Displaying 2 results from an estimated 2 matches for "4ff63806ddd0952f97b03608a7fdc4".
2017 May 23
Windows 10 spawning thousands of child processes on Samba 4.3.11 server
...0.1.6, servername "india". The share
is mounted with username "production" which is in smbpasswd:
root# pdbedit -w -L
production:1001:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:43DEDBC664EA95353348102454C3BD:[U
]:LCT-5923EA2E:
administration:1002:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:4FF63806DDD0952F97B03608A7FDC4:[U
]:LCT-5923EA5E:
Here is a log snippet:
[2017/05/23 10:51:59.104021, 3]
../source3/smbd/service.c:774(make_connection_snum)
win8-13 (ipv4:10.10.1.63:51224) connect to service IPC$ initially as user
production (uid=1001, gid=1001) (pid 1686)
[2017/05/23 10:51:59.104487, 3]
../source...
2017 May 23
Windows 10 spawning thousands of child processes on Samba 4.3.11 server
On Tue, 23 May 2017 08:44:42 +0200
"L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
> Did your TV/Radio break?? ;-)
>
> This really smells like some malware/cryptoware.
> Seen this once on a network, and that was a crypto trying to write to
> shares. And they do that really really fast.
>
> Increase the samba debug logs and track if this is