Jeff Wiegley
1998-May-01 01:53 UTC
WINS isn't working correctly and I think somebody is trying to exploit a security hole...
Pardon the long log file, but I'm fairly new to WINS servers and probably don't know what I'm doing.

We have two subnets (let's call them xxx.xxx.xxx.??? and yyy.yyy.yyy.??). I have one Samba/Linux server on both networks, xxx.xxx.xxx.2 and yyy.yyy.yyy.2. xxx.xxx.xxx.2 is set up to be a domain master and yyy.yyy.yyy.2 is set up to be a local master with xxx.xxx.xxx.2 as its master.

Things seemed to be working up until a couple of days ago, and then things started getting screwy. It seemed like our servers were no longer providing WINS resolutions, and we thought this might be because one of our employees accidentally set up a WINS server which was winning master elections and thus our real servers weren't. What I found when looking at log.nmb is something more scary, possibly. It looks as though somebody outside of our networks is attempting to be the domain master.

Could somebody with more knowledge look through this log file and tell me what is going on and how I can correct the situation or prevent it? Of particular interest to me are the attempted requests from machines not on either the xxx.xxx.xxx or the yyy.yyy.yyy subnets, as these seem to be somebody trying to gain information and/or access to something they shouldn't be.

Since security already looks like it's being threatened here, I have changed the names and IP addresses in this message and the logs (except for the IPs that are making illegal requests, in case anybody wants to go hunt them down... ;-). (Sorry for the length of the log or any weird line wraps that happen to it.)

I hope that somebody can guide me as to what to do to shut out machines not in my subnets and also give advice about anything that could help to get my WINS resolution running correctly.

Thanks,
- Jeff

Here's the log.nmb file...
04/20/1998 18:40:28 netbios nameserver version 1.9.18p3 started
Copyright Andrew Tridgell 1994-1997
04/20/1998 18:40:28 become_domain_master_browser_wins: attempting to become domain master browser on workgroup MY.WORKGROUP.NAME, subnet UNICAST_SUBNET.
become_domain_master_browser_wins: querying WINS server at IP xxx.xxx.xxx.2 for domain master browser name MY.WORKGROUP.NAME<1b> on workgroup MY.WORKGROUP.NAME
04/20/1998 18:40:28 ***** Samba server xxx.xxx.xxx.2 is now a domain master browser for workgroup MY.WORKGROUP.NAME on subnet UNICAST_SUBNET *****
become_domain_master_browser_bcast: At time 04/20/1998 18:40:28 attempting to become domain master browser on workgroup MY.WORKGROUP.NAME on subnet xxx.xxx.xxx.2
become_domain_master_browser_bcast: querying subnet xxx.xxx.xxx.2 for domain master browser on workgroup MY.WORKGROUP.NAME
04/20/1998 18:40:38 ***** Samba server xxx.xxx.xxx.2 is now a domain master browser for workgroup MY.WORKGROUP.NAME on subnet xxx.xxx.xxx.2 *****
04/20/1998 18:40:42 ***** Samba name server xxx.xxx.xxx.2 is now a local master browser for workgroup MY.WORKGROUP.NAME on subnet xxx.xxx.xxx.2 *****
process_node_status_request: status request for name *<00> from IP 205.184.226.152 on subnet REMOTE_BROADCAST_SUBNET - name not found.
process_node_status_request: status request for name *<00> from IP 205.184.226.152 on subnet REMOTE_BROADCAST_SUBNET - name not found.
process_node_status_request: status request for name *<00> from IP 205.184.226.152 on subnet REMOTE_BROADCAST_SUBNET - name not found.
process_name_release_request: Attempt to release name `a__MSBROWSE__a<01> from IP xxx.xxx.xxx.74 on subnet xxx.xxx.xxx.2 being rejected as it is one of our names.
Packet send failed to xxx.xxx.xxx.74(137) ERRNO=Connection refused
reply_netbios_packet: send_packet to IP xxx.xxx.xxx.74 port 137 failed
process_name_release_request: Attempt to release name MY.WORKGROUP.NAME<00> from IP xxx.xxx.xxx.74 on subnet xxx.xxx.xxx.2 being rejected as it is one of our names.
process_name_release_request: Attempt to release name MY.WORKGROUP.NAME<1e> from IP xxx.xxx.xxx.74 on subnet xxx.xxx.xxx.2 being rejected as it is one of our names.
process_name_release_request: Attempt to release name MY.WORKGROUP.NAME<00> from IP xxx.xxx.xxx.74 on subnet xxx.xxx.xxx.2 being rejected as it is one of our names.
process_name_release_request: Attempt to release name MY.WORKGROUP.NAME<1e> from IP xxx.xxx.xxx.74 on subnet xxx.xxx.xxx.2 being rejected as it is one of our names.
process_name_release_request: Attempt to release name MY.WORKGROUP.NAME<00> from IP xxx.xxx.xxx.74 on subnet xxx.xxx.xxx.2 being rejected as it is one of our names.
process_name_release_request: Attempt to release name MY.WORKGROUP.NAME<1e> from IP xxx.xxx.xxx.74 on subnet xxx.xxx.xxx.2 being rejected as it is one of our names.
process_name_release_request: Attempt to release name MY.WORKGROUP.NAME<00> from IP xxx.xxx.xxx.74 on subnet xxx.xxx.xxx.2 being rejected as it is one of our names.
process_name_release_request: Attempt to release name MY.WORKGROUP.NAME<1e> from IP xxx.xxx.xxx.74 on subnet xxx.xxx.xxx.2 being rejected as it is one of our names.
process_name_release_request: Attempt to release name MY.WORKGROUP.NAME<00> from IP xxx.xxx.xxx.74 on subnet xxx.xxx.xxx.2 being rejected as it is one of our names.
process_name_release_request: Attempt to release name MY.WORKGROUP.NAME<1e> from IP xxx.xxx.xxx.74 on subnet xxx.xxx.xxx.2 being rejected as it is one of our names.
process_name_release_request: Attempt to release name MY.WORKGROUP.NAME<00> from IP xxx.xxx.xxx.74 on subnet xxx.xxx.xxx.2 being rejected as it is one of our names.
process_name_release_request: Attempt to release name MY.WORKGROUP.NAME<1e> from IP xxx.xxx.xxx.74 on subnet xxx.xxx.xxx.2 being rejected as it is one of our names.
sync_browse_lists: yyy.yyy.yyy.2 rejected the browse sync sessionsetup
process_node_status_request: status request for name *<00> from IP 204.30.73.175 on subnet REMOTE_BROADCAST_SUBNET - name not found.
process_node_status_request: status request for name *<00> from IP 204.30.73.175 on subnet REMOTE_BROADCAST_SUBNET - name not found.
process_node_status_request: status request for name *<00> from IP 204.30.73.175 on subnet REMOTE_BROADCAST_SUBNET - name not found.
process_node_status_request: status request for name *<00> from IP 204.31.253.207 on subnet REMOTE_BROADCAST_SUBNET - name not found.
process_node_status_request: status request for name *<00> from IP 204.31.253.207 on subnet REMOTE_BROADCAST_SUBNET - name not found.
process_node_status_request: status request for name *<00> from IP 204.31.253.207 on subnet REMOTE_BROADCAST_SUBNET - name not found.
process_local_master_announce: Server C009 at IP xxx.xxx.xxx.88 is announcing itself as a local master browser for workgroup MY.WORKGROUP.NAME and we think we are master. Forcing election.
04/29/1998 09:52:38 ***** Samba name server xxx.xxx.xxx.2 has stopped being a local master browser for workgroup MY.WORKGROUP.NAME on subnet xxx.xxx.xxx.2 *****
04/29/1998 09:52:52 ***** Samba name server xxx.xxx.xxx.2 is now a local master browser for workgroup MY.WORKGROUP.NAME on subnet xxx.xxx.xxx.2 *****
process_local_master_announce: Server yyy.yyy.yyy.2 at IP yyy.yyy.yyy.2 is announcing itself as a local master browser for workgroup MY.WORKGROUP.NAME and we think we are master. Forcing election.
04/29/1998 11:13:28 ***** Samba name server xxx.xxx.xxx.2 has stopped being a local master browser for workgroup MY.WORKGROUP.NAME on subnet xxx.xxx.xxx.2 *****
04/29/1998 11:13:42 ***** Samba name server xxx.xxx.xxx.2 is now a local master browser for workgroup MY.WORKGROUP.NAME on subnet xxx.xxx.xxx.2 *****
process_local_master_announce: Server SOMEMACHINE at IP xxx.xxx.xxx.74 is announcing itself as a local master browser for workgroup MY.WORKGROUP.NAME and we think we are master. Forcing election.
04/29/1998 12:08:34 ***** Samba name server xxx.xxx.xxx.2 has stopped being a local master browser for workgroup MY.WORKGROUP.NAME on subnet xxx.xxx.xxx.2 *****
register_name_response: server at IP xxx.xxx.xxx.74 rejected our name registration of MY.WORKGROUP.NAME<1d> with error code 6.
become_local_master_fail2: failed to register name MY.WORKGROUP.NAME<1d> on subnet xxx.xxx.xxx.2. Failed to become a local master browser.
standard_fail_register: Failed to register/refresh name MY.WORKGROUP.NAME<1d> on subnet xxx.xxx.xxx.2
query_name_response: Multiple (2) responses received for a query on subnet xxx.xxx.xxx.2 for name MY.WORKGROUP.NAME<1d>. This response was from IP xxx.xxx.xxx.255
query_name_response: Multiple (2) responses received for a query on subnet xxx.xxx.xxx.2 for name MY.WORKGROUP.NAME<1d>. This response was from IP xxx.xxx.xxx.255
query_name_response: Multiple (2) responses received for a query on subnet xxx.xxx.xxx.2 for name MY.WORKGROUP.NAME<1d>. This response was from IP xxx.xxx.xxx.255
process_browse_packet: On subnet xxx.xxx.xxx.2 ignoring browse packet command code 11 from BOXEN<00> IP xxx.xxx.xxx.4 to MY.WORKGROUP.NAME<1e>
query_name_response: Multiple (2) responses received for a query on subnet xxx.xxx.xxx.2 for name MY.WORKGROUP.NAME<1d>. This response was from IP xxx.xxx.xxx.255
query_name_response: Multiple (2) responses received for a query on subnet xxx.xxx.xxx.2 for name MY.WORKGROUP.NAME<1d>. This response was from IP xxx.xxx.xxx.255
query_name_response: Multiple (2) responses received for a query on subnet xxx.xxx.xxx.2 for name MY.WORKGROUP.NAME<1d>. This response was from IP xxx.xxx.xxx.255
query_name_response: Multiple (2) responses received for a query on subnet xxx.xxx.xxx.2 for name MY.WORKGROUP.NAME<1d>. This response was from IP xxx.xxx.xxx.255
query_name_response: Multiple (2) responses received for a query on subnet xxx.xxx.xxx.2 for name MY.WORKGROUP.NAME<1d>. This response was from IP xxx.xxx.xxx.255
query_name_response: Multiple (2) responses received for a query on subnet xxx.xxx.xxx.2 for name MY.WORKGROUP.NAME<1d>. This response was from IP xxx.xxx.xxx.255
query_name_response: Multiple (2) responses received for a query on subnet xxx.xxx.xxx.2 for name MY.WORKGROUP.NAME<1d>. This response was from IP xxx.xxx.xxx.255
query_name_response: Multiple (2) responses received for a query on subnet xxx.xxx.xxx.2 for name MY.WORKGROUP.NAME<1d>. This response was from IP xxx.xxx.xxx.255
query_name_response: Multiple (2) responses received for a query on subnet xxx.xxx.xxx.2 for name MY.WORKGROUP.NAME<1d>. This response was from IP xxx.xxx.xxx.255
query_name_response: Multiple (2) responses received for a query on subnet xxx.xxx.xxx.2 for name MY.WORKGROUP.NAME<1d>. This response was from IP xxx.xxx.xxx.255
query_name_response: Multiple (2) responses received for a query on subnet xxx.xxx.xxx.2 for name MY.WORKGROUP.NAME<1d>. This response was from IP xxx.xxx.xxx.255
query_name_response: Multiple (2) responses received for a query on subnet xxx.xxx.xxx.2 for name MY.WORKGROUP.NAME<1d>. This response was from IP xxx.xxx.xxx.255
query_name_response: Multiple (2) responses received for a query on subnet xxx.xxx.xxx.2 for name MY.WORKGROUP.NAME<1d>. This response was from IP xxx.xxx.xxx.255
query_name_response: Multiple (2) responses received for a query on subnet xxx.xxx.xxx.2 for name MY.WORKGROUP.NAME<1d>. This response was from IP xxx.xxx.xxx.255
query_name_response: Multiple (2) responses received for a query on subnet xxx.xxx.xxx.2 for name MY.WORKGROUP.NAME<1d>. This response was from IP xxx.xxx.xxx.255
query_name_response: Multiple (2) responses received for a query on subnet xxx.xxx.xxx.2 for name MY.WORKGROUP.NAME<1d>. This response was from IP xxx.xxx.xxx.255
query_name_response: Multiple (2) responses received for a query on subnet xxx.xxx.xxx.2 for name MY.WORKGROUP.NAME<1d>. This response was from IP xxx.xxx.xxx.255
query_name_response: Multiple (2) responses received for a query on subnet xxx.xxx.xxx.2 for name MY.WORKGROUP.NAME<1d>. This response was from IP xxx.xxx.xxx.255
query_name_response: Multiple (2) responses received for a query on subnet xxx.xxx.xxx.2 for name MY.WORKGROUP.NAME<1d>. This response was from IP xxx.xxx.xxx.255
query_name_response: Multiple (2) responses received for a query on subnet xxx.xxx.xxx.2 for name MY.WORKGROUP.NAME<1d>. This response was from IP xxx.xxx.xxx.255
query_name_response: Multiple (2) responses received for a query on subnet xxx.xxx.xxx.2 for name MY.WORKGROUP.NAME<1d>. This response was from IP xxx.xxx.xxx.255
process_node_status_request: status request for name *<00> from IP 204.30.73.227 on subnet REMOTE_BROADCAST_SUBNET - name not found.
process_node_status_request: status request for name *<00> from IP 204.30.73.227 on subnet REMOTE_BROADCAST_SUBNET - name not found.
process_node_status_request: status request for name *<00> from IP 204.30.73.227 on subnet REMOTE_BROADCAST_SUBNET - name not found.
process_node_status_request: status request for name *<00> from IP 204.30.73.227 on subnet REMOTE_BROADCAST_SUBNET - name not found.
process_node_status_request: status request for name *<00> from IP 204.30.73.227 on subnet REMOTE_BROADCAST_SUBNET - name not found.
process_node_status_request: status request for name *<00> from IP 204.30.73.227 on subnet REMOTE_BROADCAST_SUBNET - name not found.
query_name_response: Multiple (2) responses received for a query on subnet xxx.xxx.xxx.2 for name MY.WORKGROUP.NAME<1d>. This response was from IP xxx.xxx.xxx.255
sync_browse_lists: MACHINE rejected the browse sync session
process_browse_packet: On subnet xxx.xxx.xxx.2 ignoring browse packet command code 11 from OTHER<20> IP xxx.xxx.xxx.58 to MY.WORKGROUP.NAME<1e>
process_browse_packet: On subnet xxx.xxx.xxx.2 ignoring browse packet command code 11 from MACHINE<20> IP xxx.xxx.xxx.113 to MY.WORKGROUP.NAME<1e>
sync_browse_lists: MACHINE rejected the browse sync session
error connecting to xxx.xxx.xxx.113:139 (No route to host)
sync_browse_lists: Failed to start browse sync with C034
process_node_status_request: status request for name *<00> from IP 207.69.129.38 on subnet REMOTE_BROADCAST_SUBNET - name not found.
process_node_status_request: status request for name *<00> from IP 207.69.129.38 on subnet REMOTE_BROADCAST_SUBNET - name not found.
process_node_status_request: status request for name *<00> from IP 207.69.129.38 on subnet REMOTE_BROADCAST_SUBNET - name not found.
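Added here as an illustration and not part of Jeff's post: a small Python triage script that sorts nmbd log lines of the three kinds seen in the log above (wildcard node status requests, name release attempts against the server's own names, and competing local master announcements) by whether the source address lies inside the local subnets. The sample entries and the 192.0.2.0/24 and 198.51.100.0/24 subnets are constructed stand-ins for the post's xxx.xxx.xxx and yyy.yyy.yyy networks.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample entries modelled on the log.nmb lines quoted above; the
# subnets and hosts are RFC 5737 documentation addresses standing in for the
# post's xxx.xxx.xxx and yyy.yyy.yyy networks.
SAMPLE_LOG = """\
process_node_status_request: status request for name *<00> from IP 203.0.113.9 on subnet REMOTE_BROADCAST_SUBNET - name not found.
process_name_release_request: Attempt to release name MY.WORKGROUP.NAME<00> from IP 192.0.2.74 on subnet 192.0.2.2 being rejected as it is one of our names.
process_local_master_announce: Server C009 at IP 192.0.2.88 is announcing itself as a local master browser for workgroup MY.WORKGROUP.NAME and we think we are master. Forcing election.
process_node_status_request: status request for name *<00> from IP 192.0.2.50 on subnet 192.0.2.2 - name not found.
"""

# Assumed: the two subnets the Samba servers are meant to serve.
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24"),
              ipaddress.ip_network("198.51.100.0/24")]

NODE_STATUS = re.compile(r"process_node_status_request: .* from IP (\S+) ")
NAME_RELEASE = re.compile(r"process_name_release_request: Attempt to release name (\S+) from IP (\S+) ")
MASTER_ANNOUNCE = re.compile(r"process_local_master_announce: Server (\S+) at IP (\S+) is announcing")

def is_local(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)

def triage(log_text):
    """One finding dict per matching nmbd line, in log order."""
    findings = []
    for line in log_text.splitlines():
        if m := NODE_STATUS.search(line):
            # A wildcard (*<00>) status request asks a host to list all its NetBIOS
            # names; from outside the local subnets it is unsolicited enumeration
            # that a border filter on UDP/137 should be dropping.
            ip = m.group(1)
            kind = "internal_node_status" if is_local(ip) else "external_node_status"
            findings.append({"kind": kind, "ip": ip})
        elif m := NAME_RELEASE.search(line):
            # Another host asking the server to give up one of its own names: a
            # misconfigured machine or an attempt to take over the workgroup names.
            findings.append({"kind": "name_release", "name": m.group(1), "ip": m.group(2)})
        elif m := MASTER_ANNOUNCE.search(line):
            # A competing local master browser forces an election; record the host.
            findings.append({"kind": "rogue_master_announce", "host": m.group(1), "ip": m.group(2)})
    return findings

def offenders(findings):
    """Finding counts per source IP, external sources first, then busiest first."""
    counts = Counter(f["ip"] for f in findings)
    return sorted(counts.items(), key=lambda kv: (is_local(kv[0]), -kv[1], kv[0]))
```

Run `triage(open("log.nmb").read())` against a real log and `offenders()` over the result to get the external sources at the top of the list.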
Erik Corry
1998-May-04 07:22 UTC
WINS isn't working correctly and I think somebody is trying to exploit a security hole...
Jeff Wiegley <jeff@la.usweb.com> wrote:

> Things seemed to be working up until a couple of days ago and then things
> started getting screwy. It seemed like our servers were no longer providing
> WINS resolutions and we thought this might be because one of our employees
> accidentally set up a WINS server which was winning master elections and thus
> our real servers weren't. What I found when looking at log.nmb is something
> more scary possibly. It looks as though somebody outside of our networks
> is attempting to be the domain master.

I would guess that someone has put a machine on your net that is incorrectly set up with the address you are seeing in the log files. Since the broadcast addresses are set up wrong, communication is going to be difficult between this machine and the others, and it might think it is master browser because all the Samba machines missed the election that went on over the wrong addresses.

Another possibility is NetBEUI-only machines. I have had some trouble with these. Because they don't understand TCP/IP they can't see the Samba master browser, so they start elections, which are usually won by some NT or W95 machine that understands both NetBEUI and TCP/IP. Great confusion occurs. This is an especially common problem if you are using the WORKGROUP workgroup, because then an unconfigured W95 machine will cause the problem.

-- 
Erik Corry