John Quirk jbquirk at tpg.com.au
Sun Oct 1 17:00:12 GMT 2000

Robert Dahlem wrote:

> Ronald,
> On Sat, 30 Sep 2000 20:32:10 -0700, Ronald F. Guilmette wrote:
> >I found at least a couple of infected hosts that are indeed sharing
> >C:, [...]
> Unbelievable! :-)

This problem is part of the design of Windows 9X. I have recently closed
off these ports yet again. It seems if you update your TCP/IP settings and
do not carefully check that you are not sharing these services, it seems
possible for them to be opened back up.

I was pointed to this site, "http://grc.com/default.htm"; look at the
Shields Up section.

Because SAMBA uses NetBIOS over TCP/IP, it seems we are unable to close
these ports on a Windows 9X machine. Which means for Windows 9X users you
may be leaking info out to the wider net.

I believe this worm is far more common than the virus protection people
have led us to believe. Symantec's statement that it infects networks is
true. This includes the internet if you have NetBIOS enabled over TCP/IP.
Which they seem to imply is not the

I have been caught with this worm - I was just sitting on the net and as
it turned out with my ports wide open and in it came... Luckily for me my
virus scanner caught it as it wrote to my hard disk so it was unable to
carry out its

Now I was aware of this potential hole and had run internal scans. But I
must have once reconfigured the dial-up adapter and not checked properly
what had been done.

This attack scared me as the damage this thing could have done was just

Another thing that scares me is most users do not even know what TCP/IP
bindings are. Just think of the NET with all these Windows 9X machines
looking for shares....

