[Samba] Bad SMB2 (sign_algo_id=1) signature for message
Michael Tokarev
mjt at tls.msk.ru
Fri Mar 1 13:03:45 UTC 2024
Hi!
I'm seeing quite some messages in log.smbd like this:
[2024/03/01 15:59:00.612141, 0, pid=1778617] libcli/smb/smb2_signing.c:639(smb2_signing_check_pdu)
Bad SMB2 (sign_algo_id=1) signature for message
[2024/03/01 15:59:00.612146, 0, pid=1778616] lib/util/util.c:578(dump_data)
[0000] 7E 8D E3 FE A9 44 E8 E3 A6 76 22 6A B2 A4 27 CF ~....D.. .v"j..'.
[2024/03/01 15:59:00.612166, 0, pid=1778617] lib/util/util.c:578(dump_data)
[0000] 2D 99 5B 40 BA B0 66 BA 12 18 38 1D B0 98 DA F4 -.[@..f. ..8.....
[2024/03/01 15:59:00.612194, 0, pid=1778616] lib/util/util.c:578(dump_data)
[0000] C7 20 D2 A3 8F 8E 5B A4 88 A2 46 A1 C6 FA 86 3F . ....[. ..F....?
[2024/03/01 15:59:00.612204, 0, pid=1778617] lib/util/util.c:578(dump_data)
[0000] 1A 87 8B ED C2 24 9E 4A BD 15 15 F2 B0 DD 24 D8 .....$.J ......$.
[2024/03/01 15:59:00.612268, 0, pid=1778616] libcli/smb/smb2_signing.c:639(smb2_signing_check_pdu)
Bad SMB2 (sign_algo_id=1) signature for message
[2024/03/01 15:59:00.612270, 0, pid=1778617] libcli/smb/smb2_signing.c:639(smb2_signing_check_pdu)
Bad SMB2 (sign_algo_id=1) signature for message
[2024/03/01 15:59:00.612294, 0, pid=1778616] lib/util/util.c:578(dump_data)
[0000] 1A 95 AA 9E F2 49 2E 0F 8C 82 D7 83 DB 64 A9 C7 .....I.. .....d..
[2024/03/01 15:59:00.612301, 0, pid=1778617] lib/util/util.c:578(dump_data)
[0000] E6 58 44 BB 80 A5 A1 FE BA 69 E1 82 E5 6D 7B 72 .XD..... .i...m{r
[2024/03/01 15:59:00.612330, 0, pid=1778616] lib/util/util.c:578(dump_data)
[0000] BE 1E BB 30 83 7B DB 8A 14 88 AD 45 46 5F 50 76 ...0.{.. ...EF_Pv
[2024/03/01 15:59:00.612338, 0, pid=1778617] lib/util/util.c:578(dump_data)
[0000] 25 53 2E 95 16 EB 27 59 FB 46 8B 95 70 B1 3A 39 %S....'Y .F..p.:9
[2024/03/01 15:59:00.612396, 0, pid=1778616] libcli/smb/smb2_signing.c:639(smb2_signing_check_pdu)
Bad SMB2 (sign_algo_id=1) signature for message
[2024/03/01 15:59:00.612403, 0, pid=1778617] libcli/smb/smb2_signing.c:639(smb2_signing_check_pdu)
Bad SMB2 (sign_algo_id=1) signature for message
[2024/03/01 15:59:00.612421, 0, pid=1778616] lib/util/util.c:578(dump_data)
[0000] E5 45 8A 18 82 4F 94 ED D7 F1 1B D3 57 F6 4D 50 .E...O.. ....W.MP
[2024/03/01 15:59:00.612429, 0, pid=1778617] lib/util/util.c:578(dump_data)
[0000] 68 AA 9B 0B 8A 8B 66 F6 2C 89 98 EE 3D 47 EE 3C h.....f. ,...=G.<
[2024/03/01 15:59:00.612457, 0, pid=1778616] lib/util/util.c:578(dump_data)
[0000] BC 98 94 AE AB 9B 31 F7 42 09 78 C3 E1 C0 D7 A4 ......1. B.x.....
[2024/03/01 15:59:00.612465, 0, pid=1778617] lib/util/util.c:578(dump_data)
[0000] 49 D0 35 7E 15 82 68 CE 93 02 6C F1 93 EA 7E D2 I.5~..h. ..l...~.
[2024/03/01 15:59:00.612525, 0, pid=1778616] libcli/smb/smb2_signing.c:639(smb2_signing_check_pdu)
Bad SMB2 (sign_algo_id=1) signature for message
[2024/03/01 15:59:00.612533, 0, pid=1778617] libcli/smb/smb2_signing.c:639(smb2_signing_check_pdu)
Bad SMB2 (sign_algo_id=1) signature for message
[2024/03/01 15:59:00.612550, 0, pid=1778616] lib/util/util.c:578(dump_data)
[0000] D1 94 B3 7B 0E 17 86 0D 07 A8 9B 77 4E D0 17 4C ...{.... ...wN..L
[2024/03/01 15:59:00.612558, 0, pid=1778617] lib/util/util.c:578(dump_data)
[0000] 40 96 4B 98 0A FE 90 16 6B 43 2D 09 33 8C 5E 06 @.K..... kC-.3.^.
[2024/03/01 15:59:00.612586, 0, pid=1778616] lib/util/util.c:578(dump_data)
[0000] B1 AA 84 F1 DA AD E9 EC 89 66 2C 47 75 F6 A1 CF ........ .f,Gu...
[2024/03/01 15:59:00.612595, 0, pid=1778617] lib/util/util.c:578(dump_data)
[0000] 27 C7 08 0A B2 21 B7 0A 0D 99 BA 4E DE 51 CF 03 '....!.. ...N.Q..
[2024/03/01 15:59:00.612657, 0, pid=1778616] libcli/smb/smb2_signing.c:639(smb2_signing_check_pdu)
Bad SMB2 (sign_algo_id=1) signature for message
[2024/03/01 15:59:00.612670, 0, pid=1778617] libcli/smb/smb2_signing.c:639(smb2_signing_check_pdu)
Bad SMB2 (sign_algo_id=1) signature for message
[2024/03/01 15:59:00.612683, 0, pid=1778616] lib/util/util.c:578(dump_data)
[0000] 08 C8 F3 E0 5A 41 2F 4A 10 5A C7 C6 E6 DC 3C 38 ....ZA/J .Z....<8
[2024/03/01 15:59:00.612696, 0, pid=1778617] lib/util/util.c:578(dump_data)
[0000] 53 0F 19 E8 8B 2C 42 6A 6F AF 9B 1F 97 B1 CE 5A S....,Bj o......Z
[2024/03/01 15:59:00.612719, 0, pid=1778616] lib/util/util.c:578(dump_data)
[0000] AC D9 66 B7 8E 93 3F 24 9D 05 91 F7 49 32 06 DE ..f...?$ ....I2..
[2024/03/01 15:59:00.612732, 0, pid=1778617] lib/util/util.c:578(dump_data)
[0000] 46 8B B9 4D 99 BA 84 8B 77 80 F4 66 2B 9E FE 57 F..M.... w..f+..W
(interestingly enough this happens in batches, several messages from different PIDs
at exactly the same time).
Should I be concerned? What it *can* be, anyway?
The problem is that there's no context logged, so it's impossible to find out
even which IP address is associated with these messages.
Thanks,
/mjt
More information about the samba
mailing list