[Samba] Windows 10 spawning thousands of child processes on Samba 4.3.11 server
Asbjorn Taugbol
asbjornt at gmail.com
Tue May 23 12:13:33 UTC 2017
On Tue, May 23, 2017 at 8:59 AM, Rowland Penny via samba <samba at lists.samba.org> wrote:
> On Tue, 23 May 2017 08:44:42 +0200
> "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
>
> > Did your TV/Radio break?? ;-)
> >
> > This really smells like some malware/cryptoware.
> > Seen this once on a network, and that was crypto trying to write to
> > shares. And they do that really really fast.
> >
> > Increase the samba debug logs and track if this is client related.
> > That's where I would start.
> >
>
> They were my thoughts; the connections are from guest by the look of
> them, and removing 'map to guest = Bad User' would reset it to 'map to
> guest = Never' and the connections would be dropped.
>
> I think the OP needs to start looking at their clients ;-)
>
> Rowland
>
Alright,
I doubt there is malware running. The nobody/nogroup processes are created
when running certain applications.
I've upped the log level to 3 and see some interesting stuff from Windows
client "WIN8-13" where Admin user is logged in and accessing applications
on the Samba share. Server IP is 10.10.1.6, servername "india". The share
is mounted with username "production" which is in smbpasswd:
root# pdbedit -w -L
production:1001:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:43DEDBC664EA95353348102454C3BD:[U ]:LCT-5923EA2E:
administration:1002:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:4FF63806DDD0952F97B03608A7FDC4:[U ]:LCT-5923EA5E:
Here is a log snippet:
[2017/05/23 10:51:59.104021, 3] ../source3/smbd/service.c:774(make_connection_snum)
  win8-13 (ipv4:10.10.1.63:51224) connect to service IPC$ initially as user production (uid=1001, gid=1001) (pid 1686)
[2017/05/23 10:51:59.104487, 3] ../source3/smbd/msdfs.c:993(get_referred_path)
  get_referred_path: |administration| in dfs path \10.10.1.6\administration is not a dfs root.
[2017/05/23 10:51:59.105493, 3] ../source3/smbd/dir.c:628(dptr_create)
  creating new dirptr 0 for path appl/SubScr, expect_close = 0
...
[2017/05/23 10:51:59.130743, 3] ../source3/param/loadparm.c:1600(lp_add_ipc)
  adding IPC service
[2017/05/23 10:51:59.130814, 3] ../source3/auth/auth.c:178(auth_check_ntlm_password)
  check_ntlm_password: Checking password for unmapped user []\[]@[WIN8-13] with the new password interface
[2017/05/23 10:51:59.130866, 3] ../source3/auth/auth.c:181(auth_check_ntlm_password)
  check_ntlm_password: mapped user is: [INDIA]\[]@[WIN8-13]
[2017/05/23 10:51:59.130928, 3] ../source3/auth/auth.c:249(auth_check_ntlm_password)
  check_ntlm_password: guest authentication for user [] succeeded
[2017/05/23 10:51:59.132111, 3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0xe2088297
[2017/05/23 10:51:59.132715, 3] ../auth/ntlmssp/ntlmssp_server.c:452(ntlmssp_server_preauth)
  Got user=[] domain=[] workstation=[WIN8-13] len1=1 len2=0
[2017/05/23 10:51:59.132798, 3] ../source3/param/loadparm.c:3754(lp_load_ex)
  lp_load_ex: refreshing parameters
I wonder why this guest unmapped user appears?
Thanks.
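The thread above turns on reading smbd's level-3 log to find out which client is connecting as guest and how often. As an added example (not part of the mail thread and not Samba's own code), here is a small parser that tallies tree connects per client/share/user and guest logins per workstation from that log format. The header layout is taken from the snippet in the mail; the message text is assumed to follow the header on the next line(s), as smbd writes it. The sample input is constructed from the snippet, with one added, constructed entry for a tree connect mapped to the guest account, assumed here to be `nobody` (the account the mail mentions; the real value is the `guest account` setting in smb.conf).

```python
import re
from collections import Counter

# Header of an smbd debug-log entry: "[date time, level] file:line(function)".
# The level may be padded with spaces, so allow "\s*" before it.
HEADER_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*(?P<level>\d+)\] "
    r"(?P<file>\S+):(?P<line>\d+)\((?P<func>\w+)\)$"
)
# make_connection_snum message, e.g.
# "win8-13 (ipv4:10.10.1.63:51224) connect to service IPC$ initially as user
#  production (uid=1001, gid=1001) (pid 1686)"
CONNECT_RE = re.compile(
    r"^(?P<client>\S+) \(ipv4:(?P<ip>[\d.]+):(?P<port>\d+)\) connect to service "
    r"(?P<service>\S+) initially as user (?P<user>\S+) "
    r"\(uid=(?P<uid>\d+), gid=(?P<gid>\d+)\) \(pid (?P<pid>\d+)\)$"
)
# auth.c:178 message: "Checking password for unmapped user []\[]@[WIN8-13] ..."
UNMAPPED_RE = re.compile(
    r"unmapped user \[(?P<dom>[^\]]*)\]\\\[(?P<user>[^\]]*)\]@\[(?P<ws>[^\]]*)\]"
)
# auth.c:249 message: "guest authentication for user [] succeeded"
GUEST_OK_RE = re.compile(r"guest authentication for user \[(?P<user>[^\]]*)\] succeeded")

# Constructed sample input based on the snippet in the mail, with header and
# message re-joined onto the lines smbd actually writes. The final "nobody"
# connection is an added, constructed entry (not from the mail) showing what a
# guest-mapped tree connect looks like.
SAMPLE_LOG = r"""
[2017/05/23 10:51:59.104021,  3] ../source3/smbd/service.c:774(make_connection_snum)
  win8-13 (ipv4:10.10.1.63:51224) connect to service IPC$ initially as user production (uid=1001, gid=1001) (pid 1686)
[2017/05/23 10:51:59.104487,  3] ../source3/smbd/msdfs.c:993(get_referred_path)
  get_referred_path: |administration| in dfs path \\10.10.1.6\administration is not a dfs root.
[2017/05/23 10:51:59.130743,  3] ../source3/param/loadparm.c:1600(lp_add_ipc)
  adding IPC service
[2017/05/23 10:51:59.130814,  3] ../source3/auth/auth.c:178(auth_check_ntlm_password)
  check_ntlm_password: Checking password for unmapped user []\[]@[WIN8-13] with the new password interface
[2017/05/23 10:51:59.130866,  3] ../source3/auth/auth.c:181(auth_check_ntlm_password)
  check_ntlm_password: mapped user is: [INDIA]\[]@[WIN8-13]
[2017/05/23 10:51:59.130928,  3] ../source3/auth/auth.c:249(auth_check_ntlm_password)
  check_ntlm_password: guest authentication for user [] succeeded
[2017/05/23 10:51:59.135000,  3] ../source3/smbd/service.c:774(make_connection_snum)
  win8-13 (ipv4:10.10.1.63:51230) connect to service administration initially as user nobody (uid=65534, gid=65534) (pid 1690)
"""


def parse_entries(text):
    """Return a list of (header_fields, message) pairs from smbd debug output.

    A message runs from the line after its header up to the next header, so a
    message that a mail client wrapped onto two lines is re-joined here.
    """
    entries, header, msg = [], None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            if header is not None:
                entries.append((header, " ".join(msg)))
            header, msg = m.groupdict(), []
        elif header is not None:
            msg.append(line)
    if header is not None:
        entries.append((header, " ".join(msg)))
    return entries


def analyze(text):
    """Tally tree connects and guest logins.

    Returns {"connections": Counter keyed by (client, ip, service, user),
             "guest_auths": Counter keyed by workstation name}.
    """
    connections, guest_auths = Counter(), Counter()
    last_workstation = None
    for header, msg in parse_entries(text):
        if header["func"] == "make_connection_snum":
            m = CONNECT_RE.match(msg)
            if m:
                connections[(m["client"], m["ip"], m["service"], m["user"])] += 1
        elif header["func"] == "auth_check_ntlm_password":
            m = UNMAPPED_RE.search(msg)
            if m:
                # auth.c:178 names the workstation; the later "guest ... succeeded"
                # line (auth.c:249) does not, so remember it for attribution.
                last_workstation = m["ws"]
            elif GUEST_OK_RE.search(msg):
                guest_auths[last_workstation or "unknown"] += 1
    return {"connections": connections, "guest_auths": guest_auths}


def guest_sessions(result, guest_account="nobody"):
    """Tree connects that ran as the guest account (assumed 'nobody' here;
    check the 'guest account' parameter in smb.conf for the real value)."""
    return sorted(key for key in result["connections"] if key[3] == guest_account)


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for ws, n in result["guest_auths"].items():
        print(f"{n} guest login(s) from workstation {ws}")
    for client, ip, service, user in guest_sessions(result):
        print(f"guest tree connect: {client} ({ip}) -> {service} as {user}")
```

Run against a full log, the `guest_auths` counter shows which workstations are being mapped to guest, and `guest_sessions` lists the shares they reached that way; those are exactly the sessions that `map to guest = Never` would reject, so the output tells you what would break before you change the setting.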