LinuxQuestions.org
Old 02-14-2006, 02:06 AM   #1
greigster
LQ Newbie
 
Registered: Oct 2003
Location: Norway
Distribution: Suse 8.x
Posts: 21

Rep: Reputation: 15
ERROR: Invalid password length 4222.


Our samba-servers are getting the following messages in the logs:

Feb 14 04:56:47 njord smbd[5767]: Your machine may be under attack by someone attempting to exploit an old bug.
Feb 14 04:56:47 njord smbd[5767]: Attack was from IP = x.x.x.225.
Feb 14 06:59:06 njord smbd[6026]: [2006/02/14 06:59:06, 0] smbd/reply.c50)
Feb 14 06:59:06 njord smbd[6026]: ERROR: Invalid password length 4222.
Feb 14 06:59:06 njord smbd[6026]: Your machine may be under attack by someone attempting to exploit an old bug.
Feb 14 06:59:06 njord smbd[6026]: Attack was from IP = x.x.x.225.
Feb 14 07:18:41 njord smbd[6085]: [2006/02/14 07:18:41, 0] smbd/reply.c50)
Feb 14 07:18:41 njord smbd[6085]: ERROR: Invalid password length 4222.
Feb 14 07:18:41 njord smbd[6085]: Your machine may be under attack by someone attempting to exploit an old bug.
Feb 14 07:18:41 njord smbd[6085]: Attack was from IP = x.x.x.225.

I have virusscan'ed and run ad-aware on the PC with IP x.x.x.225, but it's still making log-entries.

Does anyone have any suggestions? It's a win2k PC. Our samba-servers are Linux and HP-UX.
 
Old 02-14-2006, 10:01 PM   #2
Matir
LQ Guru
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Debian, Arch
Posts: 8,507

Rep: Reputation: 128
Use netstat to see what process is opening ports 137-139 or 445. For example, netstat -pn.
 
Old 02-15-2006, 03:29 AM   #3
greigster
LQ Newbie
 
Registered: Oct 2003
Location: Norway
Distribution: Suse 8.x
Posts: 21

Original Poster
Rep: Reputation: 15
netstat -n | grep 137, 138, 139 and 445 gave me no results from unknown PCs (139 gave me the list of PCs using samba).
 
Old 02-15-2006, 10:25 AM   #4
Matir
LQ Guru
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Debian, Arch
Posts: 8,507

Rep: Reputation: 128
Sorry, I was suggesting you might try that on the Win2k machine as well. If something is hitting your samba machine from there, that should show the connection.
 
Old 02-16-2006, 03:46 AM   #5
greigster
LQ Newbie
 
Registered: Oct 2003
Location: Norway
Distribution: Suse 8.x
Posts: 21

Original Poster
Rep: Reputation: 15
When running "netstat -n" on my own PC I get approx. 17 lines of comms.

On the suspect PC I get about 250 lines.
 
Old 02-16-2006, 03:27 PM   #6
Matir
LQ Guru
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Debian, Arch
Posts: 8,507

Rep: Reputation: 128
That's a lot running. Anything on the SMB front?
 
Old 02-17-2006, 05:14 AM   #7
greigster
LQ Newbie
 
Registered: Oct 2003
Location: Norway
Distribution: Suse 8.x
Posts: 21

Original Poster
Rep: Reputation: 15
Scanned the PC with Stinger from McAfee, and got the following report:
Scan initiated on Fri Feb 17 08:38:09 2006
C:\WINNT\msnet32.exe
Found the W32/Sdbot.worm.gen.h virus !!!
C:\WINNT\msnet32.exe has been deleted.
Number of clean files: 31579
Number of infected files: 1
Number of files deleted: 1

No more warnings in the samba-log after the scan so I hope it's been fixed now.
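The smbd warnings quoted in this thread can be tallied per source host, which makes it easy to confirm after a cleanup that a given client has stopped triggering them. The following is an added example, not something posted by the thread participants; the function name `summarize` and the sample addresses (documentation ranges) are assumptions, and the log lines are constructed in the format shown in post #1.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the log lines quoted in the thread.
# 192.0.2.x / 198.51.100.x are documentation addresses, not from the thread.
SAMPLE_LOG = """\
Feb 14 04:56:47 njord smbd[5767]: Your machine may be under attack by someone attempting to exploit an old bug.
Feb 14 04:56:47 njord smbd[5767]: Attack was from IP = 192.0.2.225.
Feb 14 06:59:06 njord smbd[6026]: ERROR: Invalid password length 4222.
Feb 14 06:59:06 njord smbd[6026]: Attack was from IP = 192.0.2.225.
Feb 14 07:02:10 njord smbd[6030]: ERROR: Invalid password length 300.
Feb 14 07:02:10 njord smbd[6030]: Attack was from IP = 198.51.100.7.
Feb 14 07:18:41 njord smbd[6085]: ERROR: Invalid password length 4222.
Feb 14 07:18:41 njord smbd[6085]: Attack was from IP = 192.0.2.225.
"""

LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) (\S+) smbd\[(\d+)\]: (.*)$")
LENGTH = re.compile(r"ERROR: Invalid password length (\d+)")
SOURCE = re.compile(r"Attack was from IP = (\S+)")


def summarize(log_text):
    """Group smbd warnings by source IP, pairing lines through the smbd PID."""
    pending = {}  # (host, pid) -> password length seen in the ERROR line
    report = defaultdict(lambda: {"events": 0, "lengths": set(), "first": None, "last": None})
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        stamp, host, pid, msg = m.groups()
        if (hit := LENGTH.search(msg)):
            pending[(host, pid)] = int(hit.group(1))
        elif (hit := SOURCE.search(msg)):
            ip = hit.group(1).rstrip(".")
            entry = report[ip]
            entry["events"] += 1
            # The ERROR line may be missing (rotated or truncated log).
            length = pending.pop((host, pid), None)
            if length is not None:
                entry["lengths"].add(length)
            entry["first"] = entry["first"] or stamp
            entry["last"] = stamp
    return dict(report)


if __name__ == "__main__":
    for ip, e in sorted(summarize(SAMPLE_LOG).items(), key=lambda kv: -kv[1]["events"]):
        print(f"{ip}: {e['events']} events, lengths {sorted(e['lengths'])}, {e['first']} .. {e['last']}")
```

Running it against the live log before and after cleaning a client shows whether the "last" timestamp for that address stops advancing.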
 
  

