browser issue? hacking issue? HHEELLPP!!!

Ariel Mella samba at nebula-sa.com.ar
Thu Nov 15 12:43:20 GMT 2001


Tony:
Maybe you can use log level 3 or 4 and separate the logs by machine, to
identify which IP and machine NetBIOS name is trying to connect? Honestly,
from a quick look I would say that maybe it could be a virus like Nimda
trying to connect with the nobody user...


----- Original Message -----
From: "Tony Ricker" <rickera2 at SLU.EDU>
To: "Samba NT-Dom" <samba-ntdom at lists.samba.org>
Sent: Thursday, November 15, 2001 5:15 PM
Subject: browser issue? hacking issue? HHEELLPP!!!


>
> All,
>     I have a question that I think I narrowed down the issue, but
> still have not seen the answer. In the logs, I see the following....
>
> Snip.....
> Oct 29 18:32:59 sifl smbd[8811]:   authorise_login: rejected invalid user nobody
> Oct 29 18:32:59 sifl smbd[8811]:   authorise_login: rejected invalid user nobody
> Oct 29 18:44:59 sifl smbd[8814]:   authorise_login: rejected invalid user nobody
> Oct 29 18:44:59 sifl smbd[8814]:   authorise_login: rejected invalid user nobody
> Oct 29 18:56:59 sifl smbd[8817]:   authorise_login: rejected invalid user nobody
> Oct 29 18:56:59 sifl smbd[8817]:   authorise_login: rejected invalid user nobody
> .....End snip
>
> Know that this happens pretty much every hour of every day, with some
> thrown in at odd times. Notice that these are 12 minutes apart, which
> had me wondering. After looking into it, I found out that a master
> browser will send a server announcement every 12 minutes for (3) 12
> minute periods. Thinking harder... But I still have no ideas as to what
> the user nobody is trying to authenticate. In my smb.conf (2.2.2 on
> Redhat 7.1) here is the relative info....
>
> preferred master=yes
> master browser=yes
> local master=yes
> domain master=yes
> domain logons=yes
>
> Anyone have this issue before? If so, any ideas as to what is happening?
> In my research, I have found (correct if I am wrong) that the user nobody
> is used if a user does not authenticate correctly, and samba will try and
> use the nobody account, also if a share is double clicked in network
> 'hood, it will try and authenticate using the user nobody. I am at a loss
> as to what is happening and could use any and all help/damnations. If
> anyone needs more info, please let me know.
>
> Cheers,
>
> Tony
> -------------------------------
> Tony Ricker
> Technology Coordinator
> SLUCare - P.M.O.
> St. Louis University
> Phone:  314.977.6844
> E-mail: rickera2 at slu.edu
> -------------------------------
> "In the beginners mind, there
> are many possibilities. In the
> experts mind, there are few"
> - Shunryu Suzuki
> -------------------------------
> "Think Different"
>
>
>
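
Added example (not part of the original thread): parsing `authorise_login` rejections in the syslog format quoted above and reporting the most common gap between attempts for a given user, so a fixed cadence such as the 12-minute one can be told apart from irregular attempts. The function names, the assumed year 2001 and the `guest1` entry are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample: entries in the format quoted above (wrapped by the mail
# client, as in the e-mail) plus one invented off-schedule entry (guest1).
SAMPLE_LOG = """\
Oct 29 18:32:59 sifl smbd[8811]:   authorise_login: rejected invalid
user nobody
Oct 29 18:32:59 sifl smbd[8811]:   authorise_login: rejected invalid
user nobody
Oct 29 18:44:59 sifl smbd[8814]:   authorise_login: rejected invalid
user nobody
Oct 29 18:50:12 sifl smbd[8815]:   authorise_login: rejected invalid user guest1
Oct 29 18:56:59 sifl smbd[8817]:   authorise_login: rejected invalid
user nobody
"""

STAMP = r"\w{3} [ \d]\d [\d:]{8}"  # syslog timestamp, e.g. "Oct 29 18:32:59"
REJECT = re.compile(rf"({STAMP}) \S+ smbd\[(\d+)\]:\s+authorise_login: rejected invalid user (\S+)")

def unwrap(text):
    """Re-join records that a mail client wrapped (and maybe '>'-quoted)."""
    records = []
    for line in text.splitlines():
        line = line.lstrip("> ").rstrip()
        if re.match(STAMP, line) or not records:
            records.append(line)
        elif line:
            records[-1] += " " + line
    return records

def rejections(text, year=2001):
    """Return [(timestamp, pid, user)]; syslog omits the year, so one is assumed."""
    out = []
    for rec in unwrap(text):
        m = REJECT.match(rec)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            out.append((ts, int(m.group(2)), m.group(3)))
    return out

def dominant_interval(events, user):
    """(gap in minutes, occurrences) for the most common gap between attempts."""
    times = sorted({ts for ts, _, u in events if u == user})  # drop same-second repeats
    gaps = Counter(round((b - a).total_seconds() / 60) for a, b in zip(times, times[1:]))
    return gaps.most_common(1)[0] if gaps else None

if __name__ == "__main__":
    print(dominant_interval(rejections(SAMPLE_LOG), "nobody"))
```

The log lines at this level carry only the smbd PID and user name, so tying a cadence to a client still needs the per-machine logs suggested in the reply.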




