 
Old 06-14-2004, 11:40 AM   #23
SBing
Member
 
Registered: Mar 2004
Posts: 519

Rep: Reputation: 35
Quote:
Originally posted by pepsi
Why don't you run a port scan on your win machine, tighten up your linux firewall, and you should be fine, unless you have 50 open ports, in which case it becomes complicated.
@TBomb

Have you got a friend to port scan your WAN address? I didn't see a mention of this in the thread, but I may be blind. Doing this would quickly tell you if there are other ports you weren't aware of open from the outside world :(

Kinda weird that the e-mail address is invalid though, doesn't really seem like a "good samaritan" thing to be, more like as someone suggested in this thread - covering up a more sinister action. You checked both machines for viruses / spam bots - any unusual activity etc?

And what about logs? Doesn't samba keep logs of access to *stuff* in general? :)

Steve

P.S. sorry, I was in a bit of a rush, if I've repeated anything said in the thread it's because I am a bad speed reader :(
 
Old 06-14-2004, 12:07 PM   #24
TBomb
Member
 
Registered: May 2004
Location: Great Britain
Distribution: Slackware
Posts: 91

Original Poster
Rep: Reputation: 15
I'll get a friend to do the port scan tonight. I've scanned my WAN address on ports 137 and 139, which, as far as I'm aware, is sharing. But it says the ports are closed...?

I'll see what the port scan shows up.
 
Old 06-14-2004, 01:58 PM   #25
TBomb
Member
 
Registered: May 2004
Location: Great Britain
Distribution: Slackware
Posts: 91

Original Poster
Rep: Reputation: 15
Okay, the scan's been done... I got him to scan the full IP range 0 - 65535, here's the results:



Ports (13 opened, 65523 closed)

110 Open (pop3)
80 Open (www-http)
25 Open (smtp)
23 Open (telnet)
21 Open (ftp)
254 Open
255 Open
3516 Open
8080 Open (http-proxy)
8644 Open
27134 Open
39436 Open
44257 Open


I looked up some of the un-named ports in that list, and in all of the port listings I looked at, some of the port numbers were skipped....

Some of the ports in that list I know of, 80, 8080 and 21 I knew were open, as I use those regularly. Note as well that both 139 and 137 are closed....

BTW, the telnet port I realised is for one of my routers, not my client PCs.
 
Old 06-14-2004, 02:35 PM   #26
MS3FGX
LQ Guru
 
Registered: Jan 2004
Location: NJ, USA
Distribution: Slackware, Debian
Posts: 5,852

Rep: Reputation: 361
It could be that one of your machines got a Trojan, and connected out to the hacker to establish a connection, in which case, the firewall wouldn't help much.
 
Old 06-14-2004, 02:37 PM   #27
SBing
Member
 
Registered: Mar 2004
Posts: 519

Rep: Reputation: 35
So you can now find out what ports are being listened to on your linux box and find out what _could_ have been connected to :)?

su
netstat -nlp

That'll tell what programs are listening on what ports - then it's a case of finding out which ones could have been exploited :(

Steve
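
The check suggested above, taken one step further as an added example (not part of the original thread): it matches the open ports from the outside scan in post #25 against `netstat -nlp` output, so that ports with no listener on the Linux box can be traced to the router or another machine instead. The netstat text is a constructed sample, and the function names are made up for this example.

```shell
#!/bin/sh
# Open ports reported by the outside scan in post #25.
SCAN_PORTS="21 23 25 80 110 254 255 3516 8080 8644 27134 39436 44257"

# Constructed sample of `netstat -nlp` output (not taken from the thread).
sample_netstat() {
cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      812/proftpd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      790/httpd
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      845/smbd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      701/sendmail
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      790/httpd
udp        0      0 0.0.0.0:137             0.0.0.0:*                           840/nmbd
EOF
}

# listeners: netstat -nlp text on stdin -> "port bind-address pid/program"
# for every TCP socket in LISTEN state.
listeners() {
    awk '$1 ~ /^tcp/ && $6 == "LISTEN" {
        n = split($4, a, ":")        # port is the last ":" field (works for ":::80" too)
        addr = substr($4, 1, length($4) - length(a[n]) - 1)
        print a[n], addr, $7
    }'
}

# classify: one line per scanned port:
#   "<port> local <prog>"     a listener on this box that other hosts can reach
#   "<port> loopback <prog>"  bound to 127.x/::1 only, so the scan hit another device
#   "<port> none -"           nothing on this box listens there
classify() {
    listeners | awk -v ports="$SCAN_PORTS" '
        { kind = ($2 ~ /^127\./ || $2 == "::1") ? "loopback" : "local"
          # a non-loopback listener takes precedence over a loopback one
          if (!($1 in how) || kind == "local") { how[$1] = kind; prog[$1] = $3 } }
        END { n = split(ports, want, " ")
              for (i = 1; i <= n; i++) {
                  p = want[i]
                  if (p in how) print p, how[p], prog[p]
                  else          print p, "none", "-"
              } }'
}

# On a live system, as root so program names are shown: netstat -nlp | classify
sample_netstat | classify
```

Ports reported as `none` or `loopback` are answered by something other than this machine, which is where the router's forwarding table and the other hosts on the LAN need checking.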
 
Old 06-14-2004, 02:49 PM   #28
Ph0enix2003
Member
 
Registered: Jun 2004
Posts: 101

Rep: Reputation: 15
There are people constantly scanning the internet for SMB shares and other services. You were lucky that the person wasn't malicious. You need to add a line to the global section of your smb.conf

hosts allow = 192.168.0 <--- just replace the IP octets with your own subnet and restart samba.
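
A way to verify that restriction after editing the file, as an added example (not part of the original thread): it reads the `[global]` section of an smb.conf and classifies each `hosts allow` entry. smb.conf(5) writes network prefixes with a trailing dot (its own example is `150.203.`) or as network/mask, so the script reports any other entry as a single host. The sample config is constructed, with the 192.168.2.* LAN from post #18, and the function names are made up for this example.

```shell
#!/bin/sh
# Constructed smb.conf (not from the thread); 192.168.2. is the LAN from post #18.
sample_smb_conf() {
cat <<'EOF'
[global]
   workgroup = HOME
;  hosts allow = ALL
   Hosts Allow = 192.168.2. 127. 192.168.0
[cdrive]
   path = /mnt/c
EOF
}

# Print the [global] "hosts allow" value (synonym: "allow hosts") from stdin.
# smb.conf section and parameter names ignore case and embedded whitespace.
global_hosts_allow() {
    awk '
        /^[ \t]*[#;]/ { next }                                  # comment line
        /^[ \t]*\[/   { sec = tolower($0); gsub(/[ \t]/, "", sec); next }
        sec == "[global]" && (eq = index($0, "=")) {
            key = tolower(substr($0, 1, eq - 1)); gsub(/[ \t]/, "", key)
            if (key == "hostsallow" || key == "allowhosts") {
                val = substr($0, eq + 1); sub(/^[ \t]+/, "", val)
            }
        }
        END { print val }'
}

# One verdict per entry: "network" (trailing-dot prefix or net/mask),
# "wide" (everyone), "host" (a single name or address).
# Prints "unset" when [global] has no hosts allow, i.e. all hosts are permitted.
audit_hosts_allow() {
    allow=$(global_hosts_allow | tr ',' ' ')
    [ -n "$allow" ] || { echo "unset"; return 0; }
    set -f                                   # entries are data, not globs
    for e in $allow; do
        case $e in
            EXCEPT)        break ;;          # what follows are exclusions
            ALL|0.0.0.0/0) echo "$e wide" ;;
            *.|*/*)        echo "$e network" ;;
            *)             echo "$e host" ;;
        esac
    done
    set +f
}

# On a live system: audit_hosts_allow < /etc/samba/smb.conf (path is an assumption)
sample_smb_conf | audit_hosts_allow
```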
 
Old 06-14-2004, 03:26 PM   #29
shelby
Member
 
Registered: Nov 2002
Location: Rio Rancho, NM
Distribution: RHEL, CentOS & Ubuntu
Posts: 90

Rep: Reputation: 15
Just a thought but do you have a wireless router?
 
Old 06-15-2004, 12:22 AM   #30
J.W.
LQ Veteran
 
Registered: Mar 2003
Location: Boise, ID
Distribution: Mint
Posts: 6,642

Rep: Reputation: 87
This is much more of a Security related question than it is a general Software question. You might want to ask the moderator to move this thread to the Security forum. -- J.W.
 
  


All times are GMT -5.