Windows virus/worm triggers Samba warnings

NITIN PANDE npande at bajajauto.co.in
Tue Sep 25 22:15:03 GMT 2001


And it came to pass that David Mathog wrote:

> In an earlier post I mentioned that log messages like:
>
> [2001/09/10 13:05:51,0]nmbd/nmbd_incomingdgrams.c:process_get_backup_list_request(682)
>      process_get_backup_list_request: domain list requested for workgroup SAF and I am not a domain master browser.
>
> can arise when a machine other than the official WINS server (the one
> that Samba knows about) runs a WINS service.  Unfortunately, it turns out
> that this is not the most common cause of this problem, which is some
> sort of as yet unidentified virus/worm that has so far infected about 5
> Windows machines on our campus.  By unidentified I mean that nobody
> has yet told me its name - it may already have been classified by the
> antivirus people.
> That said, this beast managed to infect an NT server running a current
> version of Norton Antivirus, survived the nightly disk scan, and kept on
> trolling for victims on the campus net. The same or a similar pathogen
> also infected at least one W95 machine - and those cannot run a "real"
> WINS service.
>
> So don't ignore these messages when they pile up in your log file.
> Crank logging up to level 3 and you'll see this message preceding the one
> above in the log.nmbd files:
>
> [2001/09/10 13:05:51,3]nmbd/nmbd_incomingdgrams.c:process_get_backup_list_request(648)
>       process_get_backup_list_request: request from FOOTER<00> IP 131.215.184.175 to SAF<1b>.
>
> which will tell you the name of the machine triggering the messages.  If
> your experience is like mine - at least half of those machines will be
> infected.  This will show you all the culprits still in your log files:
>
>    fgrep "get_backup_list_request: r" /var/log/samba/log.nmbd*
>
> To date I've not seen these messages coming from any of the Windows
> machines which use files from my Samba fileserver.
>
> Regards,
>
> David Mathog
> mathog at caltech.edu
> Manager, Sequence Analysis Facility, Biology Division, Caltech

This could be that Nimda or Sircam virus.  What is the role of your infected NT Server?
Sircam sends out e-mail to other guys.
Also, on a similar topic, I was wondering if someone could provide these worm signatures.
Each of these viruses/worms leaves a fingerprint on the files.  Maybe I could scan the files
on the Samba server searching for these fingerprints on users' shares.  Norton Antivirus has
a virus scanner for Solaris only.  Linux and other guys have to depend on an M$ box to scan
them.  Any suggestions?
TIA, Ciao,
Nitin Pande
Mail Administrator
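As an added example (not part of either post above), the manual fgrep David describes can be turned into a small parser that pairs each two-line Samba 2.x nmbd log record with its message, counts the hosts sending GetBackupListRequest datagrams, drops the hosts that are supposed to be doing that (the real domain master browser / WINS server), and counts the level-0 "I am not a domain master browser" warnings. It assumes the record layout shown in the quoted excerpts; the sample log.nmbd below is constructed for the example (the FOOTER / 131.215.184.175 record is the one from the thread, PDC01, LAB-PC7 and the 192.0.2.x addresses are made up), and known_browsers is a hypothetical allow-list the admin would fill in from smb.conf.

```python
import re
from collections import Counter

# Header line of a Samba 2.x log record, e.g.
#   [2001/09/10 13:05:51, 3] nmbd/nmbd_incomingdgrams.c:process_get_backup_list_request(648)
# Whitespace around the level and after "]" is optional because mail clients
# and copy/paste often strip it, as in the records quoted in the thread.
HEADER_RE = re.compile(
    r"^\[(?P<date>\d{4}/\d{2}/\d{2})\s*(?P<time>\d{2}:\d{2}:\d{2}),\s*(?P<level>\d+)\]\s*"
    r"(?P<file>\S+?):(?P<func>\w+)\((?P<line>\d+)\)\s*$"
)

# Message line nmbd writes at log level 3 for each GetBackupListRequest datagram.
REQUEST_RE = re.compile(
    r"process_get_backup_list_request:\s+request from\s+(?P<name>\S+?)<[0-9a-fA-F]{2}>"
    r"\s+IP\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+to\s+(?P<workgroup>\S+?)<1b>"
)

NOT_MASTER_TEXT = "I am not a domain master browser"


def parse_records(text):
    """Split log text into (header, body) pairs: each header line plus the
    indented message lines that follow it, joined into one string."""
    records, header, body = [], None, []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            if header is not None:
                records.append((header, " ".join(body)))
            header, body = m.groupdict(), []
        elif header is not None and line.strip():
            body.append(line.strip())
    if header is not None:
        records.append((header, " ".join(body)))
    return records


def not_master_browser_warnings(text):
    """Count the level-0 warnings the original post is about."""
    return sum(1 for _, body in parse_records(text) if NOT_MASTER_TEXT in body)


def backup_list_requesters(text, known_browsers=()):
    """Return [(ip, netbios_name, count)] for every host that sent a backup-list
    request, skipping IPs in known_browsers (the legitimate domain master /
    WINS server), most frequent first.  Whatever is left is a host worth
    looking at, which is what the fgrep in the post finds by hand."""
    counts, names = Counter(), {}
    for header, body in parse_records(text):
        if header["func"] != "process_get_backup_list_request":
            continue
        m = REQUEST_RE.search(body)
        if not m or m.group("ip") in known_browsers:
            continue
        counts[m.group("ip")] += 1
        names[m.group("ip")] = m.group("name")
    return sorted(((ip, names[ip], n) for ip, n in counts.items()),
                  key=lambda row: (-row[2], row[0]))


# Constructed sample log.nmbd excerpt.  The FOOTER / 131.215.184.175 record and
# the level-0 warning are as quoted in the thread; PDC01, LAB-PC7 and the
# 192.0.2.x addresses are made up for the example.  The last header line has
# its spaces stripped, the way the quoted records arrived in the mail.
SAMPLE_LOG = """\
[2001/09/10 13:05:51, 3] nmbd/nmbd_incomingdgrams.c:process_get_backup_list_request(648)
  process_get_backup_list_request: request from FOOTER<00> IP 131.215.184.175 to SAF<1b>.
[2001/09/10 13:05:51, 0] nmbd/nmbd_incomingdgrams.c:process_get_backup_list_request(682)
  process_get_backup_list_request: domain list requested for workgroup SAF  and I am not a domain master browser.
[2001/09/10 13:07:02, 3] nmbd/nmbd_incomingdgrams.c:process_get_backup_list_request(648)
  process_get_backup_list_request: request from PDC01<00> IP 192.0.2.10 to SAF<1b>.
[2001/09/10 13:09:40, 3] nmbd/nmbd_incomingdgrams.c:process_get_backup_list_request(648)
  process_get_backup_list_request: request from LAB-PC7<00> IP 192.0.2.77 to SAF<1b>.
[2001/09/10 13:09:40, 0] nmbd/nmbd_incomingdgrams.c:process_get_backup_list_request(682)
  process_get_backup_list_request: domain list requested for workgroup SAF  and I am not a domain master browser.
[2001/09/10 13:12:15,3]nmbd/nmbd_incomingdgrams.c:process_get_backup_list_request(648)
  process_get_backup_list_request: request from FOOTER<00> IP 131.215.184.175 to SAF<1b>.
"""

if __name__ == "__main__":
    print("not-master-browser warnings:", not_master_browser_warnings(SAMPLE_LOG))
    for ip, name, n in backup_list_requesters(SAMPLE_LOG, known_browsers={"192.0.2.10"}):
        print(f"{ip:16} {name:16} {n} request(s)")
```

Run it against the real files with something like `python3 nmbd_requesters.py < /var/log/samba/log.nmbd` after swapping SAMPLE_LOG for sys.stdin.read(); the point of the allow-list is that a host which is not the configured domain master browser but keeps asking for the backup list is exactly the kind of machine David found to be infected, so those are the ones to go and look at first.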