Windows virus/worm triggers Samba warnings

David Mathog mathog at
Tue Sep 25 14:31:06 GMT 2001

In an earlier post I mentioned that log messages like:

     (682) process_get_backup_list_request: domain list requested for
     workgroup SAF  and I am not a domain master browser.

Can arise when a machine other than the official WINS server (the one
that Samba knows about run a WINS service.  Unfortunately, it turns out
that this is not the most common cause of this problem, which is some
sort of as yet unidentified virus/worm that has so far infected about 5
Windows machines on our campus.  By unidentified I mean that nobody
has yet told me its name - it may already have been classified by the
antivirus people.
That said, this beast managed to infect an NT server running a current
version of Norton Antivirus, survived the nightly disk scan, and kept on
trolling for victims on the campus net. The same or a similar pathogen
also infected at least one W95 machine - and those cannot run a "real"
WINS service.

So don't ignore these messages when they pile up in your log file. 
Crank logging up to
level 3 and you'll see this message preceding the one above in the
log.nmbd files:

      process_get_backup_list_request: request from FOOTER<00> IP
      to SAF<1b>.

which will tell you the name of the machine triggering the messages.  If
your experience
is like mine - at least half of those machines will be infected.  This
will show you all the culprits still in your log files:

   fgrep "get_backup_list_request: r" /var/log/samba/log.nmbd*

To date I've not seen these messages coming from any of the Windows
machines which
use files from my Samba fileserver. 


David Mathog
mathog at
Manager, Sequence Analysis Facility, Biology Division, Caltech

More information about the samba-ntdom mailing list