[Samba] Windows 10 spawning thousands of child processes on Samba 4.3.11 server

L.P.H. van Belle belle at bazuin.nl
Tue May 23 06:44:42 UTC 2017


Did your TV/Radio break??  ;-) 

This really smells like some malware/cryptoware. 
Seen this once on a network, and that was a crypto trying to write to shares. 
And they do that really really fast. 

Increase the Samba debug logs and track if this is client related. 
That's where I would start. 


Greetz, 

Louis



> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of 
> Rowland Penny via samba
> Sent: Tuesday 23 May 2017 7:57
> To: samba at lists.samba.org
> Subject: Re: [Samba] Windows 10 spawning thousands of child 
> processes on Samba 4.3.11 server
> 
> On Mon, 22 May 2017 23:39:26 +0200
> Asbjorn Taugbol <asbjornt at gmail.com> wrote:
> 
> OK, this is your actual smb.conf:
> 
> [global]
>    workgroup = WORKGROUP
>    server string = %h server (Samba, Ubuntu)
>    dns proxy = no
>    deadtime = 90
>    log file = /var/log/samba/log.%m
>    max log size = 1000
>    syslog = 0
>    panic action = /usr/share/samba/panic-action %d
>    server role = standalone server
>    obey pam restrictions = yes
>    unix password sync = yes
>    passwd program = /usr/bin/passwd %u
>    passwd chat = *Enter\snew\s*\spassword:* %n\n*Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
>    pam password change = yes
>    map to guest = bad user
>    usershare allow guests = yes
> 
> [administration]
>         comment = Administration directory
>         path = /home/administration
>         write list = @administration, @production
>         read only = No
>         create mask = 0774
>         directory mask = 0775
>         hide dot files = yes
> 
> [production]
>         comment = Production directory
>         path = /home/production
>         invalid users = administration
>         write list = @production
>         read only = No
>         veto oplock files = /*.wbt/*.spc?/
> 
> 
> [printers]
>    comment = All Printers
>    browseable = no
>    path = /var/spool/samba
>    printable = yes
>    guest ok = no
>    read only = yes
>    create mask = 0700
> 
> [print$]
>    comment = Printer Drivers
>    path = /var/lib/samba/printers
>    browseable = yes
>    read only = yes
>    guest ok = no
> 
> There doesn't seem to be anything wrong there, but you could 
> try turning off guest access by commenting this line:
> 
> map to guest = bad user
> 
> Rowland
> 
> 
> 
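One way to act on the advice above to check whether the child processes are client related, as an added example that is not part of the original thread: the posted smb.conf sets `log file = /var/log/samba/log.%m`, so each client machine gets its own log file, and this script counts distinct smbd child pids per client. The connect-message layout in the regex is an assumption about smbd's log format, and the host names, addresses, users and pids are constructed sample data.

```python
import re
import tempfile
from collections import defaultdict
from pathlib import Path

# Assumed shape of smbd's connect message (an assumption, not taken from the thread):
#   HOST (ipv4:ADDR:PORT) connect to service SHARE initially as user USER (uid=..) (pid N)
CONNECT = re.compile(
    r"\((?:ipv4|ipv6):.+:\d+\) connect to service (?P<share>\S+) "
    r"initially as user (?P<user>\S+) .*\(pid (?P<pid>\d+)\)"
)

def children_per_client(log_dir):
    """Rank clients by distinct smbd child pids found in their log.%m files."""
    seen = defaultdict(lambda: {"pids": set(), "shares": set(), "users": set()})
    for path in Path(log_dir).glob("log.*"):
        client = path.name[len("log."):].removesuffix(".old")  # fold in rotated file
        for line in path.read_text(errors="replace").splitlines():
            m = CONNECT.search(line)
            if m:
                for key in ("pid", "share", "user"):
                    seen[client][key + "s"].add(m[key])
    rows = [(c, len(d["pids"]), sorted(d["shares"]), sorted(d["users"]))
            for c, d in seen.items()]
    return sorted(rows, key=lambda r: r[1], reverse=True)

def constructed_sample():
    """Write constructed log files to a temp dir and return the ranking."""
    line = ("[2017/05/23 06:40:{s:02d}.000000,  1] ../source3/smbd/service.c:1098"
            "(make_connection_snum)\n  {h} (ipv4:{ip}:49712) connect to service {sh} "
            "initially as user {u} (uid=1001, gid=1001) (pid {p})\n")
    with tempfile.TemporaryDirectory() as d:
        noisy = "".join(line.format(s=i, h="win10pc", ip="192.0.2.20", sh="production",
                                    u="bob", p=2300 + i) for i in range(40))
        quiet = line.format(s=5, h="officepc", ip="192.0.2.21", sh="administration",
                            u="alice", p=1999)
        Path(d, "log.win10pc").write_text(noisy)
        Path(d, "log.officepc").write_text(quiet * 3)  # same pid logged 3 times
        Path(d, "log.smbd").write_text("smbd version 4.3.11 started.\n")
        return children_per_client(d)

if __name__ == "__main__":
    for client, n, shares, users in constructed_sample():
        print(f"{client:12} {n:5} child pids  shares={shares} users={users}")
```

On a real server, point `children_per_client` at the directory named in `log file`; a single client with a pid count far above the rest is the one to isolate and scan.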



