LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 08-04-2010, 09:11 AM   #1
skoinga
Member
 
Suspected samba log


Hi all,

my home network is behind a typical dsl router, with a dynamic ip address from my ISP.
Recently I never opened the samba ports (135/tcp, 139/tcp, 445/tcp) to my Linux server with the samba daemon.
However, looking in the /var/log/samba directory, I found several logs like this:

Quote:
-rw-r--r-- 1 root root 9979 2010-04-30 09:33 log.gx150
-rw-r--r-- 1 root root 1026967 2010-04-30 09:33 log.gx150.old
-rw-r--r-- 1 root root 31158 2010-04-22 15:10 log.inetsvr
-rw-r--r-- 1 root root 1025131 2010-04-22 15:10 log.inetsvr.old
-rw-r--r-- 1 root root 415743 2010-05-18 09:56 log.iulius-564d6773
-rw-r--r-- 1 root root 1213535 2010-04-23 19:19 log.iulius-564d6773.old
and others like log.__ffff_123.123.123.123 (some public ip address, out of my country too).

"gx150", "inetsvr", etc.. don't belong to any of my machines in my network.
How is it possible?
From outside, with nmap, the tcp ports used by samba are closed..
Thank you
 
Old 08-05-2010, 05:58 PM   #2
SciFi-Bob
Member
 
Location: Denmark
Distribution: Debian/Ubuntu
Some of those are ipv6 addresses, but I don't know Samba's capabilities on that front.
Could it be that your ISP has recently added ipv6 capabilities?

To be sure, you could try to add a
"bind interfaces only = Yes"
line to your config, and add only those interfaces you want to be public.

For example:

interfaces = 192.168.1.0/24, 127.0.0.0/8
bind interfaces only = Yes

Then your samba server should not be listening on any other interfaces.
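A way to confirm that the change above actually took effect, as an added example that is not part of the reply: the script reads the `interfaces` and `bind interfaces only` settings from an smb.conf fragment and compares them with the listening sockets reported by `ss -ltn`, flagging any SMB port (139 or 445) that is bound to a wildcard address or to an address outside the configured networks. The configuration fragment and both `ss` listings are constructed for the example; on a real server the listing comes from running `ss -ltn` (or `netstat -ltn`) after restarting smbd.

```python
import ipaddress
import re

SMB_PORTS = {139, 445}
WILDCARDS = {"0.0.0.0", "::", "*"}

# Constructed smb.conf fragment modelled on the interfaces/bind lines in the reply.
SMB_CONF = """
[global]
   workgroup = HOME
   interfaces = 192.168.1.0/24, 127.0.0.0/8
   bind interfaces only = Yes
"""

# Constructed `ss -ltn` output for a server still bound to every address.
SS_BEFORE = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      50     0.0.0.0:445         0.0.0.0:*
LISTEN 0      50     0.0.0.0:139         0.0.0.0:*
LISTEN 0      50     [::]:445            [::]:*
LISTEN 0      128    127.0.0.1:631       0.0.0.0:*
"""

# Constructed `ss -ltn` output after smbd was restricted to the LAN address 192.168.1.10 (assumed).
SS_AFTER = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      50     192.168.1.10:445    0.0.0.0:*
LISTEN 0      50     192.168.1.10:139    0.0.0.0:*
LISTEN 0      50     127.0.0.1:445       0.0.0.0:*
LISTEN 0      128    127.0.0.1:631       0.0.0.0:*
"""


def parse_smb_conf(text):
    """Return (bind_interfaces_only, [networks]) from an smb.conf text.

    Only the IP, IP/bits and IP/netmask forms of `interfaces` are handled;
    Samba also accepts interface names such as eth0, which would need a
    lookup on the host and are skipped here.
    """
    bind_only = False
    nets = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in "#;" or "=" not in stripped:
            continue
        key, _, value = stripped.partition("=")
        key = key.strip().lower()
        value = value.strip()
        if key == "bind interfaces only":
            bind_only = value.lower() in ("yes", "true", "1")
        elif key == "interfaces":
            for tok in re.split(r"[,\s]+", value):  # Samba allows comma or space separators
                if not tok:
                    continue
                try:
                    nets.append(ipaddress.ip_network(tok, strict=False))
                except ValueError:
                    pass  # an interface name (e.g. eth0), not resolvable offline
    return bind_only, nets


def parse_listeners(ss_output):
    """Parse the Local Address:Port column of `ss -ltn` into (address, port) pairs."""
    listeners = []
    for line in ss_output.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 4:
            continue
        addr, _, port = fields[3].rpartition(":")
        listeners.append((addr.strip("[]"), int(port)))  # "[::]:445" -> ("::", 445)
    return listeners


def smb_exposure(listeners, allowed_nets):
    """Return SMB listeners bound to a wildcard or to an address outside allowed_nets."""
    exposed = []
    for addr, port in listeners:
        if port not in SMB_PORTS:
            continue
        if addr in WILDCARDS:
            exposed.append((addr, port))
            continue
        ip = ipaddress.ip_address(addr)
        if not any(ip in net for net in allowed_nets):  # v4/v6 mismatch simply yields False
            exposed.append((addr, port))
    return exposed


def check(conf_text, ss_output):
    """Return a list of problems; an empty list means smbd is bound the way the config intends."""
    bind_only, nets = parse_smb_conf(conf_text)
    problems = []
    if not bind_only:
        problems.append("bind interfaces only is not set")
    for addr, port in smb_exposure(parse_listeners(ss_output), nets):
        problems.append(f"smb port {port} reachable on {addr}")
    return problems


if __name__ == "__main__":
    for label, listing in (("before", SS_BEFORE), ("after", SS_AFTER)):
        print(label, check(SMB_CONF, listing) or ["ok"])
```

The check deliberately treats `0.0.0.0` and `::` as failures even when the router blocks the ports from outside: the thread shows that assumption is exactly what the poster is unable to verify, so the safer state is a daemon that never listens on a public-facing address at all.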
 
Old 08-05-2010, 06:48 PM   #3
unSpawn
Moderator
 
...and in addition to what's been offered so far: what do these logs actually read and what do you mean by "recently"?
 
Old 08-06-2010, 07:59 PM   #4
skoinga
Member
 
Original Poster
Quote:
Originally Posted by SciFi-Bob View Post
Some of those are ipv6 addresses
Why do you think this? For the "ffff" prefix in the file name?
However I'll bind samba only to my ipv4 interface, right.
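The `__ffff_` file names asked about in posts #1 and #4 can be decoded mechanically. As an added example (not from the thread): `::ffff:A.B.C.D` is the IPv4-mapped IPv6 notation, which is what a dual-stack socket reports for a plain IPv4 client, and when Samba builds the per-client log name it replaces the colons with underscores, so `log.__ffff_1.2.3.4` is simply a log for the IPv4 client 1.2.3.4 that had no resolvable NetBIOS name. The script classifies a `/var/log/samba` listing into daemon logs, NetBIOS names and client addresses, then reports the addresses outside the LAN ranges and the names the administrator does not recognise. The file names, the LAN networks and the set of known host names are all constructed or assumed; 203.0.113.45 is a documentation address standing in for the foreign address the poster saw.

```python
import ipaddress
import re

# Constructed listing of /var/log/samba, modelled on the names shown in post #1.
# 203.0.113.45 (RFC 5737 documentation range) stands in for a real foreign address.
SAMPLE_LOG_NAMES = [
    "log.smbd",
    "log.nmbd",
    "log.gx150",
    "log.gx150.old",
    "log.inetsvr",
    "log.iulius-564d6773",
    "log.__ffff_192.168.1.23",
    "log.__ffff_203.0.113.45",
    "log.__ffff_203.0.113.45.old",
]

# Assumed LAN ranges (the network from reply #2 plus loopback).
LAN_NETS = [ipaddress.ip_network("192.168.1.0/24"), ipaddress.ip_network("127.0.0.0/8")]

# Assumed placeholder names for the poster's own machines (lower-case for comparison).
KNOWN_HOSTS = {"homepc", "laptop"}

# Per-daemon logs rather than per-client logs.
DAEMON_LOGS = {"smbd", "nmbd", "winbindd"}

# log.__ffff_A.B.C.D[.old]: the IPv4-mapped address ::ffff:A.B.C.D with its colons
# turned into underscores by Samba's file-name sanitising of %m.
MAPPED_V4 = re.compile(r"^log\.__ffff_(\d{1,3}(?:\.\d{1,3}){3})(?:\.old)?$")
# log.<client name>[.old]
NAMED = re.compile(r"^log\.([^.]+)(?:\.old)?$")


def socket_form(name):
    """Return the address as the socket layer saw it, e.g. '::ffff:203.0.113.45', or None."""
    m = MAPPED_V4.match(name)
    return f"::ffff:{m.group(1)}" if m else None


def classify(name, lan_nets=LAN_NETS):
    """Return (kind, value): kind is 'daemon', 'netbios', 'lan-ip', 'foreign-ip' or 'other'."""
    m = MAPPED_V4.match(name)
    if m:
        ip = ipaddress.ip_address(m.group(1))
        kind = "lan-ip" if any(ip in net for net in lan_nets) else "foreign-ip"
        return kind, str(ip)
    m = NAMED.match(name)
    if m:
        label = m.group(1)
        return ("daemon", label) if label in DAEMON_LOGS else ("netbios", label)
    return "other", name


def summarize(names, known_hosts=KNOWN_HOSTS, lan_nets=LAN_NETS):
    """Collect the client addresses outside the LAN and the NetBIOS names not recognised."""
    foreign, unknown = set(), set()
    for name in names:
        kind, value = classify(name, lan_nets)
        if kind == "foreign-ip":
            foreign.add(value)
        elif kind == "netbios" and value.lower() not in known_hosts:
            unknown.add(value)
    return {"foreign_ips": sorted(foreign), "unknown_names": sorted(unknown)}


if __name__ == "__main__":
    # On a real server: names = os.listdir("/var/log/samba")
    for name in SAMPLE_LOG_NAMES:
        print(f"{name:32} {classify(name)}  {socket_form(name) or ''}")
    print(summarize(SAMPLE_LOG_NAMES))
```

Every entry in `foreign_ips` or `unknown_names` is a client that completed a TCP connection to smbd and got far enough for Samba to open a per-client log, so a non-empty result is evidence that the ports were reachable from that client at that time, whatever an nmap scan shows today.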
 
Old 08-06-2010, 08:04 PM   #5
skoinga
Member
 
Original Poster
Quote:
Originally Posted by unSpawn View Post
...and in addition to what's been offered so far: what do these logs actually read and what do you mean by "recently"?
Recently = in the last 3 or 4 months..
The logs are very detailed, I've set debug level to 9.
For example..

Quote:
[2010/05/12 20:28:09, 6] param/loadparm.c:lp_file_list_changed(6729)
lp_file_list_changed()
file /etc/samba/smb.conf -> /etc/samba/smb.conf last mod_time: Thu Apr 22 13:25:27 2010

[2010/05/12 20:28:09, 5] smbd/reply.c:reply_special(472)
init msg_type=0x81 msg_flags=0x0
[2010/05/12 20:28:09, 0] lib/util_sock.c:write_data(1136)
[2010/05/12 20:28:09, 0] lib/util_sock.c:get_peer_addr_internal(1676)
getpeername failed. Error was Transport endpoint is not connected
write_data: write failure in writing to client 0.0.0.0. Error Connection reset by peer
[2010/05/12 20:28:09, 0] smbd/process.c:srv_send_smb(74)
Error writing 4 bytes to client. -1. (Transport endpoint is not connected)
[2010/05/12 20:28:09, 5] lib/util_sock.c:read_socket_with_timeout(928)
read_socket_with_timeout: blocking read. EOF from client.
[2010/05/12 20:28:09, 3] smbd/process.c:smbd_process(2056)
receive_message_or_smb failed: NT_STATUS_END_OF_FILE, exiting
[2010/05/12 20:28:09, 5] lib/gencache.c:gencache_shutdown(93)
Closing cache file
[2010/05/12 20:28:09, 5] libsmb/namecache.c:namecache_shutdown(81)
namecache_shutdown: netbios namecache closed successfully.
[2010/05/12 20:28:09, 3] smbd/sec_ctx.c:set_sec_ctx(324)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2010/05/12 20:28:09, 5] auth/token_util.c:debug_nt_user_token(464)
NT user token: (NULL)
[2010/05/12 20:28:09, 5] auth/token_util.c:debug_unix_user_token(490)
UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups
[2010/05/12 20:28:09, 5] smbd/uid.c:change_to_root_user(287)
change_to_root_user: now uid=(0,0) gid=(0,0)
[2010/05/12 20:28:09, 3] smbd/connection.c:yield_connection(31)
Yielding connection to
[2010/05/12 20:28:09, 3] smbd/connection.c:yield_connection(42)
deleting connection record returned NT_STATUS_NOT_FOUND
[2010/05/12 20:28:09, 3] smbd/server.c:exit_server_common(949)
Server exit (normal exit)
 
Old 08-10-2010, 12:20 PM   #6
SciFi-Bob
Member
 
Location: Denmark
Distribution: Debian/Ubuntu
A log level above 4-5 seldom has any meaning to anyone except the Samba developers. Be aware that Samba broadcasts a lot of seemingly meaningless data, being the poorly designed MS protocol it is, so many lines in a level 9 log may be perfectly normal.
I normally log at level 2, and when debugging at level 4. Never had any reason to increase the level.

Believe me, if you are under attack, you WILL see something in the logs even at level 3.

Also, you may want to know that you can choose the level by class, like this:

Code:
debug class = yes  # Displays the class in the log file. Class may be lanman, rpc_srv, etc.
log level = all:1 printdrivers:3 lanman:1 rpc_parse:2 rpc_srv:3 rpc_cli:2 passdb:2 sam:2 auth:2

Last edited by SciFi-Bob; 08-10-2010 at 12:22 PM.
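To pick the informative entries out of a level-9 log like the one quoted in post #5, applying the advice in post #6 that levels above 3 or 4 rarely matter to an administrator, here is an added example that is not part of the thread. It parses the `[date, level] file:function(line)` header format shown in that log, attaches the indented message lines that follow to their header, and keeps only entries at level 3 or below; the sample is a constructed excerpt modelled on post #5. Note that smbd occasionally emits a header before the previous entry's message lines (the `write_data` entry in post #5 shows this), so the parser attributes each message line to the nearest preceding header and nothing more.

```python
import re
from collections import Counter

# Constructed excerpt in the header format of the level-9 log quoted in post #5.
SAMPLE_LOG = """\
[2010/05/12 20:28:09, 6] param/loadparm.c:lp_file_list_changed(6729)
  lp_file_list_changed()
  file /etc/samba/smb.conf -> /etc/samba/smb.conf  last mod_time: Thu Apr 22 13:25:27 2010

[2010/05/12 20:28:09, 5] smbd/reply.c:reply_special(472)
  init msg_type=0x81 msg_flags=0x0
[2010/05/12 20:28:09, 0] lib/util_sock.c:get_peer_addr_internal(1676)
  getpeername failed. Error was Transport endpoint is not connected
[2010/05/12 20:28:09, 0] smbd/process.c:srv_send_smb(74)
  Error writing 4 bytes to client. -1. (Transport endpoint is not connected)
[2010/05/12 20:28:09, 3] smbd/process.c:smbd_process(2056)
  receive_message_or_smb failed: NT_STATUS_END_OF_FILE, exiting
[2010/05/12 20:28:09, 3] smbd/server.c:exit_server_common(949)
  Server exit (normal exit)
"""

# "[YYYY/MM/DD HH:MM:SS, level] source/file.c:function(line)"
HEADER = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), (\d+)\] (\S+)\s*$")


def _finish(entry):
    """Join the collected message lines into one string."""
    entry["message"] = " ".join(entry.pop("lines"))
    return entry


def parse_entries(text):
    """Return a list of dicts with time, level, source and message for each log entry."""
    entries = []
    current = None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            if current is not None:
                entries.append(_finish(current))
            current = {"time": m.group(1), "level": int(m.group(2)),
                       "source": m.group(3), "lines": []}
        elif current is not None and line.strip():
            current["lines"].append(line.strip())  # continuation of the current entry
    if current is not None:
        entries.append(_finish(current))
    return entries


def filter_level(entries, max_level=3):
    """Keep entries at or below max_level; 3 drops the protocol chatter levels 4-9 add."""
    return [e for e in entries if e["level"] <= max_level]


def level_histogram(entries):
    """Count entries per debug level, to see how much of a log is high-level noise."""
    return dict(Counter(e["level"] for e in entries))


if __name__ == "__main__":
    # On a real server: text = open("/var/log/samba/log.<client>").read()
    entries = parse_entries(SAMPLE_LOG)
    print("entries per level:", level_histogram(entries))
    for e in filter_level(entries):
        print(f"{e['time']} [{e['level']}] {e['source']}: {e['message']}")
```

Run against the poster's level-9 files this leaves the level-0 socket errors and the level-3 connection open/close records, which are the lines that say who connected and what happened; the level-5 and level-6 cache and configuration entries fall away.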
 
  

