[Samba] smbd changeling and strange firewall logs

Rowland Penny rowlandpenny at googlemail.com
Tue Nov 11 05:24:29 MST 2014


On 11/11/14 12:12, Lars Hanke wrote:
> Am 11.11.2014 um 12:46 schrieb Rowland Penny:
>> On 11/11/14 11:38, Lars Hanke wrote:
>>> I found in my firewall logs something that looked somewhat like a port
>>> scan originating from my AD DC. So I started to check the machine and
>>> already found something strange using ps aux:
>>>
>>> root at samba:/# samba -V
>>> Version 4.1.11-Debian
>>> root at samba:/# ps aux
>>> USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START TIME COMMAND
>>> [...]
>>> root     10675  0.0  2.8 457368 29620 ?        S    Nov04 0:03
>>> /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
>>> root     10684  0.0  3.2 482328 34116 ?        S    Nov04 0:02
>>> /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
>>> 3000026  10686  0.0  3.2 482328 34096 ?        S    Nov04 0:01
>>> /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
>>> root     10688  0.0  3.2 482328 34100 ?        S    Nov04 0:01
>>> /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
>>> root     17934  0.0  0.0  49884     4 ?        Ss   Aug06 0:00
>>> /usr/sbin/sshd
>>> [...]
>>>
>>> Of course there is no login user 3000026 and the machine does not
>>> import any user accounts from anywhere outside. Apparently the process
>>> is already running for a week. This has probably been the last upgrade.
>>>
>>> A few minutes later I see this:
>>>
>>> root     10686  0.0  3.2 482328 34096 ?        S    Nov04 0:01
>>> /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
>>>
>>> Okay, it became root again.
>>>
>>> Is there any intended behaviour in smbd, which could explain this?
>>>
>>> The original firewall fingerprint was tcp connection attempts from
>>> the AD DC to all joined workstations in port ranges from 34478 to
>>> 60746. The machine runs the DC with external Bind9. No other services
>>> beyond infrastructure to make it run. Has anyone seen this before?
>>>
>>> Regards,
>>>  - lars.
>>>
>>>
>> OK, '3000026' is undoubtedly coming from 'idmap.ldb'; run this on the
>> DC:
>>
>> ldbedit -e nano -H /var/lib/samba/private/idmap.ldb
>>
>> and search for '3000026', this will tell you who or what is running as
>> the xidNumber.
>
> Thanks a lot - seems like it was the machine account of the DC.
>
> Any idea concerning the 1500 tcp connects to unprivileged ports of 
> joined machines?
>
Probably quite normal, see here: 
http://support.microsoft.com/kb/179442#method2

Rowland
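As an added example (not code from the thread or from Samba), a small Python check that does offline what Rowland suggests: flag processes whose USER column in `ps aux` is a bare uid, then join them against idmap.ldb to recover the SID and mapping type. It assumes the non-interactive `ldbsearch` (rather than `ldbedit`) was used to dump the matching record as LDIF; both the ps output and the LDIF below are constructed samples with a placeholder SID.

```python
# Constructed sample of `ps aux` output, modelled on the thread above
# (command lines un-wrapped onto one line).
PS_AUX = """\
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START TIME COMMAND
root     10675  0.0  2.8 457368 29620 ?        S    Nov04 0:03 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
3000026  10686  0.0  3.2 482328 34096 ?        S    Nov04 0:01 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
root     17934  0.0  0.0  49884     4 ?        Ss   Aug06 0:00 /usr/sbin/sshd
"""

# Constructed LDIF as `ldbsearch -H /var/lib/samba/private/idmap.ldb
# '(xidNumber=3000026)'` would print it; the SID is a placeholder.
IDMAP_LDIF = """\
dn: CN=S-1-5-21-1111111111-2222222222-3333333333-1001
objectClass: sidMap
objectSid: S-1-5-21-1111111111-2222222222-3333333333-1001
type: ID_TYPE_BOTH
xidNumber: 3000026
# returned 1 records
"""

def numeric_uid_processes(ps_output: str) -> list:
    """ps prints the raw uid when /etc/passwd has no entry for it (an idmap xid here)."""
    found = []
    for line in ps_output.splitlines()[1:]:      # skip the header row
        parts = line.split(None, 10)             # 11 columns in `ps aux`
        if len(parts) == 11 and parts[0].isdigit():
            found.append({"uid": int(parts[0]), "pid": int(parts[1]), "cmd": parts[10]})
    return found

def parse_idmap_ldif(ldif: str) -> dict:
    """Map xidNumber -> {objectSid, type, ...} from ldbsearch LDIF output."""
    records, current = {}, {}
    for line in ldif.splitlines() + [""]:        # blank/comment ends a record
        if not line.strip() or line.startswith("#"):
            if "xidNumber" in current:
                records[int(current["xidNumber"])] = current
            current = {}
        else:
            key, _, value = line.partition(": ")
            current[key] = value
    return records

def resolve(ps_output: str, ldif: str) -> list:
    """Attach SID and mapping type to every process running as a bare xid."""
    idmap = parse_idmap_ldif(ldif)
    result = []
    for proc in numeric_uid_processes(ps_output):
        entry = idmap.get(proc["uid"], {})       # missing entry -> None fields
        result.append({**proc, "sid": entry.get("objectSid"), "type": entry.get("type")})
    return result
```

A uid that stays unresolved (sid None) is the case worth a closer look, since it is neither a local account nor an idmap.ldb allocation.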


