LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 07-27-2010, 08:23 PM   #1
captainentropy
Member
 
Registered: Mar 2010
Location: Berkeley
Distribution: Ubuntu, Mint, CentOS
Posts: 81

Rep: Reputation: 0
"samba_symlink_dir_traversal_nasl-#" what is this?


Hi,

I recently started having unusual directories appear on one of my mounted arrays. I did not create them (intentionally) and I have no clue what they are. Google has been of no help.

They all have this in the name of the folder: "samba_symlink_dir_traversal.nasl-<10-digit number>". They all have the same time-stamp in the date modified column (see pic).

What are these folders? Why are they appearing? And how can I make it stop? It doesn't do this on my other mounted arrays and disks.

I recently grew my two attached arrays, this started right after that, but only on one of them. Connection?

Also, it may be relevant, the folders are different today in their modified date(reflecting today's date) and the numbers in the name of the folder are different too.

Attached is a screenshot of the folders. Thanks!
Attached: symlink-2.png (screenshot of the folders)
 
Old 07-28-2010, 08:54 PM   #2
captainentropy
Member
 
Registered: Mar 2010
Location: Berkeley
Distribution: Ubuntu, Mint, CentOS
Posts: 81

Original Poster
Rep: Reputation: 0
no one!!?
 
Old 07-28-2010, 09:17 PM   #3
GrapefruiTgirl
LQ Guru
 
Registered: Dec 2006
Location: underground
Distribution: Slackware64
Posts: 7,594

Rep: Reputation: 556
I don't use Samba, so don't quote me on this.. But since you seem eager for info, try sticking the following:
Code:
samba_symlink_dir_traversal.nasl
into Google. It produces not many hits, but all the hits that are produced point to the same thing, which if I understand what I'm reading, is indicative of a vulnerability in Samba that can be exploited due to an insecure configuration. It allows a user to make symlinks to files that they should not be able to do. The solution (or workaround) is also shown on several of the google hits.

Again - I'm not sure about it - so don't jump up & down just yet! I'm going to ask our 'Security Forum' folks to have a look and give an opinion.
 
Old 07-29-2010, 02:10 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
You're right. NASL is the FLA for "Nessus Attack Scripting Language". The Nessus samba_symlink_dir_traversal.nasl plugin and what it tests for is described here, the CVE entry for the vulnerability is here (also see this) and the fix (set "wide links = no" in the [global] section of smb.conf and restart smbd) is described here. If the OP did not test the machine him/herself, then system and daemon logs may or may not show who attempted to access the share during the timeframe leading up to the timestamps of the screenshot the OP posted here.
 
Old 07-29-2010, 01:49 PM   #5
captainentropy
Member
 
Registered: Mar 2010
Location: Berkeley
Distribution: Ubuntu, Mint, CentOS
Posts: 81

Original Poster
Rep: Reputation: 0
Thanks Grapefruit, I did read all that but it made no sense to me because it started only after I grew my array, which is why I thought it might be related to that.

Thanks for the help unSpawn, I'm changing the smb.conf now. But what do FLA, CVE, and OP stand for?
 
Old 07-29-2010, 01:55 PM   #6
GrapefruiTgirl
LQ Guru
 
Registered: Dec 2006
Location: underground
Distribution: Slackware64
Posts: 7,594

Rep: Reputation: 556
"Common Vulnerabilities & Exposures" = CVE
"OP" Original Post(er) (i.e. you, the person who started the thread, or the first post in a thread.)
"FLA" = ... "Foot Long Acronym" (kidding! I don't know what this one is)
 
Old 07-29-2010, 07:00 PM   #7
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote:
Originally Posted by GrapefruiTgirl
"FLA" = ... "Foot Long Acronym" (kidding! I don't know what this one is)
Close. In this case, it likely means four letter acronym.
 
Old 07-29-2010, 07:44 PM   #8
captainentropy
Member
 
Registered: Mar 2010
Location: Berkeley
Distribution: Ubuntu, Mint, CentOS
Posts: 81

Original Poster
Rep: Reputation: 0
OKIGIN (OK I get it now). Ugh. Acronyms and jargon. Nightmares for a novice.

So, I followed the instructions in one of the links unSpawn posted:

Quote:
Quick FAQ: What do I do !
Set:

wide links = no
in the [global] section of your smb.conf and restart smbd to eliminate this problem.
I made the change and restarted samba.

I deleted all the symlink folders too but as of 30 minutes ago another samba_symlink folder appeared. Any other ideas?
 
Old 07-30-2010, 06:16 AM   #9
XavierP
Moderator
 
Registered: Nov 2002
Location: Kent, England
Distribution: Debian Testing
Posts: 19,192
Blog Entries: 4

Rep: Reputation: 475
Moved: This thread is more suitable in Linux-Security and has been moved accordingly to help your thread/question get the exposure it deserves.
 
Old 07-30-2010, 12:37 PM   #10
captainentropy
Member
 
Registered: Mar 2010
Location: Berkeley
Distribution: Ubuntu, Mint, CentOS
Posts: 81

Original Poster
Rep: Reputation: 0
update: I stopped the samba service yesterday afternoon but this morning (now) there are new "symlink" folders that have appeared. How could that be possible?

Last edited by captainentropy; 07-30-2010 at 02:56 PM.
 
Old 08-02-2010, 01:36 PM   #11
captainentropy
Member
 
Registered: Mar 2010
Location: Berkeley
Distribution: Ubuntu, Mint, CentOS
Posts: 81

Original Poster
Rep: Reputation: 0
Still only the two folders, but the modified date is current. I still have no idea what else to do. I changed the smb.conf to have wide links = no.
 
Old 08-05-2010, 05:32 PM   #12
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
- Temporarily set up smbd to ditch CAP_DAC_OVERRIDE (see 'man 7 capabilities') if your system allows configuring and changing per-process capabilities (GRSecurity, LIDS).
- Upgrade (or alternatively downgrade): http://us1.samba.org/samba/security/CVE-2010-0728.html.
- Do you run Nessus or OpenVAS or any of that type of auditing?
- Who has access (write rights?) to the share?
- Who has access (write rights) to the machine the share is on?
- Who accessed the share during file or directory creation time ('stat /path/to/physical\ directory\ name;')?
- Who accessed the machine the share is on during file or directory creation time?
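An added example, not code from the thread or from Samba, that covers the two checks raised in this thread: verifying that the "wide links = no" workaround from post #4 really sits in the [global] section of a given smb.conf (a value set only under a share, or commented out, does not count), and listing leftover directories named after the Nessus plugin with their modification times so they can be matched against the access logs unSpawn asks about. It assumes GNU find/stat and that the caller passes the smb.conf path and the share's physical directory.

```shell
#!/bin/sh
# Added example (not from the thread): audit smb.conf for the workaround
# and list the leftover Nessus-style directories with their mtimes.

# Print the value of "wide links" found in the [global] section of the
# smb.conf given as $1: "no", "yes", or "unset" if the key is absent
# there (in which case Samba's compiled-in default applies).
smb_wide_links_setting() {
    awk '
        # A "[section]" line starts a new section; remember if it is [global].
        /^[[:space:]]*\[/ { insec = (tolower($0) ~ /^[[:space:]]*\[global\]/); next }
        # Only uncommented "wide links = ..." lines inside [global] count.
        insec && tolower($0) ~ /^[[:space:]]*wide[[:space:]]+links[[:space:]]*=/ {
            split($0, kv, "=")
            gsub(/[[:space:]]/, "", kv[2])
            val = tolower(kv[2])
        }
        END { if (val == "") val = "unset"; print val }
    ' "$1"
}

# List directories under $1 matching the naming pattern from the thread
# (samba_symlink_dir_traversal.nasl-<10 digits>), one "mtime<TAB>path"
# line each with mtime as epoch seconds (GNU stat), oldest first, so the
# times can be compared with smbd/auth log entries.
list_nasl_dirs() {
    find "$1" -type d -name 'samba_symlink_dir_traversal.nasl-*' -print |
        grep -E 'samba_symlink_dir_traversal\.nasl-[0-9]{10}$' |
        while IFS= read -r d; do
            printf '%s\t%s\n' "$(stat -c %Y "$d")" "$d"
        done | sort -n
}
```

Run `smb_wide_links_setting /etc/samba/smb.conf` after editing and expect "no"; anything else means the workaround is not in effect for the daemon's global settings.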
 
Old 08-09-2010, 07:51 PM   #13
captainentropy
Member
 
Registered: Mar 2010
Location: Berkeley
Distribution: Ubuntu, Mint, CentOS
Posts: 81

Original Poster
Rep: Reputation: 0
Thanks for the help unSpawn. Right after my last post I deleted the two folders and there have been no new ones created since. I didn't attempt the two suggestions you made...yet. Should I anyway?

No, I'm not running Nessus or OpenVAS. I don't even know what those are.

There are only two users, both have write access to the machine and share. I'm the only one who uses it really. One other person is setting up a genome browser on the server but the problem started before he began that process.

When the issue arose I was the only one who had accessed the server. There are only three people who even need to access it at any time. But during the time prior to the problem arising I was expanding the arrays so I had them offline. Other than the other guy I mentioned there has been no accessing it by anyone other than me.

I'll be keeping an eye on it of course. Thanks for your help so far!
 
Old 08-14-2010, 02:01 PM   #14
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by captainentropy
I didn't attempt the two suggestions you made...yet. Should I anyway?
Upgrading would be good, yes, it may fix more issues.
 