[Samba] Suspicious activity on domain

Andrew Bartlett abartlet at samba.org
Mon Jul 23 06:30:14 MDT 2012


On Mon, 2012-07-16 at 14:02 -0400, Ludovic Rouse-Lamarre wrote:
> Hello,
> 
> Last week I detected with Zabbix that a member of my Samba domain 
> had been downloading at a rate of around 8 Mbps for two and a half days. 
> When I asked the person to whom the machine belonged, he didn't know he 
> was downloading anything, but he said he had observed that his machine had 
> slowed down since then. I took a tcpdump of the traffic before 
> terminating his session on Windows XP. I checked, and there wasn't any 
> large amount of data on his hard drive, as the total drive capacity was 
> 80GiB and there was 30GiB free. One of the oddities for me was that the 
> bandwidth was being consumed through port tcp 139 of the Samba machine. 
> Normally data is downloaded on port tcp 445. Another oddity is that when 
> I put together some of the names in the trace from tcpdump, I can 
> reconstitute names of files on the server. Unless I'm mistaken, this type 
> of information shouldn't be circulating on port 139?

The services available on port 139 and 445 are essentially identical.
Neither should be exposed to the internet.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
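As an added illustration of the point above (example code written for this archive page, not code from the thread or from the Samba project): the script below frames one and the same SMB1 request for port 139 (NetBIOS session service, where a Session Request precedes the SMB traffic) and for port 445 (direct TCP), strips the 4-byte transport header in both cases, and pulls the path out of an NT_CREATE_ANDX request, which is how the file names seen in the tcpdump could be recovered from a capture on either port. It assumes SMB1 (what a Windows XP client speaks), which has no encryption, so paths are cleartext on both ports. The share path, the NetBIOS names and all SMB field values other than the path are constructed sample data.

```python
import struct

SMB_MAGIC = b"\xffSMB"
SMB_COM_NT_CREATE_ANDX = 0xA2
FLAGS2_UNICODE = 0x8000


def build_nt_create_andx(path: str, tid: int = 1, uid: int = 1) -> bytes:
    """Build a minimal SMB1 NT_CREATE_ANDX request opening `path`.
    Constructed sample: every field except the path is an arbitrary but valid value."""
    name = path.encode("utf-16-le")
    header = SMB_MAGIC + struct.pack(
        "<BIBHH8sHHHHH",
        SMB_COM_NT_CREATE_ANDX,   # Command
        0,                        # NT status
        0x18,                     # Flags: canonical paths, case-insensitive
        FLAGS2_UNICODE | 0x0001,  # Flags2: Unicode strings, long names
        0, b"\0" * 8, 0,          # PIDHigh, SecuritySignature, Reserved
        tid, 1234, uid, 1,        # TID, PID, UID, MID
    )
    params = struct.pack(
        "<BBHBHIIIQIIIIIB",
        0xFF, 0, 0,        # AndXCommand (none), AndXReserved, AndXOffset
        0, len(name),      # Reserved, NameLength (bytes, no terminator)
        0, 0, 0x00120089,  # Flags, RootDirectoryFID, DesiredAccess (read)
        0, 0x80, 7,        # AllocationSize, FILE_ATTRIBUTE_NORMAL, ShareAccess
        1, 0x44, 2, 0,     # FILE_OPEN, CreateOptions, Impersonation, SecurityFlags
    )
    body = bytes([24]) + params            # WordCount + parameter words
    data = name + b"\0\0"                  # NUL-terminated UTF-16LE path
    offset = len(header) + len(body) + 2   # where the data block starts
    if offset % 2:                         # Unicode strings are 2-byte aligned
        data = b"\0" + data
    return header + body + struct.pack("<H", len(data)) + data


def encode_netbios_name(name: str, suffix: int = 0x20) -> bytes:
    """RFC 1001 first-level encoding of a 16-byte NetBIOS name (constructed names)."""
    raw = name.upper().ljust(15).encode("ascii") + bytes([suffix])
    enc = bytes(b for c in raw for b in ((c >> 4) + 0x41, (c & 0xF) + 0x41))
    return b"\x20" + enc + b"\x00"


def nbss_message(mtype: int, payload: bytes) -> bytes:
    """NetBIOS Session Service header: type, flags (bit 0 = length bit 16), 16-bit length."""
    return bytes([mtype, (len(payload) >> 16) & 1]) + struct.pack(">H", len(payload) & 0xFFFF) + payload


def wrap_port139(smb: bytes) -> bytes:
    """Port 139: Session Request (0x81) first, then the SMB as a Session Message (0x00)."""
    return nbss_message(0x81, encode_netbios_name("FILESERVER") + encode_netbios_name("XPCLIENT")) \
        + nbss_message(0x00, smb)


def wrap_port445(smb: bytes) -> bytes:
    """Port 445: direct TCP transport, a zero byte plus 24-bit big-endian length, no session setup."""
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


def transport_frames(stream: bytes, port: int) -> list:
    """Split a TCP payload stream into (type, payload) frames. On 139 the 4-byte
    header carries a type byte; on 445 the same 4 bytes are 0x00 plus a length,
    so one loop serves both and yields the identical SMB bytes underneath."""
    frames, i = [], 0
    while i + 4 <= len(stream):
        mtype = stream[i]
        if port == 139:
            length = ((stream[i + 1] & 1) << 16) | int.from_bytes(stream[i + 2:i + 4], "big")
        else:
            length = int.from_bytes(stream[i + 1:i + 4], "big")
        payload = stream[i + 4:i + 4 + length]
        if len(payload) < length:
            break  # truncated capture: stop rather than misparse
        frames.append((mtype, payload))
        i += 4 + length
    return frames


def smb1_create_path(smb: bytes):
    """Return the path from an SMB1 NT_CREATE_ANDX request, or None for anything else."""
    if len(smb) < 33 or smb[:4] != SMB_MAGIC or smb[4] != SMB_COM_NT_CREATE_ANDX or smb[32] != 24:
        return None
    flags2 = struct.unpack_from("<H", smb, 10)[0]
    name_len = struct.unpack_from("<H", smb, 33 + 5)[0]   # NameLength inside the parameter words
    off = 33 + 2 * 24 + 2                                  # past WordCount, words and ByteCount
    if flags2 & FLAGS2_UNICODE:
        off += off % 2                                     # skip the alignment pad byte
        return smb[off:off + name_len].decode("utf-16-le")
    return smb[off:off + name_len].decode("latin-1")


def paths_from_stream(stream: bytes, port: int) -> list:
    """Recover opened paths from a captured TCP stream on port 139 or 445."""
    return [p for t, payload in transport_frames(stream, port) if t == 0x00
            for p in [smb1_create_path(payload)] if p is not None]


if __name__ == "__main__":
    req = build_nt_create_andx("\\finance\\budget.xlsx")
    for port, stream in ((139, wrap_port139(req)), (445, wrap_port445(req))):
        print(port, paths_from_stream(stream, port))
```

Run against a real capture, the same two functions would be fed the reassembled TCP payload of each direction of the 139 or 445 stream; the only difference on the wire is the NetBIOS session request at the start of a 139 connection, after which the SMB messages (and the paths in them) are byte-for-byte what port 445 carries.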
