> Are you really sure that the computer was broken into through samba? You
> can be sure only if just the samba ports (137,138,139,445) were opened to
> the Internet?!
Yes, totally agree with you. Maybe my message was... No, for sure my message was badly formulated. I had a RH8 machine with qmail, latest pure-ftpd and latest Courier IMAP and samba. It was exposed to the Internet and was cracked. From logs like:

Jun 30 16:17:39 server smbd[28856]: [2003/06/30 16:17:39, 0] lib/fault.c:fault_report(38)
Jun 30 16:17:39 server smbd[28856]: ===============================================================
Jun 30 16:17:39 server smbd[28856]: [2003/06/30 16:17:39, 0] lib/fault.c:fault_report(39)
Jun 30 16:17:39 server smbd[28856]: INTERNAL ERROR: Signal 11 in pid 28856 (2.2.8)
Jun 30 16:17:39 server smbd[28856]: Please read the file BUGS.txt in the distribution
Jun 30 16:17:39 server smbd[28856]: [2003/06/30 16:17:39, 0] lib/fault.c:fault_report(41)
Jun 30 16:17:39 server smbd[28856]: ===============================================================
Jun 30 16:17:39 server smbd[28856]: [2003/06/30 16:17:39, 0] lib/util.c:smb_panic(1094)
Jun 30 16:17:39 server smbd[28856]: PANIC: internal error
Jun 30 16:17:39 server smbd[28856]:
Jun 30 16:19:03 server kernel: Unable to handle kernel paging request at virtual address 8491bb2e
Jun 30 16:19:03 server kernel: printing eip:
Jun 30 16:19:03 server kernel: 8491bb2e
Jun 30 16:19:03 server kernel: *pde = 00000000
Jun 30 16:19:03 server kernel: Oops: 0000
Jun 30 16:19:03 server kernel: lp parport e1000 iptable_filter ip_tables reiserfs mousedev keybdev hid input usb-ohci usbcore ext3 jbd ips sd_mod scsi_mod
Jun 30 16:19:03 server kernel: CPU: 0
Jun 30 16:19:03 server kernel: EIP: 0010:[<8491bb2e>] Not tainted
Jun 30 16:19:03 server kernel: EFLAGS: 00010283
...

to me *it looks* like a samba exploit. Please note that the trigger for the whole issue was the absence of the smbd file. It was deleted. And that stopped Winbind auth from working, so I started to investigate the issue, then I saw the logs, and then looked at the firewall rules that I had modified a short time ago and found the real mistake.

Is it better now?
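
Added example, not part of the original message: a triage script that extracts smbd crash reports of the shape shown in the log excerpt above from syslog text and attaches any kernel fault lines that follow on the same host within a time window. The function names, the 5-minute default window and the filler sshd line are assumptions; a crash record is evidence to investigate, not proof of compromise.

```python
import re
from datetime import datetime, timedelta

# Sample input: abridged from the excerpt in the message above; the sshd line
# is constructed filler to show that unrelated lines are ignored.
SAMPLE = """\
Jun 30 16:17:39 server smbd[28856]: [2003/06/30 16:17:39, 0] lib/fault.c:fault_report(38)
Jun 30 16:17:39 server smbd[28856]: INTERNAL ERROR: Signal 11 in pid 28856 (2.2.8)
Jun 30 16:17:39 server smbd[28856]: PANIC: internal error
Jun 30 16:18:10 server sshd[1234]: constructed filler line
Jun 30 16:19:03 server kernel: Unable to handle kernel paging request at virtual address 8491bb2e
Jun 30 16:19:03 server kernel: Oops: 0000
"""

LINE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) ([\w.-]+)(?:\[(\d+)\])?: (.*)$")
CRASH = re.compile(r"INTERNAL ERROR: Signal (\d+) in pid (\d+) \(([^)]+)\)")
OOPS = re.compile(r"^(Unable to handle kernel|Oops:)")

def parse_ts(stamp, year):
    # Classic syslog timestamps carry no year, so the caller supplies it.
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

def triage(text, year, window=timedelta(minutes=5)):
    """Return smbd crash records, each with kernel fault lines seen within `window` after it."""
    crashes, kernel = [], []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        stamp, host, prog, _pid, msg = m.groups()
        ts = parse_ts(stamp, year)
        c = CRASH.search(msg) if prog == "smbd" else None
        if c:
            crashes.append({"time": ts, "host": host, "signal": int(c.group(1)),
                            "pid": int(c.group(2)), "version": c.group(3), "kernel_faults": []})
        elif prog == "kernel" and OOPS.match(msg):
            kernel.append((ts, host, msg))
    for crash in crashes:
        for ts, host, msg in kernel:
            if host == crash["host"] and timedelta(0) <= ts - crash["time"] <= window:
                crash["kernel_faults"].append(msg)
    return crashes

if __name__ == "__main__":
    for c in triage(SAMPLE, 2003):
        print(c["time"], c["host"], f"smbd pid {c['pid']} signal {c['signal']}",
              f"version {c['version']}", f"kernel faults after: {len(c['kernel_faults'])}")
```

The version string reported in the crash line is what to check against the Samba security advisories when deciding whether the crash matches a known flaw.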