Linode Forum
Linode Community Forums
 Post subject: Hacked
Posted: Mon Jun 26, 2006 8:51 am
Senior Newbie

Joined: Mon Jan 30, 2006 12:54 am
Posts: 15
My linode, now offline, was responsible for this report:

http://www.mynetwatchman.com/ListIncide ... =206738902

Can anyone throw any light on what sort of weakness was exploited to enable this intrusion, and what I might do to prevent a repeat performance when I reinstall my linode?

tia,

_________________
Dean Swift


 Post subject: Re: Hacked
Posted: Mon Jun 26, 2006 9:26 am
Senior Newbie

Joined: Mon Jan 30, 2006 12:54 am
Posts: 15
Is it me, or doesn't this look AN AWFUL LOT like an nmap scan?

deanswift wrote:

_________________
Dean Swift


 Post subject: Re: Hacked
Posted: Mon Jun 26, 2006 9:35 am
Senior Newbie

Joined: Mon Jan 30, 2006 12:54 am
Posts: 15
deanswift wrote:
Is it me, or doesn't this look AN AWFUL LOT like an nmap scan?


Look at the report's fine print. All of these agents are Windows creatures; none of these afaik can live on a linux host. Am I wrong?

"Since the target port includes udp/137 (NetBios Adapter Status), then this host is likely infected with the OpaServ worm.
See: http://www.mynetwatchman.com/kb/securit ... 17/137.htm

"Since the target port includes tcp/445 (Microsoft CIFS), then this
host is likely infected with the Sasser or Agobot worm.
See: http://www.mynetwatchman.com/kb/securit ... /6/445.htm

"Since the target port includes tcp/135 (Microsoft RPC), then this
host is likely infected with the MSBlast / Lovsan worm.
See: http://www.mynetwatchman.com/kb/securit ... /6/135.htm

I *did* run nmap scans -- with permission of a responsible party at the target host -- a couple of days this month. And, the scans were of a host in the northwestern part of the country, where he.net lives.

_________________
Dean Swift


 Post subject: Re: Hacked
Posted: Mon Jun 26, 2006 9:54 am
Senior Newbie

Joined: Mon Jan 30, 2006 12:54 am
Posts: 15
deanswift wrote:
I *did* run nmap scans -- with permission of a responsible party at the target host -- a couple of days this month. And, the scans were of a host in the northwestern part of the country, where he.net lives.


No good deed goes unpunished. I just checked the IP address I scanned WITH PERMISSION against that myNetWatchman report. The first two numbers, 69.1.x.x, are a match. I think that clinches it. I am hoist on my own petard!

Case closed. Sorry to make such a fuss.

_________________
Dean Swift


 Post subject: Re: Hacked
Posted: Wed Jun 28, 2006 4:20 pm
Linode Staff

Joined: Fri Oct 17, 2003 12:38 am
Posts: 287
Location: Dr Wierd's Lab, South Jersey Shore
deanswift wrote:
Look at the report's fine print. All of these agents are Windows creatures; none of these afaik can live on a linux host. Am I wrong?

"Since the target port includes udp/137 (NetBios Adapter Status), then this host is likely infected with the OpaServ worm.
See: http://www.mynetwatchman.com/kb/securit ... 17/137.htm

"Since the target port includes tcp/445 (Microsoft CIFS), then this
host is likely infected with the Sasser or Agobot worm.
See: http://www.mynetwatchman.com/kb/securit ... /6/445.htm

"Since the target port includes tcp/135 (Microsoft RPC), then this
host is likely infected with the MSBlast / Lovsan worm.
See: http://www.mynetwatchman.com/kb/securit ... /6/135.htm

I *did* run nmap scans -- with permission of a responsible party at the target host -- a couple of days this month. And, the scans were of a host in the northwestern part of the country, where he.net lives.


They don't say that the system is infected with these worms; they just say that it is likely, which is true.

Since the sys/network admin at the target IP that you nmapped took the time to report your activity, you obviously didn't have permission from somebody that was in a position to grant that permission to you.

