[Samba] DISASTER - Samba corrupts shared directory data - URGENTLY

Andrew Bartlett abartlet at samba.org
Sun Dec 29 03:44:04 GMT 2002


On Sat, 2002-12-21 at 01:00, Fabiano Felix wrote:
> Hi all,
> 
> I need big help... I have the following environment:
> - SuSE 8.0 with all patches;
> - Samba (2.2.3a RPM-SuSE) + LDAP;
> - OpenLDAP2 (2.0.23 RPM-SuSE);
> - smbldap-tools (0.7 - TGZ).
> 
> All was functioning perfectly, but suddenly one of the Samba shares
> presented problems: the files/directories are corrupted!!! No changes
> were made in the configuration, and the following data appears in the
> shared directory:

I would really be looking either at a kernel/fs fault, or malicious
administrative access.   Samba doesn't rename files on its own - there
just isn't the code to do it.  And furthermore, Samba always conducts
operations as the connecting user (you didn't have 'admin users =' set
did you?) unless configured specifically otherwise.

> Before:
> 
> pub:/home/DATA # l | more
> total 100
> drwxr-xr-x   24 root     root         4096 Dec 20 09:37 ./
> drwxr-xr-x  123 root     root         4096 Dec 20 08:59 ../
> drwxr-xr-x    2 root     users        4096 Dec 20 09:37 Biblioteca/
> drwxrwxrwx    2 root     users        4096 Dec 20 09:37 Boletim de
> Ocorrência/
> drwxr-xr-x    2 root     users        4096 Dec 20 09:37 CargaMaquinaTS/
> drwxr-xr-x    2 root     users        4096 Dec 20 09:37 Darf/
> drwxr-xr-x    3 root     users        4096 Dec 20 09:37 Dot/
> drwxr-xr-x    2 root     users        4096 Dec 20 09:37 EspecComerciais/
> drwxrwxrwx    5 root     users        8192 Dec 20 09:37 Etiquetas
> Exportacao/
> drwxrwx---    2 root     exportpa     4096 Dec 20 09:37 ExportPayment/
> drwxr-xr-x    2 root     users        4096 Dec 20 09:37 ExportSample/
> drwxr-xr-x    3 root     users        4096 Dec 20 09:36 Mdb/
> drwxr-xr-x    2 root     users        4096 Dec 20 09:37 Moedas/
> drwxrwxrwx    2 root     users        4096 Dec 20 10:55 NFs/
> drwxrwx---    2 root     opsyst2      4096 Dec 20 09:33 Opsyst2/
> drwxrwxrwx    2 root     users        4096 Dec 20 09:37 Pulso/
> 
> 
> 
> After:
> 
> pub:/home/DATA.OLD # l | more
> total 47084
> drwxr-xr-x  11580 root     users      356352 Dec 19 12:11 ./
> drwxr-xr-x  123 root     root         4096 Dec 20 08:59 ../
> drwxr-xr-x    2 root     users        4096 Dec 19 10:53 0/
> drwxr-xr-x    2 root     users        4096 Dec 19 10:53 1/
> drwxr-xr-x    2 root     users        4096 Dec 19 11:06 100/
> drwxr-xr-x    2 root     users        4096 Dec 19 11:03
> 101248cd8e964bc7f14d8e8e9782e152/
> drwxr-xr-x    2 root     users        4096 Dec 19 11:02 10149fd642f3b/
> drwxr-xr-x    2 root     users        4096 Dec 19 10:55
> 1020168bca14819b5b9265c8483b895e/
> drwxr-xr-x    2 root     users        4096 Dec 19 11:07
> 1023149d8bc19422f5165f76c3b812f1/
> drwxr-xr-x    2 root     users        4096 Dec 19 10:55 10265ed/
> drwxr-xr-x    2 root     users        4096 Dec 19 10:53 1027765b55d/
> drwxr-xr-x    2 root     users        4096 Dec 19 10:53 102b62a/
> drwxr-xr-x    2 root     users        4096 Dec 19 10:53
> 103c414240f1587767c5bcf43b4/
> drwxr-xr-x    2 root     users        4096 Dec 19 10:55 103d681b755da/
> drwxr-xr-x    2 root     users        4096 Dec 19 10:54 104/
> drwxr-xr-x    2 root     users        4096 Dec 19 10:57
> 1044b9756a8048a37a45ec7984784ac0/
> drwxr-xr-x    2 root     users        4096 Dec 19 10:55
> 1049667d4878eb8449937da544c093b4/
> drwxr-xr-x    2 root     users        4096 Dec 19 10:54
> 104a76c5568dcc86def788c04b9d6586/
> drwxr-xr-x    2 root     users        4096 Dec 19 10:54
> 1051ae47d9d43de38035a1f8b267f413/
> drwxr-xr-x    2 root     users        4096 Dec 19 10:53
> 10529e126094efa79b40cb8/
> drwxr-xr-x    2 root     users        4096 Dec 19 10:58
> 105d84323ce26fc0e4fa6c37ce9bc639/
> drwxr-xr-x    2 root     users        4096 Dec 19 11:05
> 105e54e644294cf6e7a6f7b7b/
> drwxr-xr-x    2 root     users        4096 Dec 19 10:54
> 105f92644e71ab42a9bc496f55f4e136/
> drwxr-xr-x    2 root     users        4096 Dec 19 10:57 1063c92c93da8/
> drwxr-xr-x    2 root     users        4096 Dec 19 10:58
> 106bbc5ab65a3c68484ad214207c4ce/
> drwxr-xr-x    2 root     users        4096 Dec 19 11:02
> 106dbc2191441caaf219843b44c322fd/
> drwxr-xr-x    2 root     users        4096 Dec 19 10:53
> 10799deecbeba388406a666efd1a6c2/
> drwxr-xr-x    2 root     users        4096 Dec 19 10:56 107b8925ef5f16e/
> drwxr-xr-x    2 root     users        4096 Dec 19 11:02
> 10823d1afa11aeba3d3a93127eb1a798/
> drwxr-xr-x    2 root     users        4096 Dec 19 10:58
> 108857646aa141893a58f3eec/
> drwxr-xr-x    2 root     users        4096 Dec 19 10:59
> 10a2a2bc918bfba9c1476cf4added0c/
> drwxr-xr-x    2 root     users        4096 Dec 19 10:54
> 10aaa05c5730e583ba4c681415bfd939/
> 
> 
> It is only a part of the directory list (it is bigger); I could observe
> that the generated directories are in numeric order (hexa). The owner
> of the files was modified too, though the user that took ownership
> wasn't connected at the moment. I could observe too that only the
> "public" directories were affected (directories with rx permissions for
> everyone).
> The shared directory is an ext3+lvm (in the same mount point, there are
> other samba shares that aren't affected). The log.smbd doesn't present
> any error.

I would carefully examine your system logs, and login records to
determine what programs were actually running at the time, if there were
actually connections to the Samba share etc.

If it was not for the fact that only root could write to those dirs, I
would have suspected one of the various Windows worms (some of them have
been known to crawl networks damaging data) - but in your case I'm a bit
stumped.  I would not rule out system compromise, but kernel errors
seem the more likely problem to me.

> PLEASE, can someone help me?????
> 
> Regards,
> 
> Fabiano

I hope this gives you some ideas where to start looking.

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
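
One way to start the log and login-record review suggested above, added here as an example and not part of the original message: summarise the hex-named entries in the affected directory (count, owners, modification window) so there is a concrete time range to look up in syslog, `log.smbd` and `last` output. The function names and the five-minute slack are assumptions made for this sketch.

```python
import os
import re
import time
from collections import Counter

# Names made only of lowercase hex digits, like those in the "After" listing.
HEX_NAME = re.compile(r"^[0-9a-f]+$")

def triage(share_root):
    """Summarise hex-named entries directly under share_root (run as root)."""
    hits = []
    with os.scandir(share_root) as it:
        for entry in it:
            if not HEX_NAME.match(entry.name):
                continue
            st = entry.stat(follow_symlinks=False)
            is_dir = entry.is_dir(follow_symlinks=False)
            empty = is_dir and not os.listdir(entry.path)
            hits.append((entry.name, st.st_mtime, st.st_uid, st.st_gid, empty))
    if not hits:
        return {"count": 0}
    # A directory's mtime is its last content change, not its creation time,
    # so the window below is when the entries were last touched.
    mtimes = [h[1] for h in hits]
    return {
        "count": len(hits),
        "first_mtime": min(mtimes),
        "last_mtime": max(mtimes),
        "owners": Counter((h[2], h[3]) for h in hits),  # (uid, gid) -> entries
        "empty_dirs": sum(h[4] for h in hits),
        "names_sorted": sorted(h[0] for h in hits),
    }

def window(summary, slack=300):
    """Local-time range, padded by slack seconds, to search in the logs."""
    fmt = "%Y-%m-%d %H:%M:%S"
    lo = time.localtime(summary["first_mtime"] - slack)
    hi = time.localtime(summary["last_mtime"] + slack)
    return time.strftime(fmt, lo), time.strftime(fmt, hi)

if __name__ == "__main__":
    import sys
    s = triage(sys.argv[1] if len(sys.argv) > 1 else ".")
    print(s)
    if s["count"]:
        print("check logs between %s and %s" % window(s))
```

Any uid in `owners` that does not match an account with a session in that window is worth following up.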