[Samba] Persistent SPOOLSS_ADDPRINTEREX commands from Windows NT 4.0 computers

Buozis, Martynas martynas at ti.com
Fri Sep 16 13:50:30 GMT 2005 

Hello

I need some advice from gurus. I identified several Windows NT
computers, that are persistently trying to access my samba server. They
are connecting to IPC$ with NULL information both in password and
username fields. Below you will find excerpt from samba log file.

My questions would be following. What is SPOOLSS_ADDPRINTEREX ? Can it
be some kind of worm ? If yes, how I can catch it (enable write to spool
dir, add printer wizard, etc.) ? Can somebody let me know anything about
persistently coming connections from same hosts and doing below posted
actions ? 

Thank you in advance !

[2005/09/15 22:34:44, 3] smbd/service.c:(642)
  granite (xxx.xxx.xxx.xxx) connect to service IPC$ initially as user
noaccess (uid=60002, gid=60002) (pid 29735)
[2005/09/15 22:34:44, 3] smbd/sec_ctx.c:(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2005/09/15 22:34:44, 3] smbd/reply.c:(455)
  tconX service=IPC$
[2005/09/15 22:34:44, 3] smbd/process.c:(1091)
  Transaction 3 of length 106
[2005/09/15 22:34:44, 3] smbd/process.c:(886)
  switch message SMBntcreateX (pid 29735) conn 0x3bf330
[2005/09/15 22:34:44, 3] smbd/sec_ctx.c:(288)
  setting sec ctx (60002, 60002) - sec_ctx_stack_ndx = 0
[2005/09/15 22:34:44, 3] smbd/nttrans.c:(514)
  nt_open_pipe: Known pipe spoolss opening.
[2005/09/15 22:34:44, 3] smbd/process.c:(1091)
  Transaction 4 of length 160
[2005/09/15 22:34:44, 3] smbd/process.c:(886)
  switch message SMBtrans (pid 29735) conn 0x3bf330
[2005/09/15 22:34:44, 3] smbd/ipc.c:(539)
  trans <\PIPE\> data=72 params=0 setup=2
[2005/09/15 22:34:44, 3] smbd/ipc.c:(334)
  named pipe command on <> name
[2005/09/15 22:34:44, 3] smbd/ipc.c:(294)
  Got API command 0x26 on pipe "spoolss" (pnum 76c3)
[2005/09/15 22:34:44, 3] rpc_server/srv_pipe.c:(887)
  api_pipe_bind_req: \PIPE\spoolss -> \PIPE\spoolss
[2005/09/15 22:34:44, 3] rpc_server/srv_pipe.c:(762)
  check_bind_req for \PIPE\spoolss
[2005/09/15 22:34:44, 3] smbd/process.c:(1091)
  Transaction 5 of length 530
[2005/09/15 22:34:44, 3] smbd/process.c:(886)
  switch message SMBtrans (pid 29735) conn 0x3bf330
[2005/09/15 22:34:44, 3] smbd/ipc.c:(539)
  trans <\PIPE\> data=442 params=0 setup=2
[2005/09/15 22:34:44, 3] smbd/ipc.c:(334)
  named pipe command on <> name
[2005/09/15 22:34:44, 3] smbd/ipc.c:(294)
  Got API command 0x26 on pipe "spoolss" (pnum 76c3)
[2005/09/15 22:34:44, 3] rpc_server/srv_pipe_hnd.c:(542)
  free_pipe_context: destroying talloc pool of size 0
[2005/09/15 22:34:44, 3] rpc_server/srv_pipe.c:(1538)
  api_rpcTNP: rpc command: SPOOLSS_ADDPRINTEREX
[2005/09/15 22:34:44, 3] rpc_server/srv_pipe_hnd.c:(542)
  free_pipe_context: destroying talloc pool of size 318 



With best regards
Martynas

More information about the samba mailing list