[Samba] smbd changeling and strange firewall logs

Rowland Penny rowlandpenny at googlemail.com
Tue Nov 11 04:46:56 MST 2014


On 11/11/14 11:38, Lars Hanke wrote:
> I found in my firewall logs something that looked somewhat like a port 
> scan originating from my AD DC. So I started to check the machine and 
> already found something strange using ps aux:
>
> root at samba:/# samba -V
> Version 4.1.11-Debian
> root at samba:/# ps aux
> USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
> [...]
> root     10675  0.0  2.8 457368 29620 ?        S    Nov04   0:03 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
> root     10684  0.0  3.2 482328 34116 ?        S    Nov04   0:02 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
> 3000026  10686  0.0  3.2 482328 34096 ?        S    Nov04   0:01 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
> root     10688  0.0  3.2 482328 34100 ?        S    Nov04   0:01 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
> root     17934  0.0  0.0  49884     4 ?        Ss   Aug06   0:00 /usr/sbin/sshd
> [...]
>
> Of course there is no login user 3000026 and the machine does not 
> import any user accounts from anywhere outside. Apparently the process 
> is already running for a week. This has probably been the last upgrade.
>
> A few minutes later I see this:
>
> root     10686  0.0  3.2 482328 34096 ?        S    Nov04   0:01 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
>
> Okay, it became root again.
>
> Is there any intended behaviour in smbd, which could explain this?
>
> The original firewall fingerprint was TCP connection attempts from 
> the AD DC to all joined workstations in port ranges from 34478 to 
> 60746. The machine runs the DC with external Bind9. No other services 
> beyond the infrastructure needed to make it run. Has anyone seen this before?
>
> Regards,
>  - lars.
>
>
OK, '3000026' is undoubtedly coming from 'idmap.ldb'. Run this on the DC:

ldbedit -e nano -H /var/lib/samba/private/idmap.ldb

and search for '3000026'; this will tell you who or what is running as 
that xidNumber.

Rowland
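As an added example (not code from either poster), the check below automates what Lars did by eye: it parses `ps aux` output, flags smbd processes whose USER column is a bare numeric id with no passwd entry, and builds the read-only `ldbsearch` query against the idmap.ldb path from the reply so the xid can be traced without opening the database in an editor. The sample output is constructed from the lines in the post, and the 3000000+ range used to mark "looks like an idmap.ldb allocation" is an assumption about the DC's default xid range.

```python
import pwd

# Constructed sample modelled on the `ps aux` lines quoted in the post (not the full output).
SAMPLE_PS = """\
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root     10675  0.0  2.8 457368 29620 ?        S    Nov04   0:03 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
3000026  10686  0.0  3.2 482328 34096 ?        S    Nov04   0:01 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
root     17934  0.0  0.0  49884     4 ?        Ss   Aug06   0:00 /usr/sbin/sshd
"""

IDMAP_DB = "/var/lib/samba/private/idmap.ldb"   # path given in the reply
IDMAP_RANGE = (3000000, 4000000)  # assumption: DC idmap.ldb hands out xids from 3000000 upward


def parse_ps(text):
    """Split `ps aux` lines into (user, pid, command); the COMMAND column may contain spaces."""
    rows = []
    for line in text.splitlines()[1:]:          # skip the header line
        parts = line.split(None, 10)             # 10 fixed columns, then the command
        if len(parts) == 11:
            rows.append((parts[0], int(parts[1]), parts[10]))
    return rows


def uid_has_passwd_entry(uid):
    """True if this host can resolve the uid; `ps` prints a bare number when it cannot."""
    try:
        pwd.getpwuid(uid)
        return True
    except KeyError:
        return False


def unresolved_smbd(text, resolver=uid_has_passwd_entry):
    """Return (pid, uid, in_idmap_range, ldbsearch command) for smbd processes running
    as a numeric uid that has no passwd entry. `resolver` is injectable so the check can
    be replayed on a different host (or in a test) without a live passwd database."""
    hits = []
    for user, pid, cmd in parse_ps(text):
        if not cmd.split()[0].endswith("smbd") or not user.isdigit():
            continue
        uid = int(user)
        if resolver(uid):
            continue
        in_range = IDMAP_RANGE[0] <= uid < IDMAP_RANGE[1]
        query = f"ldbsearch -H {IDMAP_DB} '(xidNumber={uid})'"
        hits.append((pid, uid, in_range, query))
    return hits
```

Run the returned `ldbsearch` command on the DC to see which SID the xid was allocated to; a hit in the idmap range points at an AD account or group rather than a local user.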


