Hello,

Last week I detected with Zabbix that a member of my Samba domain had been downloading at a rate of around 8 Mbps for two and a half days. When I asked the person to whom the machine belonged, he didn't know he was downloading anything, but he said he had observed that his machine had slowed down since then. I took a tcpdump of the traffic before terminating his session on Windows XP. I checked, and there wasn't any large amount of data on his hard drive: the total drive capacity was 80 GiB and there was 30 GiB free. One of the oddities for me was that the bandwidth was being consumed through TCP port 139 of the Samba machine. Normally data is downloaded on TCP port 445. Another oddity is that when I put together some of the names in the trace from tcpdump, I can reconstitute names of files on the server. Unless I'm mistaken, this type of information shouldn't be circulating on port 139?

Here is the version of Samba:
Samba version 3.4.9

Here is a sample of the trace from tcpdump:

17:46:35.838212 IP pdc-canix.xyzcivitas.com.netbios-ssn > GBY-PC-125.xyzcivitas.com.1026: Flags [P.], ack 123157, win 65535, length 1239 NBT Session Packet: Unknown packet type 0x38
Data: (41 bytes)
[000] D5 F1 4E 73 4E 02 00 00 FB 04 00 00 2E 00 00 00 \0xd5\0xf1NsN\0x02\0x00\0x00 \0xfb\0x04\0x00\0x00.\0x00\0x00\0x00
[010] 00 00 00 00 01 00 00 00 00 00 64 40 43 32 32 30 \0x00\0x00\0x00\0x00\0x01\0x00\0x00\0x00 \0x00\0x00d at C220
[020] 30 38 2D 30 37 2D 32 33 5F 08-07-23 _

17:46:35.842050 IP GBY-PC-125.xyzcivitas.com.1026 > pdc-canix.xyzcivitas.com.netbios-ssn: Flags [.], ack 7980391, win 65535, length 0
17:46:35.842313 IP GBY-PC-125.xyzcivitas.com.1026 > pdc-canix.xyzcivitas.com.netbios-ssn: Flags [P.], ack 7981630, win 64296, length 63 NBT Session Packet: Session Message
17:46:35.842446 IP pdc-canix.xyzcivitas.com.netbios-ssn > GBY-PC-125.xyzcivitas.com.1026: Flags [.], ack 123220, win 65535, length 1460 NBT Session Packet: Session Message
17:46:35.842460 IP pdc-canix.xyzcivitas.com.netbios-ssn > GBY-PC-125.xyzcivitas.com.1026: Flags [.], ack 123220, win 65535, length 1460 NBT Session Packet: Unknown packet type 0x70
Data: (41 bytes)
[000] 63 50 4B 01 02 14 0B 14 00 00 00 08 00 80 96 F7 cPK\0x01\0x02\0x14\0x0b\0x14 \0x00\0x00\0x00\0x08\0x00\0x80\0x96\0xf7
[010] 38 63 04 52 FB 4E 02 00 00 FB 04 00 00 2E 00 00 8c\0x04R\0xfbN\0x02\0x00 \0x00\0xfb\0x04\0x00\0x00.\0x00\0x00
[020] 00 00 00 00 00 01 00 00 00 \0x00\0x00\0x00\0x00\0x00\0x01\0x00\0x00 \0x00

17:46:35.842472 IP pdc-canix.xyzcivitas.com.netbios-ssn > GBY-PC-125.xyzcivitas.com.1026: Flags [P.], ack 123220, win 65535, length 1239 NBT Session Packet: Session Message
17:46:35.846333 IP GBY-PC-125.xyzcivitas.com.1026 > pdc-canix.xyzcivitas.com.netbios-ssn: Flags [.], ack 7984550, win 65535, length 0
17:46:35.846580 IP GBY-PC-125.xyzcivitas.com.1026 > pdc-canix.xyzcivitas.com.netbios-ssn: Flags [P.], ack 7985789, win 64296, length 63 NBT Session Packet: Session Message
17:46:35.846692 IP pdc-canix.xyzcivitas.com.netbios-ssn > GBY-PC-125.xyzcivitas.com.1026: Flags [.], ack 123283, win 65535, length 1460 NBT Session Packet: Session Message
17:46:35.846701 IP pdc-canix.xyzcivitas.com.netbios-ssn > GBY-PC-125.xyzcivitas.com.1026: Flags [.], ack 123283, win 65535, length 1460 NBT Session Packet: Unknown packet type 0x12
Data: (41 bytes)
[000] 01 00 0B 14 01 00 32 00 00 00 00 00 00 00 00 00 \0x01\0x00\0x0b\0x14\0x01\0x002\0x00 \0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00
[010] 00 00 00 00 40 A6 59 32 32 30 30 38 2D 30 37 2D \0x00\0x00\0x00\0x00@\0xa6Y2 2008-07-
[020] 32 33 5F 4C 31 2F 53 68 65 23_L1/Sh e

17:46:35.846707 IP pdc-canix.xyzcivitas.com.netbios-ssn > GBY-PC-125.xyzcivitas.com.1026: Flags [P.], ack 123283, win 65535, length 1239 NBT Session Packet: Unknown packet type 0x66
Data: (41 bytes)
[000] 6F 72 64 2F 41 4C 5F 33 39 5F 34 31 33 5F 38 37 ord/AL_3 9_413_87
[010] 38 5F 30 30 31 5F 41 66 69 63 68 43 70 63 2E 68 8_001_Af ichCpc.h
[020] 74 6D 50 4B 01 02 14 0B 14 tmPK\0x01\0x02\0x14\0x0b \0x14

17:46:35.850610 IP GBY-PC-125.xyzcivitas.com.1026 > pdc-canix.xyzcivitas.com.netbios-ssn: Flags [.], ack 7988709, win 65535, length 0
17:46:35.850826 IP GBY-PC-125.xyzcivitas.com.1026 > pdc-canix.xyzcivitas.com.netbios-ssn: Flags [P.], ack 7989948, win 64296, length 63 NBT Session Packet: Session Message
17:46:35.850954 IP pdc-canix.xyzcivitas.com.netbios-ssn > GBY-PC-125.xyzcivitas.com.1026: Flags [.], ack 123346, win 65535, length 1460 NBT Session Packet: Session Message
17:46:35.850968 IP pdc-canix.xyzcivitas.com.netbios-ssn > GBY-PC-125.xyzcivitas.com.1026: Flags [.], ack 123346, win 65535, length 1460 NBT Session Packet: Unknown packet type 0x30
Data: (41 bytes)
[000] 30 38 2D 30 37 2D 32 33 5F 4C 31 2F 53 68 65 66 08-07-23 _L1/Shef
[010] 66 6F 72 64 2F 41 4C 5F 33 39 5F 34 31 34 5F 33 ford/AL_ 39_414_3
[020] 35 30 5F 30 30 31 5F 41 66 50_001_A f

17:46:35.850974 IP pdc-canix.xyzcivitas.com.netbios-ssn > GBY-PC-125.xyzcivitas.com.1026: Flags [P.], ack 123346, win 65535, length 1239 NBT Session Packet: Unknown packet type 0x6E
Data: (41 bytes)
[000] 61 76 67 74 2E 68 74 6D 50 4B 01 02 14 0B 14 00 avgt.htm PK\0x01\0x02\0x14\0x0b\0x14\0x00
[010] 00 00 08 00 80 96 F7 38 D4 24 0A F9 18 01 00 00 \0x00\0x00\0x08\0x00\0x80\0x96\0xf78 \0xd4$\0x0a\0xf9\0x18\0x01\0x00\0x00
[020] 3A 02 00 00 35 00 00 00 00 :\0x02\0x00\0x005\0x00\0x00\0x00 \0x00

17:46:35.854859 IP GBY-PC-125.xyzcivitas.com.1026 > pdc-canix.xyzcivitas.com.netbios-ssn: Flags [.], ack 7992868, win 65535, length 0
17:46:35.855062 IP GBY-PC-125.xyzcivitas.com.1026 > pdc-canix.xyzcivitas.com.netbios-ssn: Flags [P.], ack 7994107, win 64296, length 63 NBT Session Packet: Session Message
17:46:35.855187 IP pdc-canix.xyzcivitas.com.netbios-ssn > GBY-PC-125.xyzcivitas.com.1026: Flags [.], ack 123409, win 65535, length 1460 NBT Session Packet: Session Message
17:46:35.855195 IP pdc-canix.xyzcivitas.com.netbios-ssn > GBY-PC-125.xyzcivitas.com.1026: Flags [.], ack 123409, win 65535, length 1460 NBT Session Packet: Unknown packet type 0x72
Data: (41 bytes)
[000] 64 2F 41 4C 5F 33 39 5F 34 31 35 5F 35 39 34 5F d/AL_39_ 415_594_
[010] 6E 61 76 67 74 2E 68 74 6D 50 4B 01 02 14 0B 14 navgt.ht mPK\0x01\0x02\0x14\0x0b\0x14
[020] 00 00 00 08 00 80 96 F7 38 \0x00\0x00\0x00\0x08\0x00\0x80\0x96\0xf7 8

Thanks for your time,
Ludovic Rouse-Lamarre
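The byte sequence PK 01 02 that recurs in the dumps above is the signature of a ZIP central-directory file header, the structure in which an archive stores its member file names, so path fragments travelling in the clear are exactly what a client reading an archive from the share would produce. The Python below is an added example, not code from the post: it parses the per-packet hex windows in the tcpdump layout shown above, lists the printable runs the post pieced together by hand, and decodes whatever part of such a header fits inside the 41-byte window. The two embedded packets are copied from the trace (hostnames are the post's own).

```python
import re
import struct

# Constructed sample: two packets copied from the tcpdump trace in the post above
# (hostnames are the post's own); each shows a 41-byte window, hex then tcpdump's ASCII column.
SAMPLE_TRACE = r"""
17:46:35.850974 IP pdc-canix.xyzcivitas.com.netbios-ssn > GBY-PC-125.xyzcivitas.com.1026: Flags [P.], length 1239 NBT Session Packet: Unknown packet type 0x6E Data: (41 bytes)
[000] 61 76 67 74 2E 68 74 6D 50 4B 01 02 14 0B 14 00 avgt.htm PK\0x01\0x02\0x14\0x0b\0x14\0x00
[010] 00 00 08 00 80 96 F7 38 D4 24 0A F9 18 01 00 00 \0x00\0x00\0x08\0x00\0x80\0x96\0xf78 \0xd4$\0x0a\0xf9\0x18\0x01\0x00\0x00
[020] 3A 02 00 00 35 00 00 00 00 :\0x02\0x00\0x005\0x00\0x00\0x00 \0x00
17:46:35.855195 IP pdc-canix.xyzcivitas.com.netbios-ssn > GBY-PC-125.xyzcivitas.com.1026: Flags [.], length 1460 NBT Session Packet: Unknown packet type 0x72 Data: (41 bytes)
[000] 64 2F 41 4C 5F 33 39 5F 34 31 35 5F 35 39 34 5F d/AL_39_ 415_594_
[010] 6E 61 76 67 74 2E 68 74 6D 50 4B 01 02 14 0B 14 navgt.ht mPK\0x01\0x02\0x14\0x0b\0x14
[020] 00 00 00 08 00 80 96 F7 38 \0x00\0x00\0x00\0x08\0x00\0x80\0x96\0xf7 8
"""
HEX_LINE = re.compile(r"^\[[0-9A-F]{3}\]((?:\s[0-9A-F]{2}){1,16})(?=\s|$)")
CD_SIG = b"PK\x01\x02"      # ZIP central-directory file header signature
CD_FIXED = "<4s6H3L2H"      # fixed fields from the signature through extra-field length: 32 bytes

def parse_windows(trace: str) -> list[bytes]:
    """Bytes dumped for each packet, in trace order."""
    windows, cur = [], bytearray()
    for line in trace.splitlines():
        if m := HEX_LINE.match(line):
            cur += bytes.fromhex(m.group(1))   # hex column only; the ASCII column is ignored
        elif cur:                              # any non-dump line closes the previous packet
            windows.append(bytes(cur))
            cur = bytearray()
    if cur:
        windows.append(bytes(cur))
    return windows

def printable_runs(data: bytes, min_len: int = 6) -> list[str]:
    # ASCII runs long enough to be path fragments: what the post pieced together by hand
    return [r.decode() for r in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def zip_cd_headers(data: bytes) -> list[dict]:
    """Decode each central-directory header whose fixed part fits inside the window."""
    out = []
    for m in re.finditer(re.escape(CD_SIG), data):
        pos = m.start()
        if pos + struct.calcsize(CD_FIXED) > len(data):
            out.append({"offset": pos, "truncated": True})   # header runs past the dump
            continue
        f = struct.unpack_from(CD_FIXED, data, pos)
        mdate = f[6]   # DOS date: 7-bit years since 1980, 4-bit month, 5-bit day
        out.append({"offset": pos, "truncated": False, "method": f[4],
                    "mod_date": f"{(mdate >> 9) + 1980}-{(mdate >> 5) & 0xF:02d}-{mdate & 0x1F:02d}",
                    "compressed": f[8], "uncompressed": f[9], "name_len": f[10]})
    return out
```

For the 0x6E packet the header decodes to compression method 8 (deflate), 280 bytes compressed out of 570, a 53-byte file name, and a DOS modification date of 2008-07-23, which agrees with the 2008-07-23_L1/... path fragments elsewhere in the trace; the 0x72 packet's header is cut off by the window and is reported as truncated.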
On Mon, 2012-07-16 at 14:02 -0400, Ludovic Rouse-Lamarre wrote:
> Unless I'm mistaken, this type of information shouldn't be circulating on port 139?

The services available on port 139 and 445 are essentially identical. Neither should be exposed to the internet.

Andrew Bartlett

-- 
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Just a guess. The user's virus scanner decided to scan your server.

On 7/16/12, Ludovic Rouse-Lamarre <ludovic.rouse-lamarre at xyzcivitas.com> wrote:
> Last week I detected with Zabbix that a member of my Samba domain had been downloading at a rate of around 8 Mbps for two and a half days.

-- 
Michael Wood <esiotrot at gmail.com>