From: LANE WILLIAM HOY (email_suppressed_at_lugwash.org)
Date: Tue 02-Sep-2003 08:29:34 AM EDT
Jeff,
I suggest checking bugtraq and the samba site for any Linux worms or
trojans that try to spread via samba. I know that the 2.2.8a release is a
bugfix to cure a security issue, but I do not recall the details off hand.
The file access attempts that you are seeing look very much like something that I
recall seeing about how to access secondary file streams in
Win{NT,2k,XP}.
The NT variants of MS-Windows support multiple 'streams' within a file,
where each secondary stream is referenced as 'file.ext:stream' but all the
user ever sees is 'file.ext'. It looks to me as though someone is
scanning for linux systems with vulnerable samba installs, and shooting
to install a kernel-module based root kit.
I suggest going to 'http://www.chkrootkit.org/', getting the latest
version, and scanning the targeted box just to make sure that nothing got
through. I assume that you are denying anything not on the subnet the
webserver lives on.
Are there other options that your user community could be persuaded to
use? If the main purpose of samba is for users to get web pages onto the
webserver from Windows PC's, then you might be interested in Cygwin's ssh
+ WinCVS + TortoiseCVS, plus a few shell scripts and Windows shortcuts for
the users. I have been using the WinCVS 1.3* beta versions on a Windows
box with a repository on a Sun box for some web work, and I have been
pretty pleased with the interface; the only headache is from the
Windows-is-case-preserving-and-*nix-is-case-sensitive issue; as long as folks do not
try to mix-and-match working on *nix with working on Windows, this works
okay.
Lane Hoy
School of Dentistry Programming Services
URL's:
http://cvsgui.sourceforge.net/ #Home page for assorted CVS front ends
http://sources.redhat.com/cygwin/ #Home page for getting Cygwin
On Fri, 29 Aug 2003 [e-mail suppressed] wrote:
> I've been running Red Hat Linux 9.0 and Samba 2.2.8a on our web server
> at work for a couple of months now. I started getting a few of these
> type errors from systems across the corporate WAN initially, but after
> the blackout and the release of so many new worms in the past couple
> of weeks, the smbd.log file is indicating dozens of systems making
> anywhere from 1 to 10 attempts to access the server during any 24 hour
> period.
>
> [2003/08/22 08:35:57, 0] lib/access.c:check_access(333)
> Denied connection from (19.73.89.120)
> [2003/08/22 08:35:57, 0] smbd/oplock_linux.c:linux_init_kernel_oplocks(287)
> Failed to setup RT_SIGNAL_LEASE handler
>
> Unfortunately, the only information I can get from this is the system's
> IP address, not exactly what it was attempting to do. I have the
> smb.conf set up to only allow connections from 2 of our 3 subnets on
> the LAN since there is no need for anyone outside of the site on the
> WAN to make such a connection. I haven't seen anything else in any other
> logs that would provide more details.
>
> I've suspected these were caused by infected systems on the network and
> was able to verify a couple of definite infections due to wide open
> share permissions on a Win2k box or two... but otherwise, it's just
> been suspicion. Is there anything else that anyone knows of that would
> cause a legitimate (i.e. non-worm infected) system to try to scan
> a network that would result in these errors? Is there something else
> possibly going on that I'm not considering? Or is this highly likely
> worm infections as I first assumed they were? Google search didn't
> yield much assistance.
>
> --
> Jeff Traigle
> [e-mail suppressed]
> http://www-personal.si.umich.edu/~traigle/
> --
> *** Sent from [e-mail suppressed] *** http://www.lugwash.org
> to unsubscribe: `echo "unsubscribe" | mail [e-mail suppressed]`
>
This archive was generated by hypermail 2.1.5 : Wed 01-Oct-2003 01:00:01 AM EDT
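As an added example (not code from either poster), here is a small Python script that parses smbd.log entries of the two-line form quoted above (a `[date time, level] file:function(line)` header followed by the message), counts "Denied connection from" entries per source address per calendar day, and tags each address as on-site or WAN. The sample log and the `SITE_NETWORKS` ranges are constructed for the example; only 19.73.89.120 comes from the thread.

```python
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Samba 2.2-style log: a header line "[YYYY/MM/DD HH:MM:SS, level] file:func(line)"
# followed by the actual message on the next line.
HEADER_RE = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), (\d+)\] (\S+)$")
DENIED_RE = re.compile(r"^\s*Denied connection from \((\d{1,3}(?:\.\d{1,3}){3})\)")

# Constructed sample; only 19.73.89.120 appears in the original thread.
SAMPLE_LOG = """\
[2003/08/22 08:35:57, 0] lib/access.c:check_access(333)
  Denied connection from (19.73.89.120)
[2003/08/22 08:35:57, 0] smbd/oplock_linux.c:linux_init_kernel_oplocks(287)
  Failed to setup RT_SIGNAL_LEASE handler
[2003/08/22 11:02:13, 0] lib/access.c:check_access(333)
  Denied connection from (19.73.89.120)
[2003/08/22 23:59:59, 0] lib/access.c:check_access(333)
  Denied connection from (198.51.100.7)
[2003/08/23 00:10:00, 0] lib/access.c:check_access(333)
  Denied connection from (19.73.89.120)
"""

# Constructed: the subnets that make up the local site (allowed or not).
SITE_NETWORKS = [ip_network("198.51.100.0/24"), ip_network("203.0.113.0/24")]

def parse_denials(lines):
    """Yield (timestamp, ip) for every 'Denied connection from' message."""
    header_time = None
    for line in lines:
        m = HEADER_RE.match(line.strip())
        if m:  # remember the timestamp; the message follows on the next line
            header_time = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
            continue
        d = DENIED_RE.match(line)
        if d and header_time is not None:
            yield header_time, ip_address(d.group(1))
        # other message lines (e.g. the RT_SIGNAL_LEASE notice) are ignored

def summarize(lines, site_networks):
    """Return [(day, ip, attempts, zone)] sorted by attempts, most first."""
    counts = defaultdict(int)
    for ts, ip in parse_denials(lines):
        counts[(ts.date().isoformat(), ip)] += 1
    rows = []
    for (day, ip), n in counts.items():
        zone = "site" if any(ip in net for net in site_networks) else "wan"
        rows.append((day, str(ip), n, zone))
    rows.sort(key=lambda r: (-r[2], r[0], r[1]))
    return rows

if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG.splitlines(), SITE_NETWORKS):
        print("%s  %-15s  %2d attempts  (%s)" % row)
```

Run it against the real smbd.log to get the per-day, per-host counts the original post describes, with the on-site hosts separated from the ones coming across the WAN.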