On Mon, 2012-07-16 at 14:02 -0400, Ludovic Rouse-Lamarre wrote:
> Hello,
>
> Last week I detected with Zabbix that a member of my Samba domain
> had been downloading at a rate of around 8 Mbps for two and a half days.
> When I asked the person to whom the machine belonged, he didn't know he
> was downloading anything but he said he had observed his machine had
> slowed down since then. I took a tcpdump of the traffic before
> terminating his session on Windows XP. I checked and there wasn't any
> large amount of data on his hard drive as the total drive capacity was
> 80GiB and there was 30GiB free. One of the oddities for me was that the
> bandwidth was being consumed through port tcp 139 of the Samba machine.
> Normally data is downloaded on port tcp 445. Another oddity is that when
> I put together some of the names in the trace from tcpdump, I can
> reconstitute names of files on the server. Unless I'm mistaken this type
> of information shouldn't be circulating on port 139?

The services available on port 139 and 445 are essentially identical.
Neither should be exposed to the internet.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
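
The point made in the reply above, as an added example that is not part of the original messages: on port 139 SMB rides inside NetBIOS session frames after a session request, on port 445 the same SMB message follows the same 4-byte length header directly, so file and share names show up in a capture of either port. The host names FILESRV and CLIENT1 and both byte streams are constructed sample data.

```python
NBSS_TYPES = {0x00: "session message", 0x81: "session request", 0x85: "keep-alive"}
SMB1_COMMANDS = {0x72: "NEGOTIATE", 0x73: "SESSION_SETUP_ANDX", 0x75: "TREE_CONNECT_ANDX"}

def nb_encode(name, suffix=0x20):
    """First-level NetBIOS name encoding (RFC 1001): 16 bytes -> 32 letters."""
    raw = name.upper().ljust(15).encode("ascii") + bytes([suffix])
    half = b"".join(bytes([0x41 + (b >> 4), 0x41 + (b & 0x0F)]) for b in raw)
    return b"\x20" + half + b"\x00"

def frame(msg_type, payload):
    """Prefix a payload with the 4-byte type/length header used on both ports."""
    return bytes([msg_type]) + len(payload).to_bytes(3, "big") + payload

def parse(stream):
    """Split a client-to-server TCP byte stream into (type, payload) frames."""
    out, pos = [], 0
    while pos + 4 <= len(stream):
        msg_type = stream[pos]
        length = int.from_bytes(stream[pos + 1:pos + 4], "big")
        if msg_type != 0x00:
            length &= 0x1FFFF  # NetBIOS control frames carry a 17-bit length
        payload = stream[pos + 4:pos + 4 + length]
        if len(payload) < length:
            break  # truncated capture, stop cleanly
        out.append((msg_type, payload))
        pos += 4 + length
    return out

def smb_messages(stream):
    """Return only the SMB payloads, dropping NetBIOS session control frames."""
    magic = (b"\xffSMB", b"\xfeSMB")  # SMB1 and SMB2 protocol identifiers
    return [p for t, p in parse(stream) if t == 0x00 and p[:4] in magic]

def describe(stream):
    lines = []
    for t, p in parse(stream):
        label = NBSS_TYPES.get(t, "unknown 0x%02x" % t)
        if t == 0x00 and p[:4] == b"\xffSMB":
            label = "SMB1 " + SMB1_COMMANDS.get(p[4], "command 0x%02x" % p[4])
        lines.append(label)
    return lines

# Constructed sample: one SMB1 NEGOTIATE request sent over each transport.
DIALECT = b"\x02NT LM 0.12\x00"
NEGOTIATE = (b"\xffSMB\x72" + bytes(27) + b"\x00"
             + len(DIALECT).to_bytes(2, "little") + DIALECT)
PORT_139 = (frame(0x81, nb_encode("FILESRV") + nb_encode("CLIENT1", 0x00))
            + frame(0x00, NEGOTIATE))
PORT_445 = frame(0x00, NEGOTIATE)
```

Comparing `smb_messages(PORT_139)` with `smb_messages(PORT_445)` shows the SMB layer is byte-for-byte the same, which is why a firewall rule or capture filter that covers only 445 misses half of the exposure.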
