[Samba] Suspicious activity on domain

Michael Wood esiotrot at gmail.com
Mon Jul 23 11:48:58 MDT 2012


Just a guess. The user's virus scanner decided to scan your server.

On 7/16/12, Ludovic Rouse-Lamarre <ludovic.rouse-lamarre at xyzcivitas.com> wrote:
> Hello,
>
> Last week I detected with Zabbix that a member of my Samba domain
> had been downloading at a rate of around 8 Mbps for two and a half days.
> When I asked the person to whom the machine belonged, he didn't know he
> was downloading anything, but he said he had observed that his machine had
> slowed down since then. I took a tcpdump of the traffic before
> terminating his session on Windows XP. I checked and there wasn't any
> large amount of data on his hard drive, as the total drive capacity was
> 80GiB and there was 30GiB free. One of the oddities for me was that the
> bandwidth was being consumed through port tcp 139 of the Samba machine.
> Normally data is downloaded on port tcp 445. Another oddity is that when
> I put together some of the names in the trace from tcpdump, I can
> reconstitute names of files on the server. Unless I'm mistaken, this type
> of information shouldn't be circulating on port 139?
>
> Here is the version of Samba:
> Samba version 3.4.9
>
> Here is a sample of the trace from tcpdump:
> 17:46:35.838212 IP pdc-canix.xyzcivitas.com.netbios-ssn >
> GBY-PC-125.xyzcivitas.com.1026: Flags [P.], ack 123157, win 65535,
> length 1239 NBT Session Packet: Unknown packet type 0x38Data: (41 bytes)
> [000] D5 F1 4E 73 4E 02 00 00  FB 04 00 00 2E 00 00 00
> \0xd5\0xf1NsN\0x02\0x00\0x00 \0xfb\0x04\0x00\0x00.\0x00\0x00\0x00
> [010] 00 00 00 00 01 00 00 00  00 00 64 40 43 32 32 30
> \0x00\0x00\0x00\0x00\0x01\0x00\0x00\0x00 \0x00\0x00d@C220
> [020] 30 38 2D 30 37 2D 32 33  5F                       08-07-23 _
>
> 17:46:35.842050 IP GBY-PC-125.xyzcivitas.com.1026 >
> pdc-canix.xyzcivitas.com.netbios-ssn: Flags [.], ack 7980391, win 65535,
> length 0
> 17:46:35.842313 IP GBY-PC-125.xyzcivitas.com.1026 >
> pdc-canix.xyzcivitas.com.netbios-ssn: Flags [P.], ack 7981630, win
> 64296, length 63 NBT Session Packet: Session Message
> 17:46:35.842446 IP pdc-canix.xyzcivitas.com.netbios-ssn >
> GBY-PC-125.xyzcivitas.com.1026: Flags [.], ack 123220, win 65535, length
> 1460 NBT Session Packet: Session Message
> 17:46:35.842460 IP pdc-canix.xyzcivitas.com.netbios-ssn >
> GBY-PC-125.xyzcivitas.com.1026: Flags [.], ack 123220, win 65535, length
> 1460 NBT Session Packet: Unknown packet type 0x70Data: (41 bytes)
> [000] 63 50 4B 01 02 14 0B 14  00 00 00 08 00 80 96 F7
> cPK\0x01\0x02\0x14\0x0b\0x14 \0x00\0x00\0x00\0x08\0x00\0x80\0x96\0xf7
> [010] 38 63 04 52 FB 4E 02 00  00 FB 04 00 00 2E 00 00
> 8c\0x04R\0xfbN\0x02\0x00 \0x00\0xfb\0x04\0x00\0x00.\0x00\0x00
> [020] 00 00 00 00 00 01 00 00  00
> \0x00\0x00\0x00\0x00\0x00\0x01\0x00\0x00 \0x00
>
> 17:46:35.842472 IP pdc-canix.xyzcivitas.com.netbios-ssn >
> GBY-PC-125.xyzcivitas.com.1026: Flags [P.], ack 123220, win 65535,
> length 1239 NBT Session Packet: Session Message
> 17:46:35.846333 IP GBY-PC-125.xyzcivitas.com.1026 >
> pdc-canix.xyzcivitas.com.netbios-ssn: Flags [.], ack 7984550, win 65535,
> length 0
> 17:46:35.846580 IP GBY-PC-125.xyzcivitas.com.1026 >
> pdc-canix.xyzcivitas.com.netbios-ssn: Flags [P.], ack 7985789, win
> 64296, length 63 NBT Session Packet: Session Message
> 17:46:35.846692 IP pdc-canix.xyzcivitas.com.netbios-ssn >
> GBY-PC-125.xyzcivitas.com.1026: Flags [.], ack 123283, win 65535, length
> 1460 NBT Session Packet: Session Message
> 17:46:35.846701 IP pdc-canix.xyzcivitas.com.netbios-ssn >
> GBY-PC-125.xyzcivitas.com.1026: Flags [.], ack 123283, win 65535, length
> 1460 NBT Session Packet: Unknown packet type 0x12Data: (41 bytes)
> [000] 01 00 0B 14 01 00 32 00  00 00 00 00 00 00 00 00
> \0x01\0x00\0x0b\0x14\0x01\0x002\0x00
> \0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00
> [010] 00 00 00 00 40 A6 59 32  32 30 30 38 2D 30 37 2D
> \0x00\0x00\0x00\0x00@\0xa6Y2 2008-07-
> [020] 32 33 5F 4C 31 2F 53 68  65                       23_L1/Sh e
>
> 17:46:35.846707 IP pdc-canix.xyzcivitas.com.netbios-ssn >
> GBY-PC-125.xyzcivitas.com.1026: Flags [P.], ack 123283, win 65535,
> length 1239 NBT Session Packet: Unknown packet type 0x66Data: (41 bytes)
> [000] 6F 72 64 2F 41 4C 5F 33  39 5F 34 31 33 5F 38 37  ord/AL_3 9_413_87
> [010] 38 5F 30 30 31 5F 41 66  69 63 68 43 70 63 2E 68  8_001_Af ichCpc.h
> [020] 74 6D 50 4B 01 02 14 0B  14
> tmPK\0x01\0x02\0x14\0x0b \0x14
>
> 17:46:35.850610 IP GBY-PC-125.xyzcivitas.com.1026 >
> pdc-canix.xyzcivitas.com.netbios-ssn: Flags [.], ack 7988709, win 65535,
> length 0
> 17:46:35.850826 IP GBY-PC-125.xyzcivitas.com.1026 >
> pdc-canix.xyzcivitas.com.netbios-ssn: Flags [P.], ack 7989948, win
> 64296, length 63 NBT Session Packet: Session Message
> 17:46:35.850954 IP pdc-canix.xyzcivitas.com.netbios-ssn >
> GBY-PC-125.xyzcivitas.com.1026: Flags [.], ack 123346, win 65535, length
> 1460 NBT Session Packet: Session Message
> 17:46:35.850968 IP pdc-canix.xyzcivitas.com.netbios-ssn >
> GBY-PC-125.xyzcivitas.com.1026: Flags [.], ack 123346, win 65535, length
> 1460 NBT Session Packet: Unknown packet type 0x30Data: (41 bytes)
> [000] 30 38 2D 30 37 2D 32 33  5F 4C 31 2F 53 68 65 66  08-07-23 _L1/Shef
> [010] 66 6F 72 64 2F 41 4C 5F  33 39 5F 34 31 34 5F 33  ford/AL_ 39_414_3
> [020] 35 30 5F 30 30 31 5F 41  66                       50_001_A f
>
> 17:46:35.850974 IP pdc-canix.xyzcivitas.com.netbios-ssn >
> GBY-PC-125.xyzcivitas.com.1026: Flags [P.], ack 123346, win 65535,
> length 1239 NBT Session Packet: Unknown packet type 0x6EData: (41 bytes)
> [000] 61 76 67 74 2E 68 74 6D  50 4B 01 02 14 0B 14 00  avgt.htm
> PK\0x01\0x02\0x14\0x0b\0x14\0x00
> [010] 00 00 08 00 80 96 F7 38  D4 24 0A F9 18 01 00 00
> \0x00\0x00\0x08\0x00\0x80\0x96\0xf78 \0xd4$\0x0a\0xf9\0x18\0x01\0x00\0x00
> [020] 3A 02 00 00 35 00 00 00  00
> :\0x02\0x00\0x005\0x00\0x00\0x00 \0x00
>
> 17:46:35.854859 IP GBY-PC-125.xyzcivitas.com.1026 >
> pdc-canix.xyzcivitas.com.netbios-ssn: Flags [.], ack 7992868, win 65535,
> length 0
> 17:46:35.855062 IP GBY-PC-125.xyzcivitas.com.1026 >
> pdc-canix.xyzcivitas.com.netbios-ssn: Flags [P.], ack 7994107, win
> 64296, length 63 NBT Session Packet: Session Message
> 17:46:35.855187 IP pdc-canix.xyzcivitas.com.netbios-ssn >
> GBY-PC-125.xyzcivitas.com.1026: Flags [.], ack 123409, win 65535, length
> 1460 NBT Session Packet: Session Message
> 17:46:35.855195 IP pdc-canix.xyzcivitas.com.netbios-ssn >
> GBY-PC-125.xyzcivitas.com.1026: Flags [.], ack 123409, win 65535, length
> 1460 NBT Session Packet: Unknown packet type 0x72Data: (41 bytes)
> [000] 64 2F 41 4C 5F 33 39 5F  34 31 35 5F 35 39 34 5F  d/AL_39_ 415_594_
> [010] 6E 61 76 67 74 2E 68 74  6D 50 4B 01 02 14 0B 14  navgt.ht
> mPK\0x01\0x02\0x14\0x0b\0x14
> [020] 00 00 00 08 00 80 96 F7  38
> \0x00\0x00\0x00\0x08\0x00\0x80\0x96\0xf7 8
>
> Thanks for your time,
> Ludovic Rouse-Lamarre
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>


-- 
Michael Wood <esiotrot at gmail.com>
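Editorial note with an added example; the code below is not from either message in this thread and is not part of Samba. Two things in the quoted dump are worth reading more closely. First, port 139 carries exactly the same SMB file data as port 445, only wrapped in RFC 1002 NetBIOS session service framing (a 4-byte header: type, flags, length), so file contents appearing there is normal. Second, the recurring "PK\0x01\0x02" runs have the layout of ZIP central directory file headers: in the record at the end of the 17:46:35.850974 segment the bytes 14 0B 14 00 00 00 08 00 80 96 F7 38 decode as version-made-by 0x0B14, version-needed 20, no flags, deflate, DOS time 0x9680 (18:52:00) and DOS date 0x38F7 (2008-07-23, which matches the "2008-07-23_L1/" path prefix visible in the names), followed by sizes 0x118/0x23A and a name length of 0x35 = 53, which is exactly the length of "2008-07-23_L1/Shefford/AL_39_413_878_001_AfichCpc.htm". The names being reconstituted are therefore the directory of an archive the client is reading off the share, not SMB metadata leaking out of band. The "Unknown packet type 0x66 / 0x6E / 0x72" labels come from tcpdump decoding each TCP segment as if it began with an NBT header, when the segment actually starts mid-stream (those bytes are just 'f', 'n', 'r' from the file names). The script splits a reassembled stream into NBT session messages and carves the central directory records out of the payload. The sample stream and the placeholder CRC/offset values are constructed here; the field values quoted above are copied from the dump.

```python
"""Carve ZIP central-directory records out of a reassembled NBT/SMB stream.

Added example, not code from the thread or from Samba.  The sample inputs
are constructed in this file; record fields marked 'from trace' are the
bytes visible in the quoted tcpdump, everything else is a placeholder.
"""
import io
import struct
import zipfile
from dataclasses import dataclass
from datetime import datetime

CDIR_SIG = b"PK\x01\x02"
# Fixed 46-byte part of a central directory file header, little-endian:
# sig, made_by, need, flags, method, time, date, crc, csize, usize,
# nlen, elen, clen, disk, int_attr, ext_attr, local_hdr_offset
CDIR_FMT = "<4s6H3L5H2L"
CDIR_LEN = struct.calcsize(CDIR_FMT)


@dataclass
class ZipEntry:
    name: str
    method: int
    mtime: datetime
    compressed: int
    uncompressed: int


def dos_datetime(dos_time, dos_date):
    """Decode MS-DOS packed time/date as stored in ZIP headers (2 s resolution)."""
    return datetime(1980 + (dos_date >> 9), (dos_date >> 5) & 0xF, dos_date & 0x1F,
                    dos_time >> 11, (dos_time >> 5) & 0x3F, (dos_time & 0x1F) * 2)


def nbt_session_messages(stream):
    """Split an RFC 1002 session service stream into (type, payload) tuples.

    Header is type(1) flags(1) length(2); bit 0 of flags extends the length
    to 17 bits.  A trailing partial message (truncated capture) is dropped.
    """
    out, pos = [], 0
    while pos + 4 <= len(stream):
        mtype, flags, length = struct.unpack_from(">BBH", stream, pos)
        length |= (flags & 1) << 16
        if pos + 4 + length > len(stream):
            break
        out.append((mtype, stream[pos + 4:pos + 4 + length]))
        pos += 4 + length
    return out


def carve_zip_entries(blob):
    """Return every central-directory record found anywhere in blob.

    Works on raw payload bytes, so SMB headers around the file data are
    simply skipped; a record whose name runs past the end is ignored.
    """
    entries = []
    pos = blob.find(CDIR_SIG)
    while pos != -1 and pos + CDIR_LEN <= len(blob):
        (_sig, _made_by, _need, _flags, method, t, d, _crc, csize, usize,
         nlen, _elen, _clen, _disk, _iattr, _eattr, _off) = struct.unpack_from(CDIR_FMT, blob, pos)
        name = blob[pos + CDIR_LEN:pos + CDIR_LEN + nlen]
        if len(name) == nlen:
            entries.append(ZipEntry(name.decode("cp437", "replace"), method,
                                    dos_datetime(t, d), csize, usize))
        pos = blob.find(CDIR_SIG, pos + 4)
    return entries


def trace_record():
    """Constructed record: header bytes 14 0B 14 00 00 00 08 00 80 96 F7 38 and
    sizes 0x118/0x23A are from the trace; CRC and offset are placeholders."""
    name = b"2008-07-23_L1/Shefford/AL_39_413_878_001_AfichCpc.htm"
    fixed = bytes.fromhex("504b0102140b14000000080080" "96f738")
    rest = struct.pack("<3L5H2L", 0, 0x118, 0x23A, len(name), 0, 0, 0, 0, 0, 0)
    return fixed + rest + name


def build_sample_stream():
    """Constructed sample: a small deflated archive with two paths seen in the
    dump, carried as the payload of a single NBT session message (type 0x00)."""
    names = ["2008-07-23_L1/Shefford/AL_39_413_878_001_AfichCpc.htm",
             "2008-07-23_L1/Shefford/AL_39_415_594_navgt.htm"]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n in names:
            zi = zipfile.ZipInfo(n, date_time=(2008, 7, 23, 18, 52, 0))
            zf.writestr(zi, "<html>" + n + "</html>", compress_type=zipfile.ZIP_DEFLATED)
    payload = buf.getvalue()
    header = struct.pack(">BBH", 0x00, (len(payload) >> 16) & 1, len(payload) & 0xFFFF)
    return header + payload


if __name__ == "__main__":
    for e in carve_zip_entries(trace_record()):
        print(e)
    for mtype, payload in nbt_session_messages(build_sample_stream()):
        print("NBT type 0x%02x, %d bytes" % (mtype, len(payload)))
        for e in carve_zip_entries(payload):
            print("  ", e.name, e.mtime.isoformat(), e.compressed, e.uncompressed)
```

Feed it a reassembled TCP stream (for example the raw bytes saved from Wireshark's "Follow TCP Stream" for the server-to-client direction), not individual packets: the carver is deliberately tolerant of SMB headers between chunks, but a record split across two segments only decodes once the segments are joined. If the names it recovers match a .zip on the share, the next question is which process on the XP box opened it, which is what the virus-scanner guess above amounts to.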