
someone sneaking into my system?


ThunderPoit
2004-06-29, 20:44
ok, so i was messing around w/ some konfab. widgets, and i found this one that shows who is logged into your system, and any other network connections you've made. i was a little startled to see an ip that was not on my home network logged in via samba. the ip addy is 67.142.27.66.
i went and checked the samba log and found over 6000 failed login attempts. does anyone know, aside from digging through logs, how to see someone attempting or succeeding to log into your machine?

staph
2004-06-29, 22:10
ok, so i was messing around w/ some konfab. widgets, and i found this one that shows who is logged into your system, and any other network connections you've made. i was a little startled to see an ip that was not on my home network logged in via samba. the ip addy is 67.142.27.66.
i went and checked the samba log and found over 6000 failed login attempts. does anyone know, aside from digging through logs, how to see someone attempting or succeeding to log into your machine?

You can check active SMB connections with the smbstatus utility. Just open up a terminal, and type smbstatus.

You probably want an intrusion detection program like Snort (http://www.securemac.com/macosxsnort.php), which can, amongst other things, detect attempts to break in through SMB. There's a gui-fied version called HenWen (http://seiryu.home.comcast.net/henwen.html) which is free for personal, non-profit or educational use.

You might want to fiddle with your firewall to disallow smb connections from outside your local network. Brickhouse (http://brianhill.dyndns.org/site/modules.php?op=modload&name=News&file=article&sid=15) apparently still works as a configuration utility for OS X's firewall, and I stumbled over Sunshield (http://www.sunprotectingfactory.com/sunShield/shield_news.html) this morning, which might also be useful. Little Snitch (http://www.obdev.at/products/littlesnitch/), properly configured, is a very easy way to stop unauthorised network connections as well.
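One way to answer the "aside from digging through logs" part of the question is to let a small script do the digging. This is an added example, not code from the thread or from Samba: it parses constructed log records in a simplified, single-line Samba-like format (real smbd entries span two lines, so LINE_RE would need adjusting), assumes the home subnet is 192.168.1.0/24, and reports both password-guessing sources and any login that succeeded from outside the LAN.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

HOME_LAN = ip_network("192.168.1.0/24")  # assumption: the poster's home subnet
FAIL_THRESHOLD = 5                        # failures from one client inside WINDOW
WINDOW = timedelta(minutes=10)
# Constructed sample records in a simplified, single-line Samba-3-like style.
SAMPLE_LOG = """\
[2004/06/29 20:40:01, 2] auth: client 67.142.27.66 user [administrator] FAILED NT_STATUS_WRONG_PASSWORD
[2004/06/29 20:40:02, 2] auth: client 67.142.27.66 user [administrator] FAILED NT_STATUS_WRONG_PASSWORD
[2004/06/29 20:40:03, 2] auth: client 67.142.27.66 user [admin] FAILED NT_STATUS_NO_SUCH_USER
[2004/06/29 20:40:09, 2] auth: client 192.168.1.7 user [thunderpoit] OK
[2004/06/29 20:40:10, 2] auth: client 67.142.27.66 user [root] FAILED NT_STATUS_NO_SUCH_USER
[2004/06/29 20:40:11, 2] auth: client 67.142.27.66 user [guest] FAILED NT_STATUS_WRONG_PASSWORD
[2004/06/29 20:40:12, 2] auth: client 67.142.27.66 user [guest] OK
"""
LINE_RE = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d), \d+\] auth: client "
                     r"(\S+) user \[([^\]]*)\] (FAILED|OK)")

def parse_line(line):
    """Return (timestamp, client_ip, user, succeeded) for an auth record, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
    return ts, m.group(2), m.group(3), m.group(4) == "OK"

def analyze(log_text):
    """Flag clients with >= FAIL_THRESHOLD failures inside WINDOW, and every login that succeeded from outside HOME_LAN."""
    recent = defaultdict(deque)  # client_ip -> timestamps of recent failures
    brute_force = {}             # client_ip -> peak failure count in one window
    outside_success = []         # (client_ip, user) for logins from outside the LAN
    for line in log_text.splitlines():  # records are assumed to be in time order
        rec = parse_line(line)
        if rec is None:
            continue             # unrelated smbd chatter
        ts, ip, user, ok = rec
        if ok:
            if ip_address(ip) not in HOME_LAN:
                outside_success.append((ip, user))
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > WINDOW:  # slide the window forward
            q.popleft()
        if len(q) >= FAIL_THRESHOLD:
            brute_force[ip] = max(brute_force.get(ip, 0), len(q))
    return {"brute_force": brute_force, "outside_success": outside_success}
```

Run it against the real smbd log instead of SAMPLE_LOG once LINE_RE matches your log format; a success from outside the LAN right after a run of failures is the case the poster saw.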

ThunderPoit
2004-06-29, 22:45
thanks, i'll try some of those. btw, does anyone know why i can't do a traceroute on my mac? it keeps timing out. my roomie's pc works fine tho :\

ThunderPoit
2004-06-29, 22:51
ok, so i got a traceroute on this guy, his ISP is direct PC. any way to turn him in?

traceroute to 67.142.27.66 (67.142.27.66), 30 hops max, 40 byte packets
1 GigabitEthernet0-1.dickson5.Canberra.telstra.net (203.50.0.5) 0.561 ms 0.403 ms 0.395 ms
2 GigabitEthernet4-1.civ12.Canberra.telstra.net (203.50.8.1) 0.656 ms 0.595 ms 0.513 ms
3 GigabitEthernet3-1.civ-core2.Canberra.telstra.net (203.50.7.5) 0.657 ms 0.461 ms 0.524 ms
4 GigabitEthernet2-2.dkn-core1.Canberra.telstra.net (203.50.6.126) 0.899 ms 0.773 ms 0.722 ms
5 Pos4-0.ken-core4.Sydney.telstra.net (203.50.6.121) 4.175 ms 4.134 ms 4.133 ms
6 10GigabitEthernet3-0.pad-core4.Sydney.telstra.net (203.50.6.86) 4.495 ms 4.457 ms 4.501 ms
7 GigabitEthernet0-2.syd-core01.Sydney.net.reach.com (203.50.13.226) 4.7 ms 4.679 ms 4.658 ms
8 202.84.143.233 (202.84.143.233) 192.285 ms 192.379 ms 192.703 ms
9 qwest.sjc-core01.net.reach.com (134.159.63.30) 192.444 ms 192.231 ms 192.532 ms
10 svx-core-01.inet.qwest.net (205.171.214.133) 192.006 ms 192.102 ms 192.358 ms
11 svl-core-02.inet.qwest.net (205.171.14.77) 177.711 ms 177.569 ms 177.659 ms
12 dca-core-01.inet.qwest.net (205.171.8.201) 274.241 ms 274.289 ms 274.225 ms
13 dca-edge-13.inet.qwest.net (205.171.209.74) 264.41 ms 264.319 ms 264.126 ms
14 65.113.48.90 (65.113.48.90) 259.234 ms 259.484 ms 259.287 ms
15 dpc6682016070.direcpc.com (66.82.16.70) 259.032 ms 258.89 ms 258.995 ms
16 dpc6682016142.direcpc.com (66.82.16.142) 259.605 ms 259.92 ms 259.697 ms
17 dpc6714227066.direcpc.com (67.142.27.66) 1437.57 ms 1355.42 ms 1451.26 ms

alcimedes
2004-06-29, 23:07
lol, just start port scanning him. then download some fun little utils, and send things his way.

actually, dude has a pile of ports open. he might not know he's scanning you.

um, yeah. that's just where i stopped. dude has a pile of ports open. i'm guessing this machine is being used by someone else.

staph
2004-06-30, 00:46
ok, so i got a traceroute on this guy, his ISP is direct PC. any way to turn him in?

traceroute to 67.142.27.66 (67.142.27.66), 30 hops max, 40 byte packets
1 GigabitEthernet0-1.dickson5.Canberra.telstra.net (203.50.0.5) 0.561 ms 0.403 ms 0.395 ms

(snippage)
Are you a Canberran, Thunderpoit?

staph
2004-06-30, 00:50
lol, just start port scanning him. then download some fun little utils, and send things his way.

actually, dude has a pile of ports open. he might not know he's scanning you.

um, yeah. that's just where i stopped. dude has a pile of ports open. i'm guessing this machine is being used by someone else.

If they're scanning smb shares, it's possible they have one of the variants of RBot (http://sophos.com/virusinfo/analyses/w32rbotca.html), which spreads by attacking Windows shares with weak passwords.

ThunderPoit
2004-06-30, 08:09
Are you a Canberran, Thunderpoit?

no, i had to use a web based traceroute because mine kept timing out for some reason.

staph
2004-06-30, 09:09
no, i had to use a web based traceroute because mine kept timing out for some reason.

Oh well, I suppose we don't get to extend our massive per-head-of-population lead in the "where do you live?" stakes. :(