LinuxQuestions.org


greigster 02-14-2006 01:06 AM

ERROR: Invalid password length 4222.
 
Our Samba servers are getting the following messages in the logs:

Feb 14 04:56:47 njord smbd[5767]: Your machine may be under attack by someone attempting to exploit an old bug.
Feb 14 04:56:47 njord smbd[5767]: Attack was from IP = x.x.x.225.
Feb 14 06:59:06 njord smbd[6026]: [2006/02/14 06:59:06, 0] smbd/reply.c:(50)
Feb 14 06:59:06 njord smbd[6026]: ERROR: Invalid password length 4222.
Feb 14 06:59:06 njord smbd[6026]: Your machine may be under attack by someone attempting to exploit an old bug.
Feb 14 06:59:06 njord smbd[6026]: Attack was from IP = x.x.x.225.
Feb 14 07:18:41 njord smbd[6085]: [2006/02/14 07:18:41, 0] smbd/reply.c:(50)
Feb 14 07:18:41 njord smbd[6085]: ERROR: Invalid password length 4222.
Feb 14 07:18:41 njord smbd[6085]: Your machine may be under attack by someone attempting to exploit an old bug.
Feb 14 07:18:41 njord smbd[6085]: Attack was from IP = x.x.x.225.

I have virus-scanned and run Ad-Aware on the PC with IP x.x.x.225, but it's still making log entries.

Does anyone have any suggestions? It's a Win2k PC. Our Samba servers are Linux and HP-UX.

Matir 02-14-2006 09:01 PM

Use netstat to see what process is opening ports 137-139 or 445. For example, netstat -pn.

greigster 02-15-2006 02:29 AM

netstat -n | grep 137, 138, 139 and 445 gave me no results from unknown PCs (139 gave me the list of PCs using Samba).

Matir 02-15-2006 09:25 AM

Sorry, I was suggesting you might try that on the Win2k machine as well. If something is hitting your samba machine from there, that should show the connection.

greigster 02-16-2006 02:46 AM

When running "netstat -n" on my own PC I get approx. 17 lines of comms.

On the suspect PC I get about 250 lines.

Matir 02-16-2006 02:27 PM

That's a lot running. Anything on the SMB front?

greigster 02-17-2006 04:14 AM

Scanned the PC with Stinger from McAfee, and got the following report:

Scan initiated on Fri Feb 17 08:38:09 2006
C:\WINNT\msnet32.exe
Found the W32/Sdbot.worm.gen.h virus !!!
C:\WINNT\msnet32.exe has been deleted.
Number of clean files: 31579
Number of infected files: 1
Number of files deleted: 1

No more warnings in the Samba log after the scan, so I hope it's been fixed now.
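
Added example, not part of the original thread: a small Python script that tallies the smbd alerts shown above per source address, pairing each "Invalid password length" line with the "Attack was from IP" line logged by the same smbd PID. The sample log is constructed in the thread's syslog layout with placeholder addresses, and the function name `summarize` is hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the syslog layout from the thread. The addresses are
# documentation-range placeholders, not values taken from the thread.
SAMPLE_LOG = """\
Feb 14 04:56:47 njord smbd[5767]: ERROR: Invalid password length 4222.
Feb 14 04:56:47 njord smbd[5767]: Your machine may be under attack by someone attempting to exploit an old bug.
Feb 14 04:56:47 njord smbd[5767]: Attack was from IP = 192.0.2.225.
Feb 14 06:59:06 njord smbd[6026]: [2006/02/14 06:59:06, 0] smbd/reply.c:(50)
Feb 14 06:59:06 njord smbd[6026]: ERROR: Invalid password length 4222.
Feb 14 06:59:06 njord smbd[6026]: Your machine may be under attack by someone attempting to exploit an old bug.
Feb 14 06:59:06 njord smbd[6026]: Attack was from IP = 192.0.2.225.
Feb 14 07:02:10 njord smbd[6031]: ERROR: Invalid password length 300.
Feb 14 07:02:10 njord smbd[6031]: Attack was from IP = 192.0.2.17.
Feb 14 07:05:00 njord smbd[6040]: Attack was from IP = 192.0.2.99.
"""

LINE = re.compile(r"^(\w{3}\s+\d+\s[\d:]+)\s(\S+)\ssmbd\[(\d+)\]:\s(.*)$")
LENGTH = re.compile(r"ERROR: Invalid password length (\d+)\.")
SOURCE = re.compile(r"Attack was from IP = (\S+?)\.?$")

def summarize(lines):
    """Return {source_ip: {count, first, last, lengths}} for smbd alerts."""
    pending = {}  # (host, pid) -> password length claimed by the client
    stats = defaultdict(
        lambda: {"count": 0, "first": None, "last": None, "lengths": set()})
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        ts, host, pid, msg = m.groups()
        key = (host, pid)
        if (lm := LENGTH.search(msg)):
            pending[key] = int(lm.group(1))
        elif (sm := SOURCE.search(msg)):
            entry = stats[sm.group(1)]
            entry["count"] += 1
            entry["first"] = entry["first"] or ts
            entry["last"] = ts
            # A log excerpt may start mid-event, so the length can be missing.
            length = pending.pop(key, None)
            if length is not None:
                entry["lengths"].add(length)
    return dict(stats)

if __name__ == "__main__":
    for ip, e in sorted(summarize(SAMPLE_LOG.splitlines()).items()):
        print(ip, e["count"], e["first"], e["last"], sorted(e["lengths"]))
```
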


All times are GMT -5.