Need help - Trying to capture a possible windows/SMB worm
Ronald F. Guilmette
rfg at monkeys.com
Sat Sep 30 11:45:25 GMT 2000
I would like to request some assistance from you, for a worthwhile
Recently, in my firewall logs for my FreeBSD system here, I have
picked up what I believe to be unmistakable signs of some sort of
Windows/SMB worm that has been trying to get into my (closed) port 139
from many different IP addresses within my same /16 IP address block.
After doing a bit of web searching, I found out that I may not have
been the first person to notice such a thing. Please take a look at:
This fellow also reported getting quite a few connection attempts to
his port 139 from various IP addresses within the same /16 IP address
block as his own IP address. (Note that I am on an entirely different
network than he is, and yet I am seeing the same thing... lots of
attempted port 139 connects from various addresses with the same /16
as where *my* machine lives.)
Anyway, there are other things that have convinced me that what that
fellow and I are seeing is some sort of a Windows/SMB worm that infects
systems and then goes poking around, sequentially, at other IP addresses
within the same /16, looking for yet more machines that it can infect.
I won't tell you what these other things are at the moment. I'll just
tell you that I _do_ have some additional evidence that this is what is
in fact happening, and that a LOT of different machines within my local
/16 seem to be infected, and seem to be trying to infect my machine here.
(They won't succeed, of course, because I have FreeBSD and I have the
IP firewalling stuff configured, and I am heavily filtering all packets
both in and out of here.)
Anyway, the bottom line is that I have been seeing a lot of port 139
connection attempts for many days in a row now, and what I would like
to do now is attempt to see what those other hosts would actually try to
do to a potentially vulnerable Windows machine if given half a chance.
And if possible, I would like to actually _capture_ a copy of the worm
that I now suspect is running rampant around the net.
This is where you come in.
I have just downloaded and installed the Samba package for FreeBSD (4.1)
and I'm ready to bring it up... with full logging of course... so that I
can try to see _exactly_ what these other systems... which I believe are
infected with some unknown agent... will try to do if I open up port 139
(and maybe 137 also).
Basically, I just want to know if you will help me to set up an smb.conf
file that will ensure that I can log all activities of these other systems
(when they connect to my system) _and_ one that will not put at risk
anything of value that is currently stored on my disk.
I own this box, and I have root, so setting up new/fake accounts is no
problem, if that will help any.
So what do you say? Will you help me in my efforts to try to trap and
identify whatever this thing is that is infecting these other systems?
If so, please give me all the guidance you can. I set up Samba only once
in the past, and I think that that was 5 years ago or so. I don't remember
any of it anymore, and anyway, it's probably all different now. But I'm
a competent UNIX sysadmin, so you should be able to just give me some
terse instructions and I should be able to follow them.
Thanks in advance, assuming that you are willing to help.
P.S. Ideally, I would like to get a log of _every_ command and every
response that comes in or out of both smbd and nmbd. And of course,
I'd like to make whatever is on the other end of the line believe that
it is looking at a vulnerable Windows system. I suspect that this
means that I'd like to make at least a few directories writable, in
part in the hopes that this worm thing that I suspect exists will try
to transfer a copy of itself onto my disk. If I could capture a copy
of it, that would be great. Then I could alert all of the proper
authorities and give out copies of the thing to all anti-virus writers.
P.P.S. I started regarding the current smb.conf man page already, and
looking at the sample smb.conf file. God there are a lot of options!
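As an added example (not the poster's configuration and not something from the Samba project), the smb.conf below sketches the kind of logging-only setup the message asks for: verbose per-client logs, every connection forced onto an unprivileged guest account, and a single writable bait share on an otherwise empty directory. The interface name fxp0, the /var/smbhoney path, the NetBIOS name and the use of the "nobody" account are assumptions to be adapted to the local box.

```ini
# Added example: a logging-only Samba "honeypot" configuration.
# Assumptions (not from the original post): a spare interface fxp0,
# an empty directory tree under /var/smbhoney, and an unprivileged
# local account named "nobody".
[global]
   workgroup = WORKGROUP
   ; name and banner shown to the remote side; cosmetic only
   netbios name = WIN98PC
   server string = Windows 98 PC
   ; only listen where the probes are arriving
   interfaces = fxp0
   bind interfaces only = yes

   ; maximum verbosity, one log per connecting machine (%m = client NetBIOS name)
   log level = 10
   log file = /var/log/samba/log.%m
   ; size in kB; rotate rather than let level-10 logging fill the disk
   max log size = 50000
   debug timestamp = yes

   ; any username the client presents is mapped to the guest account,
   ; so nothing outside the bait share is ever reachable
   security = user
   map to guest = Bad User
   guest account = nobody

   ; offer nothing else: no home directories, no printers
   load printers = no

; the single bait share: writable, on an isolated empty directory,
; so anything the remote side tries to drop is kept for analysis
[C]
   comment = C drive
   path = /var/smbhoney/C
   guest ok = yes
   guest only = yes
   writable = yes
   browseable = yes
   force user = nobody
   ; dropped files are created non-executable and owned by "nobody"
   create mask = 0600
   directory mask = 0700
```

Samba's own logs only record what smbd and nmbd interpret, so the "every command and every response" wish in the P.S. is better met by running a packet capture on ports 137-139 alongside it; the bait directory should also sit on its own filesystem so uploaded files cannot fill the root disk.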