I think it's a virus. While nmbd running some web-sites are redirected or broken

Hi.

I met a problem with redirects instead of the normal web-site. Later I figured out that killing the nmbd process stops the malicious redirects.

History of the problem.
A Ukrainian web-site pravda.com.ua

This is how it has to look and looks for all the users:
http://view.xscreenshot.com/13a31999104e1e9cf27cd15270dccdae (thumbnail: http://static.xscreenshot.com/small/2012/06/13/14/screen_13a31999104e1e9cf27cd15270dccdae)

But after some surfing I’m redirected to a page like this (in all browsers):
http://view.xscreenshot.com/363742b654f0751dc0831c226fe2e126 (thumbnail: http://static.xscreenshot.com/small/2012/06/12/14/screen_363742b654f0751dc0831c226fe2e126)

The HTML of the page is self-explanatory. Something malicious.

<frameset rows="100%,*" frameborder="no" border="0" framespacing="0">
    <frame  src="http://www.pravda.com.ua/?fp=jtkF%2B1mc76IGQ7NK5ZqBtwIT8MEIzaODgeaIrD5RFOu%2BJx6RgjOxT%2FxAGW5Ea9cB%2BPKuFvNuHeOcR%2B0ap%2FVD3g%3D%3D&prvtof=fiFDNUzkbi%2BzOQuDQA8MmNLHJD82S4MdAY%2FzIyzZRUQ%3D&poru=PHuFPeyrOO9Smv6uk7v5SS5Cg4u4Bx9sRhXjev6ydafXHClPVvTtq0MiqkfzHnee&">
</frameset>
<noframes>
    <body bgcolor="#ffffff" text="#000000">
<script type="text/javascript"><!--
var _gaq = _gaq || [];
_gaq.push(
['_setAccount', 'UA-7519982-1'],
['_trackPageview']
);
(function() {
var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true;
ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js';
var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s);
})();
//-->
</script>

<script type="text/javascript"><!--
var _gaq = _gaq || [];
_gaq.push(
['_setAccount', 'UA-7519982-1'],
['_trackPageview']
);
(function() {
var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true;
ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js';
var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s);
})();
//-->
</script>

    <a onclick="_gaq.push(['_trackEvent', 'Outgoing', 'www.pravda.com.ua', '/?fp=jtkF%2B1mc76IGQ7NK5ZqBtwIT8MEIzaODgeaIrD5RFOu%2BJx6RgjOxT%2FxAGW5Ea9cB%2BPKuFvNuHeOcR%2B0ap%2FVD3g%3D%3D&prvtof=1nrUlG5zXftPohBp1dC698racgtLfxQNsPbsiKN9GyY%3D&poru=4qcaoyn4X%2FOreoV7xUtwQnI8qDd3a8XMTHea9yrqtZkxkVoLlT0qvlI75OeiPUhd&']);_gaq.push(['_trackEvent', 'Outgoing', 'www.pravda.com.ua', '/?fp=jtkF%2B1mc76IGQ7NK5ZqBtwIT8MEIzaODgeaIrD5RFOu%2BJx6RgjOxT%2FxAGW5Ea9cB%2BPKuFvNuHeOcR%2B0ap%2FVD3g%3D%3D&prvtof=1nrUlG5zXftPohBp1dC698racgtLfxQNsPbsiKN9GyY%3D&poru=4qcaoyn4X%2FOreoV7xUtwQnI8qDd3a8XMTHea9yrqtZkxkVoLlT0qvlI75OeiPUhd&']);"  href="http://www.pravda.com.ua/?fp=jtkF%2B1mc76IGQ7NK5ZqBtwIT8MEIzaODgeaIrD5RFOu%2BJx6RgjOxT%2FxAGW5Ea9cB%2BPKuFvNuHeOcR%2B0ap%2FVD3g%3D%3D&prvtof=1nrUlG5zXftPohBp1dC698racgtLfxQNsPbsiKN9GyY%3D&poru=4qcaoyn4X%2FOreoV7xUtwQnI8qDd3a8XMTHea9yrqtZkxkVoLlT0qvlI75OeiPUhd&">Click  here to proceed</a>.
    </body>
</noframes>

And I get a popup with a YouTube video (an Adidas Stella McCartney advertisement with a too-thin girl). Note, the constitution of the girl doesn’t matter, I speak only of the technical problem. (-:

The web-site looks in lynx like this when redirected:

   FRAME:
   http://www.pravda.com.ua/?fp=T9QKBDETz7Q6Rbg55kYk1Aj
   hS5ZyhA0gnmYEYf55FMSAvvrhp8ReWT92eG%2F5JDXPeq3NQ1HxY
   pkEhgWMu1HEhg%3D%3D&prvtof=xNVtsw7Gxhxp2mfwakh2%2BV2
   aP1gEYt1fCxDO9Nwx8Yg%3D&poru=fRlio8iNmcRbhfSmSq7sEFI
   kqCrv3Lay2qqKwxMAMFo9hTfh5b%2FOGtZEdBYpZNTy&

   Click here to proceed.

I got another problem with another web-site, which is partially close to this problem.
radion.com.ua

This is how it has to look:
http://view.xscreenshot.com/0cdafd2b042072b59526af071467dd0d (thumbnail: http://static.xscreenshot.com/small/2012/06/12/14/screen_0cdafd2b042072b59526af071467dd0d)

With nmbd enabled FF gives an empty page, and Konqueror loads it partially:

http://view.xscreenshot.com/d6071a31f2c56f346f10c5c9c4db17e7 (thumbnail: http://static.xscreenshot.com/small/2012/06/12/14/screen_d6071a31f2c56f346f10c5c9c4db17e7)

As you can see, images are broken. I tried to open an image directly

http://www.radion.com.ua/components/com_virtuemart/shop_image/category/resized/_________________4fc1f1769d9cf_124x124.png

and was redirected to a false link

http://www.radion.com.ua/?f

(it’s partially-working malicious code)


I dug out much ground, requested help from the Ukrainian community. We ran traceroute and dig, looked at many files like /etc/hosts and /etc/resolv.conf and so on. Only killing processes one by one gave a result. I believe it’s a virus. Another machine in the LAN which uses Lubuntu doesn’t have any problems. Now the nmbd service is stopped and killed. I have no problems. But I believe this must be investigated by a professional user. That’s why I don’t remove/reinstall nmbd and so on.

Additional info:

  • the problem is for all users, including root
  • the web-sites open well and as expected via TOR and OperaTurbo
  • clamav doesn’t see any problem
  • OpenSuse 12.1

I need your assistance! I’m ready to give an ssh access to a specialist.

Thanks in advance.

On 2012-06-13 14:16, gruz wrote:

> I digged out much ground, requested help form the Ukrainian community.
> We traceroted, digged, looked at many files like /etc/hosts and
> /etc/resolv.conf and so on. Only the killing processes one by one gave
> the result. I believe it’s a virus. Another machine in the LAN which
> uses Lubuntu doesn’t meet any problems. Now the nmbd service is stopped
> and killed. I meet no problems. But I believe this must be investigated
> by a professional user. That’s why I don’t remove/reinstall nmbd and so
> on.

You need to post this in the security mail list.

You can compare nmbd with the original from the rpm, to see if it has been
modified. Try:


rpm -q --verify samba

as root in a terminal. Post command and result here, using codetags.


Cheers / Saludos,

Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)

Are you sure

rpm -q --verify samba

?
-q means quite (-:


linux-7dyq:~ # rpm -q --verify samba
linux-7dyq:~ # rpm -q --verify samba
linux-7dyq:~ # rpm  --verify samba
linux-7dyq:~ # rpm 
RPM version 4.9.1.2
Copyright (C) 1998-2002 - Red Hat, Inc.
This program may be freely redistributed under the terms of the GNU GPL

Usage: rpm [-afgpcdlsiv?] [-a|--all] [-f|--file] [-g|--group] [-p|--package] [--pkgid] [--hdrid] [--triggeredby] [--whatrequires] [--whatprovides] [--nomanifest] [-c|--configfiles] [-d|--docfiles] [--dump]
        [-l|--list] [--queryformat=QUERYFORMAT] [-s|--state] [--nofiledigest] [--nofiles] [--nodeps] [--noscript] [--allfiles] [--allmatches] [--badreloc] [-e|--erase=<package>+] [--excludedocs]
        [--excludepath=<path>] [--force] [-F|--freshen=<packagefile>+] [-h|--hash] [--ignorearch] [--ignoreos] [--ignoresize] [-i|--install] [--justdb] [--nodeps] [--nofiledigest] [--nocontexts] [--noorder]
        [--noscripts] [--notriggers] [--nocollections] [--oldpackage] [--percent] [--prefix=<dir>] [--relocate=<old>=<new>] [--replacefiles] [--replacepkgs] [--test] [-U|--upgrade=<packagefile>+]
        [-D|--define='MACRO EXPR'] [-E|--eval='EXPR'] [--macros=<FILE:...>] [--nodigest] [--nosignature] [--rcfile=<FILE:...>] [-r|--root=ROOT] [--dbpath=DIRECTORY] [--querytags] [--showrc] [--quiet]
        [-v|--verbose] [--version] [-?|--help] [--usage] [--scripts] [--setperms] [--setugids] [--conflicts] [--obsoletes] [--provides] [--requires] [--suggests] [--recommends] [--enhances] [--supplements]
        [--info] [--changelog] [--xml] [--triggers] [--last] [--dupes] [--filesbypkg] [--fileclass] [--filecolor] [--fscontext] [--fileprovide] [--filerequire] [--filecaps]
linux-7dyq:~ # rpm -v --verify samba
.........  c /etc/init.d/nmb
.........  c /etc/init.d/smb
.........  c /etc/logrotate.d/samba
.........  c /etc/pam.d/samba
.........  c /etc/samba/smbusers
.........    /etc/slp.reg.d
.........    /etc/slp.reg.d/samba.reg
.........    /etc/sysconfig/SuSEfirewall2.d/services/netbios-server
.........    /etc/sysconfig/SuSEfirewall2.d/services/samba-server
.........  c /etc/xinetd.d/swat
.........    /lib64/security/pam_smbpass.so
.........    /usr/bin/smbstatus
.........    /usr/bin/smbta-util
.........    /usr/lib64/samba
.........    /usr/lib64/samba/auth
.........    /usr/lib64/samba/auth/script.so
.........    /usr/lib64/samba/config
.........    /usr/lib64/samba/de.msg
.........    /usr/lib64/samba/en.msg
.........    /usr/lib64/samba/fi.msg
.........    /usr/lib64/samba/fr.msg
.........    /usr/lib64/samba/it.msg
.........    /usr/lib64/samba/ja.msg
.........    /usr/lib64/samba/nl.msg
.........    /usr/lib64/samba/pl.msg
.........    /usr/lib64/samba/rpc
.........    /usr/lib64/samba/ru.msg
.........    /usr/lib64/samba/tr.msg
.........    /usr/lib64/samba/vfs
.........    /usr/lib64/samba/vfs/acl_tdb.so
.........    /usr/lib64/samba/vfs/acl_xattr.so
.........    /usr/lib64/samba/vfs/audit.so
.........    /usr/lib64/samba/vfs/cacheprime.so
.........    /usr/lib64/samba/vfs/cap.so
.........    /usr/lib64/samba/vfs/catia.so
.........    /usr/lib64/samba/vfs/crossrename.so
.........    /usr/lib64/samba/vfs/default_quota.so
.........    /usr/lib64/samba/vfs/dirsort.so
.........    /usr/lib64/samba/vfs/expand_msdfs.so
.........    /usr/lib64/samba/vfs/extd_audit.so
.........    /usr/lib64/samba/vfs/fake_perms.so
.........    /usr/lib64/samba/vfs/fileid.so
.........    /usr/lib64/samba/vfs/full_audit.so
.........    /usr/lib64/samba/vfs/linux_xfs_sgid.so
.........    /usr/lib64/samba/vfs/netatalk.so
.........    /usr/lib64/samba/vfs/notify_fam.so
.........    /usr/lib64/samba/vfs/preopen.so
.........    /usr/lib64/samba/vfs/readahead.so
.........    /usr/lib64/samba/vfs/readonly.so
.........    /usr/lib64/samba/vfs/recycle.so
.........    /usr/lib64/samba/vfs/scannedonly.so
.........    /usr/lib64/samba/vfs/shadow_copy.so
.........    /usr/lib64/samba/vfs/shadow_copy2.so
.........    /usr/lib64/samba/vfs/smb_traffic_analyzer.so
.........    /usr/lib64/samba/vfs/streams_depot.so
.........    /usr/lib64/samba/vfs/streams_xattr.so
.........    /usr/lib64/samba/vfs/syncops.so
.........    /usr/lib64/samba/vfs/time_audit.so
.........    /usr/lib64/samba/vfs/xattr_tdb.so
.........    /usr/sbin/nmbd
.........    /usr/sbin/rcnmb
.........    /usr/sbin/rcsmb
.........    /usr/sbin/smbd
.........    /usr/sbin/swat
.........  d /usr/share/man/man1/smbstatus.1.gz
.........  d /usr/share/man/man5/smbpasswd.5.gz
.........  d /usr/share/man/man8/nmbd.8.gz
.........  d /usr/share/man/man8/smbd.8.gz
.........  d /usr/share/man/man8/smbta-util.8.gz
.........  d /usr/share/man/man8/swat.8.gz
.........  d /usr/share/man/man8/vfs_acl_tdb.8.gz
.........  d /usr/share/man/man8/vfs_acl_xattr.8.gz
.........  d /usr/share/man/man8/vfs_aio_fork.8.gz
.........  d /usr/share/man/man8/vfs_audit.8.gz
.........  d /usr/share/man/man8/vfs_cacheprime.8.gz
.........  d /usr/share/man/man8/vfs_cap.8.gz
.........  d /usr/share/man/man8/vfs_catia.8.gz
.........  d /usr/share/man/man8/vfs_commit.8.gz
.........  d /usr/share/man/man8/vfs_crossrename.8.gz
.........  d /usr/share/man/man8/vfs_default_quota.8.gz
.........  d /usr/share/man/man8/vfs_dirsort.8.gz
.........  d /usr/share/man/man8/vfs_extd_audit.8.gz
.........  d /usr/share/man/man8/vfs_fake_perms.8.gz
.........  d /usr/share/man/man8/vfs_fileid.8.gz
.........  d /usr/share/man/man8/vfs_full_audit.8.gz
.........  d /usr/share/man/man8/vfs_gpfs.8.gz
.........  d /usr/share/man/man8/vfs_netatalk.8.gz
.........  d /usr/share/man/man8/vfs_notify_fam.8.gz
.........  d /usr/share/man/man8/vfs_prealloc.8.gz
.........  d /usr/share/man/man8/vfs_preopen.8.gz
.........  d /usr/share/man/man8/vfs_readahead.8.gz
.........  d /usr/share/man/man8/vfs_readonly.8.gz
.........  d /usr/share/man/man8/vfs_recycle.8.gz
.........  d /usr/share/man/man8/vfs_scannedonly.8.gz
.........  d /usr/share/man/man8/vfs_shadow_copy.8.gz
.........  d /usr/share/man/man8/vfs_shadow_copy2.8.gz
.........  d /usr/share/man/man8/vfs_smb_traffic_analyzer.8.gz
.........  d /usr/share/man/man8/vfs_streams_depot.8.gz
.........  d /usr/share/man/man8/vfs_streams_xattr.8.gz
.........  d /usr/share/man/man8/vfs_time_audit.8.gz
.........  d /usr/share/man/man8/vfs_xattr_tdb.8.gz
.........    /usr/share/omc/svcinfo.d/nmb.xml
.........    /usr/share/omc/svcinfo.d/smb.xml
.........    /usr/share/samba
.........    /usr/share/samba/swat
.........    /usr/share/samba/swat/help
.........    /usr/share/samba/swat/help/welcome-no-samba-doc.html
.........    /usr/share/samba/swat/images
.........    /usr/share/samba/swat/images/globals.gif
.........    /usr/share/samba/swat/images/home.gif
.........    /usr/share/samba/swat/images/passwd.gif
.........    /usr/share/samba/swat/images/printers.gif
.........    /usr/share/samba/swat/images/samba.gif
.........    /usr/share/samba/swat/images/shares.gif
.........    /usr/share/samba/swat/images/status.gif
.........    /usr/share/samba/swat/images/viewconfig.gif
.........    /usr/share/samba/swat/images/wizard.gif
.........    /usr/share/samba/swat/include
.........    /usr/share/samba/swat/include/footer.html
.........    /usr/share/samba/swat/include/header.html
.........    /usr/share/samba/swat/lang
.........    /usr/share/samba/swat/lang/ja
.........    /usr/share/samba/swat/lang/ja/help
.........    /usr/share/samba/swat/lang/ja/help/welcome.html
.........    /usr/share/samba/swat/lang/ja/images
.........    /usr/share/samba/swat/lang/ja/include
.........    /usr/share/samba/swat/lang/ja/js
.........    /usr/share/samba/swat/lang/tr
.........    /usr/share/samba/swat/lang/tr/help
.........    /usr/share/samba/swat/lang/tr/help/welcome.html
.........    /usr/share/samba/swat/lang/tr/images
.........    /usr/share/samba/swat/lang/tr/images/globals.gif
.........    /usr/share/samba/swat/lang/tr/images/home.gif
.........    /usr/share/samba/swat/lang/tr/images/passwd.gif
.........    /usr/share/samba/swat/lang/tr/images/printers.gif
.........    /usr/share/samba/swat/lang/tr/images/samba.gif
.........    /usr/share/samba/swat/lang/tr/images/shares.gif
.........    /usr/share/samba/swat/lang/tr/images/status.gif
.........    /usr/share/samba/swat/lang/tr/images/viewconfig.gif
.........    /usr/share/samba/swat/lang/tr/include
.........    /usr/share/samba/swat/lang/tr/js
.........    /usr/share/samba/update-apparmor-samba-profile
.........    /var/lib/samba/drivers
.........    /var/lib/samba/drivers/IA64
.........    /var/lib/samba/drivers/W32ALPHA
.........    /var/lib/samba/drivers/W32MIPS
.........    /var/lib/samba/drivers/W32PPC
.........    /var/lib/samba/drivers/W32X86
.........    /var/lib/samba/drivers/WIN40
.........    /var/lib/samba/drivers/x64
.........    /var/lib/samba/netlogon
.........    /var/lib/samba/profiles
linux-7dyq:~ # 


On 06/13/2012 02:16 PM, gruz wrote:
> - the problem is for all users, including root

NO!!!

never ever browse as root…that is exactly how to let a rogue web site
attack!!

better, never log into the GUI/Desktop as root…

to me it sounds like the Domain Name Servers (DNS) you are using has
been hacked…that is, you try to get to pravda.com.ua which should
resolve to 212.113.33.73 but the DNS resolves to the rogue site which is
the one you showed
http://view.xscreenshot.com/363742b654f0751dc0831c226fe2e126

i would suggest you change to a known secure DNS by changing your
resolve.conf to point to Google’s public DNS at 8.8.8.8 and 8.8.4.4 as
explained in
http://forums.opensuse.org/english/get-technical-help-here/network-internet/470090-how-change-dns.html#post2420959

and, let us know if you still see the same DNS spoofing…(actually,
Carlos is correct, you probably need to post to a security list, somewhere)

well, if you are connecting to the internet via a public wi-fi, you are
at the mercy of that wi-fi operator…if you are connecting through
your own router you should configure it to use the Google machines…


dd

I never browse as root. I just tested lynx as root.

You tell me about the things we have tried already. Including dig pravda.com.ua, changing DNS to Google 8.8.8.8 and so on.

I use an ADSL router at my home with 2 computers behind it. No Windows machines, no Wi-Fi and so on. I’ve already posted to the security list.

On 2012-06-13 14:56, gruz wrote:

> -q means quite (-:

No, query, check the manual.

Samba verifies untouched, unless something installed another samba rpm, so
you still have to compare the binary against the original.


Cheers / Saludos,

Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)

On 06/13/2012 03:46 PM, gruz wrote:

> You tell about the thing we have tried already… changin DNS to google 8.8.8.8 and so on.

you didn’t say you had tried Google’s DNS, so i couldn’t know that…

> I use an ASDL router at my home at 2 computer behind it.

depending on your router and if you use DHCP on your machines, you may
need to load Google’s DNS in the router also…otherwise, the DHCP could
go out and grab your ISP’s Domain Name Servers, which are maybe hacked
to provide the rogue resolution…

> I’ve already posted to the security list.

you didn’t mention that either…and, i’d suggest you will get a
better answer there…(i don’t know anyone on this forum who claims to
be a security specialist/expert…for certain, i am not)

by the way, what operating system and version are you using? i ask
because on my openSUSE 11.4 “rpm -q” is neither quite nor quiet, but
rather query…but, you were close when you used -v, but since that
means --verbose, you would have been correct had you used -V which means
--verify, from my man:


VERIFY OPTIONS

The general form of an rpm verify command is

rpm {-V|--verify} [select-options] [verify-options]


dd

On 2012-06-13 16:23, dd@home.dk wrote:

>> I’ve already posted to the security list.
>
> you didn’t mention that either…

I suggested that to him, and then he posted. Unfortunately he posted a link
to this thread instead of a full post - many mail list users will not open
a browser to see the links, they expect the subject matter to be in the mail.

> and, i’d suggest you will get a better
> answer there…(i don’t know anyone on this forum who claims to be a
> security specalist/expert…for certain, i am not)

Yes, that’s the idea and the official security reporting channel.

> by the way, what operating system and version are you using? i ask because
> on my openSUSE 11.4 “rpm -q” is neither quite nor quiet, but rather
> query…but, you were close when you used -v, but since that means
> --verbose, you would have been correct had you used -V which means
> --verify, from my man:

The thing is that -q is not needed, I was confused in that. But it works in
my system, I tested it before posting; and a bit differently from what I
expected:


Telcontar:~ # rpm -q --verify samba
S.5....T.  c /etc/xinetd.d/swat
Telcontar:~ #


Cheers / Saludos,

Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)
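As an added example (not code from this thread, from rpm or from Samba), here is a small Python triage of `rpm -V` output along the lines Carlos suggests: it decodes the attribute letters of each verify line and separates expected config edits (like the swat and smb.conf lines above) from changes to binaries and libraries that would warrant a closer look. The input embedded in the block is constructed: it combines the two real verify lines quoted in this thread with made-up lines showing what a modified /usr/sbin/nmbd would report, which is not something gruz's output showed.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Meaning of each letter of the 9-character rpm verify field (rpm(8)).
ATTR_MEANING = {
    "S": "file size differs",
    "M": "mode (permissions/type) differs",
    "5": "MD5/digest differs",
    "D": "device major/minor differs",
    "L": "symlink target differs",
    "U": "user ownership differs",
    "G": "group ownership differs",
    "T": "mtime differs",
    "P": "capabilities differ",
}

# Optional one-letter file-type column between the attribute field and the path.
TYPE_MEANING = {"c": "config", "d": "documentation", "g": "ghost",
                "l": "license", "r": "readme"}

# One verify line: attribute field (or the word "missing"), optional type, path.
# '?' marks a test rpm could not perform; older rpm printed 8 columns.
LINE_RE = re.compile(
    r"^(?P<attrs>[SM5DLUGTP.?]{8,9}|missing)\s+(?:(?P<ftype>[cdglr])\s+)?(?P<path>/.*)$"
)


@dataclass
class Finding:
    path: str
    attrs: str              # raw attribute field, or "missing"
    ftype: Optional[str]    # file-type letter, None for an ordinary payload file

    @property
    def missing(self) -> bool:
        return self.attrs == "missing"

    @property
    def flags(self) -> Set[str]:
        # Letters are parsed by presence, not by column, so "5S.T....." is fine.
        return {c for c in self.attrs if c in ATTR_MEANING}

    def severity(self) -> str:
        if self.missing:
            return "high"          # a packaged file that is gone
        if not self.flags:
            return "ok"
        if self.ftype == "c":
            return "expected"      # local edits to config files are normal
        if self.ftype == "d" or self.flags <= {"T"}:
            return "low"           # docs, or nothing but a timestamp change
        return "high"              # content, perms or owner of a payload file changed

    def describe(self) -> str:
        kind = TYPE_MEANING.get(self.ftype, "payload")
        if self.missing:
            return f"{self.path} ({kind}): file is missing"
        if not self.flags:
            return f"{self.path} ({kind}): unchanged"
        changes = "; ".join(ATTR_MEANING[c] for c in "SM5DLUGTP" if c in self.flags)
        return f"{self.path} ({kind}): {changes}"


def parse_verify_output(text: str) -> List[Finding]:
    """Parse `rpm -V <pkg>` output; shell prompts and other noise are skipped."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            findings.append(Finding(m["path"].rstrip(), m["attrs"], m["ftype"]))
    return findings


def triage(text: str) -> Dict[str, List[str]]:
    """Group changed paths by severity; unchanged files are left out."""
    out: Dict[str, List[str]] = {}
    for f in parse_verify_output(text):
        sev = f.severity()
        if sev != "ok":
            out.setdefault(sev, []).append(f.path)
    return out


# Constructed sample: the two verify lines quoted in this thread, plus lines made
# up here to show what a tampered binary, module and missing file would look like.
SAMPLE = """\
Telcontar:~ # rpm -q --verify samba
S.5....T.  c /etc/xinetd.d/swat
5S.T.....  c /etc/samba/smb.conf
.........    /usr/sbin/smbd
S.5....T.    /usr/sbin/nmbd
.M.......    /usr/lib64/samba/vfs/audit.so
.......T.  d /usr/share/man/man8/nmbd.8.gz
missing      /usr/sbin/rcnmb
"""

if __name__ == "__main__":
    for finding in parse_verify_output(SAMPLE):
        if finding.severity() != "ok":
            print(f"[{finding.severity():8}] {finding.describe()}")
```

Because the rpm database and the rpm binary live on the suspect host, a clean verdict here is only as trustworthy as the host itself; verifying against a freshly downloaded package file with `rpm -Vp <package.rpm>`, or comparing digests taken from a known-good machine, is the stronger check.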

I didn’t post the full post, as it has images and code - such things will look bad in the mail.


linux-7dyq:~ # rpm -q --verify samba
linux-7dyq:~ # rpm --verify samba
linux-7dyq:~ # rpm -q --verify samba-client
5S.T.....  c /etc/samba/smb.conf
linux-7dyq:~ # rpm --verify samba-client
5S.T.....  c /etc/samba/smb.conf
linux-7dyq:~ # 


linux-7dyq:~ # cat /etc/samba/smb.conf
# smb.conf is the main Samba configuration file. You find a full commented
# version at /usr/share/doc/packages/samba/examples/smb.conf.SUSE if the
# samba-doc package is installed.
# Date: 2012-05-02
[global]
        workgroup = WORKGROUP
        passdb backend = tdbsam
        printing = cups
        printcap name = cups
        printcap cache time = 750
        cups options = raw
        map to guest = Bad User
        logon path = \\%L\profiles\.msprofile
        logon home = \\%L\%U\.9xprofile
        logon drive = P:
        usershare allow guests = Yes
        add machine script = /usr/sbin/useradd  -c Machine -d /var/lib/nobody -s /bin/false %m$
        domain logons = No
        domain master = No
        netbios name = gruz
        security = user
        wins support = Yes
        usershare max shares = 100
        ldap suffix = 
[homes]
        comment = Home Directories
        valid users = %S, %D%w%S
        browseable = No
        read only = No
        inherit acls = Yes
[profiles]
        comment = Network Profiles Service
        path = %H
        read only = No
        store dos attributes = Yes
        create mask = 0600
        directory mask = 0700
[users]
        comment = All users
        path = /home
        read only = No
        inherit acls = Yes
        veto files = /aquota.user/groups/shares/
[groups]
        comment = All groups
        path = /home/groups
        read only = No
        inherit acls = Yes
[printers]
        comment = All Printers
        path = /var/tmp
        printable = Yes
        create mask = 0600
        browseable = No
[print$]
        comment = Printer Drivers
        path = /var/lib/samba/drivers
        write list = @ntadmin root
        force group = ntadmin
        create mask = 0664
        directory mask = 0775

## Share disabled by YaST
# [netlogon]
linux-7dyq:~ # 

Why then another machine from the same LAN doesn’t meet the problem?

The IP is the same as you told me.

I’ve just tried to enter the google DNSes. The same result - that iframe/redirect.

http://view.xscreenshot.com/78e5b3c4482190f292b1aa9e00a422b0 (thumbnail: http://static.xscreenshot.com/small/2012/06/13/18/screen_78e5b3c4482190f292b1aa9e00a422b0)

On 2012-06-13 17:16, gruz wrote:
>
> I didn’t post the full post, as it has images and code - such things
> will look bad in the mail.

I originally saw it as plain text, no photos, via nntp. I have seen no photos.

> Code:
> --------------------
>
> linux-7dyq:~ # rpm -q --verify samba
> linux-7dyq:~ # rpm --verify samba
> linux-7dyq:~ # rpm -q --verify samba-client
> 5S.T… c /etc/samba/smb.conf
> linux-7dyq:~ # rpm --verify samba-client
> 5S.T… c /etc/samba/smb.conf
> linux-7dyq:~ #
>
> --------------------

These things you have to post directly to the mail list. Follow the issue
there, not here. Marcus is a knowledgeable chap, but not a forum user.


Cheers / Saludos,

Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)

I’m no expert at such things, but if it was a dns problem why would killing nmbd make the problem go away?

Even using tor wouldn’t be bypassing his router’s dns servers, would it?

Why nmb running doesn’t have the same effect when browsing with tor, could that be down to vidalia/tor using different ports to ‘standard’ browsers? If so, may point to browser traffic via (standard) http ports somehow getting compromised rather than dns servers

Plugging another machine into the router would rule out the issue arising from his isp’s nameservers if that behaviour wasn’t duplicated

I think I’d start off by checking whether any other processes are started with nmb that shouldn’t be there, and I’d completely remove samba, verify the problem has gone away then reinstall samba and see if the problem reappears

Keeping a service you think is compromised in the event that some unknown expert might want to remote in to look at it doesn’t seem the best idea to me, I wouldn’t let anyone I didn’t know very well and trust implicitly remote into any of my machines for any reason, to my mind that kind of thinking can get you in the kind of trouble you find yourself in now … but maybe I’m just paranoid

Thanks for the reply. No one could help me at the mailing list.

On advice from the mailing list I started tcpdump to see connections. The problem went away and never came back again. It makes me think the virus “understood” that it was under attention and stopped activity… Fantastic.

I still don’t know if it was a problem with my machine, or my ISP catching traffic with some tricky algorithm. We have a hot political life and this could be the government trying to block independent media resources. To be used more widely at election time.

I have no ideas what to do now…

On 2012-06-18 14:36, gruz wrote:
> I have no ideas what to do now…

maybe the samba people :-?


Cheers / Saludos,

Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)