Lo, on Wednesday, November 29, brian moore did write:

> On Tue, Nov 28, 2000 at 05:38:12PM -0600, Richard Cobbe wrote:
> >
> > Well, they can be. Connections to TCP ports 137, 138, and 139 are part of
> > Windows file- and printer-sharing. I don't know all that much about how
> > SMB works, but I'm fairly sure there are broadcasts to these ports
> > involved, primarily in setting up the Network Neighborhood.
>
> Yes, and there are even worms for Windows that go probing looking for
> open SMB shares to write themselves into.
>
> > So, if you happen to be on a network (like, say, a cable modem local loop)
> > with some Windows PCs that have file/print sharing turned on, these may not
> > represent a security problem. (Well, for *you*, anyway.)
>
> Or if you happen to be on a network 'near' (typically within a dozen
> /24's or so) of someone with one of the above worms running....
This doesn't surprise me in the least. However:

1) I don't think there's really any way to distinguish one of these worms
from a legit SMB broadcast, at least not with the level of detail that
ipchains logging gives you. (I'm not even sure that a packet
sniffer/protocol analyzer like Ethereal would allow you to distinguish
between the two, but then I don't know anything about the details of the
SMB protocol.)

2) This could only affect a Linux user if they've got Samba installed and
running on their machine. Since they would have to have some sort of
ipchains firewalling stuff to get the logs in the first place, blocking
SMB traffic to/from the outside world is trivial. (This is why I claimed
that such probes were not necessarily a security problem for a Linux
machine---Windows machines are another story altogether.)

I can't think of any legitimate reason to allow SMB traffic to/from the
outside world. VPNs are fine, but that's different.

Richard
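As an added example (not code from anyone in this thread), the script below does the two things the message discusses: it parses ipchains `-l` log lines in the layout the ipchains HOWTO documents and sorts them by NetBIOS port, protocol and whether the source sits on the local subnet, and it emits the ipchains rules that deny ports 137-139 on the external interface. The subnet (10.20.30.0/24), the interface name (eth0) and the log lines are constructed for the example; the split between UDP name/datagram-service broadcasts (137/138 to the broadcast address) and TCP session attempts (a SYN to 139) is only as much as the log line itself carries, so a probe and a neighbour's browse list request still look alike when both are broadcasts.

```python
"""Sort ipchains packet-log lines by NetBIOS/SMB traffic type, and build the
deny rules.  Example code added to this thread; assumes the ipchains
"Packet log:" layout and uses constructed sample data."""
import collections
import ipaddress
import re

# ipchains "-l" log line (layout from the ipchains HOWTO), e.g.
#   Packet log: input DENY eth0 PROTO=6 1.2.3.4:1234 5.6.7.8:139 L=48 S=0x00 I=1 F=0x4000 T=64 SYN (#5)
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)"
    r"(?P<rest>.*)$"
)

NETBIOS_NS, NETBIOS_DGM, NETBIOS_SSN = 137, 138, 139   # name, datagram, session service
PROTO_TCP, PROTO_UDP = 6, 17
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")

# Constructed sample log: local subnet 10.20.30.0/24, this host is 10.20.30.44.
LOCAL_NET = ipaddress.ip_network("10.20.30.0/24")
SAMPLE_LOG = """\
Packet log: input DENY eth0 PROTO=17 10.20.30.7:137 10.20.30.255:137 L=78 S=0x00 I=512 F=0x0000 T=128 (#3)
Packet log: input DENY eth0 PROTO=6 10.20.30.7:1031 10.20.30.44:139 L=48 S=0x00 I=513 F=0x4000 T=128 SYN (#4)
Packet log: input DENY eth0 PROTO=6 198.51.100.9:4444 10.20.30.44:139 L=48 S=0x00 I=9001 F=0x4000 T=113 SYN (#4)
Packet log: input DENY eth0 PROTO=17 198.51.100.9:137 10.20.30.44:137 L=78 S=0x00 I=9002 F=0x0000 T=113 (#3)
Packet log: input DENY eth0 PROTO=6 198.51.100.9:4445 10.20.30.44:22 L=48 S=0x00 I=9003 F=0x4000 T=113 SYN (#9)
"""


def parse(line):
    """Return the fields of one ipchains log line, or None if it is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "chain": d["chain"], "target": d["target"], "iface": d["iface"],
        "proto": int(d["proto"]),
        "src": ipaddress.ip_address(d["src"]), "sport": int(d["sport"]),
        "dst": ipaddress.ip_address(d["dst"]), "dport": int(d["dport"]),
        "syn": " SYN" in d["rest"],          # ipchains appends SYN for TCP SYN packets
    }


def classify(pkt, local_net):
    """Bucket a parsed packet by what the log line alone can tell us."""
    if pkt is None or pkt["dport"] not in (NETBIOS_NS, NETBIOS_DGM, NETBIOS_SSN):
        return "not-smb"
    src_local = pkt["src"] in local_net
    if pkt["proto"] == PROTO_UDP and pkt["dport"] in (NETBIOS_NS, NETBIOS_DGM):
        # Network Neighborhood browsing: name/datagram service to the subnet
        # (or limited) broadcast address, from a host on that subnet.
        if src_local and pkt["dst"] in (local_net.broadcast_address, LIMITED_BROADCAST):
            return "netbios-broadcast"
        return "netbios-unicast"             # someone picked *this* host to query
    if pkt["proto"] == PROTO_TCP and pkt["dport"] == NETBIOS_SSN and pkt["syn"]:
        # Reaching a share needs a TCP session to 139; a SYN from off the
        # subnet is a deliberate connection attempt, not a broadcast.
        return "smb-session-from-local" if src_local else "smb-session-from-outside"
    return "smb-other"


def summarize(log_text, local_net):
    """Count log lines per bucket; returns a plain dict."""
    counts = collections.Counter(
        classify(parse(line), local_net) for line in log_text.splitlines() if line.strip()
    )
    return dict(counts)


def block_smb_rules(ext_iface):
    """ipchains rules denying (and logging, -l) NetBIOS/SMB both ways on the
    external interface; 137:139 is ipchains' port-range syntax after -d."""
    return [
        f"ipchains -A {chain} -i {ext_iface} -p {proto} -d 0.0.0.0/0 137:139 -j DENY -l"
        for chain in ("input", "output")
        for proto in ("tcp", "udp")
    ]


if __name__ == "__main__":
    for bucket, n in sorted(summarize(SAMPLE_LOG, LOCAL_NET).items()):
        print(f"{n:3d}  {bucket}")
    print("\n".join(block_smb_rules("eth0")))
```

Feed it `grep 'Packet log:' /var/log/messages` for real data; the only line worth a second look on a Linux box that blocks 137-139 is the `smb-session-from-outside` bucket, and even that is just a logged, denied SYN.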