Security question about suspect logfile entries

Lutz Jaenicke jaenicke at iee.TU-Berlin.DE
Wed Jun 3 15:50:05 GMT 1998


in the last days I found some entries in nmb.log on one of my servers:
process_node_status_request: status request for name *<00> from IP
0 on subnet REMOTE_BROADCAST_SUBNET - name not found.
(repeated many times)
The host on this ip is not exactly in my domain :-)
# nslookup
Default Name Server:  localhost

> set type=PTR
Name Server:  localhost

Non-authoritative answer:     name =

Authoritative answers can be found from:
44.232.195.IN-ADDR.ARPA nameserver =
44.232.195.IN-ADDR.ARPA nameserver =    internet address =       internet address =
And now my question:
- Can I consider this an attack? I found that exactly the same host accessing
  pages from our http server (which is also the samba server) at the same time.
- I mask the access to our samba servers with our subnet data. This should
  protect the data in my nmbd against such queries, doesn't it? I have tried
  with smbclient from some other subnet and couldn't receive any answer.

Best regards,
	Lutz Jaenicke
Lutz Jaenicke			       Lutz.Jaenicke at iee.TU-Berlin.DE 
TU Berlin	       http://www.iee.TU-Berlin.DE/personen/jaenicke/
Institut fuer Elektrische Energietechnik	Tel. +49 30 314-24552
Einsteinufer 11, D-10587 Berlin			Fax. +49 30 314-21133 

More information about the samba mailing list