Tiny Core Linux
		Tiny Core Extensions => TCE Talk => Topic started by: PingPing on July 07, 2009, 08:45:23 AM
		
			
I took a quick look at the logs in /var/log/samba and noticed I had loads from machines I don't recognise, e.g.:
 
 /var/log/samba/log.porky
 /var/log/samba/log.66.118.164.220
 /var/log/samba/log.190.57.98.155
 /var/log/samba/log.201.252.6.155
 /var/log/samba/log.f__nyig__bor-pc
 /var/log/samba/log.80.98.12.98
 /var/log/samba/log.41.243.31.202
 /var/log/samba/log.newton___
 /var/log/samba/log.0.0.0.0
 /var/log/samba/log.jcthc
 /var/log/samba/log.
 /var/log/samba/log.91.115.221.119
 /var/log/samba/log.newtonto_
 /var/log/samba/log.lqpxf2isqgev1bgk
 ...
 
 My /etc/samba/smb.conf has the line "logfile = /var/log/samba/log.%m"
 and I only have three machines on my network (hostnames):
 
 netbook
 asrock
 box
 
 I'm concerned that I've had a break-in/been cracked.
 Looking at some of the logs there are lots of things like:
 
 getpeername failed. Error was Transport endpoint is not connected
 read_socket_with_timeout: client 0.0.0.0 read error = Connection reset by peer.
 
 [2009/06/29 11:11:49,  1] smbd/service.c:make_connection(1284)
 make_connection: refusing to connect with no session setup
 
 The server sits behind my firewall/gateway and the only port open is 80 (I run my busybox httpd on the same machine as samba).
 
Am I the victim of a botnet?
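
Added example, not part of the original post: a small triage script for a per-client log directory like the one above. It sorts each log.%m file name into known host, unknown machine name, or address type. The function names and category labels are hypothetical, and the sample list is constructed from names shown in the post plus one constructed entry.

```python
import ipaddress

# Hostnames the poster lists as the only machines on the network.
KNOWN_HOSTS = {"netbook", "asrock", "box"}
# Samba's own daemon logs (log.smbd etc.) are not per-client files.
DAEMONS = {"smbd", "nmbd", "winbindd"}

# Constructed sample: names taken from the listing in the post,
# plus "log.netbook" added here to exercise the known-host case.
SAMPLE = [
    "log.porky", "log.66.118.164.220", "log.f__nyig__bor-pc",
    "log.0.0.0.0", "log.", "log.newton___", "log.netbook",
]

def classify(filename, known_hosts=KNOWN_HOSTS):
    """Return a triage label for one per-client log file name (log.%m)."""
    if not filename.startswith("log."):
        return "not-client-log"
    client = filename[len("log."):]
    if not client:
        return "empty-name"
    if client in DAEMONS:
        return "daemon-log"
    try:
        addr = ipaddress.ip_address(client)
    except ValueError:
        # Not an IP literal: %m expanded to a client-supplied machine name.
        return "known-host" if client.lower() in known_hosts else "unknown-name"
    if addr.is_unspecified:  # 0.0.0.0: peer address could not be read
        return "unspecified-address"
    if addr.is_private or addr.is_loopback or addr.is_link_local:
        return "internal-address"
    return "external-address"

def triage(filenames, known_hosts=KNOWN_HOSTS):
    """Group file names by label, preserving input order."""
    report = {}
    for name in filenames:
        report.setdefault(classify(name, known_hosts), []).append(name)
    return report

if __name__ == "__main__":
    for label, names in sorted(triage(SAMPLE).items()):
        print(f"{label:20} {len(names):3}  {', '.join(names)}")
```

To run it against a real directory, pass `os.listdir("/var/log/samba")` to `triage()`. Entries labelled external-address or unknown-name are the ones to compare against the firewall's forwarding rules.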