kernel tcp connection logging

Matthew Seaman m.seaman at infracaninophile.co.uk
Thu Dec 11 11:44:39 PST 2003


On Thu, Dec 11, 2003 at 10:43:59AM -0700, David Bear wrote:
> I'm running a generic release-4.7 kernel.  At some point I must have
> set some sysctl option because I get a lot of messages like:
> 
> Dec 11 10:35:18 recsrv1 /kernel: Connection attempt to TCP
> 129.219.208.171:135 from 129.219.90.69:4449
> Dec 11 10:35:19 recsrv1 last message repeated 2 times

No -- that's not your fault at all.  You're being scanned by Windows
machines infected with the MS-BLASTER worm or something like it that
is attempting to exploit the RPC DCOM buffer overflow vulnerability -- see

    http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS03-039.asp

or search for MS-BLAST on any of the anti-virus vendors' sites.
 
> I am using log_in_vain='1' in rc.conf but, do have samba listening on
> port 135.  
> 
> Any way I can quash these messages?

Unplug your system from the internet?  Or sit back, comfortable in the
knowledge that even if your firewall wasn't blocking the packets,
you'd still be invulnerable to being exploited.  Develop a nice sense
of Schadenfreude, then come to the uncomfortable realization that the
machines taken over by this worm generally get turned into zombie spam
engines from hell...

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK
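
Added example (not part of the original message, and not FreeBSD's own code): instead of only silencing the log_in_vain messages, they can be tallied to show which ports are being probed and from where. The sample log is constructed in the format quoted above using documentation addresses; the UDP line assumes the same layout as the TCP one, and `summarize` is a hypothetical name.

```python
import re
from collections import Counter

# Constructed sample in the format quoted in the post; addresses are documentation ranges.
SAMPLE_LOG = """\
Dec 11 10:35:18 recsrv1 /kernel: Connection attempt to TCP 192.0.2.10:135 from 198.51.100.69:4449
Dec 11 10:35:19 recsrv1 last message repeated 2 times
Dec 11 10:35:40 recsrv1 /kernel: Connection attempt to TCP 192.0.2.10:135 from 198.51.100.70:1033
Dec 11 10:36:02 recsrv1 sshd[411]: Accepted publickey for admin from 203.0.113.5 port 50022
Dec 11 10:36:03 recsrv1 last message repeated 3 times
Dec 11 10:36:10 recsrv1 /kernel: Connection attempt to UDP 192.0.2.10:1434 from 198.51.100.69:3021
"""

# Assumption: UDP attempts are logged in the same layout as the TCP line on the page.
ATTEMPT = re.compile(r"kernel: Connection attempt to (TCP|UDP) (\S+):(\d+) from (\S+):(\d+)")
REPEAT = re.compile(r"last message repeated (\d+) times?$")


def summarize(log_text):
    """Return (attempts per (proto, dst_port), attempts per (src, proto, dst_port))."""
    by_port, by_source = Counter(), Counter()
    last = None  # key of the previous line, if that line was a connection attempt
    for line in log_text.splitlines():
        m = ATTEMPT.search(line)
        if m:
            proto, _dst, dport, src, _sport = m.groups()
            last = (src, proto, int(dport))
            n = 1
        else:
            r = REPEAT.search(line)
            if not (r and last):
                # Unrelated line: a following "repeated" line is not about a probe.
                last = None
                continue
            n = int(r.group(1))  # syslogd collapsed n identical attempt lines
        by_source[last] += n
        by_port[last[1:]] += n
    return by_port, by_source


if __name__ == "__main__":
    ports, sources = summarize(SAMPLE_LOG)
    for (proto, dport), n in ports.most_common():
        print(f"{proto}/{dport}: {n} attempts")
    for (src, proto, dport), n in sources.most_common():
        print(f"  {src} -> {proto}/{dport}: {n}")
```

The "last message repeated" lines are counted only when they directly follow a connection-attempt line, so repeats of unrelated messages do not inflate the totals.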