[ubuntu] Microsoft Sending Malware to Linux Computers



ssj6akshat
November 6th, 2009, 12:16 PM
Hey, see, this is the screenshot of Firestarter. It says it is a serious event. It attempted 5 times :(

They are devils :twisted:

sliketymo
November 6th, 2009, 12:24 PM
Check this out :

http://lifelogvcastelo.spaces.live.com/blog/cns!F212C40049B5C48A!121.entry

It appears to be some kind of Samba-file sharing.

Trebaruna
November 6th, 2009, 12:52 PM
Indeed it is. Contrary to Ubuntu, which by default closes everything down, Windows machines are always on the lookout for each other.
You can safely ignore those events, or better yet tell the Windows machines --if you control them-- to stop doing it.

ssj6akshat
November 6th, 2009, 02:23 PM
But I am not using Samba.

scaine
November 6th, 2009, 03:39 PM
Your firewall (or router, or whatever) is obviously not configured to ignore such traffic. 445 (and 137, 138 and 139) is just file sharing, or samba. Those machines are basically asking your machine whether you have file sharing enabled. They're probably compromised and trying, ridiculously, to connect to you over the internet.

I say ridiculously because there's not a single use case I'm aware of that justifies using samba over the internet. It's just horribly insecure and no one should try it.

Get your firewall (your "proper" firewall, the one on your router) to stop this traffic at the perimeter.

Thought Firestarter was long dead as a project too? Am I wrong? Probably best stick with GUFW now that ufw is standard on Ubuntu.

And maybe change the title of this thread. It's really misleading and honestly nothing to do with "microsoft the corporation" in any way.
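As an added illustration of the point in the post above (not part of the original thread and not any poster's code), the following Python example tallies blocked inbound packets to ports 137-139 and 445 and marks each source as local or external. It assumes the netfilter key=value log layout that ufw writes; the sample lines, the `192.168.1.0/24` LAN range and the function name are constructed for the example.

```python
import ipaddress
import re
from collections import Counter

# Ports named in the thread: NetBIOS (137-139) and microsoft-ds (445).
SMB_PORTS = {137: "netbios-ns", 138: "netbios-dgm", 139: "netbios-ssn", 445: "microsoft-ds"}
FIELD = re.compile(r"\b([A-Z]+)=(\S*)")

# Constructed sample lines (not from the thread's screenshot), trimmed to the fields used.
SAMPLE_LOG = """\
Nov  6 12:10:01 box kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.7 DST=192.168.1.10 PROTO=TCP SPT=3456 DPT=445 SYN
Nov  6 12:10:04 box kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.7 DST=192.168.1.10 PROTO=TCP SPT=3456 DPT=445 SYN
Nov  6 12:10:10 box kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.7 DST=192.168.1.10 PROTO=TCP SPT=3460 DPT=139 SYN
Nov  6 12:11:30 box kernel: [UFW BLOCK] IN=eth0 OUT= SRC=192.168.1.23 DST=192.168.1.255 PROTO=UDP SPT=138 DPT=138
Nov  6 12:12:00 box kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.20 DST=192.168.1.10 PROTO=TCP SPT=5000 DPT=22 SYN
Nov  6 12:12:05 box kernel: [UFW BLOCK] IN= OUT=eth0 SRC=192.168.1.10 DST=203.0.113.20 PROTO=TCP SPT=5001 DPT=445 SYN
Nov  6 12:12:09 box CRON[411]: (root) CMD (run-parts /etc/cron.hourly)
"""

def summarize_smb_probes(log_text, lan="192.168.1.0/24"):
    """Count blocked inbound packets to file-sharing ports per (source, service, origin)."""
    lan_net = ipaddress.ip_network(lan)
    hits = Counter()
    for line in log_text.splitlines():
        fields = dict(FIELD.findall(line))
        # Skip non-firewall lines and outbound packets (empty IN= interface).
        if "BLOCK" not in line or not fields.get("IN"):
            continue
        try:
            port = int(fields["DPT"])
            src = ipaddress.ip_address(fields["SRC"])
        except (KeyError, ValueError):
            continue  # ICMP has no DPT; malformed lines are ignored
        service = SMB_PORTS.get(port)
        if service:
            origin = "lan" if src in lan_net else "external"
            hits[(str(src), service, origin)] += 1
    return hits

if __name__ == "__main__":
    for (src, service, origin), n in sorted(summarize_smb_probes(SAMPLE_LOG).items()):
        print(f"{src:15} {service:13} {origin:8} {n}")
```

Entries marked `external` are the ones a perimeter rule on the router would stop before they reach the host; `lan` entries are ordinary Windows neighbours announcing themselves.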

__p1n__
November 6th, 2009, 05:38 PM
And maybe change the title of this thread. It's really misleading and honestly nothing to do with "microsoft the corporation" in any way.

I was going to comment on the rascally "SOCKS" corporation but I see that he's accepting that traffic ;)

rookcifer
November 7th, 2009, 01:20 AM
Thread title == FAIL

Jive Turkey
November 7th, 2009, 01:25 AM
Ya,
+1 for OP is confused.

[edit] You should probably take down that screenshot; whatever computers are at those IP addresses are probably vulnerable, if not compromised, and you are advertising them.

dnvikram
November 30th, 2009, 10:33 PM
Kindly black out the IP addresses in the screenshot. Please be considerate of other people's details and very discreet about it. We don't know if those IPs were already targeted by some malicious person for the heck of it. Either way, remove it before it's too late.

Thanks.

doas777
November 30th, 2009, 10:36 PM
I recall that annoyance. Even with rules allowing CIFS from my LAN, Firestarter still displayed these messages. Samba worked though...
I think this traffic relates to the browser election, but can't be sure without a sniffer.

teward
November 30th, 2009, 10:54 PM
Oh, I have a thought: The University I'm at blocks external attempts on those ports unless VPN is used by its students/staff/faculty/etc. Their ISO (Information Security Office) set up auto-scans on all computers for those things.

So perhaps where you are, computers are auto-scanning.

FYI: It's not Microsoft attacking you. The Microsoft-ds service is just what that port is usually used for.