[ubuntu] Microsoft Sending Malware to Linux Computers

November 6th, 2009, 12:16 PM
Hey, see, this is the screenshot of Firestarter. It says it is a serious event. It attempted 5 times :(

They are devils :twisted:

November 6th, 2009, 12:24 PM
Check this out :


It appears to be some kind of Samba-file sharing.

November 6th, 2009, 12:52 PM
Indeed it is. Contrary to Ubuntu, which by default closes everything down, Windows machines are always on the lookout for each other.
You can safely ignore those events, or better yet tell the Windows machines --if you control them-- to stop doing it.

November 6th, 2009, 02:23 PM
But I am not using Samba.

November 6th, 2009, 03:39 PM
Your firewall (or router, or whatever) is obviously not configured to ignore such traffic. 445 (and 137, 138 and 139) is just file sharing, or samba. Those machines are basically asking your machine whether you have file sharing enabled. They're probably compromised and trying, ridiculously, to connect to you over the internet.

I say ridiculously because there's not a single use case I'm aware of that justifies using samba over the internet. It's just horribly insecure and no one should try it.

Get your firewall (your "proper" firewall, the one on your router) to stop this traffic at the perimeter.

Thought Firestarter was long dead as a project too? Am I wrong? Probably best stick with GUFW now that ufw is standard on Ubuntu.

And maybe change the title of this thread. It's really misleading and honestly nothing to do with "microsoft the corporation" in any way.
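
The ports named in the post above (137, 138, 139 and 445) can be picked out of a firewall log to see how much of the blocked traffic is just file-sharing probes. This is an added example, not part of the thread: it assumes ufw-style kernel log lines, and the sample lines and addresses are constructed.

```python
import re
from collections import Counter

# Ports named in the post: NetBIOS name/datagram/session and microsoft-ds (SMB).
SMB_PORTS = {137: "netbios-ns", 138: "netbios-dgm", 139: "netbios-ssn", 445: "microsoft-ds"}

# KEY=value fields as the kernel writes them for netfilter LOG rules (the format ufw uses).
FIELD = re.compile(r"\b([A-Z]+)=(\S*)")

# Constructed sample log; all addresses come from documentation ranges.
SAMPLE_LOG = """\
Nov  6 12:10:01 host kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=2301 DPT=445 SYN
Nov  6 12:10:04 host kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=2301 DPT=445 SYN
Nov  6 12:10:10 host kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=2302 DPT=445 SYN
Nov  6 12:10:13 host kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=2302 DPT=445 SYN
Nov  6 12:10:19 host kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=2303 DPT=445 SYN
Nov  6 12:11:30 host kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 PROTO=UDP SPT=137 DPT=137
Nov  6 12:12:02 host kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 PROTO=TCP SPT=40112 DPT=22 SYN
Nov  6 12:12:40 host kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=ICMP TYPE=8 CODE=0
"""

def smb_probes(log_text):
    """Count blocked inbound packets per (source, service) aimed at file-sharing ports."""
    hits = Counter()
    for line in log_text.splitlines():
        if "BLOCK" not in line:
            continue
        fields = dict(FIELD.findall(line))
        try:
            port = int(fields.get("DPT", ""))
        except ValueError:
            continue  # ICMP and other packets without a destination port
        # A non-empty IN= interface means the packet arrived from outside.
        if port in SMB_PORTS and fields.get("IN"):
            hits[(fields.get("SRC", "?"), SMB_PORTS[port])] += 1
    return hits

if __name__ == "__main__":
    for (src, service), count in smb_probes(SAMPLE_LOG).most_common():
        print(f"{src:15} {service:13} blocked {count}x")
```
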

November 6th, 2009, 05:38 PM
And maybe change the title of this thread. It's really misleading and honestly nothing to do with "microsoft the corporation" in any way.

I was going to comment on the rascally "SOCKS" corporation but I see that he's accepting that traffic ;)

November 7th, 2009, 01:20 AM
Thread title == FAIL

Jive Turkey
November 7th, 2009, 01:25 AM
+1 for OP is confused.

[edit] You should probably take down that screenshot. Whatever computers are at those IP addresses are probably vulnerable, if not compromised, and you are advertising them.

November 30th, 2009, 10:33 PM
Kindly black out the IP addresses in the screenshot. Please be considerate of other people's details and very discreet about it. We don't know if those IP(s) were already targeted by some malicious person for the heck of it. Either way, remove it before it's too late.


November 30th, 2009, 10:36 PM
I recall that annoyance. Even with rules allowing CIFS from my LAN, Firestarter still displayed these messages. Samba worked though...
I think this traffic relates to the browser election, but can't be sure without a sniffer.

November 30th, 2009, 10:54 PM
Oh, I have a thought: The University I'm at blocks external attempts on those ports unless VPN is used by its students/staff/faculty/etc. Their ISO (Information Security Office) set up auto-scans on all computers for those things.

So perhaps where you are computers are auto-scanning.

FYI: It's not Microsoft attacking you. The Microsoft-ds service is just what that port is usually used for.