Lee Perez
2009-Aug-16 12:51 UTC
[CentOS] OT: Strange message in root e-mail possiablly hacked!!! Not sure??
Morning all,

A little background. Running CentOS 5.3, fully updated. I basically run this as a router and gateway for my home network. I have two (2) winblows machines hooked up. I am running samba for shares. I opened up root's mail this morning and found this strange little comment:

Connections Denied:
lib/access.c:check_access(327) 58.239.84.158 : 1 Time(s)
smbd/process.c:process_smb(1062) 58.239.84.158 : 1 Time(s)

So I started looking around in /var/log. I looked at my secure logs and saw nothing out of the ordinary. I looked in samba and found a log file 58.239.84.158.log. I opened it up and it said the following:

[2009/08/15 06:31:34, 0] lib/access.c:check_access(327)
Denied connection from (58.239.84.158)
[2009/08/15 06:31:34, 1] smbd/process.c:process_smb(1062)
Connection denied from 58.239.84.158

There is nothing on this server that I cannot replace. Did I just get hacked? Should I wipe this thing and start over? Any and all advice is greatly appreciated!!!

Thanks.

Lee Perez
Robert Heller
2009-Aug-16 13:35 UTC
[CentOS] OT: Strange message in root e-mail possiablly hacked!!! Not sure??
At Sun, 16 Aug 2009 07:51:50 -0500 CentOS mailing list <centos at centos.org> wrote:

> Morning all,
>
> A little background. Running CentOS 5.3, fully updated. I basically run
> this as a router and gateway for my home network. I have two (2) winblows
> machines hooked up. I am running samba for shares. I opened up root's
> mail this morning and found this strange little comment:
>
> Connections Denied:
> lib/access.c:check_access(327) 58.239.84.158 : 1 Time(s)
> smbd/process.c:process_smb(1062) 58.239.84.158 : 1 Time(s)
>
> So I started looking around in /var/log. I looked at my secure logs and
> saw nothing out of the ordinary. I looked in samba and found a log file
> 58.239.84.158.log. I opened it up and it said the following:
>
> [2009/08/15 06:31:34, 0] lib/access.c:check_access(327)
> Denied connection from (58.239.84.158)
> [2009/08/15 06:31:34, 1] smbd/process.c:process_smb(1062)
> Connection denied from 58.239.84.158
>
> There is nothing on this server that I cannot replace. Did I just get
> hacked? Should I wipe this thing and start over? Any and all advice is
> greatly appreciated!!!

I don't think you got hacked. You might want to check your firewall settings though. It *looks* like your firewall is letting netbios connections from off your LAN -- you should not be allowing this! It does look like someone from 58.239.84.158 (SK Broadband Co Ltd in Seoul) tried to check out your samba shares, but was denied access.

> Thanks.
>
> Lee Perez

--
Robert Heller -- 978-544-6933
Deepwoods Software -- Download the Model Railroad System
http://www.deepsoft.com/ -- Binaries for Linux and MS-Windows
heller at deepsoft.com -- http://www.deepsoft.com/ModelRailroadSystem/
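Added example (not part of any post in this thread): a Python check that reads Samba denial records in the format quoted above and reports sources outside the LAN, the sign that SMB/NetBIOS ports are reachable through the firewall. The LAN ranges and the 192.168.1.20 record are assumptions constructed for illustration; the 58.239.84.158 records are the ones from the thread.

```python
import ipaddress
import re
from collections import defaultdict

# Record header: "[timestamp, debuglevel] file:function(line)"
HEADER = re.compile(r"^\[(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s*\d+\]\s+\S+")
# Both denial wordings seen in the thread, with or without parentheses.
DENIED = re.compile(r"(?:Denied connection from|Connection denied from)\s*\(?(?P<ip>[0-9A-Fa-f.:]+)")

# Assumption: ranges used on the home LAN; adjust to the real network.
LAN_NETS = [ipaddress.ip_network("192.168.0.0/16"), ipaddress.ip_network("127.0.0.0/8")]

# Constructed sample: thread records plus one made-up LAN denial.
SAMPLE = """\
[2009/08/15 06:31:34, 0] lib/access.c:check_access(327)
  Denied connection from (58.239.84.158)
[2009/08/15 06:31:34, 1] smbd/process.c:process_smb(1062)
  Connection denied from 58.239.84.158
[2009/08/15 09:02:10, 0] lib/access.c:check_access(327)
  Denied connection from (192.168.1.20)
"""

def denied_events(log_text):
    """Map source IP -> sorted distinct timestamps of denied connections."""
    events, ts = defaultdict(set), None
    for line in log_text.splitlines():
        header = HEADER.match(line)
        if header:
            ts = header.group("ts")
            line = line[header.end():]  # message may share the header line
        hit = DENIED.search(line)
        if hit and ts:
            # The same attempt is logged by two functions; the set dedupes it.
            events[hit.group("ip")].add(ts)
    return {ip: sorted(stamps) for ip, stamps in events.items()}

def off_lan_sources(log_text, lan_nets=LAN_NETS):
    """Keep only denied sources that are not inside any LAN range."""
    flagged = {}
    for ip, stamps in denied_events(log_text).items():
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # hostname or garbage, not an address
        if not any(addr in net for net in lan_nets):
            flagged[ip] = stamps
    return flagged

if __name__ == "__main__":
    for ip, stamps in off_lan_sources(SAMPLE).items():
        print(f"off-LAN SMB attempt from {ip}: {len(stamps)} event(s), first {stamps[0]}")
```

Any address this reports reached smbd from outside the LAN, so the fix belongs in the firewall rules rather than in Samba's host access list alone.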
Lanny Marcus
2009-Aug-16 20:28 UTC
[CentOS] OT: Strange message in root e-mail possiablly hacked!!! Not sure??
On Sun, Aug 16, 2009 at 7:51 AM, Lee Perez <leecajun at windstream.net> wrote:
<snip>
> There is nothing on this server that I cannot replace. Did I just get
> hacked? Should I wipe this thing and start over? Any and all advice is
> greatly appreciated!!!

If you eventually decide to wipe it and start over, you might consider running IPCop Linux, a special distribution for Firewall/Router purposes. I use it at home and some on the list use it at work. The fewer services you run, the safer it will be. Samba, as someone said, probably should not be run on a firewall.

http://www.ipcop.org/

The version currently available has been around for a while, but they have a new version in testing. I have IPCop running on an old box with a Pentium 233 MHz MMX chip and 64 MB of RAM and it's headless.

HTH