Rowland Penny
2017-May-23 06:59 UTC
[Samba] Windows 10 spawning thousands of child processes on Samba 4.3.11 server
On Tue, 23 May 2017 08:44:42 +0200 "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:

> Did your TV/Radio break?? ;-)
>
> This really smells like some malware/cryptoware.
> Seen this once on a network, and that was a crypto trying to write to
> shares. And they do that really really fast.
>
> Increase the samba debug logs and track if this is client related.
> That's where I would start.

They were my thoughts, the connections are from guest by the look of them and removing 'map to guest = Bad User' would reset it to 'map to guest = Never' and the connections would be dropped.

I think the OP needs to start looking at their clients ;-)

Rowland
Asbjorn Taugbol
2017-May-23 12:13 UTC
[Samba] Windows 10 spawning thousands of child processes on Samba 4.3.11 server
On Tue, May 23, 2017 at 8:59 AM, Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Tue, 23 May 2017 08:44:42 +0200
> "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
>
> > Did your TV/Radio break?? ;-)
> >
> > This really smells like some malware/cryptoware.
> > Seen this once on a network, and that was a crypto trying to write to
> > shares. And they do that really really fast.
> >
> > Increase the samba debug logs and track if this is client related.
> > That's where I would start.
>
> They were my thoughts, the connections are from guest by the look of
> them and removing 'map to guest = Bad User' would reset it to 'map to
> guest = Never' and the connections would be dropped.
>
> I think the OP needs to start looking at their clients ;-)
>
> Rowland

Alright, I doubt there is malware running. The nobody/nogroup processes are created when running certain applications.

I've upped the log level to 3 and see some interesting stuff from Windows client "WIN8-13" where Admin user is logged in and accessing applications on the Samba share. Server IP is 10.10.1.6, servername "india". The share is mounted with username "production" which is in smbpasswd:

root# pdbedit -w -L
production:1001:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:43DEDBC664EA95353348102454C3BD:[U ]:LCT-5923EA2E:
administration:1002:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:4FF63806DDD0952F97B03608A7FDC4:[U ]:LCT-5923EA5E:

Here is a log snippet:

[2017/05/23 10:51:59.104021, 3] ../source3/smbd/service.c:774(make_connection_snum)
  win8-13 (ipv4:10.10.1.63:51224) connect to service IPC$ initially as user production (uid=1001, gid=1001) (pid 1686)
[2017/05/23 10:51:59.104487, 3] ../source3/smbd/msdfs.c:993(get_referred_path)
  get_referred_path: |administration| in dfs path \10.10.1.6\administration is not a dfs root.
[2017/05/23 10:51:59.105493, 3] ../source3/smbd/dir.c:628(dptr_create)
  creating new dirptr 0 for path appl/SubScr, expect_close = 0
. . .
[2017/05/23 10:51:59.130743, 3] ../source3/param/loadparm.c:1600(lp_add_ipc)
  adding IPC service
[2017/05/23 10:51:59.130814, 3] ../source3/auth/auth.c:178(auth_check_ntlm_password)
  check_ntlm_password: Checking password for unmapped user []\[]@[WIN8-13] with the new password interface
[2017/05/23 10:51:59.130866, 3] ../source3/auth/auth.c:181(auth_check_ntlm_password)
  check_ntlm_password: mapped user is: [INDIA]\[]@[WIN8-13]
[2017/05/23 10:51:59.130928, 3] ../source3/auth/auth.c:249(auth_check_ntlm_password)
  check_ntlm_password: guest authentication for user [] succeeded
[2017/05/23 10:51:59.132111, 3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0xe2088297
[2017/05/23 10:51:59.132715, 3] ../auth/ntlmssp/ntlmssp_server.c:452(ntlmssp_server_preauth)
  Got user=[] domain=[] workstation=[WIN8-13] len1=1 len2=0
[2017/05/23 10:51:59.132798, 3] ../source3/param/loadparm.c:3754(lp_load_ex)
  lp_load_ex: refreshing parameters

I wonder why this guest unmapped user appears?

Thanks.
Rowland Penny
2017-May-23 12:36 UTC
[Samba] Windows 10 spawning thousands of child processes on Samba 4.3.11 server
On Tue, 23 May 2017 14:13:33 +0200 Asbjorn Taugbol via samba <samba at lists.samba.org> wrote:

> I wonder why this guest unmapped user appears?

Probably because you have 'map to guest = bad user', this is from 'man smb.conf':

Bad User - Means user logins with an invalid password are rejected, unless the username does not exist, in which case it is treated as a guest login and mapped into the guest account.

Or to put it another way, ANYBODY can connect!

Rowland
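
An added example, not part of the thread: one way to follow the advice above and find out which clients are being let in as guest is to tally the "guest authentication ... succeeded" records in a level 3 smbd log per workstation. The function names are hypothetical, the first three sample records are the ones posted in the thread, and the last two are constructed to show that a normal login is not counted.

```python
import re
from collections import Counter

# Record header, e.g. "[2017/05/23 10:51:59.130814, 3] ../source3/auth/auth.c:178(func)"
HEADER = re.compile(r"^\[[\d/]+ [\d:.]+,\s*\d+\] \S+\((\w+)\)")
CHECKING = re.compile(r"Checking password for unmapped user \[(.*?)\]\\\[(.*?)\]@\[(.*?)\]")

def records(log_text):
    """Return [function, message] pairs, joining each header with its body lines."""
    out = []
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if m:
            out.append([m.group(1), ""])
        elif out and line.strip():
            out[-1][1] += " " + line.strip()
    return out

def guest_logins(log_text):
    """Count successful guest authentications per (workstation, user name sent)."""
    counts, pending = Counter(), None
    for func, msg in records(log_text):
        if func != "auth_check_ntlm_password":
            continue
        m = CHECKING.search(msg)
        if m:
            pending = (m.group(3), m.group(2))  # (workstation, user name sent)
        elif "authentication for user" in msg:  # outcome line ends the attempt
            if pending and "guest authentication" in msg and msg.endswith("succeeded"):
                counts[pending] += 1
            pending = None
    return counts

# First three records are from the log in the thread; the last two are constructed.
SAMPLE = r"""
[2017/05/23 10:51:59.130814, 3] ../source3/auth/auth.c:178(auth_check_ntlm_password)
  check_ntlm_password: Checking password for unmapped user []\[]@[WIN8-13] with the new password interface
[2017/05/23 10:51:59.130866, 3] ../source3/auth/auth.c:181(auth_check_ntlm_password)
  check_ntlm_password: mapped user is: [INDIA]\[]@[WIN8-13]
[2017/05/23 10:51:59.130928, 3] ../source3/auth/auth.c:249(auth_check_ntlm_password)
  check_ntlm_password: guest authentication for user [] succeeded
[2017/05/23 10:52:03.000001, 3] ../source3/auth/auth.c:178(auth_check_ntlm_password)
  check_ntlm_password: Checking password for unmapped user [INDIA]\[production]@[WIN8-13] with the new password interface
[2017/05/23 10:52:03.000002, 3] ../source3/auth/auth.c:249(auth_check_ntlm_password)
  check_ntlm_password: authentication for user [production] -> [production] -> [production] succeeded
"""

if __name__ == "__main__":
    print(dict(guest_logins(SAMPLE)))
```

An empty user name in the result, as with WIN8-13 here, means the client sent no credentials at all and was mapped to the guest account.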