User Name
Password
AppleNova Forums » General Discussion »

somone sneaking into my system?


Register Members List Calendar Search FAQ Posting Guidelines
somone sneaking into my system?
Thread Tools
ThunderPoit
Making sawdust
 
Join Date: May 2004
Location: Minnesota
 
2004-06-29, 20:44

ok, so i was messing around w/ some konfab. widgets, and i found this one that shows who is logged into your system, and any other network connections you've made. i was a little startled to see an ip that was not on my home network logged in via samba. the ip addy is 67.142.27.66.
i went and checked the samba log and found over 6000 failed login attempts. does anyone know, aside from digging through logs, how to see someone attempting or succeeding to log into your machine?
  quote
staph
Microbial member
 
Join Date: May 2004
Send a message via AIM to staph  
2004-06-29, 22:10

Quote:
Originally Posted by ThunderPoit
ok, so i was messing around w/ some konfab. widgets, and i found this one that shows who is logged into your system, and any other network connections you've made. i was a little startled to see an ip that was not on my home network logged in via samba. the ip addy is 67.142.27.66.
i went and checked the samba log and found over 6000 failed login attempts. does anyone know, aside from digging through logs, how to see someone attempting or succeeding to log into your machine?
You can check active SMB connections with the smbstatus utility. Just open up a terminal, and type smbstatus.

You probably want an intrustion detection program like Snort, which can, amongst other things, detect attempts to break in through SMB. There's a gui-fied version called HenWen which is free for personal, non-profit or educational use.

You might want to fiddle with your firewall to disallow smb connections from outside your local network. Brickhouse apparently still works as a configuration utility for OS X's firewall, and I stumbled over Sunshield this morning, which might also be useful. Little Snitch, properly configured, is a very easy way to stop unauthorised network connections as well.

Last edited by staph : 2004-06-29 at 22:21.
  quote
ThunderPoit
Making sawdust
 
Join Date: May 2004
Location: Minnesota
 
2004-06-29, 22:45

thanks, ill try some of those. btw, does anyone know why i cant do a traceroute on my mac? it keeps timing out. my roomies pc works fine tho
  quote
ThunderPoit
Making sawdust
 
Join Date: May 2004
Location: Minnesota
 
2004-06-29, 22:51

ok, so i got a traceroute on this guy, his ISP is direct PC. any way to turn him in?

Code:
traceroute to 67.142.27.66 (67.142.27.66), 30 hops max, 40 byte packets 1 GigabitEthernet0-1.dickson5.Canberra.telstra.net (203.50.0.5) 0.561 ms 0.403 ms 0.395 ms 2 GigabitEthernet4-1.civ12.Canberra.telstra.net (203.50.8.1) 0.656 ms 0.595 ms 0.513 ms 3 GigabitEthernet3-1.civ-core2.Canberra.telstra.net (203.50.7.5) 0.657 ms 0.461 ms 0.524 ms 4 GigabitEthernet2-2.dkn-core1.Canberra.telstra.net (203.50.6.126) 0.899 ms 0.773 ms 0.722 ms 5 Pos4-0.ken-core4.Sydney.telstra.net (203.50.6.121) 4.175 ms 4.134 ms 4.133 ms 6 10GigabitEthernet3-0.pad-core4.Sydney.telstra.net (203.50.6.86) 4.495 ms 4.457 ms 4.501 ms 7 GigabitEthernet0-2.syd-core01.Sydney.net.reach.com (203.50.13.226) 4.7 ms 4.679 ms 4.658 ms 8 202.84.143.233 (202.84.143.233) 192.285 ms 192.379 ms 192.703 ms 9 qwest.sjc-core01.net.reach.com (134.159.63.30) 192.444 ms 192.231 ms 192.532 ms 10 svx-core-01.inet.qwest.net (205.171.214.133) 192.006 ms 192.102 ms 192.358 ms 11 svl-core-02.inet.qwest.net (205.171.14.77) 177.711 ms 177.569 ms 177.659 ms 12 dca-core-01.inet.qwest.net (205.171.8.201) 274.241 ms 274.289 ms 274.225 ms 13 dca-edge-13.inet.qwest.net (205.171.209.74) 264.41 ms 264.319 ms 264.126 ms 14 65.113.48.90 (65.113.48.90) 259.234 ms 259.484 ms 259.287 ms 15 dpc6682016070.direcpc.com (66.82.16.70) 259.032 ms 258.89 ms 258.995 ms 16 dpc6682016142.direcpc.com (66.82.16.142) 259.605 ms 259.92 ms 259.697 ms 17 dpc6714227066.direcpc.com (67.142.27.66) 1437.57 ms 1355.42 ms 1451.26 ms
  quote
alcimedes
I shot the sherrif.
 
Join Date: May 2004
Send a message via ICQ to alcimedes  
2004-06-29, 23:07

lol, just start port scanning him. then download some fun little utils, and send things his way.

actually, dude has a pile of ports open. he might not know he's scanning you.

Code:
Port Scanning host: 67.142.27.66 Open Port: 10 Open Port: 15 Open Port: 31 msg-auth Open Port: 35 Open Port: 41 graphics Open Port: 44 mpm-flags Open Port: 80 http Open Port: 86 mfcobol Open Port: 115 sftp Open Port: 123 ntp Open Port: 132 cisco-sys Open Port: 149 aed-512 Open Port: 151 hems Open Port: 160 sgmp-traps Open Port: 167 namp Open Port: 170 print-srv Open Port: 299 Open Port: 311 asip-webadmin Open Port: 317 zannet Open Port: 321 pip Open Port: 329 Open Port: 337 Open Port: 340 Open Port: 344 pdap Open Port: 350 matip-type-a Open Port: 359 nsrmp Open Port: 360 scoi2odialog Open Port: 361 semantix Open Port: 365 dtk Open Port: 366 odmr Open Port: 377 tnETOS Open Port: 384 arns Open Port: 388 unidata-ldm Open Port: 391 synotics-relay Open Port: 398 kryptolan Open Port: 402 genie Open Port: 426 smartsdp Open Port: 437 comscm Open Port: 443 https Open Port: 731 netviewdm3 Open Port: 898 Open Port: 1025 blackjack Open Port: 1026 cap
um, yeah. that's just where i stopped. dude has a pile of ports open. i'm guessing this machine is being used by someone else.

Last edited by alcimedes : 2004-06-29 at 23:44.
  quote
staph
Microbial member
 
Join Date: May 2004
Send a message via AIM to staph  
2004-06-30, 00:46

Quote:
Originally Posted by ThunderPoit
ok, so i got a traceroute on this guy, his ISP is direct PC. any way to turn him in?

Code:
traceroute to 67.142.27.66 (67.142.27.66), 30 hops max, 40 byte packets 1 GigabitEthernet0-1.dickson5.Canberra.telstra.net (203.50.0.5) 0.561 ms 0.403 ms 0.395 ms (snippage)
Are you a Canberran, Thunderpoit?
  quote
staph
Microbial member
 
Join Date: May 2004
Send a message via AIM to staph  
2004-06-30, 00:50

Quote:
Originally Posted by alcimedes
lol, just start port scanning him. then download some fun little utils, and send things his way.

actually, dude has a pile of ports open. he might not know he's scanning you.

um, yeah. that's just where i stopped. dude has a pile of ports open. i'm guessing this machine is being used by someone else.
If they're scanning smb shares, it's possible they have one of the variants of RBot, which spreads by attacking Windows shares with weak passwords.
  quote
ThunderPoit
Making sawdust
 
Join Date: May 2004
Location: Minnesota
 
2004-06-30, 08:09

Quote:
Originally Posted by staph
Are you a Canberran, Thunderpoit?
no, i had to use a web based traceroute because mine kept timing out for some reason.
  quote
staph
Microbial member
 
Join Date: May 2004
Send a message via AIM to staph  
2004-06-30, 09:09

Quote:
Originally Posted by ThunderPoit
no, i had to use a web based traceroute because mine kept timing out for some reason.
Oh well, I suppose we don't get to extend our massive per-head-of-population lead in the "where do you live?" stakes.
  quote
Posting Rules Navigation
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

vB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Post Reply

Forum Jump
Thread Tools

« Previous Thread | Next Thread »

All times are GMT -5. The time now is 20:21.


Powered by vBulletin®
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.
Copyright ©2004 - 2024, AppleNova