WINS isn't working correctly and I think somebody is trying to exploit a security hole...

Jeff Wiegley jeff at la.usweb.com
Fri May 1 01:53:37 GMT 1998


Pardon the long log file but I'm fairly new to WINS servers and probably
don't know what I'm doing.

We have two subnets (let's call them xxx.xxx.xxx.??? and yyy.yyy.yyy.??).
I have one samba/linux server on both networks, xxx.xxx.xxx.2 and yyy.yyy.yyy.2.
xxx.xxx.xxx.2 is set up to be a domain master and yyy.yyy.yyy.2 is set up to
be a local master with xxx.xxx.xxx.2 as its master.

Things seemed to be working up until a couple of days ago and then things
started getting screwy. It seemed like our servers were no longer providing
WINS resolution and we thought this might be because one of our employees
accidentally set up a WINS server which was winning master elections and thus
our real servers weren't.  What I found when looking at log.nmb is something
more scary possibly.  It looks as though somebody outside of our networks
is attempting to be the domain master.

Could somebody with more knowledge look through this log file and tell me
what is going on and how I can correct the situation or prevent it?

Of particular interest to me are the attempted requests from machines not
on either the xxx.xxx.xxx or the yyy.yyy.yyy subnets, as these seem to be
somebody trying to gain information and/or access to something they
shouldn't be.

Since security already looks like it's being threatened here I have
changed the names and IP addresses in this message and the logs (except
for the IPs that are making illegal requests in case anybody wants to
go hunt them down... ;-)

(sorry for the length of the log or any weird line wraps that happen to it)

I hope that somebody can guide me as to what to do to shut out machines not
in my subnets and also give advice about anything that could help to get my
WINS resolution running correctly.

Thanks,

- Jeff

here's the log.nmb file...

04/20/1998 18:40:28 netbios nameserver version 1.9.18p3 started
Copyright Andrew Tridgell 1994-1997
04/20/1998 18:40:28 become_domain_master_browser_wins: attempting to become domain master browser on workgroup MY.WORKGROUP.NAME, subnet UNICAST_SUBNET.
become_domain_master_browser_wins: querying WINS server at IP xxx.xxx.xxx.2 for domain master browser name MY.WORKGROUP.NAME<1b> on workgroup MY.WORKGROUP.NAME

04/20/1998 18:40:28 ***** Samba server xxx.xxx.xxx.2 is now a domain master browser for workgroup MY.WORKGROUP.NAME on subnet UNICAST_SUBNET *****

become_domain_master_browser_bcast: At time 04/20/1998 18:40:28 attempting to become domain master browser on workgroup MY.WORKGROUP.NAME on subnet xxx.xxx.xxx.2
become_domain_master_browser_bcast: querying subnet xxx.xxx.xxx.2 for domain master browser on workgroup MY.WORKGROUP.NAME

04/20/1998 18:40:38 ***** Samba server xxx.xxx.xxx.2 is now a domain master browser for workgroup MY.WORKGROUP.NAME on subnet xxx.xxx.xxx.2 *****


04/20/1998 18:40:42 *****   Samba name server xxx.xxx.xxx.2 is now a local master browser for workgroup MY.WORKGROUP.NAME on subnet xxx.xxx.xxx.2 *****

process_node_status_request: status request for name *<00> from IP 205.184.226.152 on subnet REMOTE_BROADCAST_SUBNET - name not found.
process_node_status_request: status request for name *<00> from IP 205.184.226.152 on subnet REMOTE_BROADCAST_SUBNET - name not found.
process_node_status_request: status request for name *<00> from IP 205.184.226.152 on subnet REMOTE_BROADCAST_SUBNET - name not found.
process_name_release_request: Attempt to release name `a__MSBROWSE__a<01> from IP xxx.xxx.xxx.74 on subnet xxx.xxx.xxx.2 being rejected as it is one of our names.
Packet send failed to xxx.xxx.xxx.74(137) ERRNO=Connection refused
reply_netbios_packet: send_packet to IP xxx.xxx.xxx.74 port 137 failed
process_name_release_request: Attempt to release name MY.WORKGROUP.NAME<00> from IP xxx.xxx.xxx.74 on subnet xxx.xxx.xxx.2 being rejected as it is one of our names.
process_name_release_request: Attempt to release name MY.WORKGROUP.NAME<1e> from IP xxx.xxx.xxx.74 on subnet xxx.xxx.xxx.2 being rejected as it is one of our names.
process_name_release_request: Attempt to release name MY.WORKGROUP.NAME<00> from IP xxx.xxx.xxx.74 on subnet xxx.xxx.xxx.2 being rejected as it is one of our names.
process_name_release_request: Attempt to release name MY.WORKGROUP.NAME<1e> from IP xxx.xxx.xxx.74 on subnet xxx.xxx.xxx.2 being rejected as it is one of our names.
process_name_release_request: Attempt to release name MY.WORKGROUP.NAME<00> from IP xxx.xxx.xxx.74 on subnet xxx.xxx.xxx.2 being rejected as it is one of our names.
process_name_release_request: Attempt to release name MY.WORKGROUP.NAME<1e> from IP xxx.xxx.xxx.74 on subnet xxx.xxx.xxx.2 being rejected as it is one of our names.
process_name_release_request: Attempt to release name MY.WORKGROUP.NAME<00> from IP xxx.xxx.xxx.74 on subnet xxx.xxx.xxx.2 being rejected as it is one of our names.
process_name_release_request: Attempt to release name MY.WORKGROUP.NAME<1e> from IP xxx.xxx.xxx.74 on subnet xxx.xxx.xxx.2 being rejected as it is one of our names.
process_name_release_request: Attempt to release name MY.WORKGROUP.NAME<00> from IP xxx.xxx.xxx.74 on subnet xxx.xxx.xxx.2 being rejected as it is one of our names.
process_name_release_request: Attempt to release name MY.WORKGROUP.NAME<1e> from IP xxx.xxx.xxx.74 on subnet xxx.xxx.xxx.2 being rejected as it is one of our names.
process_name_release_request: Attempt to release name MY.WORKGROUP.NAME<00> from IP xxx.xxx.xxx.74 on subnet xxx.xxx.xxx.2 being rejected as it is one of our names.
process_name_release_request: Attempt to release name MY.WORKGROUP.NAME<1e> from IP xxx.xxx.xxx.74 on subnet xxx.xxx.xxx.2 being rejected as it is one of our names.
sync_browse_lists: yyy.yyy.yyy.2 rejected the browse sync sessionsetup
process_node_status_request: status request for name *<00> from IP 204.30.73.175 on subnet REMOTE_BROADCAST_SUBNET - name not found.
process_node_status_request: status request for name *<00> from IP 204.30.73.175 on subnet REMOTE_BROADCAST_SUBNET - name not found.
process_node_status_request: status request for name *<00> from IP 204.30.73.175 on subnet REMOTE_BROADCAST_SUBNET - name not found.
process_node_status_request: status request for name *<00> from IP 204.31.253.207 on subnet REMOTE_BROADCAST_SUBNET - name not found.
process_node_status_request: status request for name *<00> from IP 204.31.253.207 on subnet REMOTE_BROADCAST_SUBNET - name not found.
process_node_status_request: status request for name *<00> from IP 204.31.253.207 on subnet REMOTE_BROADCAST_SUBNET - name not found.
process_local_master_announce: Server C009 at IP xxx.xxx.xxx.88 is announcing itself as a local master browser for workgroup MY.WORKGROUP.NAME and we think we are master. Forcing election.

04/29/1998 09:52:38 *****   Samba name server xxx.xxx.xxx.2 has stopped being a local master browser for workgroup MY.WORKGROUP.NAME on subnet xxx.xxx.xxx.2 *****


04/29/1998 09:52:52 *****   Samba name server xxx.xxx.xxx.2 is now a local master browser for workgroup MY.WORKGROUP.NAME on subnet xxx.xxx.xxx.2 *****

process_local_master_announce: Server yyy.yyy.yyy.2 at IP yyy.yyy.yyy.2 is announcing itself as a local master browser for workgroup MY.WORKGROUP.NAME and we think we are master. Forcing election.

04/29/1998 11:13:28 *****   Samba name server xxx.xxx.xxx.2 has stopped being a local master browser for workgroup MY.WORKGROUP.NAME on subnet xxx.xxx.xxx.2 *****


04/29/1998 11:13:42 *****   Samba name server xxx.xxx.xxx.2 is now a local master browser for workgroup MY.WORKGROUP.NAME on subnet xxx.xxx.xxx.2 *****

process_local_master_announce: Server SOMEMACHINE at IP xxx.xxx.xxx.74 is announcing itself as a local master browser for workgroup MY.WORKGROUP.NAME and we think we are master. Forcing election.

04/29/1998 12:08:34 *****   Samba name server xxx.xxx.xxx.2 has stopped being a local master browser for workgroup MY.WORKGROUP.NAME on subnet xxx.xxx.xxx.2 *****

register_name_response: server at IP xxx.xxx.xxx.74 rejected our name registration of MY.WORKGROUP.NAME<1d> with error code 6.
become_local_master_fail2: failed to register name MY.WORKGROUP.NAME<1d> on subnet xxx.xxx.xxx.2. Failed to become a local master browser.
standard_fail_register: Failed to register/refresh name MY.WORKGROUP.NAME<1d> on subnet xxx.xxx.xxx.2
query_name_response: Multiple (2) responses received for a query on subnet xxx.xxx.xxx.2 for name MY.WORKGROUP.NAME<1d>. This response was from IP xxx.xxx.xxx.255
query_name_response: Multiple (2) responses received for a query on subnet xxx.xxx.xxx.2 for name MY.WORKGROUP.NAME<1d>. This response was from IP xxx.xxx.xxx.255
query_name_response: Multiple (2) responses received for a query on subnet xxx.xxx.xxx.2 for name MY.WORKGROUP.NAME<1d>. This response was from IP xxx.xxx.xxx.255
process_browse_packet: On subnet xxx.xxx.xxx.2 ignoring browse packet command code 11 from BOXEN<00> IP xxx.xxx.xxx.4 to MY.WORKGROUP.NAME<1e>
query_name_response: Multiple (2) responses received for a query on subnet xxx.xxx.xxx.2 for name MY.WORKGROUP.NAME<1d>. This response was from IP xxx.xxx.xxx.255
query_name_response: Multiple (2) responses received for a query on subnet xxx.xxx.xxx.2 for name MY.WORKGROUP.NAME<1d>. This response was from IP xxx.xxx.xxx.255
query_name_response: Multiple (2) responses received for a query on subnet xxx.xxx.xxx.2 for name MY.WORKGROUP.NAME<1d>. This response was from IP xxx.xxx.xxx.255
query_name_response: Multiple (2) responses received for a query on subnet xxx.xxx.xxx.2 for name MY.WORKGROUP.NAME<1d>. This response was from IP xxx.xxx.xxx.255
query_name_response: Multiple (2) responses received for a query on subnet xxx.xxx.xxx.2 for name MY.WORKGROUP.NAME<1d>. This response was from IP xxx.xxx.xxx.255
query_name_response: Multiple (2) responses received for a query on subnet xxx.xxx.xxx.2 for name MY.WORKGROUP.NAME<1d>. This response was from IP xxx.xxx.xxx.255
query_name_response: Multiple (2) responses received for a query on subnet xxx.xxx.xxx.2 for name MY.WORKGROUP.NAME<1d>. This response was from IP xxx.xxx.xxx.255
query_name_response: Multiple (2) responses received for a query on subnet xxx.xxx.xxx.2 for name MY.WORKGROUP.NAME<1d>. This response was from IP xxx.xxx.xxx.255
query_name_response: Multiple (2) responses received for a query on subnet xxx.xxx.xxx.2 for name MY.WORKGROUP.NAME<1d>. This response was from IP xxx.xxx.xxx.255
query_name_response: Multiple (2) responses received for a query on subnet xxx.xxx.xxx.2 for name MY.WORKGROUP.NAME<1d>. This response was from IP xxx.xxx.xxx.255
query_name_response: Multiple (2) responses received for a query on subnet xxx.xxx.xxx.2 for name MY.WORKGROUP.NAME<1d>. This response was from IP xxx.xxx.xxx.255
query_name_response: Multiple (2) responses received for a query on subnet xxx.xxx.xxx.2 for name MY.WORKGROUP.NAME<1d>. This response was from IP xxx.xxx.xxx.255
query_name_response: Multiple (2) responses received for a query on subnet xxx.xxx.xxx.2 for name MY.WORKGROUP.NAME<1d>. This response was from IP xxx.xxx.xxx.255
query_name_response: Multiple (2) responses received for a query on subnet xxx.xxx.xxx.2 for name MY.WORKGROUP.NAME<1d>. This response was from IP xxx.xxx.xxx.255
query_name_response: Multiple (2) responses received for a query on subnet xxx.xxx.xxx.2 for name MY.WORKGROUP.NAME<1d>. This response was from IP xxx.xxx.xxx.255
query_name_response: Multiple (2) responses received for a query on subnet xxx.xxx.xxx.2 for name MY.WORKGROUP.NAME<1d>. This response was from IP xxx.xxx.xxx.255
query_name_response: Multiple (2) responses received for a query on subnet xxx.xxx.xxx.2 for name MY.WORKGROUP.NAME<1d>. This response was from IP xxx.xxx.xxx.255
query_name_response: Multiple (2) responses received for a query on subnet xxx.xxx.xxx.2 for name MY.WORKGROUP.NAME<1d>. This response was from IP xxx.xxx.xxx.255
query_name_response: Multiple (2) responses received for a query on subnet xxx.xxx.xxx.2 for name MY.WORKGROUP.NAME<1d>. This response was from IP xxx.xxx.xxx.255
query_name_response: Multiple (2) responses received for a query on subnet xxx.xxx.xxx.2 for name MY.WORKGROUP.NAME<1d>. This response was from IP xxx.xxx.xxx.255
process_node_status_request: status request for name *<00> from IP 204.30.73.227 on subnet REMOTE_BROADCAST_SUBNET - name not found.
process_node_status_request: status request for name *<00> from IP 204.30.73.227 on subnet REMOTE_BROADCAST_SUBNET - name not found.
process_node_status_request: status request for name *<00> from IP 204.30.73.227 on subnet REMOTE_BROADCAST_SUBNET - name not found.
process_node_status_request: status request for name *<00> from IP 204.30.73.227 on subnet REMOTE_BROADCAST_SUBNET - name not found.
process_node_status_request: status request for name *<00> from IP 204.30.73.227 on subnet REMOTE_BROADCAST_SUBNET - name not found.
process_node_status_request: status request for name *<00> from IP 204.30.73.227 on subnet REMOTE_BROADCAST_SUBNET - name not found.
query_name_response: Multiple (2) responses received for a query on subnet xxx.xxx.xxx.2 for name MY.WORKGROUP.NAME<1d>. This response was from IP xxx.xxx.xxx.255
sync_browse_lists: MACHINE rejected the browse sync session
process_browse_packet: On subnet xxx.xxx.xxx.2 ignoring browse packet command code 11 from OTHER<20> IP xxx.xxx.xxx.58 to MY.WORKGROUP.NAME<1e>
process_browse_packet: On subnet xxx.xxx.xxx.2 ignoring browse packet command code 11 from MACHINE<20> IP xxx.xxx.xxx.113 to MY.WORKGROUP.NAME<1e>
sync_browse_lists: MACHINE rejected the browse sync session
error connecting to xxx.xxx.xxx.113:139 (No route to host)
sync_browse_lists: Failed to start browse sync with C034
process_node_status_request: status request for name *<00> from IP 207.69.129.38 on subnet REMOTE_BROADCAST_SUBNET - name not found.
process_node_status_request: status request for name *<00> from IP 207.69.129.38 on subnet REMOTE_BROADCAST_SUBNET - name not found.
process_node_status_request: status request for name *<00> from IP 207.69.129.38 on subnet REMOTE_BROADCAST_SUBNET - name not found.


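The triage below is an added example, not part of the original post and not Samba's own code. It reads log.nmb lines of the shape shown above and separates the two things mixed together in the log: wildcard `*<00>` node-status queries arriving from addresses outside the local subnets (the "machines not in my subnets" the poster asks about; these are the nbtstat-style queries that reveal a host's NetBIOS name table, and they show UDP/137 is reachable from outside), and the in-house browser-election churn (rival local-master announcements, attempts to release the server's own names, refused name registrations). The subnets 192.0.2.0/24 and 198.51.100.0/24, the workgroup EXAMPLEGROUP and every sample line are constructed placeholders standing in for the poster's xxx/yyy networks; substitute the real subnets and feed it the real log.nmb.

```python
"""Added triage helper for a Samba nmbd log (log.nmb); not the poster's or Samba's code.

Subnets, workgroup and sample lines are constructed placeholders (RFC 5737
documentation ranges), chosen to mirror the log format quoted in the post.
"""
import ipaddress
import re
from collections import Counter

# Assumption: these stand in for the poster's xxx.xxx.xxx.0 and yyy.yyy.yyy.0 subnets.
LOCAL_SUBNETS = [ipaddress.ip_network("192.0.2.0/24"),
                 ipaddress.ip_network("198.51.100.0/24")]

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
NODE_STATUS_RE = re.compile(
    r"process_node_status_request: status request for name (\S+) from IP " + IP)
RELEASE_RE = re.compile(
    r"process_name_release_request: Attempt to release name (\S+) from IP " + IP)
ANNOUNCE_RE = re.compile(
    r"process_local_master_announce: Server (\S+) at IP " + IP + r" is announcing")
REG_REJECT_RE = re.compile(
    r"register_name_response: server at IP " + IP
    + r" rejected our name registration of (\S+) with error code (\d+)")

# Constructed sample in the same shape as the poster's log.nmb excerpt.
SAMPLE_LOG = """\
process_node_status_request: status request for name *<00> from IP 203.0.113.7 on subnet REMOTE_BROADCAST_SUBNET - name not found.
process_node_status_request: status request for name *<00> from IP 203.0.113.7 on subnet REMOTE_BROADCAST_SUBNET - name not found.
process_node_status_request: status request for name *<00> from IP 192.0.2.40 on subnet 192.0.2.2 - name not found.
process_name_release_request: Attempt to release name EXAMPLEGROUP<00> from IP 192.0.2.74 on subnet 192.0.2.2 being rejected as it is one of our names.
process_name_release_request: Attempt to release name EXAMPLEGROUP<1e> from IP 192.0.2.74 on subnet 192.0.2.2 being rejected as it is one of our names.
process_local_master_announce: Server C009 at IP 192.0.2.88 is announcing itself as a local master browser for workgroup EXAMPLEGROUP and we think we are master. Forcing election.
register_name_response: server at IP 192.0.2.74 rejected our name registration of EXAMPLEGROUP<1d> with error code 6.
sync_browse_lists: 198.51.100.2 rejected the browse sync sessionsetup
"""


def is_local(ip_text, subnets=LOCAL_SUBNETS):
    """True if the address lies inside one of the subnets we own."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(addr in net for net in subnets)


def triage(lines, subnets=LOCAL_SUBNETS):
    """Classify nmbd log lines into the events that matter for this incident."""
    external_status = Counter()   # ip -> wildcard node-status queries from outside
    internal_status = Counter()   # ip -> the same from inside (normal browsing noise)
    release_attempts = Counter()  # (ip, name) -> attempts to release one of our names
    announcements = Counter()     # (server, ip) -> rival local-master announcements
    reg_rejects = Counter()       # (ip, name, errcode) -> our own registrations refused
    for line in lines:
        m = NODE_STATUS_RE.search(line)
        if m:
            _name, ip = m.groups()
            (internal_status if is_local(ip, subnets) else external_status)[ip] += 1
            continue
        m = RELEASE_RE.search(line)
        if m:
            name, ip = m.groups()
            release_attempts[(ip, name.lstrip("`"))] += 1  # MSBROWSE name has a stray backtick
            continue
        m = ANNOUNCE_RE.search(line)
        if m:
            announcements[m.groups()] += 1
            continue
        m = REG_REJECT_RE.search(line)
        if m:
            ip, name, code = m.groups()
            reg_rejects[(ip, name, int(code))] += 1
    return {
        "external_node_status": dict(external_status),
        "internal_node_status": dict(internal_status),
        "release_attempts": dict(release_attempts),
        "master_announcements": dict(announcements),
        "registration_rejects": dict(reg_rejects),
    }


def findings(report):
    """Render the report as one-line findings, outside-origin traffic first."""
    out = []
    for ip, n in sorted(report["external_node_status"].items(), key=lambda kv: -kv[1]):
        out.append(f"EXTERNAL: {ip} sent {n} wildcard node-status (nbtstat-style) "
                   f"queries; UDP/137 is reachable from outside the LAN")
    for (ip, name), n in report["release_attempts"].items():
        out.append(f"INTERNAL: {ip} tried {n}x to release our name {name}")
    for (server, ip), n in report["master_announcements"].items():
        out.append(f"INTERNAL: {server} ({ip}) announced itself local master {n}x; election forced")
    for (ip, name, code), n in report["registration_rejects"].items():
        out.append(f"INTERNAL: {ip} refused our registration of {name} (error {code}) {n}x")
    return out


if __name__ == "__main__":
    for line in findings(triage(SAMPLE_LOG.splitlines())):
        print(line)
```

Read against the poster's log, the split matters for the response: the EXTERNAL lines are an exposure finding (name-table enumeration from the Internet) and are addressed at the perimeter, by dropping UDP/137 and TCP/139 from outside the two subnets and by restricting nmbd with smb.conf's `hosts allow` and `interfaces` parameters; the INTERNAL lines are the browser-election fight with xxx.xxx.xxx.74 and xxx.xxx.xxx.88, which is what actually broke name resolution, and those hosts are the ones to look at for a stray WINS server or misconfigured browser settings.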