need help: samba mount intruder

Post by Peter Wokau » Sat, 08 Aug 1998 04:00:00



hi all,

my port-listener told me:
my.host.ip:139 --- intruders.host.ip:number close_wait
my.host.ip:139 --- intruders.host.ip:number2 close_wait

Does that mean that I really had an open connection to my
host?
Okay, let me say: I am talking about my personal computer with
a PPP connection over an analog modem.
It was NO winnuke try.
Was it simply a telnet try on port 139 of my PC?
I believe that it was "smbmount"!
close_wait tells me that there was a hard interrupt.
The connection was too slow on that analog modem connection,
I believe.
But the question is:
has he stolen any files from my PC?
I am very angry.
I do NOT do file sharing, and have no printer share.
CAN an intruder have access to my hard disk c: of the PC?
netstat -a
shows me
UDP nbname *.*
UDP nbfatagram *.*
So, that means I can have access MYSELF to a WinNT server or
WfW server, to their shares, right?
Can anybody help me ?
I do not want to find my personal letters on the wire.

I believe someone has TRIED to check the shares of my PC, if
any exist - not more.
But a try is a try - it is NOT correct!

The remote computer which wanted to connect to my PC on
port 139 was a Linux host. I checked it, because I was online.
It was NOT another Win95 PC or WinNT PC. So the intruder must
have had smbmount.c, right? Is there a possibility of finding
traces on that Linux PC, if I contacted the postmaster
of that system?
Of course, smbmount MUST be installed by ROOT, and I believe root
himself did that hack.

Any chance for me ?

thank you in advance for your help,

Peter

 
 
 

1. Help: Need to foil intruder on my (AIX) system using ftp

Dear Mr. Thomas,

  If you want to fix the security problems without stirring
the pot, I suggest you use an anonymous remailer to let your
bosses and the sysadmin know that your system is being compromised.

  Someone else suggested that you run TCP wrappers to log and
deny access.  I use this approach myself, but it can be gotten
around also.

  It's important that you clean these people off your system,
because not only are your own machines at risk, but you may
be held liable for the damage these guys do FROM your systems
to other sites on the internet.

Regards,  

PeterM

2. Backing up with dump. Few questions

3. Help needed to check for intruders

4. FP2000 and .htaccess

5. Need help mounting home dir on Win98 w/ Samba

6. 2 3c509's

7. NEED Help on routing and Samba ! HELP HELP!!

8. Want to install linux on old P60

9. CD-ROM mount needs source <--> source needs CD-ROM mount

10. Help: How many automount/mount process need to mount same disk.?

11. Samba needs "mount version 6"

12. I need to mount WinNT directories on my bsd box can not use samba

13. "mounted cd-rom" and "mounted samba share" icons on KDE 3.1 desktop