[Samba] Suspicious activity on domain
abartlet at samba.org
Mon Jul 23 06:30:14 MDT 2012
On Mon, 2012-07-16 at 14:02 -0400, Ludovic Rouse-Lamarre wrote:
> Last week I detected with Zabbix that a member of my Samba domain
> had been downloading at a rate of around 8 Mbps for two and a half days.
> When I asked the person to whom the machine belonged, he didn't know he
> was downloading anything, but he said he had observed that his machine had
> slowed down since then. I took a tcpdump of the traffic before
> terminating his session on Windows XP. I checked and there wasn't any
> large amount of data on his hard drive, as the total drive capacity was
> 80GiB and there was 30GiB free. One of the oddities for me was that the
> bandwidth was being consumed through port tcp 139 of the Samba machine.
> Normally data is downloaded on port tcp 445. Another oddity is that when
> I put together some of the names in the trace from tcpdump, I can
> reconstitute names of files on the server. Unless I'm mistaken, this type
> of information shouldn't be circulating on port 139?
The services available on port 139 and 445 are essentially identical.
Neither should be exposed to the internet.
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
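The detection described in the thread (a client pulling data from the Samba server at a steady rate for days over port 139) can be automated over flow-style records. This is an added example, not code from the thread or from Samba; the flow records are constructed, and the format (client, server, server port, bytes, seconds) is an assumption about what a monitoring system like Zabbix or a NetFlow exporter would provide.

```python
"""Flag sustained SMB bulk transfers (TCP 139 or 445) in flow-style records."""
from collections import defaultdict

# NetBIOS session (139) and direct SMB (445) carry the same file service,
# so both are treated alike when looking for bulk transfers.
SMB_PORTS = {139, 445}

# Constructed sample records: (client, server, server_port, bytes, seconds).
SAMPLE_FLOWS = [
    # ~8 Mbps for 2.5 days (216,000 s) over port 139, as in the report
    ("10.0.0.17", "10.0.0.5", 139, 216_000_000_000, 216_000),
    # a short, ordinary file copy over port 445
    ("10.0.0.23", "10.0.0.5", 445, 50_000_000, 120),
    # web traffic, not SMB, ignored
    ("10.0.0.31", "10.0.0.9", 80, 900_000_000, 3_600),
]


def mbps(nbytes, seconds):
    """Average throughput in megabits per second; 0 for a zero-length flow."""
    return nbytes * 8 / seconds / 1_000_000 if seconds else 0.0


def flag_sustained_smb(flows, min_mbps=1.0, min_seconds=3_600):
    """Return (client, server, port, mbps, hours) for every SMB client/server
    pair whose aggregated transfer exceeds both a rate and a duration
    threshold. Short bursts (normal file copies) fall below min_seconds;
    idle sessions fall below min_mbps; only long, steady pulls are flagged."""
    totals = defaultdict(lambda: [0, 0])  # (client, server, port) -> [bytes, seconds]
    for client, server, port, nbytes, seconds in flows:
        if port in SMB_PORTS:
            entry = totals[(client, server, port)]
            entry[0] += nbytes
            entry[1] += seconds
    alerts = []
    for (client, server, port), (nbytes, seconds) in totals.items():
        rate = mbps(nbytes, seconds)
        if rate >= min_mbps and seconds >= min_seconds:
            alerts.append((client, server, port, round(rate, 2), round(seconds / 3600, 1)))
    return alerts


if __name__ == "__main__":
    for alert in flag_sustained_smb(SAMPLE_FLOWS):
        print("sustained SMB transfer: client=%s server=%s port=%d %.2f Mbps over %.1f h" % alert)
```

The thresholds are starting points; tune min_mbps and min_seconds to what a normal file copy looks like on your domain, and feed the flagged pairs back to the pcap to confirm which share and files were being read.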