[Samba] smbd changeling and strange firewall logs
Lars Hanke
debian at lhanke.de
Tue Nov 11 04:38:07 MST 2014
I found in my firewall logs something that looked somewhat like a port
scan originating from my AD DC. So I started to check the machine and
already found something strange using ps aux:
root at samba:/# samba -V
Version 4.1.11-Debian
root at samba:/# ps aux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
[...]
root 10675 0.0 2.8 457368 29620 ? S Nov04 0:03
/usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
root 10684 0.0 3.2 482328 34116 ? S Nov04 0:02
/usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
3000026 10686 0.0 3.2 482328 34096 ? S Nov04 0:01
/usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
root 10688 0.0 3.2 482328 34100 ? S Nov04 0:01
/usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
root 17934 0.0 0.0 49884 4 ? Ss Aug06 0:00
/usr/sbin/sshd
[...]
Of course there is no login user 3000026 and the machine does not import
any user accounts from anywhere outside. Apparently the process is
already running for a week. This has probably been the last upgrade.
A few minutes later I see this:
root 10686 0.0 3.2 482328 34096 ? S Nov04 0:01
/usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
Okay, it became root again.
Is there any intended behaviour in smbd, which could explain this?
The original firewall fingerprint was TCP connection attempts from the
AD DC to all joined workstations in port ranges from 34478 to 60746. The
machine runs the DC with external Bind9. No other services beyond
infrastructure to make it run. Has anyone seen this before?
Regards,
- lars.
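As an added example (not part of Lars' post or of Samba itself), here is a small triage script for the kind of firewall log described above. It assumes iptables-style LOG lines with SRC/DST/DPT fields and uses a constructed sample in which 10.0.0.5 stands in for the DC; it summarizes, per source host, how many distinct destination ports inside the 34478-60746 range were tried and how many hosts were hit, which is what separates a handful of callbacks from a sweep.

```python
import re
from collections import defaultdict

# Constructed sample of iptables-style LOG lines (hosts and ports invented).
# 10.0.0.5 stands in for the AD DC, 10.0.0.2x for joined workstations.
SAMPLE_LOG = """\
Nov 11 04:01:02 fw kernel: FW-OUT: IN=eth0 OUT=eth1 SRC=10.0.0.5 DST=10.0.0.21 PROTO=TCP SPT=51234 DPT=34478 SYN
Nov 11 04:01:03 fw kernel: FW-OUT: IN=eth0 OUT=eth1 SRC=10.0.0.5 DST=10.0.0.21 PROTO=TCP SPT=51235 DPT=49152 SYN
Nov 11 04:01:05 fw kernel: FW-OUT: IN=eth0 OUT=eth1 SRC=10.0.0.5 DST=10.0.0.22 PROTO=TCP SPT=51236 DPT=60746 SYN
Nov 11 04:01:06 fw kernel: FW-OUT: IN=eth0 OUT=eth1 SRC=10.0.0.5 DST=10.0.0.22 PROTO=TCP SPT=51237 DPT=55000 SYN
Nov 11 04:02:00 fw kernel: FW-OUT: IN=eth0 OUT=eth1 SRC=10.0.0.21 DST=10.0.0.5 PROTO=TCP SPT=49200 DPT=445 SYN
Nov 11 04:02:10 fw kernel: FW-OUT: IN=eth0 OUT=eth1 SRC=10.0.0.5 DST=10.0.0.21 PROTO=TCP SPT=51240 DPT=445 SYN
"""

LINE_RE = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=TCP SPT=(\d+) DPT=(\d+)")


def parse_lines(text):
    """Yield (src, dst, dpt) for every TCP log line that carries the fields."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group(1), m.group(2), int(m.group(4))


def summarize(text, low=34478, high=60746):
    """Per source host: the destinations it reached and the number of distinct
    destination ports inside [low, high] (the range quoted in the post)."""
    dsts = defaultdict(set)
    ports = defaultdict(set)
    for src, dst, dpt in parse_lines(text):
        if low <= dpt <= high:
            dsts[src].add(dst)
            ports[src].add(dpt)
    return {s: {"hosts": sorted(dsts[s]), "distinct_ports": len(ports[s])}
            for s in dsts}


def suspicious_sources(text, min_hosts=2, min_ports=3, **kw):
    """Sources that touched several hosts on several distinct high ports."""
    return sorted(s for s, v in summarize(text, **kw).items()
                  if len(v["hosts"]) >= min_hosts
                  and v["distinct_ports"] >= min_ports)


if __name__ == "__main__":
    for src, info in summarize(SAMPLE_LOG).items():
        print(src, info)
    print("flagged:", suspicious_sources(SAMPLE_LOG))
```

The thresholds are deliberately low for the sample; on a real log, compare the flagged sources against the DC's own address and the set of joined workstations before drawing conclusions.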