On Sat, 2002-12-21 at 01:00, Fabiano Felix wrote:
> Hi all,
>
> I need a biggest help... I have the following environment:
> - SuSE 8.0 with all patches;
> - Samba (2.2.3a RPM-SuSE) + LDAP;
> - OpenLDAP2 (2.0.23 RPM-SuSE);
> - smbldap-tools (0.7 - TGZ).
>
> All was functioning perfectly, but suddenly one of the Samba shares
> presented problems: the files/directories are corrupted!!! No changes
> are made in configuration, and appear the following datas in to the
> shared directory:

I would really be looking either at a kernel/fs fault, or malicious
administrative access. Samba doesn't rename files on its own - there
just isn't the code to do it. And furthermore, Samba always conducts
operations as the connecting user (you didn't have 'admin users =' set
did you?) unless configured specifically otherwise.

> Before:
>
> pub:/home/DATA # l | more
> total 100
> drwxr-xr-x 24 root root 4096 Dec 20 09:37 ./
> drwxr-xr-x 123 root root 4096 Dec 20 08:59 ../
> drwxr-xr-x 2 root users 4096 Dec 20 09:37 Biblioteca/
> drwxrwxrwx 2 root users 4096 Dec 20 09:37 Boletim de Ocorrência/
> drwxr-xr-x 2 root users 4096 Dec 20 09:37 CargaMaquinaTS/
> drwxr-xr-x 2 root users 4096 Dec 20 09:37 Darf/
> drwxr-xr-x 3 root users 4096 Dec 20 09:37 Dot/
> drwxr-xr-x 2 root users 4096 Dec 20 09:37 EspecComerciais/
> drwxrwxrwx 5 root users 8192 Dec 20 09:37 Etiquetas Exportacao/
> drwxrwx--- 2 root exportpa 4096 Dec 20 09:37 ExportPayment/
> drwxr-xr-x 2 root users 4096 Dec 20 09:37 ExportSample/
> drwxr-xr-x 3 root users 4096 Dec 20 09:36 Mdb/
> drwxr-xr-x 2 root users 4096 Dec 20 09:37 Moedas/
> drwxrwxrwx 2 root users 4096 Dec 20 10:55 NFs/
> drwxrwx--- 2 root opsyst2 4096 Dec 20 09:33 Opsyst2/
> drwxrwxrwx 2 root users 4096 Dec 20 09:37 Pulso/
>
>
>
> After:
>
> pub:/home/DATA.OLD # l | more
> total 47084
> drwxr-xr-x 11580 root users 356352 Dec 19 12:11 ./
> drwxr-xr-x 123 root root 4096 Dec 20 08:59 ../
> drwxr-xr-x 2 root users 4096 Dec 19 10:53 0/
> drwxr-xr-x 2 root users 4096 Dec 19 10:53 1/
> drwxr-xr-x 2 root users 4096 Dec 19 11:06 100/
> drwxr-xr-x 2 root users 4096 Dec 19 11:03 101248cd8e964bc7f14d8e8e9782e152/
> drwxr-xr-x 2 root users 4096 Dec 19 11:02 10149fd642f3b/
> drwxr-xr-x 2 root users 4096 Dec 19 10:55 1020168bca14819b5b9265c8483b895e/
> drwxr-xr-x 2 root users 4096 Dec 19 11:07 1023149d8bc19422f5165f76c3b812f1/
> drwxr-xr-x 2 root users 4096 Dec 19 10:55 10265ed/
> drwxr-xr-x 2 root users 4096 Dec 19 10:53 1027765b55d/
> drwxr-xr-x 2 root users 4096 Dec 19 10:53 102b62a/
> drwxr-xr-x 2 root users 4096 Dec 19 10:53 103c414240f1587767c5bcf43b4/
> drwxr-xr-x 2 root users 4096 Dec 19 10:55 103d681b755da/
> drwxr-xr-x 2 root users 4096 Dec 19 10:54 104/
> drwxr-xr-x 2 root users 4096 Dec 19 10:57 1044b9756a8048a37a45ec7984784ac0/
> drwxr-xr-x 2 root users 4096 Dec 19 10:55 1049667d4878eb8449937da544c093b4/
> drwxr-xr-x 2 root users 4096 Dec 19 10:54 104a76c5568dcc86def788c04b9d6586/
> drwxr-xr-x 2 root users 4096 Dec 19 10:54 1051ae47d9d43de38035a1f8b267f413/
> drwxr-xr-x 2 root users 4096 Dec 19 10:53 10529e126094efa79b40cb8/
> drwxr-xr-x 2 root users 4096 Dec 19 10:58 105d84323ce26fc0e4fa6c37ce9bc639/
> drwxr-xr-x 2 root users 4096 Dec 19 11:05 105e54e644294cf6e7a6f7b7b/
> drwxr-xr-x 2 root users 4096 Dec 19 10:54 105f92644e71ab42a9bc496f55f4e136/
> drwxr-xr-x 2 root users 4096 Dec 19 10:57 1063c92c93da8/
> drwxr-xr-x 2 root users 4096 Dec 19 10:58 106bbc5ab65a3c68484ad214207c4ce/
> drwxr-xr-x 2 root users 4096 Dec 19 11:02 106dbc2191441caaf219843b44c322fd/
> drwxr-xr-x 2 root users 4096 Dec 19 10:53 10799deecbeba388406a666efd1a6c2/
> drwxr-xr-x 2 root users 4096 Dec 19 10:56 107b8925ef5f16e/
> drwxr-xr-x 2 root users 4096 Dec 19 11:02 10823d1afa11aeba3d3a93127eb1a798/
> drwxr-xr-x 2 root users 4096 Dec 19 10:58 108857646aa141893a58f3eec/
> drwxr-xr-x 2 root users 4096 Dec 19 10:59 10a2a2bc918bfba9c1476cf4added0c/
> drwxr-xr-x 2 root users 4096 Dec 19 10:54 10aaa05c5730e583ba4c681415bfd939/
>
>
> It is only a part of the directory list (it is biggest), I could observe
> that the generate directories are in numeric order (hexa). Was modified
> too the owner of the files, being that the user that take ownership
> doesn't was connected at moment. I could observe too that only the
> "public" directories was affected (directories with rx permissions for
> everyone).
>
> The shared directory is an ext3+lvm (in the same mount point, there are
> others samba shares that isn't affected). The log.smbd doesn't present
> any error.

I would carefully examine your system logs and login records to
determine what programs were actually running at the time, if there
were actually connections to the Samba share, etc. If it was not for the
fact that only root could write to those dirs, I would have suspected
one of the various Windows worms (some of them have been known to crawl
networks damaging data) - but in your case I'm a bit stumped. I would
not rule out system compromise, but kernel errors seem to be the more
likely problem to me.

> PLEASE, can someone help me?????
>
> Regards,
>
> Fabiano

I hope this gives you some ideas where to start looking.

Andrew Bartlett

-- 
Andrew Bartlett                                 [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team  [EMAIL PROTECTED]
Student Network Administrator, Hawker College   [EMAIL PROTECTED]
http://samba.org     http://build.samba.org     http://hawkerc.net
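
Added example, not part of the original message or of Samba: a small parser that takes lines of the quoted `ls -l` output and derives the time window in which the hex-named directories were modified, so that the system logs and login records mentioned above can be narrowed to that window. The function names are this example's own, and the year 2002 is an assumption taken from the message date.

```python
import re
from datetime import datetime

# Constructed sample: six entries copied from the quoted "After" listing
# (wrapped names rejoined) plus one normal entry from the "Before" listing.
# ls omits the year; 2002 is assumed from the date of the message.
LISTING = """\
drwxr-xr-x 11580 root users 356352 Dec 19 12:11 ./
drwxr-xr-x 2 root users 4096 Dec 19 10:53 0/
drwxr-xr-x 2 root users 4096 Dec 19 11:06 100/
drwxr-xr-x 2 root users 4096 Dec 19 11:03 101248cd8e964bc7f14d8e8e9782e152/
drwxr-xr-x 2 root users 4096 Dec 19 10:55 10265ed/
drwxr-xr-x 2 root users 4096 Dec 19 11:07 1023149d8bc19422f5165f76c3b812f1/
drwxr-xr-x 2 root users 4096 Dec 19 10:54 104/
drwxr-xr-x 2 root users 4096 Dec 20 09:37 Biblioteca/
"""

# mode, link count, owner, group, size, month, day, HH:MM, name (may hold spaces)
ENTRY = re.compile(
    r"^(?P<mode>[d-][rwxsStT-]{9})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)\s+"
    r"\d+\s+(?P<mon>\w{3})\s+(?P<day>\d+)\s+(?P<time>\d\d:\d\d)\s+(?P<name>.+)$"
)
HEX_NAME = re.compile(r"^[0-9a-f]+/?$")  # names made only of lowercase hex digits


def parse_listing(text, year):
    """Return one dict per listing entry, skipping ./ and ../ and non-entry lines."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if not m or m["name"] in ("./", "../"):
            continue
        stamp = datetime.strptime(
            f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M")
        entries.append({"name": m["name"], "owner": m["owner"],
                        "group": m["group"], "mtime": stamp,
                        "hex": bool(HEX_NAME.match(m["name"]))})
    return entries


def hex_window(entries):
    """Earliest and latest mtime among hex-named entries, or None if there are none."""
    stamps = sorted(e["mtime"] for e in entries if e["hex"])
    return (stamps[0], stamps[-1]) if stamps else None


if __name__ == "__main__":
    rows = parse_listing(LISTING, 2002)
    start, end = hex_window(rows)
    print(f"{sum(r['hex'] for r in rows)} hex-named entries, modified {start} .. {end}")
```

The resulting window is the interval to search in the system logs, login records and Samba connection logs.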
