Windows virus/worm triggers Samba warnings
npande at bajajauto.co.in
Tue Sep 25 22:15:03 GMT 2001
And it came to pass that David Mathog wrote:
> In an earlier post I mentioned that log messages like:
> (682) process_get_backup_list_request: domain list requested for
> workgroup SAF and I am not a domain master browser.
> can arise when a machine other than the official WINS server (the one
> that Samba knows about) runs a WINS service. Unfortunately, it turns out
> that this is not the most common cause of this problem, which is some
> sort of as yet unidentified virus/worm that has so far infected about 5
> Windows machines on our campus. By unidentified I mean that nobody
> has yet told me its name - it may already have been classified by the
> antivirus people.
> That said, this beast managed to infect an NT server running a current
> version of Norton Antivirus, survived the nightly disk scan, and kept on
> trolling for victims on the campus net. The same or a similar pathogen
> also infected at least one W95 machine - and those cannot run a "real"
> WINS service.
> So don't ignore these messages when they pile up in your log file.
> Crank logging up to level 3 and you'll see this message preceding the
> one above in the log.nmbd files:
> process_get_backup_list_request: request from FOOTER<00> IP
> to SAF<1b>.
> which will tell you the name of the machine triggering the messages. If
> your experience is like mine - at least half of those machines will be
> infected. This will show you all the culprits still in your log files:
> fgrep "get_backup_list_request: r" /var/log/samba/log.nmbd*
> To date I've not seen these messages coming from any of the Windows
> machines which use files from my Samba fileserver.
> David Mathog
> mathog at caltech.edu
> Manager, Sequence Analysis Facility, Biology Division, Caltech
This could be that Nimda or Sircam virus. What is the role of your infected NT Server?
Sircam sends out e-mail to other guys.
Also, on a similar topic, I was wondering if someone could provide these worm signatures.
Each of these viruses/worms leaves a fingerprint on the files. Maybe I could scan the files
on the Samba server, searching for these fingerprints on users' shares. Norton Antivirus has
a virus scanner for Solaris only. Linux and other guys have to depend on an M$ box to scan
them. Any suggestions?
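
The fgrep check from the quoted post, extended to tally requests per requesting host so the noisiest machines can be inspected first. This is an added example, not part of either post. It assumes the level-3 message carries an address after `IP`, as the quoted line suggests; the function names, the sample log lines, the host names other than FOOTER and all addresses are constructed.

```shell
#!/bin/sh
# Added example: tally nmbd get_backup_list requests per requesting host.
# Assumed level-3 message layout (based on the line quoted in the post):
#   process_get_backup_list_request: request from NAME<00> IP a.b.c.d to WG<1b>.

summarize_backup_list_requests() {
    # Args: one or more log.nmbd files. Prints "count name ip", busiest first.
    awk '
        /process_get_backup_list_request: request from / {
            name = ""; ip = "unknown"
            for (i = 1; i < NF; i++) {
                if ($i == "from") name = $(i + 1)
                # Keep "unknown" if no address follows the IP keyword.
                if ($i == "IP" && $(i + 1) != "to") ip = $(i + 1)
            }
            if (name != "") hits[name " " ip]++
        }
        END { for (k in hits) print hits[k], k }
    ' "$@" | sort -k1,1nr -k2,2
}

write_sample_log() {
    # Constructed sample log; addresses are from a documentation range.
    cat > "$1" <<'EOF'
  process_get_backup_list_request: request from FOOTER<00> IP 192.0.2.17 to SAF<1b>.
  process_get_backup_list_request: domain list requested for workgroup SAF and I am not a domain master browser.
  process_get_backup_list_request: request from NTSRV2<00> IP 192.0.2.40 to SAF<1b>.
  process_get_backup_list_request: domain list requested for workgroup SAF and I am not a domain master browser.
  process_get_backup_list_request: request from FOOTER<00> IP 192.0.2.17 to SAF<1b>.
  process_get_backup_list_request: request from LABPC7<00> IP 192.0.2.23 to SAF<1b>.
  process_get_backup_list_request: request from NTSRV2<00> IP 192.0.2.40 to SAF<1b>.
  process_get_backup_list_request: request from FOOTER<00> IP 192.0.2.17 to SAF<1b>.
EOF
}

# Demo run on the constructed sample; on a real server pass
# /var/log/samba/log.nmbd* (the path used in the post) instead.
sample=$(mktemp)
write_sample_log "$sample"
summarize_backup_list_requests "$sample"
rm -f "$sample"
```

The requests only appear once nmbd logging is at level 3, as the quoted post notes.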