[Samba] malicious traffic

Vinay K. Gupta vgupta at appshop.com
Mon Jul 28 21:43:00 GMT 2003


On our samba server, with snoop I am seeing following traffic,

  1   0.00000 client1-> samba-server      SMB C Code=0x32 Name=SMBtrans2 Findfirst File=????????l Error=0 
  8   0.00443      samba-server -> client1SMB R Code=0x32 Name=SMBtrans2 Error=0 
 27   0.01176 client5 -> samba-server      SMB C Code=0x10 Name=SMBchkpth File=????????1? Error=0 
 28   0.00016      samba-server -> client5 SMB R Code=0x10 Name=SMBchkpth Error=0 
 46   0.00019 client2 -> samba-server      SMB C Code=0x32 Name=SMBtrans2 Findfirst File=???????????l??????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????? Error=0 
 53   0.00012      samba-server -> client2 SMB R Code=0x32 Name=SMBtrans2 Error=0 
 54   0.00320 client4 -> samba-server      SMB C Code=0x32 Name=SMBtrans2 Findfirst File=???????l??????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????? Error=0 
 59   0.00005 client3 -> samba-server      SMB C Code=0x10 Name=SMBchkpth File=????????4 Error=0 
 62   0.00006      samba-server -> client3 SMB R Code=0x10 Name=SMBchkpth Error=0 
 63   0.00007      samba-server -> client4 SMB R Code=0x32 Name=SMBtrans2 Error=0 
 64   0.00279 client6 -> samba-server      SMB C Code=0x32 Name=SMBtrans2 Findfirst File=???????????????Ë??????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????? Error=0 
 71   0.00232      samba-server -> client6 SMB R Code=0x32 Name=SMBtrans2 Error=0 
152   0.00164 client7 -> samba-server      SMB C Code=0x32 Name=SMBtrans2 Findfirst File=?????????????? Error=0 
158   0.00005 client8 -> samba-server      SMB C Code=0x32 Name=SMBtrans2 Findfirst File=??????????? Error=0 
160   0.00013      samba-server -> client7 SMB R Code=0x32 Name=SMBtrans2 Error=0 
167   0.00011      samba-server -> client8 SMB R Code=0x32 Name=SMBtrans2 Error=0 
226   0.00213 client1-> samba-server      SMB C Code=0x10 Name=SMBchkpth File=???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????? Error=0

A search on Google indicates one very old document saying that this may be because of the W32.HLLW.Qaz trojan, but I am not able to find any trojan/virus on the clients' PCs. Has anybody seen this behavior? Is it normal? Any pointers/clues for this will be appreciated.

Thanks,


Vinay 
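A check a defender could run over snoop output like the one above, as an added example that is not part of the original post: it parses the summary lines (the sample below is constructed in that format, with `?` standing for bytes snoop could not print), flags client requests whose File= argument is abnormally long or mostly unprintable, and counts hits per client so that one misbehaving host stands out.

```python
import re
from collections import Counter

# Constructed sample in the format of a Solaris `snoop` SMB summary, modelled
# on the post above. Frames 1, 46 and 226 carry garbled names; 27 and 59 are
# ordinary paths for comparison.
SAMPLE = r"""
  1   0.00000 client1 -> samba-server SMB C Code=0x32 Name=SMBtrans2 Findfirst File=????????l Error=0
  8   0.00443 samba-server -> client1 SMB R Code=0x32 Name=SMBtrans2 Error=0
 27   0.01176 client5 -> samba-server SMB C Code=0x10 Name=SMBchkpth File=\\srv\docs Error=0
 46   0.00019 client2 -> samba-server SMB C Code=0x32 Name=SMBtrans2 Findfirst File=???????????l???????????????????????????????????????????????????????????????? Error=0
 59   0.00005 client3 -> samba-server SMB C Code=0x10 Name=SMBchkpth File=\\srv\docs\2003 Error=0
226   0.00213 client1 -> samba-server SMB C Code=0x10 Name=SMBchkpth File=?????????????????????????????????????????????????????????????????????? Error=0
"""

# Only client requests ("SMB C") carry a File= argument; responses are skipped.
REQUEST_RE = re.compile(
    r"^\s*(?P<frame>\d+)\s+[\d.]+\s+(?P<src>\S+)\s*->\s*(?P<dst>\S+)\s+"
    r"SMB C Code=(?P<code>0x[0-9a-fA-F]+) Name=(?P<name>\S+)"
    r"(?: (?P<sub>\S+))? File=(?P<file>.*) Error=\d+\s*$"
)


def suspicious_requests(snoop_text, max_len=64, max_unprintable=0.5):
    """Return client requests whose File= argument looks abnormal.

    Two heuristics (thresholds are assumptions, tune them to your site): the
    name is longer than any path a real client sends (max_len), or more than
    max_unprintable of its characters are ones snoop could not print.
    """
    hits = []
    for line in snoop_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        name = m.group("file")
        bad = sum(c == "?" or not c.isprintable() for c in name)
        ratio = bad / max(len(name), 1)
        reasons = []
        if len(name) > max_len:
            reasons.append("length")
        if ratio > max_unprintable:
            reasons.append("unprintable")
        if reasons:
            hits.append({"frame": int(m.group("frame")), "client": m.group("src"),
                         "op": m.group("name"), "length": len(name),
                         "unprintable": round(ratio, 2), "reasons": reasons})
    return hits


def clients_by_hits(hits):
    """Count flagged requests per client to see whether one host stands out."""
    return Counter(h["client"] for h in hits)


if __name__ == "__main__":
    found = suspicious_requests(SAMPLE)
    for h in found:
        print(h)
    print(clients_by_hits(found))
```

On a real capture, feed it the output of `snoop -o`-free summary mode (the text form shown in the post); a client that keeps sending such names is the one to inspect first.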