[Samba] ignoring malformed3 datagram packet
Thomas Schulz
schulz at adi.com
Fri May 9 09:14:52 MDT 2014
>> On Fri, Apr 25, 2014 at 09:52:29PM -0400, Thomas Schulz wrote:
>>>> On Fri, Apr 18, 2014 at 10:44:19AM +0200, samba.20.andwin at spamgourmet.com wrote:
>>>>> Just for the record: After some investigation I've found out that
>>>>> these malformed packages originate from a service called 'NuTCRACKER'
>>>>> on the Windows clients which seems to be installed along with products
>>>>> from PTC.
>>>>
>>>> Hmmm. Sounds like an infection trying to exploit an
>>>> old bug to me.
>>>
>>> NuTCRACKER is a product that we use here. It allows programs that were
>>> initially created on Unix to be more easily ported to Windows. It provides
>>> an environment that looks much like Unix on a Windows machine.
>>>
>>> Now that I look, I see those same messages here.
>>
>> Can you get me a wireshark capture trace containing
>> these packets ? Once I've seen that I can fix nmbd
>> to treat them correctly.
>>
>> Cheers,
>>
>> Jeremy.
>
> I should be able to do that. I see that my test server that has wireshark on
> it is logging those messages. I will get to it as soon as I can.

I sent the binary Wireshark file directly to Jeremy. Here is the ASCII
representation that was on the Wireshark screen.
Tom Schulz
Applied Dynamics Intl.
schulz at adi.com
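
Added example (not part of the original message and not Samba's code): a Python sketch that decodes the NetBIOS datagram header (RFC 1002) and the SMB transaction fields of a UDP port 138 mailslot datagram of the kind discussed in this thread, and rejects it when the sender's DataOffset/DataCount point outside the packet. The checks are illustrative assumptions, not nmbd's actual "malformed3" test; the sample packet, host names, address and mailslot name are constructed.

```python
import struct

def encode_nb_name(name, suffix=0x00):
    """First-level encoding (RFC 1001): each nibble of the padded name becomes 'A'+nibble."""
    raw = name.upper().ljust(15).encode("ascii") + bytes([suffix])
    return b"\x20" + bytes(b for c in raw for b in (0x41 + (c >> 4), 0x41 + (c & 15))) + b"\0"

def decode_nb_name(buf, off):
    """Return (name, next_offset) for the 34-byte encoded name starting at off."""
    enc = buf[off + 1:off + 33]
    if len(buf) < off + 34 or buf[off] != 0x20 or any(not 0x41 <= c <= 0x50 for c in enc):
        raise ValueError("bad NetBIOS name encoding")
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].decode("ascii", "replace").rstrip(), off + 34

def parse_mailslot_dgram(payload):
    """Parse the UDP/138 payload of a direct datagram carrying an SMB transaction."""
    if len(payload) < 14:
        raise ValueError("short datagram header")
    msg_type, _, _, src_ip, _, dgm_len, _ = struct.unpack(">BBH4sHHH", payload[:14])
    if msg_type not in (0x10, 0x11, 0x12) or dgm_len != len(payload) - 14:
        raise ValueError("not a complete direct datagram")
    src, off = decode_nb_name(payload, 14)
    dst, off = decode_nb_name(payload, off)
    smb = payload[off:]                      # user data: SMB header + SMB_COM_TRANSACTION
    wct = smb[32] if len(smb) > 32 else 0    # WordCount follows the 32-byte SMB header
    name_off = 33 + 2 * wct + 2              # parameter words, then the 2-byte ByteCount
    if smb[:5] != b"\xffSMB\x25" or wct < 14 or len(smb) <= name_off:
        raise ValueError("not an SMB transaction")
    data_count, data_off = struct.unpack_from("<HH", smb, 55)
    # Never trust the sender's length fields: the data range must lie inside the datagram.
    if data_off < name_off or data_off + data_count > len(smb):
        raise ValueError("transaction data outside datagram")
    name = smb[name_off:].split(b"\0", 1)[0].decode("ascii", "replace")
    return {"src": src, "dst": dst, "src_ip": ".".join(map(str, src_ip)),
            "mailslot": name, "data": smb[data_off:data_off + data_count]}

def build_sample(data=b"constructed-payload", lie=0):
    """Constructed test datagram (hypothetical hosts and mailslot); lie inflates DataCount."""
    name = b"\\MAILSLOT\\EXAMPLE\0"
    data_off = 69 + len(name)
    words = struct.pack("<HHHHBBHIHHHHHBB3H", 0, len(data), 0, 0, 0, 0, 0, 0, 0, 0,
                        data_off, len(data) + lie, data_off, 3, 0, 1, 0, 2)
    smb = (b"\xffSMB\x25" + bytes(27) + b"\x11" + words
           + struct.pack("<H", len(name) + len(data)) + name + data)
    body = encode_nb_name("HOSTA") + encode_nb_name("WORKGROUP") + smb
    return struct.pack(">BBH4sHHH", 0x11, 0x02, 1, bytes([192, 0, 2, 10]), 138, len(body), 0) + body
```

To triage a real capture, pass the UDP payload of each port 138 packet to parse_mailslot_dgram; the returned source name and mailslot name identify which client software is sending the datagrams.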