Ignacio Bustamante
2004-Apr-05 06:15 UTC
[Samba] Possible SMBd Remote File Creation Vulnerability again?
Hi,

Five days ago (2004/03/31) someone was able to obtain a list of *all* the unix user names of my machine (a Redhat 9 w/ latest patches) and then started trying to log in as a samba user (about 400 tries per user name). Upon noticing this strange behavior I immediately proceeded to block all ports related to samba, and to put the story short, fortunately, or should I say hopefully, the individual trying to get entry was not able to log into my machine according to other logs.

Later on, while searching the Internet for information on this problem, I came upon the "SMBd Remote File Creation Vulnerability" published in the year 2001, and referring to samba versions 2.0.7 and 2.0.8... Well, this is year 2004, and I am using version "2.2.7a-security-rollup-fix". Could this mean that this vulnerability either was never fixed or that it is present again? Any info will be appreciated.

BTW, just in case, I applied the temporary fix suggested in the 2001 information, by changing the log name from "%m.log" to "log.%m".

Thanks in advance

--Ignacio

Clint Sharp
2004-Apr-05 06:42 UTC
[Samba] Possible SMBd Remote File Creation Vulnerability again?
On Sun, 2004-04-04 at 23:15, Ignacio Bustamante wrote:
> Hi,
>
> Five days ago (2004/03/31) someone was able to obtain a list of *all* the
> unix user names of my machine (a Redhat 9 w/ latest patches) and then
> started trying to log as a samba user (about 400 tries per user name). Upon
> noticing this strange behavior I immediately proceeded to block all ports
> related to samba, and to put the story short, fortunately or should I say
> hopefully the individual trying to get entry was not able to log into my
> machine according to other logs.
>
> Later on while searching the Internet for information on this problem,
> came upon the "SMBd Remote File Creation Vulnerability" published on the
> year 2001, and referring to samba versions 2.0.7 and 2.0.8.,.. Well this is
> year 2004, and I am using version "2.2.7a-security-rollup-fix.", could this
> mean that this vulnerability either was never fixed or that it is present
> again? any info will be appreciated
>
> BTW, Just, in case I applied temporary fix suggested on the 2001
> information, by changing the log name from "%m.log" to "log.%m"
>
> Thanks in advance
>
> --Ignacio

A copy of your smb.conf would have helped. Do you have a guest account enabled on your samba config? It sounds like someone was able to enumerate your userlist, which would require access to the IPC$ share, which any user who could authenticate (even guest) should be able to do.

I'd highly recommend as a general practice not exposing SMB or CIFS shares to the Internet or an untrusted network, as even though Samba is more secure than, say, Windows, it's still just not a good idea unless there's a legitimate justification for it. Even so, SFTP or some other more secure file transfer mechanism would be a better option (or if there are trusted users on the Internet, have them tunnel the SMB traffic through SSH or an IPSEC tunnel).

Clint
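
The points raised in this thread (guest access, exposure to untrusted networks, and the "%m.log" log name) can be checked against an smb.conf with a short script. This is an added example, not part of the original messages or of Samba itself; the sample configuration is constructed, and the function name and issue labels are hypothetical. It assumes the standard smb.conf parameters `map to guest`, `guest ok`/`public`, `hosts allow`/`allow hosts` and `log file`.

```python
import configparser
import posixpath

# Constructed sample smb.conf for illustration (not the poster's file).
SAMPLE_CONF = """\
[global]
   security = user
   map to guest = Bad User
   log file = /var/log/samba/%m.log

[public]
   path = /srv/public
   guest ok = yes
"""

YES = {"yes", "true", "1"}

def audit_smb_conf(text):
    """Return (section, issue) tuples for the settings discussed in the thread."""
    # Strip indentation so configparser does not treat indented options as
    # continuation lines; interpolation is off because smb.conf uses %m etc.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string("\n".join(line.strip() for line in text.splitlines()))
    findings = []
    glob = cp["global"] if cp.has_section("global") else {}

    # Guest mapping: anything but "never" turns some failed logons into guest sessions.
    if glob.get("map to guest", "never").strip().lower() != "never":
        findings.append(("global", "guest-mapping-enabled"))
    # Shares that accept guest connections ("public" is a synonym of "guest ok").
    for name in cp.sections():
        sec = cp[name]
        if any(sec.get(k, "no").strip().lower() in YES for k in ("guest ok", "public")):
            findings.append((name, "guest-share"))
    # No host-based restriction: every network that can reach the port may connect.
    if not (glob.get("hosts allow") or glob.get("allow hosts")):
        findings.append(("global", "no-hosts-allow"))
    # Log name beginning with the client-supplied %m (the 2001 workaround
    # quoted in the thread moves %m to the end: log.%m).
    log_name = posixpath.basename(glob.get("log file", ""))
    if log_name.startswith("%m"):
        findings.append(("global", "log-name-starts-with-%m"))
    return findings

if __name__ == "__main__":
    for section, issue in audit_smb_conf(SAMPLE_CONF):
        print(f"[{section}] {issue}")
```

A clean result only covers these four settings; a firewall or `interfaces` restriction outside smb.conf is not visible to the script.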