On 11/11/14 11:38, Lars Hanke wrote:> I found in my firewall logs something that looked somewhat like a port
> scan originating from my AD DC. So I started to check the machine and
> already found something strange using ps aux:
>
> root at samba:/# samba -V
> Version 4.1.11-Debian
> root at samba:/# ps aux
> USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
> [...]
> root 10675 0.0 2.8 457368 29620 ? S Nov04 0:03
> /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
> root 10684 0.0 3.2 482328 34116 ? S Nov04 0:02
> /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
> 3000026 10686 0.0 3.2 482328 34096 ? S Nov04 0:01
> /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
> root 10688 0.0 3.2 482328 34100 ? S Nov04 0:01
> /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
> root 17934 0.0 0.0 49884 4 ? Ss Aug06 0:00
> /usr/sbin/sshd
> [...]
>
> Of course there is no login user 3000026 and the machine does not
> import any user accounts from anywhere outside. Apparently the process
> is already running for a week. This has probably been the last upgrade.
>
> A few minutes later I see this:
>
> root 10686 0.0 3.2 482328 34096 ? S Nov04 0:01
> /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
>
> Okay, it became root again.
>
> Is there any intended behaviour in smbd, which could explain this?
>
> The original firewall fingerprint were tcp connection attempts from
> the AD DC to all joined workstations in port ranges from 34478 to
> 60746. The machine runs the DC with external Bind9. No other services
> beyond infrastructure to make it run. Has anyone seen this before?
>
> Regards,
> - lars.
>
>
OK, '3000026' is undoubtedly coming from 'idmap.ldb', run this
on the DC:
ldbedit -e nano -H /var/lib/samba/private/idmap.ldb
and search for '3000026', this will tell you who or what is running as
the xidNumber.
Rowland