[Samba] Suspicious activity on domain

Ludovic Rouse-Lamarre ludovic.rouse-lamarre at xyzcivitas.com
Mon Jul 16 12:02:58 MDT 2012


Hello,

Last week I detected with Zabbix that a member of my Samba domain had 
been downloading at a rate of around 8 Mbps for two and a half days. 
When I asked the person to whom the machine belonged, he didn't know he 
was downloading anything, but he said he had noticed his machine had 
slowed down since then. I took a tcpdump of the traffic before 
terminating his session on Windows XP. I checked and there wasn't any 
large amount of data on his hard drive, as the total drive capacity was 
80 GiB and there was 30 GiB free. One of the oddities for me was that the 
bandwidth was being consumed through TCP port 139 of the Samba machine. 
Normally data is downloaded on TCP port 445. Another oddity is that when 
I put together some of the names in the trace from tcpdump, I can 
reconstitute names of files on the server. Unless I'm mistaken, this type 
of information shouldn't be circulating on port 139?

Here is the version of Samba:
Samba version 3.4.9

Here is a sample of the trace from tcpdump:
17:46:35.838212 IP pdc-canix.xyzcivitas.com.netbios-ssn > 
GBY-PC-125.xyzcivitas.com.1026: Flags [P.], ack 123157, win 65535, 
length 1239 NBT Session Packet: Unknown packet type 0x38Data: (41 bytes)
[000] D5 F1 4E 73 4E 02 00 00  FB 04 00 00 2E 00 00 00  
\0xd5\0xf1NsN\0x02\0x00\0x00 \0xfb\0x04\0x00\0x00.\0x00\0x00\0x00
[010] 00 00 00 00 01 00 00 00  00 00 64 40 43 32 32 30  
\0x00\0x00\0x00\0x00\0x01\0x00\0x00\0x00 \0x00\0x00d at C220
[020] 30 38 2D 30 37 2D 32 33  5F                       08-07-23 _

17:46:35.842050 IP GBY-PC-125.xyzcivitas.com.1026 > 
pdc-canix.xyzcivitas.com.netbios-ssn: Flags [.], ack 7980391, win 65535, 
length 0
17:46:35.842313 IP GBY-PC-125.xyzcivitas.com.1026 > 
pdc-canix.xyzcivitas.com.netbios-ssn: Flags [P.], ack 7981630, win 
64296, length 63 NBT Session Packet: Session Message
17:46:35.842446 IP pdc-canix.xyzcivitas.com.netbios-ssn > 
GBY-PC-125.xyzcivitas.com.1026: Flags [.], ack 123220, win 65535, length 
1460 NBT Session Packet: Session Message
17:46:35.842460 IP pdc-canix.xyzcivitas.com.netbios-ssn > 
GBY-PC-125.xyzcivitas.com.1026: Flags [.], ack 123220, win 65535, length 
1460 NBT Session Packet: Unknown packet type 0x70Data: (41 bytes)
[000] 63 50 4B 01 02 14 0B 14  00 00 00 08 00 80 96 F7  
cPK\0x01\0x02\0x14\0x0b\0x14 \0x00\0x00\0x00\0x08\0x00\0x80\0x96\0xf7
[010] 38 63 04 52 FB 4E 02 00  00 FB 04 00 00 2E 00 00  
8c\0x04R\0xfbN\0x02\0x00 \0x00\0xfb\0x04\0x00\0x00.\0x00\0x00
[020] 00 00 00 00 00 01 00 00  00                       
\0x00\0x00\0x00\0x00\0x00\0x01\0x00\0x00 \0x00

17:46:35.842472 IP pdc-canix.xyzcivitas.com.netbios-ssn > 
GBY-PC-125.xyzcivitas.com.1026: Flags [P.], ack 123220, win 65535, 
length 1239 NBT Session Packet: Session Message
17:46:35.846333 IP GBY-PC-125.xyzcivitas.com.1026 > 
pdc-canix.xyzcivitas.com.netbios-ssn: Flags [.], ack 7984550, win 65535, 
length 0
17:46:35.846580 IP GBY-PC-125.xyzcivitas.com.1026 > 
pdc-canix.xyzcivitas.com.netbios-ssn: Flags [P.], ack 7985789, win 
64296, length 63 NBT Session Packet: Session Message
17:46:35.846692 IP pdc-canix.xyzcivitas.com.netbios-ssn > 
GBY-PC-125.xyzcivitas.com.1026: Flags [.], ack 123283, win 65535, length 
1460 NBT Session Packet: Session Message
17:46:35.846701 IP pdc-canix.xyzcivitas.com.netbios-ssn > 
GBY-PC-125.xyzcivitas.com.1026: Flags [.], ack 123283, win 65535, length 
1460 NBT Session Packet: Unknown packet type 0x12Data: (41 bytes)
[000] 01 00 0B 14 01 00 32 00  00 00 00 00 00 00 00 00  
\0x01\0x00\0x0b\0x14\0x01\0x002\0x00 
\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00
[010] 00 00 00 00 40 A6 59 32  32 30 30 38 2D 30 37 2D  
\0x00\0x00\0x00\0x00@\0xa6Y2 2008-07-
[020] 32 33 5F 4C 31 2F 53 68  65                       23_L1/Sh e

17:46:35.846707 IP pdc-canix.xyzcivitas.com.netbios-ssn > 
GBY-PC-125.xyzcivitas.com.1026: Flags [P.], ack 123283, win 65535, 
length 1239 NBT Session Packet: Unknown packet type 0x66Data: (41 bytes)
[000] 6F 72 64 2F 41 4C 5F 33  39 5F 34 31 33 5F 38 37  ord/AL_3 9_413_87
[010] 38 5F 30 30 31 5F 41 66  69 63 68 43 70 63 2E 68  8_001_Af ichCpc.h
[020] 74 6D 50 4B 01 02 14 0B  14                       
tmPK\0x01\0x02\0x14\0x0b \0x14

17:46:35.850610 IP GBY-PC-125.xyzcivitas.com.1026 > 
pdc-canix.xyzcivitas.com.netbios-ssn: Flags [.], ack 7988709, win 65535, 
length 0
17:46:35.850826 IP GBY-PC-125.xyzcivitas.com.1026 > 
pdc-canix.xyzcivitas.com.netbios-ssn: Flags [P.], ack 7989948, win 
64296, length 63 NBT Session Packet: Session Message
17:46:35.850954 IP pdc-canix.xyzcivitas.com.netbios-ssn > 
GBY-PC-125.xyzcivitas.com.1026: Flags [.], ack 123346, win 65535, length 
1460 NBT Session Packet: Session Message
17:46:35.850968 IP pdc-canix.xyzcivitas.com.netbios-ssn > 
GBY-PC-125.xyzcivitas.com.1026: Flags [.], ack 123346, win 65535, length 
1460 NBT Session Packet: Unknown packet type 0x30Data: (41 bytes)
[000] 30 38 2D 30 37 2D 32 33  5F 4C 31 2F 53 68 65 66  08-07-23 _L1/Shef
[010] 66 6F 72 64 2F 41 4C 5F  33 39 5F 34 31 34 5F 33  ford/AL_ 39_414_3
[020] 35 30 5F 30 30 31 5F 41  66                       50_001_A f

17:46:35.850974 IP pdc-canix.xyzcivitas.com.netbios-ssn > 
GBY-PC-125.xyzcivitas.com.1026: Flags [P.], ack 123346, win 65535, 
length 1239 NBT Session Packet: Unknown packet type 0x6EData: (41 bytes)
[000] 61 76 67 74 2E 68 74 6D  50 4B 01 02 14 0B 14 00  avgt.htm 
PK\0x01\0x02\0x14\0x0b\0x14\0x00
[010] 00 00 08 00 80 96 F7 38  D4 24 0A F9 18 01 00 00  
\0x00\0x00\0x08\0x00\0x80\0x96\0xf78 \0xd4$\0x0a\0xf9\0x18\0x01\0x00\0x00
[020] 3A 02 00 00 35 00 00 00  00                       
:\0x02\0x00\0x005\0x00\0x00\0x00 \0x00

17:46:35.854859 IP GBY-PC-125.xyzcivitas.com.1026 > 
pdc-canix.xyzcivitas.com.netbios-ssn: Flags [.], ack 7992868, win 65535, 
length 0
17:46:35.855062 IP GBY-PC-125.xyzcivitas.com.1026 > 
pdc-canix.xyzcivitas.com.netbios-ssn: Flags [P.], ack 7994107, win 
64296, length 63 NBT Session Packet: Session Message
17:46:35.855187 IP pdc-canix.xyzcivitas.com.netbios-ssn > 
GBY-PC-125.xyzcivitas.com.1026: Flags [.], ack 123409, win 65535, length 
1460 NBT Session Packet: Session Message
17:46:35.855195 IP pdc-canix.xyzcivitas.com.netbios-ssn > 
GBY-PC-125.xyzcivitas.com.1026: Flags [.], ack 123409, win 65535, length 
1460 NBT Session Packet: Unknown packet type 0x72Data: (41 bytes)
[000] 64 2F 41 4C 5F 33 39 5F  34 31 35 5F 35 39 34 5F  d/AL_39_ 415_594_
[010] 6E 61 76 67 74 2E 68 74  6D 50 4B 01 02 14 0B 14  navgt.ht 
mPK\0x01\0x02\0x14\0x0b\0x14
[020] 00 00 00 08 00 80 96 F7  38                       
\0x00\0x00\0x00\0x08\0x00\0x80\0x96\0xf7 8

Thanks for your time,
Ludovic Rouse-Lamarre
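An added example for this thread, written here for triage of the trace above; it is not code from the original post or from Samba. Two facts it relies on: port 139 carries the same SMB file traffic as port 445, wrapped in the 4-byte RFC 1002 NetBIOS session header, and tcpdump reads the first byte of each TCP segment as that header's type field, so a segment that begins in the middle of a long SMB read is reported as "Unknown packet type". The bytes `50 4B 01 02` that recur in the dump are the ZIP central directory file header signature, so the script also decodes whatever fixed fields of those headers are present in a 41-byte snippet (compression method, sizes, name length). The hex rows in `SAMPLE_TRACE` are copied from the post (wrapped ASCII-column lines omitted); every function name and the triage logic are this example's own.

```python
"""Triage helper for a tcpdump text dump of a TCP port 139 (NetBIOS session) transfer.
Added example for this thread, not code from the original post or from Samba.
SAMPLE_TRACE rows are copied from the post; all functions here are this example's own."""
import re
import struct
from typing import Dict, List

# RFC 1002 session service packet types: the first byte of every NBT message.
NBT_TYPES = {0x00: "session message", 0x81: "session request",
             0x82: "positive session response", 0x83: "negative session response",
             0x84: "session retarget response", 0x85: "session keep alive"}
ZIP_CD_SIG = b"PK\x01\x02"                 # ZIP central directory file header signature
_CD_PREFIX = struct.Struct("<HHHHHHIIIH")  # fixed fields up to the file name length

_TS_LINE = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d+ IP ")
_TYPE = re.compile(r"Unknown packet type 0x([0-9A-Fa-f]{2})")  # {2}: 'Data' follows with no space
_ROW = re.compile(r"^\[[0-9A-Fa-f]{3}\]\s+(.*)$")
_HEX = re.compile(r"^[0-9A-Fa-f]{2}$")

SAMPLE_TRACE = """\
17:46:35.846692 IP pdc-canix.xyzcivitas.com.netbios-ssn >
GBY-PC-125.xyzcivitas.com.1026: Flags [.], ack 123283, win 65535, length
1460 NBT Session Packet: Session Message
17:46:35.846701 IP pdc-canix.xyzcivitas.com.netbios-ssn >
GBY-PC-125.xyzcivitas.com.1026: Flags [.], ack 123283, win 65535, length
1460 NBT Session Packet: Unknown packet type 0x12Data: (41 bytes)
[000] 01 00 0B 14 01 00 32 00  00 00 00 00 00 00 00 00
[010] 00 00 00 00 40 A6 59 32  32 30 30 38 2D 30 37 2D
[020] 32 33 5F 4C 31 2F 53 68  65                       23_L1/Sh e
17:46:35.846707 IP pdc-canix.xyzcivitas.com.netbios-ssn >
GBY-PC-125.xyzcivitas.com.1026: Flags [P.], ack 123283, win 65535,
length 1239 NBT Session Packet: Unknown packet type 0x66Data: (41 bytes)
[000] 6F 72 64 2F 41 4C 5F 33  39 5F 34 31 33 5F 38 37  ord/AL_3 9_413_87
[010] 38 5F 30 30 31 5F 41 66  69 63 68 43 70 63 2E 68  8_001_Af ichCpc.h
[020] 74 6D 50 4B 01 02 14 0B  14
17:46:35.850974 IP pdc-canix.xyzcivitas.com.netbios-ssn >
GBY-PC-125.xyzcivitas.com.1026: Flags [P.], ack 123346, win 65535,
length 1239 NBT Session Packet: Unknown packet type 0x6EData: (41 bytes)
[000] 61 76 67 74 2E 68 74 6D  50 4B 01 02 14 0B 14 00  avgt.htm
[010] 00 00 08 00 80 96 F7 38  D4 24 0A F9 18 01 00 00
[020] 3A 02 00 00 35 00 00 00  00
"""


def parse_trace(text: str) -> List[Dict]:
    """Split the dump into NBT-bearing segments: {'type': int, 'data': bytes}."""
    segs: List[Dict] = [{"type": None, "data": bytearray()}]  # placeholder, dropped below
    for line in text.splitlines():
        if _TS_LINE.match(line):               # every tcpdump timestamp starts a new segment
            segs.append({"type": None, "data": bytearray()})
            continue
        m = _TYPE.search(line)
        if m:
            segs[-1]["type"] = int(m.group(1), 16)
        elif "NBT Session Packet: Session Message" in line:
            segs[-1]["type"] = 0x00
        row = _ROW.match(line)
        if row:  # 16 hex bytes per row, then an ASCII column that we ignore
            for tok in row.group(1).split()[:16]:
                if not _HEX.match(tok):
                    break
                segs[-1]["data"].append(int(tok, 16))
    return [{"type": s["type"], "data": bytes(s["data"])} for s in segs if s["type"] is not None]


def nbt_type_name(t: int) -> str:
    """RFC 1002 type name, or a hint that tcpdump read a mid-message TCP segment as a header."""
    return NBT_TYPES.get(t, f"0x{t:02x} is not a session type: segment starts mid-message")


def zip_entries(data: bytes) -> List[Dict]:
    """Find central directory headers and decode whichever fixed fields the snippet holds."""
    found = []
    off = data.find(ZIP_CD_SIG)
    while off != -1:
        entry = {"offset": off}
        body = data[off + 4:off + 4 + _CD_PREFIX.size]
        if len(body) == _CD_PREFIX.size:
            _, _, _, method, _, _, _, csize, usize, name_len = _CD_PREFIX.unpack(body)
            entry.update(method=method, compressed=csize, uncompressed=usize, name_len=name_len)
            name = data[off + 46:off + 46 + name_len]  # the fixed header is 46 bytes; name follows
            if len(name) == name_len:
                entry["name"] = name.decode("ascii", "replace")
        found.append(entry)
        off = data.find(ZIP_CD_SIG, off + 1)
    return found


def printable_runs(data: bytes, min_len: int = 6) -> List[str]:
    """Printable ASCII runs: share path fragments surface here even when a name spans segments."""
    return [m.group().decode("ascii") for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def triage(text: str) -> List[Dict]:
    """One record per segment: NBT type verdict, ZIP headers seen, readable fragments."""
    return [{"type": s["type"], "verdict": nbt_type_name(s["type"]),
             "zip": zip_entries(s["data"]), "strings": printable_runs(s["data"])}
            for s in parse_trace(text)]


if __name__ == "__main__":
    for rec in triage(SAMPLE_TRACE):
        print(rec)
```

Run against the full tcpdump text (`triage(open("trace.txt").read())`) the verdicts separate real NBT headers from mid-stream segments, and the decoded central directory fields give the entry sizes and name lengths that the 41-byte snippets cut off; the printable runs are the same path fragments the post pieces together by hand.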
