Linux - Software: This forum is for Software issues.
I didn't see btmiller's reply. The IPs are not publicly routable (the network IPs are 192.168.2.* - if that's what you mean).
I'd say the most likely thing is they got through the ports that were open; however, I'm the only person that really uses the FTP and HTTP servers via the WAN address. I think there have been two people, that I know of, who have connected to these servers. Even so, the servers have been down most of today, and the 'message' only appeared when Samba was enabled / I enabled sharing of the C drive.
Which almost rules out the possibility of getting through on the open ports.... Looks like I do need to do some detective work... Where should I start? Could this be nothing to do with my Linux box at all?
I'm fairly sure that my routers are configured correctly, then again I'm not totally sure of anything right now.
I'm.... pretty... sure it wasn't me, not sure though.. *suspicious eyes*
I was infected with a virus a few days ago, but I got rid of that. I missed the name though, some sort of worm.
If the worm created the file, then it seems strange that it mentions a problem with the sharing, when I only first noticed it when I edited the sharing of the C drive.....
Why don't you run a port scan on your Win machine, tighten up your Linux firewall, and you should be fine, unless you have 50 open ports, in which case it becomes complicated.
The firewall is on the router itself. I found that using a firewall on a client machine can cause problems when being behind a router that has a built-in firewall.
Originally posted by pepsi: Why don't you run a port scan on your Win machine, tighten up your Linux firewall, and you should be fine, unless you have 50 open ports, in which case it becomes complicated.
@TBomb
Have you got a friend to port scan your WAN address? I didn't see a mention of this in the thread, but I may be blind. Doing this would quickly tell you if there are other ports you weren't aware of open from the outside world :(
Kinda weird that the e-mail address is invalid though, doesn't really seem like a "good samaritan" thing to be, more like, as someone suggested in this thread, covering up a more sinister action. You checked both machines for viruses / spam bots - any unusual activity etc?
And what about logs? Doesn't Samba keep logs of access to *stuff* in general? :)
Steve
P.S. sorry, I was in a bit of a rush, if I've repeated anything said in the thread it's because I am a bad speed reader :(
I'll get a friend to do the port scan tonight. I've scanned my WAN address on ports 137 and 139, which, as far as I'm aware, are used for sharing. But it says the ports are closed...?
Okay, the scan's been done... I got him to scan the full port range 0 - 65535, here's the results:
Ports (13 opened, 65523 closed)
110 Open (pop3)
80 Open (www-http)
25 Open (smtp)
23 Open (telnet)
21 Open (ftp)
254 Open
255 Open
3516 Open
8080 Open (http-proxy)
8644 Open
27134 Open
39436 Open
44257 Open
I looked up some of the unnamed ports in that list, and in all of the port listings I looked at, some of the port numbers were skipped....
Some of the ports in that list I know of: 80, 8080 and 21 I knew were open, as I use those regularly. Note as well that both 139 and 137 are closed....
BTW, the telnet port I realised is for one of my routers, not my client PCs.
It could be that one of your machines got a Trojan, and connected out to the hacker to establish a connection, in which case, the firewall wouldn't help much.
There are people constantly scanning the internet for SMB shares and other services. You were lucky that the person wasn't malicious. You need to add a line to the global section of your smb.conf
hosts allow = 192.168.0 <--- just replace the IP octets with your own subnet and restart samba.
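An added example, not code from the thread or from Samba, that models the hosts allow / hosts deny advice above: it parses an smb.conf fragment and reports whether a given client address would be admitted, following the precedence rules described in smb.conf(5) (loopback is admitted unless explicitly denied; where the lists conflict, hosts allow wins). It uses the trailing-dot network-prefix form documented in smb.conf(5), the 192.168.2. LAN prefix given earlier in the thread, and constructed config text and a constructed 203.0.113.x outside address; hostname entries and the EXCEPT keyword are not modelled.

```python
# Added example, not from the thread: a checker for the "hosts allow" advice.
# It parses an smb.conf text and decides whether a client address would be
# admitted, following the precedence in smb.conf(5): loopback is allowed unless
# explicitly denied, and where the two lists conflict "hosts allow" wins.
import ipaddress
import re

def parse_smb_conf(text):
    """{section: {key: value}}; Samba ignores case and whitespace in keys."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections[current] = {}
        elif "=" in line and line[0] not in "#;" and current is not None:
            key, value = line.split("=", 1)
            sections[current][re.sub(r"\s+", "", key).lower()] = value.strip()
    return sections

def entry_matches(entry, ip):
    if entry.upper() == "ALL":
        return True
    if entry.endswith("."):          # "192.168.2." means a network prefix
        return str(ip).startswith(entry)
    if "/" in entry:                 # CIDR or address/netmask form
        return ip in ipaddress.ip_network(entry, strict=False)
    return ip == ipaddress.ip_address(entry)

def list_matches(value, ip):
    return any(entry_matches(e, ip) for e in re.split(r"[,\s]+", value) if e)

def client_allowed(conf, client):
    ip = ipaddress.ip_address(client)
    g = conf.get("global", {})
    allow, deny = g.get("hostsallow", ""), g.get("hostsdeny", "")
    if ip.is_loopback and not list_matches(deny, ip):
        return True
    if not allow and not deny:
        return True                          # no restriction: anyone connects
    if not deny:
        return list_matches(allow, ip)       # an allow list alone restricts
    if not allow:
        return not list_matches(deny, ip)
    return list_matches(allow, ip) if list_matches(deny, ip) else True

# Constructed configs: open default vs. hardened [global]; 192.168.2. is the
# LAN prefix mentioned earlier in the thread.
OPEN_CONF = "[global]\n   workgroup = WORKGROUP\n"
HARDENED_CONF = ("[global]\n   workgroup = WORKGROUP\n"
                 "   hosts allow = 192.168.2. 127.\n   hosts deny = ALL\n")
```

Run `testparm` after editing the real smb.conf to confirm Samba parses the lists the same way before restarting it.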
This is much more of a Security related question than it is a general Software question. You might want to ask the moderator to move this thread to the Security forum. -- J.W.