[Samba] smbd changeling and strange firewall logs
Lars Hanke
debian at lhanke.de
Tue Nov 11 05:12:09 MST 2014
On 11/11/2014 12:46, Rowland Penny wrote:
> On 11/11/14 11:38, Lars Hanke wrote:
>> I found in my firewall logs something that looked somewhat like a port
>> scan originating from my AD DC. So I started to check the machine and
>> already found something strange using ps aux:
>>
>> root at samba:/# samba -V
>> Version 4.1.11-Debian
>> root at samba:/# ps aux
>> USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
>> [...]
>> root 10675 0.0 2.8 457368 29620 ? S Nov04 0:03 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
>> root 10684 0.0 3.2 482328 34116 ? S Nov04 0:02 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
>> 3000026 10686 0.0 3.2 482328 34096 ? S Nov04 0:01 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
>> root 10688 0.0 3.2 482328 34100 ? S Nov04 0:01 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
>> root 17934 0.0 0.0 49884 4 ? Ss Aug06 0:00 /usr/sbin/sshd
>> [...]
>>
>> Of course there is no login user 3000026 and the machine does not
>> import any user accounts from anywhere outside. Apparently the process
>> is already running for a week. This has probably been the last upgrade.
>>
>> A few minutes later I see this:
>>
>> root 10686 0.0 3.2 482328 34096 ? S Nov04 0:01 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
>>
>> Okay, it became root again.
>>
>> Is there any intended behaviour in smbd, which could explain this?
>>
>> The original firewall fingerprint was TCP connection attempts from
>> the AD DC to all joined workstations in the port range from 34478 to
>> 60746. The machine runs the DC with external Bind9. No other services
>> beyond the infrastructure needed to make it run. Has anyone seen this before?
>>
>> Regards,
>> - lars.
>>
>>
> OK, '3000026' is undoubtedly coming from 'idmap.ldb'; run this on the DC:
>
> ldbedit -e nano -H /var/lib/samba/private/idmap.ldb
>
> and search for '3000026'; this will tell you who or what is running as
> that xidNumber.
Thanks a lot - seems like it was the machine account of the DC.
Any idea concerning the 1500 tcp connects to unprivileged ports of
joined machines?
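The lookup Rowland describes, as an added example that is not part of the original thread: on a Samba AD DC, idmap.ldb maps each allocated Unix ID (xidNumber) to a Windows SID in a `sidMap` record, and a `CN=CONFIG` record carries the allocation range. The script below parses the LDIF that `ldbsearch -H /var/lib/samba/private/idmap.ldb` prints (the same data `ldbedit` shows), finds the record for a given xidNumber, and reports whether the SID is a domain object (and its RID) or a built-in/well-known one. The LDIF, the domain SID and every SID and xidNumber other than 3000026 are constructed sample values, not data from the poster's DC.

```python
"""Resolve an xidNumber seen in `ps` back to the SID recorded in idmap.ldb.

Works offline on a saved LDIF dump, e.g. the output of
    ldbsearch -H /var/lib/samba/private/idmap.ldb
"""
import base64
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample in the shape of idmap.ldb on a Samba AD DC. All SIDs
# and the domain SID below are made up; only xidNumber 3000026 is from the thread.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE_LDIF = f"""\
# record 1
dn: CN=CONFIG
cn: CONFIG
lowerBound: 3000000
upperBound: 4000000
distinguishedName: CN=CONFIG

# record 2
dn: CN={DOMAIN_SID}-1000
cn: {DOMAIN_SID}-1000
objectClass: sidMap
objectSid: {DOMAIN_SID}-1000
type: ID_TYPE_BOTH
xidNumber: 3000026
distinguishedName: CN={DOMAIN_SID}-1000

# record 3
dn: CN=S-1-5-32-544
cn: S-1-5-32-544
objectClass: sidMap
objectSid: S-1-5-32-544
type: ID_TYPE_BOTH
xidNumber: 3000000
distinguishedName: CN=S-1-5-32-544

# returned 3 records
"""


@dataclass
class IdMapping:
    sid: str
    xid: int
    id_type: str  # ID_TYPE_UID, ID_TYPE_GID or ID_TYPE_BOTH


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: '#' comments, blank-line record separators,
    ' '-folded continuation lines and '::' base64 values."""
    records: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    last_key: Optional[str] = None
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.strip() == "":
            if current:
                records.append(current)
            current, last_key = {}, None
            continue
        if raw.startswith(" ") and last_key is not None:
            current[last_key][-1] += raw[1:]  # folded continuation of previous value
            continue
        key, sep, value = raw.partition(":")
        if not sep:
            continue
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        current.setdefault(key, []).append(value)
        last_key = key
    if current:
        records.append(current)
    return records


def config_range(records: List[Dict[str, List[str]]]) -> Tuple[int, int]:
    """Return (lowerBound, upperBound) from the CN=CONFIG record."""
    for rec in records:
        if rec.get("dn", [""])[0].upper() == "CN=CONFIG":
            return int(rec["lowerBound"][0]), int(rec["upperBound"][0])
    raise ValueError("no CN=CONFIG record in idmap dump")


def in_idmap_range(xid: int, bounds: Tuple[int, int]) -> bool:
    """True when the ID was allocated by idmap rather than being a local account."""
    lo, hi = bounds
    return lo <= xid <= hi


def mappings(records: List[Dict[str, List[str]]]) -> Dict[int, IdMapping]:
    out: Dict[int, IdMapping] = {}
    for rec in records:
        if "sidMap" not in rec.get("objectClass", []):
            continue  # CN=CONFIG holds the range, not a mapping
        xid = int(rec["xidNumber"][0])
        out[xid] = IdMapping(sid=rec["objectSid"][0], xid=xid, id_type=rec["type"][0])
    return out


def resolve_xid(text: str, xid: int) -> Optional[IdMapping]:
    return mappings(parse_ldif(text)).get(xid)


def describe(m: IdMapping, domain_sid: str) -> str:
    """Domain SIDs share the domain prefix; the trailing RID identifies the object."""
    if m.sid.startswith(domain_sid + "-"):
        return f"domain object RID {int(m.sid.rsplit('-', 1)[1])}"
    return "builtin or well-known SID"


if __name__ == "__main__":
    recs = parse_ldif(SAMPLE_LDIF)
    bounds = config_range(recs)
    m = resolve_xid(SAMPLE_LDIF, 3000026)
    print("allocated by idmap:", in_idmap_range(3000026, bounds))
    print(m, "->", describe(m, DOMAIN_SID) if m else "no mapping")
```

The script stops at the SID on purpose: turning the SID into an account name needs the directory, which on the DC is `wbinfo -s <SID>` or `ldbsearch -H /var/lib/samba/private/sam.ldb "(objectSid=<SID>)" sAMAccountName`. The range check is the quick sanity test: an ID inside `lowerBound`..`upperBound` was handed out by idmap, which is why no such user exists in /etc/passwd.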