sammy2ooo (Apprentice; joined 26 May 2004; 225 posts)
Posted: Thu Apr 09, 2009 7:27 am
Post subject: Which process is trying to establish smb connection?
Hello guys,
I have a problem with a Linux host (10.128.2.101) which tries to authenticate against a w2k3 domain controller (10.128.2.3) using a samba name called "sambatestSSZH0101". I see a failed login attempt from this host about every 5 seconds, so I bothered ngrep for more information:
```text
# ngrep 's.a.m.b.a.t.e.s.t.S.S.Z.H.0.1.0.1' -T -q
T +44.339596 10.128.2.101:49841 -> 10.128.2.3:445 [AP]
.....SMBs.....................<).`...........<)............\...}......
............................................s.a.m.b.a.t.e.s.t.S.S.Z.H.
0.1.0.1...D.O.M.A.E.0.0.1...U.n.i.x...S.a.m.b.a...
T +0.129749 10.128.2.101:49845 -> 10.128.2.3:445 [AP]
.....SMBs.....................?).8...........?)............\...}......
............................................s.a.m.b.a.t.e.s.t.S.S.Z.H.
0.1.0.1...D.O.M.A.E.0.0.1...U.n.i.x...S.a.m.b.a...
T +0.049799 10.128.2.101:49847 -> 10.128.2.3:445 [AP]
.....SMBs.....................?).H...........?)............\...}......
............................................s.a.m.b.a.t.e.s.t.S.S.Z.H.
0.1.0.1...D.O.M.A.E.0.0.1...U.n.i.x...S.a.m.b.a...
T +0.050036 10.128.2.101:49849 -> 10.128.2.3:445 [AP]
.....SMBs.....................?).............?)............\...}......
............................................s.a.m.b.a.t.e.s.t.S.S.Z.H.
0.1.0.1...D.O.M.A.E.0.0.1...U.n.i.x...S.a.m.b.a...
T +0.049750 10.128.2.101:49851 -> 10.128.2.3:445 [AP]
.....SMBs.....................@).............@)............\...}......
............................................s.a.m.b.a.t.e.s.t.S.S.Z.H.
0.1.0.1...D.O.M.A.E.0.0.1...U.n.i.x...S.a.m.b.a...
T +0.040471 10.128.2.101:49853 -> 10.128.2.3:445 [AP]
.....SMBs.....................@).x...........@)............\...}......
............................................s.a.m.b.a.t.e.s.t.S.S.Z.H.
0.1.0.1...D.O.M.A.E.0.0.1...U.n.i.x...S.a.m.b.a...
```
Issuing e.g. the following makes no sense, as the process no longer exists...

```text
# fuser -u -n tcp 49853
```

As you can see, the source port changes after every login attempt. How in the world can I find out what is trying to establish the connection?
This does not bring up anything either...

```text
# find / -type f -exec egrep 'samba|s.a.m.b.a' {} \;
```
So any help on this would be really appreciated, as this is filling up my logs...
_________________
- Linux is sexy -
guru@linux:~> who | egrep -i 'blonde|black|brown' | talk && cd ~; wine; talk; touch; unzip; touch; strip; gasp; finger; mount; fsck; more; yes; gasp; umount; make clean; sleep;

Last edited by sammy2ooo on Thu Apr 09, 2009 7:46 am; edited 1 time in total

sammy2ooo (Apprentice; joined 26 May 2004; 225 posts)
Posted: Thu Apr 09, 2009 7:36 am
This is what my smb.conf looks like:

```text
# cat /etc/samba/smb.conf | egrep -v '^;|^#|^$'
[global]
    workgroup = DOMAE001
    server string = Linux-Server
    netbios name = SSZH0101
    unix charset = ISO8859-1
    preferred master = False
    create mask = 0766
    directory mask = 0777
    printcap name = /etc/printcap
    load printers = yes
    log file = /var/log/samba/%m.log
    max log size = 50
    security = server
    password server = DOMAINCTRL
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    dns proxy = no
[homes]
    comment = Home Directories
    browseable = no
    writable = yes
[z]
    comment = Data
    path = /z
    read only = no
    public = yes
[out]
    comment = FT-Output
    path = /out
    read only = no
    public = yes
[outpub]
    comment = FT-Output-Public
    path = /out/pub
    read only = no
    public = yes
[guiclient]
    comment = ft GUI-Client
    path = /u/client/ft
    read only = yes
    guest ok = Yes
    guest account = guiclient
[test-guiclient]
    comment = ft GUI-Client
    path = /u/client/test/ft
    read only = yes
    guest ok = Yes
    guest account = guiclient
[printers]
    comment = All Printers
    path = /var/spool/samba
    browseable = no
    guest ok = no
    writable = no
    printable = yes
```

sammy2ooo (Apprentice; joined 26 May 2004; 225 posts)
Posted: Thu Apr 09, 2009 7:45 am
Corresponding log:
```text
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 09.04.2009
Time: 09:43:00
User: NT AUTHORITY\SYSTEM
Computer: DOMAINCTRL
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: sambatestSSZH0101
Domain: DOMAE001
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: \\10.128.2.101
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 10.128.2.101
Source Port: 0
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
```

cach0rr0 (Bodhisattva; joined 13 Nov 2008; 4123 posts; location: Houston, Republic of Texas)
Posted: Fri Apr 10, 2009 9:34 am
This is a crude hack, but could you not do a quickie script that does a continuous `netstat -anp > conns` and let it run for 20 seconds before killing it?
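One way to do the polling cach0rr0 suggests, which also shows why `fuser` on a port taken from an old ngrep capture comes up empty, as an added example that is not code from the thread. It assumes Linux net-tools `netstat -anp` column layout and root privileges so the PID/Program column is populated.

```shell
#!/bin/bash
# Added example, not code from the thread: poll netstat -anp for connections
# to the password server and record which local PID/program owns them.
# Assumed: Linux net-tools netstat column layout, run as root so the
# "PID/Program name" column is filled, and a sleep that accepts fractions.

PEER="10.128.2.3:445"    # domain controller and SMB port from the thread

# Read netstat -anp style lines on stdin and print the unique "pid/program"
# owners of TCP sockets whose foreign address is $1. Closed sockets still
# listed in TIME_WAIT have no owner ("-") and are skipped, which is why
# fuser on a port from an old ngrep capture finds nothing.
owners_for_peer() {
    awk -v peer="$1" '$1 ~ /^tcp/ && $5 == peer && $7 != "-" { print $7 }' | sort -u
}

# Poll every 0.2 s for $2 seconds and print each owner seen with a count
# of the polls it appeared in; short-lived connections show up this way.
watch_peer() {
    local peer="$1" secs="$2" end
    end=$(( $(date +%s) + secs ))
    while [ "$(date +%s)" -lt "$end" ]; do
        netstat -anp 2>/dev/null | owners_for_peer "$peer"
        sleep 0.2
    done | sort | uniq -c | sort -rn
}

# Constructed sample in netstat -anp layout (not real captured output).
SAMPLE='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 10.128.2.101:49853      10.128.2.3:445          ESTABLISHED 1234/smbd
tcp        0      0 10.128.2.101:22         10.128.2.50:51000       ESTABLISHED 987/sshd
tcp        0      0 10.128.2.101:49851      10.128.2.3:445          TIME_WAIT   -'

# Run the parser over the constructed sample; returns "1234/smbd".
sample_owner() {
    printf '%s\n' "$SAMPLE" | owners_for_peer "$PEER"
}

# ./watch_smb.sh --watch runs a live 20 second poll, as suggested above;
# with no argument it only exercises the parser on the sample.
if [ "${1:-}" = "--watch" ]; then
    watch_peer "$PEER" 20
else
    sample_owner
fi
```

On newer systems `ss -tnp` replaces netstat but prints the owning process in a different column, so the awk field numbers would need adjusting.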

sammy2ooo (Apprentice; joined 26 May 2004; 225 posts)
Posted: Fri Apr 10, 2009 1:14 pm
Okay, thanks for the reply, I am gonna give this a try on Tuesday... but what if I find out that smbd is establishing this connection? What would be next? I mean, then there must be some third host who is trying to authenticate over this machine... but then I would see something within the `$ ngrep 's.a.m.b.a' -T -q` output, wouldn't I?

sammy2ooo (Apprentice; joined 26 May 2004; 225 posts)
Posted: Wed Apr 15, 2009 6:42 am
Okay... so now I am sure that the binary 'smbd' is trying to authenticate user 'sambatestSSZH0101' against my domain controller... but as I said before, I can't find any entry within the samba config files that references this user in any way???
How can I go further from this point?? What else could I check?