Buozis, Martynas
2005-Sep-16 13:50 UTC
[Samba] Persistent SPOOLSS_ADDPRINTEREX commands from Windows NT 4.0 computers
Hello, I need some advice from gurus. I identified several Windows NT computers that are persistently trying to access my samba server. They are connecting to IPC$ with NULL information in both the password and username fields. Below you will find an excerpt from the samba log file.

My questions would be the following. What is SPOOLSS_ADDPRINTEREX? Can it be some kind of worm? If yes, how can I catch it (enable write to the spool dir, add printer wizard, etc.)? Can somebody let me know anything about persistently incoming connections from the same hosts doing the actions posted below?

Thank you in advance!

[2005/09/15 22:34:44, 3] smbd/service.c:(642) granite (xxx.xxx.xxx.xxx) connect to service IPC$ initially as user noaccess (uid=60002, gid=60002) (pid 29735)
[2005/09/15 22:34:44, 3] smbd/sec_ctx.c:(288) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2005/09/15 22:34:44, 3] smbd/reply.c:(455) tconX service=IPC$
[2005/09/15 22:34:44, 3] smbd/process.c:(1091) Transaction 3 of length 106
[2005/09/15 22:34:44, 3] smbd/process.c:(886) switch message SMBntcreateX (pid 29735) conn 0x3bf330
[2005/09/15 22:34:44, 3] smbd/sec_ctx.c:(288) setting sec ctx (60002, 60002) - sec_ctx_stack_ndx = 0
[2005/09/15 22:34:44, 3] smbd/nttrans.c:(514) nt_open_pipe: Known pipe spoolss opening.
[2005/09/15 22:34:44, 3] smbd/process.c:(1091) Transaction 4 of length 160
[2005/09/15 22:34:44, 3] smbd/process.c:(886) switch message SMBtrans (pid 29735) conn 0x3bf330
[2005/09/15 22:34:44, 3] smbd/ipc.c:(539) trans <\PIPE\> data=72 params=0 setup=2
[2005/09/15 22:34:44, 3] smbd/ipc.c:(334) named pipe command on <> name
[2005/09/15 22:34:44, 3] smbd/ipc.c:(294) Got API command 0x26 on pipe "spoolss" (pnum 76c3)
[2005/09/15 22:34:44, 3] rpc_server/srv_pipe.c:(887) api_pipe_bind_req: \PIPE\spoolss -> \PIPE\spoolss
[2005/09/15 22:34:44, 3] rpc_server/srv_pipe.c:(762) check_bind_req for \PIPE\spoolss
[2005/09/15 22:34:44, 3] smbd/process.c:(1091) Transaction 5 of length 530
[2005/09/15 22:34:44, 3] smbd/process.c:(886) switch message SMBtrans (pid 29735) conn 0x3bf330
[2005/09/15 22:34:44, 3] smbd/ipc.c:(539) trans <\PIPE\> data=442 params=0 setup=2
[2005/09/15 22:34:44, 3] smbd/ipc.c:(334) named pipe command on <> name
[2005/09/15 22:34:44, 3] smbd/ipc.c:(294) Got API command 0x26 on pipe "spoolss" (pnum 76c3)
[2005/09/15 22:34:44, 3] rpc_server/srv_pipe_hnd.c:(542) free_pipe_context: destroying talloc pool of size 0
[2005/09/15 22:34:44, 3] rpc_server/srv_pipe.c:(1538) api_rpcTNP: rpc command: SPOOLSS_ADDPRINTEREX
[2005/09/15 22:34:44, 3] rpc_server/srv_pipe_hnd.c:(542) free_pipe_context: destroying talloc pool of size 318

With best regards
Martynas
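The log excerpt above shows the pattern worth hunting for: an anonymous IPC$ tree connect (the NULL username lands on the guest account, here "noaccess"), a spoolss pipe open, and then SPOOLSS_ADDPRINTEREX. The script below is an added example, not code from the thread or from the Samba project: it parses Samba level-3 log records, ties each "api_rpcTNP: rpc command:" line back to the session that issued it, and reports hosts that repeatedly issue SPOOLSS_ADDPRINTEREX over a guest IPC$ session while ignoring the same call from an authenticated user, which is just someone installing a printer. It assumes the Samba 3 layout (header line "[date time, level] file:(line)" with the message either on the next line or, as in the excerpt above, on the same line), that the guest account is "noaccess" as in the posted log, and that an RPC command line belongs to the pid of the nearest preceding "connect to service" or "switch message ... (pid N)" record. The sample log and its addresses are constructed; the original post masks the IP.

```python
"""Flag hosts that persistently call SPOOLSS_ADDPRINTEREX over anonymous (guest) IPC$ sessions.

Added example; not from the mailing-list thread or from Samba. Assumptions are listed in the
lead-in: Samba 3 level-3 log layout, guest account 'noaccess', RPC lines attributed to the
most recently seen pid.
"""
import re
from collections import defaultdict
from datetime import datetime

# Header: '[2005/09/15 22:34:44, 3] smbd/service.c:(642)', optionally followed by the message.
HEADER = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), (\d+)\] (\S+)(?:\s+(.+))?$")
CONNECT = re.compile(
    r"^(\S+) \((\S+)\) connect to service (\S+) initially as user (\S+) "
    r"\(uid=(\d+), gid=(\d+)\) \(pid (\d+)\)$"
)
SWITCH = re.compile(r"^switch message \S+ \(pid (\d+)\)")
RPC = re.compile(r"^api_rpcTNP: rpc command: (\S+)$")


def parse_records(lines):
    """Yield (timestamp, level, location, message) for each log record, pairing headers with messages."""
    header = None
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = HEADER.match(line)
        if m:
            header = (datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S"), int(m.group(2)), m.group(3))
            if m.group(4):  # message on the same line, as in the run-together excerpt
                yield header + (m.group(4).strip(),)
                header = None
        elif header is not None:
            yield header + (line,)
            header = None


def rpc_events(lines):
    """Return [(timestamp, host, ip, share, user, rpc_command)] with each RPC tied to its session."""
    sessions, current_pid, events = {}, None, []
    for ts, _level, _loc, msg in parse_records(lines):
        if (m := CONNECT.match(msg)):
            host, ip, service, user, _uid, _gid, pid = m.groups()
            sessions[pid] = (host, ip, service, user)
            current_pid = pid
        elif (m := SWITCH.match(msg)):
            current_pid = m.group(1)  # smbd forks per client, so the pid identifies the session
        elif (m := RPC.match(msg)) and current_pid in sessions:
            events.append((ts,) + sessions[current_pid] + (m.group(1),))
    return events


def persistent_anonymous_callers(lines, rpc="SPOOLSS_ADDPRINTEREX", guest="noaccess", threshold=3):
    """Return {ip: (host, count, first_seen, last_seen)} for guest IPC$ sessions issuing `rpc`
    at least `threshold` times. Authenticated sessions are deliberately not counted."""
    seen = defaultdict(list)
    for ts, host, ip, service, user, cmd in rpc_events(lines):
        if service == "IPC$" and user == guest and cmd == rpc:
            seen[(ip, host)].append(ts)
    return {ip: (host, len(stamps), min(stamps), max(stamps))
            for (ip, host), stamps in seen.items() if len(stamps) >= threshold}


def _session(ts, host, ip, user, uid, pid, cmd):
    """Constructed log fragment for one session: tree connect, pipe open, one RPC call."""
    return [
        f"[{ts}, 3] smbd/service.c:(642)",
        f"  {host} ({ip}) connect to service IPC$ initially as user {user} (uid={uid}, gid={uid}) (pid {pid})",
        f"[{ts}, 3] smbd/process.c:(886)",
        f"  switch message SMBntcreateX (pid {pid}) conn 0x3bf330",
        f"[{ts}, 3] smbd/nttrans.c:(514)",
        "  nt_open_pipe: Known pipe spoolss opening.",
        f"[{ts}, 3] rpc_server/srv_pipe.c:(1538)",
        f"  api_rpcTNP: rpc command: {cmd}",
    ]


# Constructed sample: three anonymous attempts from "granite", one legitimate authenticated
# printer add from "marble", and an anonymous but harmless OPENPRINTEREX from "slate".
SAMPLE_LOG = (
    _session("2005/09/15 22:34:44", "granite", "192.0.2.10", "noaccess", 60002, 29735, "SPOOLSS_ADDPRINTEREX")
    + _session("2005/09/15 22:44:44", "granite", "192.0.2.10", "noaccess", 60002, 29801, "SPOOLSS_ADDPRINTEREX")
    + _session("2005/09/15 22:54:44", "granite", "192.0.2.10", "noaccess", 60002, 29877, "SPOOLSS_ADDPRINTEREX")
    + _session("2005/09/15 22:40:00", "marble", "192.0.2.20", "martynas", 1001, 29790, "SPOOLSS_ADDPRINTEREX")
    + _session("2005/09/15 22:50:00", "slate", "192.0.2.30", "noaccess", 60002, 29850, "SPOOLSS_OPENPRINTEREX")
)

if __name__ == "__main__":
    for ip, (host, n, first, last) in persistent_anonymous_callers(SAMPLE_LOG).items():
        print(f"{host} ({ip}): {n} anonymous SPOOLSS_ADDPRINTEREX calls between {first} and {last}")
```

Run it against a real log with `persistent_anonymous_callers(open("/var/log/samba/log.smbd"))` at log level 3 or higher; the threshold and window are deliberately simple, since the question is which hosts keep coming back, not whether any single call is malicious. A host that shows up here with no business reason to add printers is the one to check for cached printer connections or a misbehaving client.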
Gerald (Jerry) Carter
2005-Sep-16 20:07 UTC
[Samba] Persistent SPOOLSS_ADDPRINTEREX commands from Windows NT 4.0 computers
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Buozis, Martynas wrote:
| My questions would be following. What is SPOOLSS_ADDPRINTEREX ?

It's the rpc used to create a printer on a remote CIFS server.

| Can it be some kind of worm ?

Unlikely. But could be. Do these Windows clients have legitimate reason to be connecting to your server? Perhaps some cached information from past times?

cheers, jerry

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFDKyXUIR7qMdg1EfYRAq7cAJ9Z0FDRjmDocHGMgEah+w7zO7NlpgCguO6q
OebO4JnI8h0zqkjUhEEAVaU=
=LliW
-----END PGP SIGNATURE-----