[Samba] external pings accross NAT (compromised?)

Christopher Joseph christopher at ideadesigners.com
Thu Aug 21 08:17:21 GMT 2003 

Hi List,

I am far from being network savvy. Despite this I have installed samba 
2.2.7a (mandrake 9.1) and the company has been using it as PDC for a 
win2k network for the last 4 months. The same machine is also running 
named, cvs, mysql, apache (moneys tight :)). We are located in serviced 
offices and are networked accross a vlan. The entire network is 
'protected' by a NAT firewall to the Internet owned by the ISP. *some* 
of our internal machines are running personal firewalls.

to the point - recently one of the machines running a personal firewall 
has been alerting because of low volume pings from external ip 
addresses. These addresses have all been, to date, within this range 
213.x.x.x . The machine (win2k) is generally pinged by a different IP 
within that range every five minutes or so - after which the fw bans it. 
I have run virus scanners on all company machines with nothing showing 
up. I have also installed ethereal and tried to watch the network 
packets after the ISP said that the only way an external address could 
resolve to our natted internal ones was if the internal one were 
contacting them first.

ethereal does not show the local machine sending out an icmp request 
first. Instead it shows that external address pings the local machine 
and all currently used internal addresses + some internal addresses that 
are no longer used but which may still be defined on the named server.

However - the only outgoing packets to the culprit ip addresses are the 
ocassional reply to icmp requests from one or two un-personal-firewalled 
machines.

Does anyone have any thoughts on what could be happening?

-- 
Christopher Joseph

-------------------
[Internet]
http://www.ideadesigners.com  [iseries & web technologies]
mailto: christopher at ideadesigners.com

[Telephone]
mobile:   +44 7966 003860
Office:   +44 1494 731814 ext. 832
Direct:	  +44 1494 731832

[Instant Message]
ICQ: 78019724
YIM = Josephc_98
MSN = christopher at ideadesigners.com

More information about the samba mailing list