Strange spam on SMB Access the logs

826 Views 5 Replies Latest reply: Nov 8, 2011 2:12 AM by VincensoXFIN
VincensoXFIN Level 1 (40 points)
Nov 7, 2011 6:24 AM

Hello!

Lately I have been experiencing some strange spam on my SMB logs. Here is an example:

 

/SourceCache/samba/samba-235.7/samba/source/auth/auth.c:check_ntlm_password(319)

  check_ntlm_password:  Authentication for user [] -> [] FAILED with error NT_STATUS_NO_SUCH_USER

 

 

It's repetitive and it seems to be coming from Windows clients I don't even have on my system; here is a longer part.

 

[2011/11/07 16:19:19, 2, pid=10825] /SourceCache/samba/samba-235.7/samba/source/smbd/reply.c:reply_special(332)

  netbios connect: name1=SIBELIUSOPISTO  name2=MCRVERKA      

[2011/11/07 16:19:19, 2, pid=10825] /SourceCache/samba/samba-235.7/samba/source/smbd/reply.c:reply_special(339)

  netbios connect: local=sibeliusopisto remote=mcrverka, name type = 0

[2011/11/07 16:19:19, 2, pid=10825] /SourceCache/samba/samba-235.7/samba/source/smbd/sesssetup.c:setup_new_vc_session(1273)

  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.

[2011/11/07 16:19:19, 2, pid=10825] /SourceCache/samba/samba-235.7/samba/source/lib/module.c:do_smb_load_module(64)

  Module '/usr/lib/samba/auth/odsam.dylib' loaded

[2011/11/07 16:19:19, 2, pid=10825] /SourceCache/samba/samba-235.7/samba/source/smbd/sesssetup.c:setup_new_vc_session(1273)

  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.

[2011/11/07 16:19:19, 2, pid=10825] /SourceCache/samba/samba-235.7/samba/source/auth/auth.c:check_ntlm_password(319)

  check_ntlm_password:  Authentication for user [] -> [] FAILED with error NT_STATUS_NO_SUCH_USER

 

I happen to know that MCRVERKA is a Windows server (I think) run by another company in the same building, and in the same network. My server is running in two network subnets, 172.17.6 and 172.17.144, and these are coming from the 144 network, which is the common network for all companies in the building. There are many other computers too doing the same spam to my computer; some are even Macs from my own network and other Macs from other companies.

 

Any idea what is causing this, and how could I resolve this and end the endless spam?

Mac Pro, Mac OS X (10.6.7), Server
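
An added example, not part of the original thread: a small triage script for the log layout quoted above that ties each `check_ntlm_password` failure to the remote name from the same smbd process's `netbios connect` line, so the noisy clients can be ranked. It assumes one smbd child (pid) per client connection; the pids 10901 and 10950 and the name `examplepc` in the sample are constructed.

```python
import re
from collections import Counter

HEADER = re.compile(r"^\[[^\]]*\bpid=(\d+)\]")
CONNECT = re.compile(r"netbios connect: local=\S+ remote=([^,\s]+)")
FAILED = re.compile(r"Authentication for user \[([^\]]*)\] -> \[[^\]]*\] "
                    r"FAILED with error (\w+)")

def failed_auth_by_client(log_text):
    """Count failed logons per (remote NetBIOS name, user, status)."""
    remote_by_pid = {}   # smbd child pid -> name from its "netbios connect"
    failures = Counter()
    pid = None
    for line in log_text.splitlines():
        header = HEADER.match(line)
        if header:       # header line: remember whose message follows
            pid = header.group(1)
            continue
        connect = CONNECT.search(line)
        if connect and pid:
            remote_by_pid[pid] = connect.group(1).lower()
            continue
        failed = FAILED.search(line)
        if failed and pid:
            # No session request logged for this pid: report it as unknown
            remote = remote_by_pid.get(pid, "unknown")
            failures[(remote, failed.group(1) or "<empty>", failed.group(2))] += 1
    return failures

# Constructed sample in the layout quoted above.
SRC = "/SourceCache/samba/samba-235.7/samba/source"
def entry(pid, where, msg):
    return f"[2011/11/07 16:19:19, 2, pid={pid}] {SRC}/{where}\n  {msg}\n"

AUTH = "auth/auth.c:check_ntlm_password(319)"
CONN = "smbd/reply.c:reply_special(339)"
FAIL = ("check_ntlm_password:  Authentication for user [] -> [] "
        "FAILED with error NT_STATUS_NO_SUCH_USER")
SAMPLE_LOG = (
    entry(10825, CONN, "netbios connect: local=sibeliusopisto remote=mcrverka, name type = 0")
    + entry(10901, CONN, "netbios connect: local=sibeliusopisto remote=examplepc, name type = 0")
    + entry(10825, AUTH, FAIL) + entry(10901, AUTH, FAIL)
    + entry(10825, AUTH, FAIL) + entry(10950, AUTH, FAIL)
)

if __name__ == "__main__":
    for key, count in failed_auth_by_client(SAMPLE_LOG).most_common():
        print(count, *key)
```

The remote name in a `netbios connect` line is supplied by the client, so treat it as a hint for finding the machine, not as proof of identity.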
  • Esther Mofet Level 1 (130 points)
    Nov 7, 2011 8:13 AM (in response to VincensoXFIN)

    "...another company in the same building, and in same network..."

     

    Well, there's your problem: people who don't have any business looking at your file server are, naturally, looking at it because they can see it.

     

    Why in the world are you running a single network shared between different companies?

  • MrHoffman
    Nov 7, 2011 8:17 AM (in response to VincensoXFIN)

    Not the answer to your question...  But that log would scare me. 

     

    Not because of the netbios chatter, but because your file system is apparently accessible to remote servers.

     

    Is there a particular reason why your file system is accessible to remote systems? 

     

    Exposing your server's file system to untrusted networks is generally considered a Bad Idea, as (and ignoring this Windows netbios log-file chatter) there are and will be attacks, and there have been file system vulnerabilities in the past.  

     

    A more typical installation uses a gateway-firewall box, and uses server-based or (less desirably) pass-through VPN access to connect to resources on your local network including CIFS/SMB.

  • MrHoffman Level 6 (11,720 points)
    Nov 7, 2011 5:44 PM (in response to VincensoXFIN)

    Are those seven computers on the 172.17.144.0/24 "open" network, or on the 172.17.6.0/24 "private" network?

     

    Is the chatter from the 172.17.6.0/24 "open" network?

     

    Locate a server-grade firewall-router at 172.17.144.whatever (in place of your Mac), and make that the sole connection into 172.17.6.0/24 network.  Move the Mac entirely onto the 172.17.6.0/24 "private" network.  (Better: work with whoever is managing the existing router that's probably between these networks.)

     

    If your seven computers are on the 172.17.144.0/24 network, now configure those seven systems with VPN access or firewall rules, and permit access through the firewall.  (Or work with whoever is managing the connection between 172.17.144.0/24 and 172.17.6.0/24.)
