> Are you really sure that the computer was broken into through samba, you
> can be sure only if just the samba ports (137,138,139,445) were opened to
> the Internet?!

Yes, totally agree with you. Maybe my message was... No, for sure my message
was badly formulated. I had a RH8 machine with qmail, latest pure-ftpd and
latest Courier IMAP and samba. It was exposed to the Internet and was
cracked. From logs like:

Jun 30 16:17:39 server smbd[28856]: [2003/06/30 16:17:39, 0]
lib/fault.c:fault_report(38) 
Jun 30 16:17:39 server smbd[28856]:
=============================================================== 
Jun 30 16:17:39 server smbd[28856]: [2003/06/30 16:17:39, 0]
lib/fault.c:fault_report(39) 
Jun 30 16:17:39 server smbd[28856]:   INTERNAL ERROR: Signal 11 in pid 28856
(2.2.8) 
Jun 30 16:17:39 server smbd[28856]:   Please read the file BUGS.txt in the
distribution 
Jun 30 16:17:39 server smbd[28856]: [2003/06/30 16:17:39, 0]
lib/fault.c:fault_report(41) 
Jun 30 16:17:39 server smbd[28856]:
=============================================================== 
Jun 30 16:17:39 server smbd[28856]: [2003/06/30 16:17:39, 0]
lib/util.c:smb_panic(1094) 
Jun 30 16:17:39 server smbd[28856]:   PANIC: internal error 
Jun 30 16:17:39 server smbd[28856]: 
Jun 30 16:19:03 server kernel: Unable to handle kernel paging request at
virtual address 8491bb2e
Jun 30 16:19:03 server kernel:  printing eip:
Jun 30 16:19:03 server kernel: 8491bb2e
Jun 30 16:19:03 server kernel: *pde = 00000000
Jun 30 16:19:03 server kernel: Oops: 0000
Jun 30 16:19:03 server kernel: lp parport e1000 iptable_filter ip_tables
reiserfs mousedev keybdev hid input usb-ohci usbcore ext3 jbd ips sd_mod
scsi_mod  
Jun 30 16:19:03 server kernel: CPU:    0
Jun 30 16:19:03 server kernel: EIP:    0010:[<8491bb2e>]    Not tainted
Jun 30 16:19:03 server kernel: EFLAGS: 00010283

... to me *it looks* like a samba exploit. Please note that the trigger for
the whole issue was the absence of the smbd file. It was deleted. That
stopped Winbind auth from working, so I started to investigate the issue;
then I saw the logs, then looked at the firewall rules that I had modified
a short time ago, and found the real mistake.

Is it better now?

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba
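
Added example, not part of the original message: a triage script that finds smbd signal crashes in syslog text and lists kernel faults logged on the same host shortly afterwards, the pattern visible in the excerpt above. The function names, the 5-minute window and the sample lines (rejoined from the wrapped excerpt) are assumptions of this example; a match marks a host for investigation and does not by itself show how the crash was caused.

```python
import re
from datetime import datetime, timedelta

# Constructed sample, modelled on the excerpt in the message (wrapped lines rejoined).
SAMPLE_LOG = """\
Jun 30 16:17:39 server smbd[28856]: [2003/06/30 16:17:39, 0] lib/fault.c:fault_report(38)
Jun 30 16:17:39 server smbd[28856]:   INTERNAL ERROR: Signal 11 in pid 28856 (2.2.8)
Jun 30 16:17:39 server smbd[28856]:   PANIC: internal error
Jun 30 16:19:03 server kernel: Unable to handle kernel paging request at virtual address 8491bb2e
Jun 30 16:19:03 server kernel: Oops: 0000
"""

SYSLOG = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) ([\w.-]+)(?:\[(\d+)\])?: (.*)$")
SMBD_FAULT = re.compile(r"INTERNAL ERROR: Signal (\d+) in pid (\d+) \(([^)]+)\)")
KERNEL_FAULT = re.compile(r"Oops: \w+|Unable to handle kernel (paging request|NULL pointer)")

def parse(text, year):
    """Yield (timestamp, host, program, message). Syslog omits the year, so it is supplied."""
    for line in text.splitlines():
        m = SYSLOG.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(2), m.group(3), m.group(5)

def find_crashes(text, year, window=timedelta(minutes=5)):
    """Return smbd signal crashes, each with kernel faults on the same host within `window`."""
    events = list(parse(text, year))
    findings = []
    for ts, host, prog, msg in events:
        m = SMBD_FAULT.search(msg)
        if prog != "smbd" or not m:
            continue
        # Kernel fault lines from the same host, at or after the smbd crash, inside the window.
        kernel = [k_msg for k_ts, k_host, k_prog, k_msg in events
                  if k_prog == "kernel" and k_host == host
                  and timedelta(0) <= k_ts - ts <= window
                  and KERNEL_FAULT.match(k_msg.strip())]
        findings.append({"time": ts, "host": host, "signal": int(m.group(1)),
                         "pid": int(m.group(2)), "version": m.group(3),
                         "kernel_faults": kernel})
    return findings

if __name__ == "__main__":
    for finding in find_crashes(SAMPLE_LOG, 2003):
        print(finding)
```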
