[Gllug] Have I been compromised??

Tom Gilbert tom at linuxbrit.co.uk
Mon Sep 2 17:38:42 UTC 2002


* omphe (omphe at keiko.demon.co.uk) wrote:
> Tom Gilbert wrote:
> 
> > > Not sure if
> > > I'm being paranoid or not.
> >
> > Why do you think you've been compromised? Seeing external addresses in
> > your apache logs is pretty normal, after all =P
> 
> The access.log shows a few entries to ***.***.***.***:6667 (obviously I've
> *ed the real address).  Being a newbie, I read furiously for an hour or so
> and this seems to indicate that someone is trying to access me through/for
> IRC.

Couple of things there, for one, why not show us the log entries you're
worried about? I'm sceptical myself, because for you to have people
connecting to your webserver on port 6667, you'd have to have
specifically configured it to listen on 6667 yourself.

> Furthermore, my nmbd (Samba netbios) logs show countless unsuccessful
> (I hope) connection attempts.  I'm checking every log that I can, but I'm
> not sure of everything that I should be looking for.

Try not to have samba (etc) listening on an external-facing IP address,
edit your samba config, and add the line:
socket address = 192.168.0.2
(obviously using whatever your internal address is instead of
192.168.0.2).

Tom.
-- 
   .^.    .-------------------------------------------------------.
   /V\    | Tom Gilbert, London, England | http://linuxbrit.co.uk |
 /(   )\  | Open Source/UNIX consultant  | tom at linuxbrit.co.uk    |
  ^^-^^   `-------------------------------------------------------'

-- 
Gllug mailing list  -  Gllug at linux.co.uk
http://list.ftech.net/mailman/listinfo/gllug
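
One way to pull out the log entries Tom asks to see, as an added example that is not part of the original message. It assumes Apache's common/combined log format and that the entries of concern are requests whose target names a host on port 6667; the sample lines and the name `proxy_style_hits` are constructed for illustration.

```python
import re

# Apache common/combined format: host ident user [time] "request" status size ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" (?P<status>\d{3}) '
)
# Authority-form (CONNECT host:port) or absolute-form (GET http://host:port/) targets.
TARGET_RE = re.compile(
    r'^(?:[a-z][a-z0-9+.-]*://)?(?P<host>[^/:\s]+):(?P<port>\d+)(?:/|$)', re.I
)
IRC_PORTS = {6667}  # the port mentioned in the thread

# Constructed sample lines (documentation address ranges), not real log data.
SAMPLE = [
    '203.0.113.7 - - [02/Sep/2002:14:01:12 +0000] "CONNECT 198.51.100.20:6667 HTTP/1.0" 405 302',
    '203.0.113.7 - - [02/Sep/2002:14:01:15 +0000] "GET http://198.51.100.20:6667/ HTTP/1.0" 404 287',
    '192.0.2.44 - - [02/Sep/2002:14:05:40 +0000] "GET /index.html HTTP/1.1" 200 1043',
    '203.0.113.9 - - [02/Sep/2002:15:22:03 +0000] "CONNECT 198.51.100.20:6667 HTTP/1.0" 200 0',
]


def proxy_style_hits(lines, ports=IRC_PORTS):
    """Return one dict per request whose target is host:port with port in `ports`."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable access-log line
        t = TARGET_RE.match(m["target"])
        if not t or int(t["port"]) not in ports:
            continue  # ordinary local path, or a port we are not looking for
        status = int(m["status"])
        hits.append({
            "client": m["client"],
            "method": m["method"],
            "target": f'{t["host"]}:{t["port"]}',
            "status": status,
            # 4xx/5xx: the server rejected the request. 2xx: it did not, so
            # check whether proxying (e.g. mod_proxy) is enabled on this host.
            "needs_review": 200 <= status < 300,
        })
    return hits


if __name__ == "__main__":
    for hit in proxy_style_hits(SAMPLE):
        print(hit)
```

The status code is what separates a rejected probe from a request the server accepted, so it is the first field to include when posting such entries to the list.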



