[Samba] Huh... 2.2.8 exploit?!

Vizitiu, Ciprian CVizitiu at gbif.org
Mon Jun 30 17:44:10 GMT 2003


> Are you really sure that the computer was broken into through samba?
> You can be sure only if just the samba ports (137,138,139,445)
> were opened to the Internet?!

Yes, totally agree with you. Maybe my message was... No, for sure my message
was badly formulated. I had a RH8 machine with qmail, latest pure-ftpd and
latest Courier IMAP and samba. It was exposed to the Internet and was
cracked. From logs like:

Jun 30 16:17:39 server smbd[28856]: [2003/06/30 16:17:39, 0] lib/fault.c:fault_report(38)
Jun 30 16:17:39 server smbd[28856]: ===============================================================
Jun 30 16:17:39 server smbd[28856]: [2003/06/30 16:17:39, 0] lib/fault.c:fault_report(39)
Jun 30 16:17:39 server smbd[28856]:   INTERNAL ERROR: Signal 11 in pid 28856 (2.2.8)
Jun 30 16:17:39 server smbd[28856]:   Please read the file BUGS.txt in the distribution
Jun 30 16:17:39 server smbd[28856]: [2003/06/30 16:17:39, 0] lib/fault.c:fault_report(41)
Jun 30 16:17:39 server smbd[28856]: ===============================================================
Jun 30 16:17:39 server smbd[28856]: [2003/06/30 16:17:39, 0] lib/util.c:smb_panic(1094)
Jun 30 16:17:39 server smbd[28856]:   PANIC: internal error
Jun 30 16:17:39 server smbd[28856]:
Jun 30 16:19:03 server kernel: Unable to handle kernel paging request at virtual address 8491bb2e
Jun 30 16:19:03 server kernel:  printing eip:
Jun 30 16:19:03 server kernel: 8491bb2e
Jun 30 16:19:03 server kernel: *pde = 00000000
Jun 30 16:19:03 server kernel: Oops: 0000
Jun 30 16:19:03 server kernel: lp parport e1000 iptable_filter ip_tables reiserfs mousedev keybdev hid input usb-ohci usbcore ext3 jbd ips sd_mod scsi_mod
Jun 30 16:19:03 server kernel: CPU:    0
Jun 30 16:19:03 server kernel: EIP:    0010:[<8491bb2e>]    Not tainted
Jun 30 16:19:03 server kernel: EFLAGS: 00010283

... to me *it looks* like a samba exploit. Please note that the trigger for
the whole issue was the absence of the smbd file. It was deleted. And that
stopped Winbind auth from working, so I started to investigate the issue; then
I saw the logs and then looked at the firewall rules that I had modified
a short time ago and found the real mistake.

Is it better now?
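Added example, not code from the post or from the Samba project: a small scanner a defender could run over syslog lines like the ones quoted above. It pulls out smbd "INTERNAL ERROR: Signal N" fault reports (pid and version) and counts kernel "Oops" entries that follow each crash within a time window, which is the pairing the post reads as a sign of exploitation. The sample log lines are constructed for this example (modelled on the excerpt, with one made-up later line); the year 2003 and the five-minute window are assumptions.

```python
"""Correlate smbd crash reports with kernel oopses in syslog-style lines.

Added example, not code from the original post or from Samba.  Assumptions:
syslog lines carry no year, so 2003 (the post's date) is used; the
correlation window defaults to five minutes.
"""
import re
from datetime import datetime, timedelta

# Constructed sample, modelled on the log excerpt in the post.  The last
# line is made up to show that ordinary smbd lines are ignored.
SAMPLE_LOG = """\
Jun 30 16:17:39 server smbd[28856]: [2003/06/30 16:17:39, 0] lib/fault.c:fault_report(38)
Jun 30 16:17:39 server smbd[28856]:   INTERNAL ERROR: Signal 11 in pid 28856 (2.2.8)
Jun 30 16:17:39 server smbd[28856]:   Please read the file BUGS.txt in the distribution
Jun 30 16:17:39 server smbd[28856]: [2003/06/30 16:17:39, 0] lib/util.c:smb_panic(1094)
Jun 30 16:17:39 server smbd[28856]:   PANIC: internal error
Jun 30 16:19:03 server kernel: Unable to handle kernel paging request at virtual address 8491bb2e
Jun 30 16:19:03 server kernel: Oops: 0000
Jun 30 18:00:00 server smbd[29000]: connect from 192.0.2.10 (192.0.2.10)
"""

# "Mon DD HH:MM:SS host prog[pid]: message" (pid part is optional, e.g. kernel)
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<prog>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
# Samba's lib/fault.c fault_report line, as quoted in the post
SIGNAL_RE = re.compile(
    r"INTERNAL ERROR: Signal (?P<sig>\d+) in pid (?P<pid>\d+) \((?P<ver>[^)]*)\)"
)
OOPS_RE = re.compile(r"^Oops: ")


def parse_ts(ts, year=2003):
    """Turn a syslog timestamp into a datetime; the year is assumed."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def scan(log_text, window=timedelta(minutes=5)):
    """Return one finding per smbd signal crash.

    Each finding carries the crash time, pid, signal number, reported
    Samba version, and how many kernel oopses were logged within `window`
    after the crash.
    """
    crashes, oopses = [], []
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        ts = parse_ts(m["ts"])
        prog, msg = m["prog"], m["msg"]
        if prog == "smbd":
            s = SIGNAL_RE.search(msg)
            if s:
                crashes.append({
                    "time": ts,
                    "pid": int(s["pid"]),
                    "signal": int(s["sig"]),
                    "version": s["ver"],
                })
        elif prog == "kernel" and OOPS_RE.match(msg):
            oopses.append(ts)

    findings = []
    for c in crashes:
        related = [o for o in oopses if c["time"] <= o <= c["time"] + window]
        findings.append({**c, "kernel_oops_after": len(related)})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['time']} smbd pid {f['pid']} died with signal {f['signal']} "
              f"(version {f['version']}); kernel oopses within window: "
              f"{f['kernel_oops_after']}")
```

A signal 11 in smbd on its own is only a crash; what makes it worth a closer look is the version string it reports and whether anything else on the host (here, a kernel oops 84 seconds later) misbehaves right after it, which is why the scanner keeps both pieces together.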
