thr3ads.net - samba - [Samba] Did I get hacked?? strange log info... [Nov 2002]

If this information is useful, please help other people find it:
Share via:

Jesse Vaughan

2002-Nov-15 05:29 UTC

[Samba] Did I get hacked?? strange log info...

I noticed I got a strange connection from what seems to be a user in 
italy?!?  and he connected to my SMB client maybe??

I'm assuming the errors in his logfile ( 
http://68.48.247.187/log.gustavo.txt )  not finding the service.c file are 
because he is being denied access.. but how is he connecting in the first 
place.. And why isnt he being refused by my servers hosts.deny file...?

I have about 6 of these rogue logs with different connect names being used.. 
  what can I do to clear this up??

Also on a side note, Any of you know what the deal is with the martian 
messages my kernel is getting??

or how to stop them?? They appeared right after a connection attempt by 
Gustavo.. I've attached a sample.. there are about 200-500 of them ::

Nov 14 04:40:00 server CROND[20451]: (root) CMD (   
/usr/share/msec/promisc_check.sh)
Nov 14 04:40:14 server smbd[20459]: [2002/11/14 04:40:14, 0] 
smbd/service.c:make_connection(248)
Nov 14 04:40:14 server smbd[20459]:   gustavo (195.250.245.176) couldn't 
find service c
Nov 14 04:40:28 server kernel: martian source 169.254.191.7 from 
169.254.191.7, on dev eth1
Nov 14 04:40:28 server kernel: ll header: 
ff:ff:ff:ff:ff:ff:00:50:da:1e:ba:32:08:06
Nov 14 04:40:28 server kernel: martian source 169.254.191.7 from 
169.254.191.7, on dev eth1
Nov 14 04:40:28 server kernel: ll header: 
ff:ff:ff:ff:ff:ff:00:50:da:1e:ba:32:08:06
Nov 14 04:40:29 server kernel: martian source 169.254.191.7 from 
169.254.191.7, on dev eth1
Nov 14 04:40:29 server kernel: ll header: 
ff:ff:ff:ff:ff:ff:00:50:da:1e:ba:32:08:06
Nov 14 04:40:30 server kernel: martian source 169.254.255.255 from 
169.254.191.7, on dev eth1
Nov 14 04:40:30 server kernel: ll header: 
ff:ff:ff:ff:ff:ff:00:50:da:1e:ba:32:08:00
Nov 14 04:40:30 server kernel: martian source 169.254.255.255 from 
169.254.191.7, on dev eth1
Nov 14 04:40:30 server kernel: ll header: 
ff:ff:ff:ff:ff:ff:00:50:da:1e:ba:32:08:00
Nov 14 04:40:31 server kernel: martian source 169.254.255.255 from 
169.254.191.7, on dev eth1
Nov 14 04:40:31 server kernel: ll header: 
ff:ff:ff:ff:ff:ff:00:50:da:1e:ba:32:08:00
Nov 14 04:40:31 server kernel: martian source 169.254.255.255 from 
169.254.191.7, on dev eth1
Nov 14 04:40:31 server kernel: ll header: 
ff:ff:ff:ff:ff:ff:00:50:da:1e:ba:32:08:00
Nov 14 04:40:31 server kernel: martian source 169.254.255.255 from 
169.254.191.7, on dev eth1
Nov 14 04:40:31 server kernel: ll header: 
ff:ff:ff:ff:ff:ff:00:50:da:1e:ba:32:08:00
Nov 14 04:40:31 server kernel: martian source 169.254.255.255 from 
169.254.191.7, on dev eth1
Nov 14 04:40:31 server kernel: ll header: 
ff:ff:ff:ff:ff:ff:00:50:da:1e:ba:32:08:00
Nov 14 04:40:32 server kernel: martian source 169.254.255.255 from 
169.254.191.7, on dev eth1
Nov 14 04:40:32 server kernel: ll header: 
ff:ff:ff:ff:ff:ff:00:50:da:1e:ba:32:08:00
Nov 14 04:40:33 server kernel: NET: 1 messages suppressed.
Nov 14 04:40:33 server kernel: martian source 169.254.255.255 from 
169.254.191.7, on dev eth1
Nov 14 04:40:33 server kernel: ll header: 
ff:ff:ff:ff:ff:ff:00:50:da:1e:ba:32:08:00
Nov 14 04:40:38 server kernel: NET: 13 messages suppressed.
Nov 14 04:40:38 server kernel: martian source 169.254.255.255 from 
169.254.191.7, on dev eth1
Nov 14 04:40:38 server kernel: ll header: 
ff:ff:ff:ff:ff:ff:00:50:da:1e:ba:32:08:00
Nov 14 04:40:43 server kernel: NET: 4 messages suppressed.
Nov 14 04:40:43 server kernel: martian source 169.254.255.255 from 
169.254.191.7, on dev eth1
Nov 14 04:40:43 server kernel: ll header: 
ff:ff:ff:ff:ff:ff:00:50:da:1e:ba:32:08:00
Nov 14 04:40:48 server kernel: NET: 3 messages suppressed.
Nov 14 04:40:48 server kernel: martian source 169.254.255.255 from 
169.254.191.7, on dev eth1
Nov 14 04:40:48 server kernel: ll header: 
ff:ff:ff:ff:ff:ff:00:50:da:1e:ba:32:08:00
Nov 14 04:40:53 server kernel: NET: 6 messages suppressed.
Nov 14 04:40:53 server kernel: martian source 169.254.255.255 from 
169.254.191.7, on dev eth1
Nov 14 04:40:53 server kernel: ll header: 
ff:ff:ff:ff:ff:ff:00:50:da:1e:ba:32:08:00
Nov 14 04:40:58 server kernel: NET: 9 messages suppressed.
Nov 14 04:40:58 server kernel: martian source 169.254.255.255 from 
169.254.191.7, on dev eth1
Nov 14 04:40:58 server kernel: ll header: 
ff:ff:ff:ff:ff:ff:00:50:da:1e:ba:32:08:00
Nov 14 04:41:00 server CROND[20461]: (root) CMD (   
/usr/share/msec/promisc_check.sh)
Nov 14 04:41:55 server kernel: NET: 1 messages suppressed.
Nov 14 04:41:55 server kernel: martian source 169.254.255.255 from 
169.254.191.7, on dev eth1
Nov 14 04:41:55 server kernel: ll header: 
ff:ff:ff:ff:ff:ff:00:50:da:1e:ba:32:08:00
Nov 14 04:42:00 server CROND[20470]: (root) CMD (   
/usr/share/msec/promisc_check.sh)



Any help would be appreciated.. just email me please.. jrv116@hotmail.com

_________________________________________________________________
Tired of spam? Get advanced junk mail protection with MSN 8. 
http://join.msn.com/?page=features/junkmail

Mathias Homann

2002-Nov-15 07:46 UTC

head link

[Samba] Did I get hacked?? strange log info...

Jesse Vaughan sagte:
> Also on a side note, Any of you know what the deal is with the martian
> messages my kernel is getting??
'martian sources' are a FAQ amongst linux firewall guys. In short, a
network device reports a 'martian source' when it sees a packet that
can't
be 'from this planet' so it must be from mars (=martian source). An
example would be a packet which comes from the internal net, HAS mac
adress info (=is not routed) but doesn't fit the network config of the
device in question.

For deeper insights, google for it.


bye,
MH

Reasonably Related Threads

Search for more seemingly similar threads

samba - Nov 2002 - Did I get hacked?? strange log info...

[Samba] Did I get hacked?? strange log info...

[Samba] Did I get hacked?? strange log info...

Reasonably Related Threads