From: Matthew Seaman
To: David Bear
Cc: freebsd-questions@freebsd.org
Date: Thu, 11 Dec 2003 19:44:15 +0000
Subject: Re: kernel tcp connection logging
Message-ID: <20031211194415.GC75256@happy-idiot-talk.infracaninophile.co.uk>
In-Reply-To: <20031211104359.B4978@asu.edu>
On Thu, Dec 11, 2003 at 10:43:59AM -0700, David Bear wrote:
> I'm running a generic release-4.7 kernel. At some point I must have
> set some sysctl option because I get a lot of messages like:
>
> Dec 11 10:35:18 recsrv1 /kernel: Connection attempt to TCP
> 129.219.208.171:135 from 129.219.90.69:4449
> Dec 11 10:35:19 recsrv1 last message repeated 2 times

No -- that's not your fault at all. You're being scanned by Windows
machines infected with the MS-BLASTER worm or something like it that
is attempting to exploit the RPC DCOM buffer overflow vulnerability --
see

    http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS03-039.asp

or search for MS-BLAST on any of the anti-virus vendors' sites.

> I am using log_in_vain='1' in rc.conf but do have samba listening on
> port 135.
>
> Any way I can quash these messages?

Unplug your system from the internet? Or sit back, comfortable in the
knowledge that even if your firewall wasn't blocking the packets, you'd
still be invulnerable to being exploited. Develop a nice sense of
Schadenfreude, then come to the uncomfortable realization that the
machines taken over by this worm generally get turned into zombie spam
engines from hell...

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK
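The lines David quotes are what FreeBSD's net.inet.tcp.log_in_vain (and its UDP sibling) sysctl emits: one kernel message per SYN that arrives for a port with no listening socket, with syslogd collapsing identical consecutive lines into "last message repeated N times". Rather than quashing them, a defender can turn them into a picture of who is probing which ports. The following Python script is an added example for this thread, not code from either poster or from FreeBSD. It parses lines in the 4.x syslog format shown above (the "/kernel:" tag is assumed; later releases use "kernel:"), expands the syslogd repeat lines so counts are right, ignores unrelated daemon output, and flags sources that touch several distinct ports (a vertical scan) as opposed to many sources hitting one port, which is the worm pattern Matthew describes. The sample log is constructed: it reuses the two addresses from the original post and adds hosts from the 192.0.2.0/24 documentation range.

```python
import re
from collections import Counter, defaultdict

# Syslog line as written by a FreeBSD 4.x kernel with log_in_vain enabled.
# The original post shows it wrapped by the mail client; in the log it is one line.
ATTEMPT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) /kernel: "
    r"Connection attempt to (?P<proto>TCP|UDP) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) from (?P<src>[\d.]+):(?P<sport>\d+)$"
)
# syslogd's suppression marker for identical consecutive messages.
REPEAT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"last message repeated (?P<n>\d+) times$"
)

# Constructed sample: the two addresses from the post plus RFC 5737 documentation hosts.
SAMPLE_LOG = """\
Dec 11 10:35:18 recsrv1 /kernel: Connection attempt to TCP 129.219.208.171:135 from 129.219.90.69:4449
Dec 11 10:35:19 recsrv1 last message repeated 2 times
Dec 11 10:35:40 recsrv1 /kernel: Connection attempt to TCP 129.219.208.171:135 from 192.0.2.10:1034
Dec 11 10:36:02 recsrv1 /kernel: Connection attempt to TCP 129.219.208.171:445 from 192.0.2.10:1035
Dec 11 10:36:05 recsrv1 sshd[1234]: Accepted publickey for matthew from 192.0.2.20 port 51000 ssh2
Dec 11 10:36:07 recsrv1 /kernel: Connection attempt to UDP 129.219.208.171:137 from 192.0.2.10:137
Dec 11 10:36:09 recsrv1 last message repeated 4 times
Dec 11 10:36:30 recsrv1 /kernel: Connection attempt to TCP 129.219.208.171:135 from 192.0.2.33:3021
"""


def parse_attempts(lines):
    """Yield one (proto, src, dst, dport) tuple per logged attempt.

    A 'last message repeated N times' line only ever refers to the line
    immediately before it, so the last attempt is replayed N times and any
    unrelated line in between resets it (a repeat after sshd output is not ours).
    """
    last = None
    for line in lines:
        line = line.rstrip("\n")
        m = ATTEMPT_RE.match(line)
        if m:
            last = (m["proto"], m["src"], m["dst"], int(m["dport"]))
            yield last
            continue
        m = REPEAT_RE.match(line)
        if m:
            if last is not None:
                for _ in range(int(m["n"])):
                    yield last
            continue
        last = None  # some other message: a following repeat line is not an attempt


def summarize(lines, scan_threshold=3):
    """Aggregate attempts by target port and by source, and list sources that
    probed at least scan_threshold distinct (proto, port) pairs."""
    by_port = Counter()
    by_src = Counter()
    ports_per_src = defaultdict(set)
    for proto, src, _dst, dport in parse_attempts(lines):
        by_port[(proto, dport)] += 1
        by_src[src] += 1
        ports_per_src[src].add((proto, dport))
    port_scanners = sorted(
        src for src, ports in ports_per_src.items() if len(ports) >= scan_threshold
    )
    return {
        "total": sum(by_src.values()),
        "by_port": by_port,
        "by_src": by_src,
        "port_scanners": port_scanners,
    }


def report(lines):
    """Human-readable summary, e.g. for a nightly mail from periodic(8)."""
    r = summarize(lines)
    out = [f"{r['total']} connection attempts to closed ports"]
    for (proto, port), n in r["by_port"].most_common():
        out.append(f"  {proto}/{port:<5} {n:>5}")
    out.append("top sources:")
    for src, n in r["by_src"].most_common(5):
        out.append(f"  {src:<15} {n:>5}")
    if r["port_scanners"]:
        out.append("sources touching several ports: " + ", ".join(r["port_scanners"]))
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_LOG.splitlines()))
```

Fed /var/log/messages instead of the constructed sample, the by_port table makes the worm traffic obvious (a single port, many sources), while port_scanners separates out hosts walking through the port list, which is the traffic worth a closer look or a firewall rule. Because log_in_vain never fires for a port that has a listener, a burst of entries for 135 also tells you nothing was accepting on that port when the SYNs arrived.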