[Samba] smbd changeling and strange firewall logs
Rowland Penny
rowlandpenny at googlemail.com
Tue Nov 11 05:24:29 MST 2014
On 11/11/14 12:12, Lars Hanke wrote:
> Am 11.11.2014 um 12:46 schrieb Rowland Penny:
>> On 11/11/14 11:38, Lars Hanke wrote:
>>> I found in my firewall logs something that looked somewhat like a port
>>> scan originating from my AD DC. So I started to check the machine and
>>> already found something strange using ps aux:
>>>
>>> root at samba:/# samba -V
>>> Version 4.1.11-Debian
>>> root at samba:/# ps aux
>>> USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
>>> [...]
>>> root 10675 0.0 2.8 457368 29620 ? S Nov04 0:03
>>> /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
>>> root 10684 0.0 3.2 482328 34116 ? S Nov04 0:02
>>> /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
>>> 3000026 10686 0.0 3.2 482328 34096 ? S Nov04 0:01
>>> /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
>>> root 10688 0.0 3.2 482328 34100 ? S Nov04 0:01
>>> /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
>>> root 17934 0.0 0.0 49884 4 ? Ss Aug06 0:00
>>> /usr/sbin/sshd
>>> [...]
>>>
>>> Of course there is no login user 3000026 and the machine does not
>>> import any user accounts from anywhere outside. Apparently the process
>>> is already running for a week. This has probably been the last upgrade.
>>>
>>> A few minutes later I see this:
>>>
>>> root 10686 0.0 3.2 482328 34096 ? S Nov04 0:01
>>> /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
>>>
>>> Okay, it became root again.
>>>
>>> Is there any intended behaviour in smbd, which could explain this?
>>>
>>> The original firewall fingerprint were tcp connection attempts from
>>> the AD DC to all joined workstations in port ranges from 34478 to
>>> 60746. The machine runs the DC with external Bind9. No other services
>>> beyond infrastructure to make it run. Has anyone seen this before?
>>>
>>> Regards,
>>> - lars.
>>>
>>>
>> OK, '3000026' is undoubtedly coming from 'idmap.ldb', run this on the
>> DC:
>>
>> ldbedit -e nano -H /var/lib/samba/private/idmap.ldb
>>
>> and search for '3000026', this will tell you who or what is running as
>> the xidNumber.
>
> Thanks a lot - seems like it was the machine account of the DC.
>
> Any idea concerning the 1500 tcp connects to unprivileged ports of
> joined machines?
>
Probably quite normal, see here:
http://support.microsoft.com/kb/179442#method2
Rowland
More information about the samba
mailing list