Windows virus/worm triggers Samba warnings
mathog at mendel.bio.caltech.edu
Tue Sep 25 14:31:06 GMT 2001
In an earlier post I mentioned that log messages like:
(682) process_get_backup_list_request: domain list requested for
workgroup SAF and I am not a domain master browser.
can arise when a machine other than the official WINS server (the one
that Samba knows about) runs a WINS service. Unfortunately, it turns out
that this is not the most common cause of this problem, which is some
sort of as yet unidentified virus/worm that has so far infected about 5
Windows machines on our campus. By unidentified I mean that nobody
has yet told me its name - it may already have been classified by the
That said, this beast managed to infect an NT server running a current
version of Norton Antivirus, survived the nightly disk scan, and kept on
trolling for victims on the campus net. The same or a similar pathogen
also infected at least one W95 machine - and those cannot run a "real"
So don't ignore these messages when they pile up in your log file.
Crank logging up to level 3 and you'll see this message preceding the one above in the
process_get_backup_list_request: request from FOOTER<00> IP
which will tell you the name of the machine triggering the messages. If
is like mine - at least half of those machines will be infected. This
will show you all the culprits still in your log files:
fgrep "get_backup_list_request: r" /var/log/samba/log.nmbd*
To date I've not seen these messages coming from any of the Windows
use files from my Samba fileserver.
mathog at caltech.edu
Manager, Sequence Analysis Facility, Biology Division, Caltech
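The fgrep above lists every matching line. As an added example (not part of the original post), this shell function reduces those lines to one row per requesting machine with a hit count. The text after "IP" in the log line is an assumed format, and the sample log lines, the host LABPC7 and the 192.0.2.x addresses are constructed.

```shell
#!/bin/sh
# Added example: tally the hosts behind nmbd backup-list requests.
# Assumption: at log level 3 the request lines look like
#   process_get_backup_list_request: request from NAME<00> IP a.b.c.d ...
# Only the text up to "IP" appears in the post; the rest is assumed.

# sample_log: constructed log lines for a dry run (not real data).
sample_log() {
    cat <<'EOF'
  process_get_backup_list_request: request from FOOTER<00> IP 192.0.2.10 to SAF<1b>.
  process_get_backup_list_request: domain list requested for workgroup SAF and I am not a domain master browser.
  process_get_backup_list_request: request from LABPC7<00> IP 192.0.2.23 to SAF<1b>.
  process_get_backup_list_request: request from FOOTER<00> IP 192.0.2.10 to SAF<1b>.
  process_get_backup_list_request: request from FOOTER<00> IP
EOF
}

# tally_requesters [FILE...]
# Reads nmbd log text from FILEs (or stdin) and prints "COUNT NAME [IP]"
# for each distinct requester, most frequent first.
tally_requesters() {
    cat -- "$@" |
    # Keep only the "request from" lines; emit NAME|IP (IP may be empty
    # when the line is cut short). The warning line itself does not match.
    sed -n 's/.*get_backup_list_request: request from \([^<]*\)<[0-9A-Fa-f]*> IP *\([0-9.]*\).*/\1|\2/p' |
    awk -F'|' '
        { n[$1]++; if ($2 != "") ip[$1] = $2 }
        END {
            for (k in n)
                printf "%d %s%s\n", n[k], k, (ip[k] != "" ? " " ip[k] : "")
        }' |
    sort -k1,1nr -k2,2
}

# Dry run on the constructed sample. On a real server:
#   tally_requesters /var/log/samba/log.nmbd*
sample_log | tally_requesters
```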