Suspected samba log

skoinga · 08-04-2010, 09:11 AM

Hi all,

my home network is behind a typical dsl router, with a dynamic ip address from my ISP.
Recently I never opened samba port (135/tcp, 139/tcp, 445/tcp) to my Linux server with samba daemon.
However, looking in the /var/log/samba directory, I found several log like this:

Quote:

-rw-r--r-- 1 root root 9979 2010-04-30 09:33 log.gx150
-rw-r--r-- 1 root root 1026967 2010-04-30 09:33 log.gx150.old
-rw-r--r-- 1 root root 31158 2010-04-22 15:10 log.inetsvr
-rw-r--r-- 1 root root 1025131 2010-04-22 15:10 log.inetsvr.old
-rw-r--r-- 1 root root 415743 2010-05-18 09:56 log.iulius-564d6773
-rw-r--r-- 1 root root 1213535 2010-04-23 19:19 log.iulius-564d6773.old

and others like log.__ffff_123.123.123.123 (some public ip address, out of my country too).

"gx150", "inetsvr", etc.. don't belong to any of my machines in my network.
How it's possible?
From external, with nmap, the tcp ports involved in samba are closed..
Thankyou

SciFi-Bob · 08-05-2010, 05:58 PM

Some of those are ipv6 addresses, but I don't know Sambas capabilities on that front.
Could it be, that your ISP recently has added ipv6 capabilities?

To be sure, you could try to add a
"bind interfaces only = Yes"
line to your config, and adding only those interfaces you want to be public.

For example:

interfaces = 192.168.1.0/24, 127.0.0.0/8
bind interfaces only = Yes

Then your samba server should not be listening on any other interfaces.

unSpawn · 08-05-2010, 06:48 PM

...and in addition to what's been offered sofar: what do these logs actually read and what do you mean by "recently"?

skoinga · 08-06-2010, 07:59 PM

Quote:

Originally Posted by SciFi-Bob

Some of those are ipv6 addresses

Why do you think this? For the "ffff" prefix in the file name?
However I'll bind samba only to my ipv4 interface, right.

skoinga · 08-06-2010, 08:04 PM

Quote:

Originally Posted by unSpawn

...and in addition to what's been offered sofar: what do these logs actually read and what do you mean by "recently"?

Recently = in the last 3 or 4 months..
The log are very detailed, I've set debug level to 9.
For example..

Quote:

[2010/05/12 20:28:09, 6] param/loadparm.c:lp_file_list_changed(6729)
lp_file_list_changed()
file /etc/samba/smb.conf -> /etc/samba/smb.conf last mod_time: Thu Apr 22 13:25:27 2010

[2010/05/12 20:28:09, 5] smbd/reply.c:reply_special(472)
init msg_type=0x81 msg_flags=0x0
[2010/05/12 20:28:09, 0] lib/util_sock.c:write_data(1136)
[2010/05/12 20:28:09, 0] lib/util_sock.c:get_peer_addr_internal(1676)
getpeername failed. Error was Transport endpoint is not connected
write_data: write failure in writing to client 0.0.0.0. Error Connection reset by peer
[2010/05/12 20:28:09, 0] smbd/process.c:srv_send_smb(74)
Error writing 4 bytes to client. -1. (Transport endpoint is not connected)
[2010/05/12 20:28:09, 5] lib/util_sock.c:read_socket_with_timeout(928)
read_socket_with_timeout: blocking read. EOF from client.
[2010/05/12 20:28:09, 3] smbd/process.c:smbd_process(2056)
receive_message_or_smb failed: NT_STATUS_END_OF_FILE, exiting
[2010/05/12 20:28:09, 5] lib/gencache.c:gencache_shutdown(93)
Closing cache file
[2010/05/12 20:28:09, 5] libsmb/namecache.c:namecache_shutdown(81)
namecache_shutdown: netbios namecache closed successfully.
[2010/05/12 20:28:09, 3] smbd/sec_ctx.c:set_sec_ctx(324)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2010/05/12 20:28:09, 5] auth/token_util.c:debug_nt_user_token(464)
NT user token: (NULL)
[2010/05/12 20:28:09, 5] auth/token_util.c:debug_unix_user_token(490)
UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups
[2010/05/12 20:28:09, 5] smbd/uid.c:change_to_root_user(287)
change_to_root_user: now uid=(0,0) gid=(0,0)
[2010/05/12 20:28:09, 3] smbd/connection.c:yield_connection(31)
Yielding connection to
[2010/05/12 20:28:09, 3] smbd/connection.c:yield_connection(42)
deleting connection record returned NT_STATUS_NOT_FOUND
[2010/05/12 20:28:09, 3] smbd/server.c:exit_server_common(949)
Server exit (normal exit)

SciFi-Bob · 08-10-2010, 12:20 PM

A log level above 4-5 seldom has any meaning to anyone except the Samba developers. Be aware that Samba broadcasts a lot of seemingly meaningless data, being the poorly designed MS protocol it is, so many lines in a level 9 log may be perfectly normal.
I normally log at level 2, and when debugging at level 4. Never had any reason to increase the level.

Believe me, if you are under attack, you WILL see something in the logs even at level 3.

Also, you also may want to know, that you can choose the level by class, like this:

Code:

debug class = yes  # Displays the class in the log file. Class may be lanman, rpc_srv, etc.
log level = all:1 printdrivers:3 lanman:1 rpc_parse:2 rpc_srv:3 rpc_cli:2 passdb:2 sam:2 auth:2