Re: [opensuse-security] I think it's a virus. While nmbd running some web-sites are redirected or broken
13.06.12 18:11, Gruz wrote:
I've realised I replied to Marcus only, so I show the messages to the mailing list as they may be useful.
13.06.12 17:46, Marcus Meissner wrote:
1. repos:
.... quite a number :/
2. post #2
linux-7dyq:/ # rpm -q --verify samba
rpm -V samba-client
too please.
linux-7dyq:~ # rpm -V samba-client
5S.T..... c /etc/samba/smb.conf
linux-7dyq:~ #
linux-7dyq:/ # Empty result.
3. I use an ADSL modem which is also my router (DHCP server) and two linux PCs behind it. Nothing more. No specific configuration. Where is the nmbd configuration? So I can show it.
The content of:
/etc/nsswitch.conf
http://paste.opensuse.org/83269821
wins is added by me in line 33, as far as I remember. Everything else is default.
would point the nameservices to WinS if incorrectly configured.
The nmb logfile is in /var/log/samba/log.nmbd ... check if there is something funny in there.
Ciao, Marcus
I've enabled the daemon, surfed a little to meet the problem (for the first several minutes pravda.com.ua worked ok) and met that redirect again. Here is the log for this time. Beginning from the previous stop.
====
[2012/06/13 00:34:57, 0] nmbd/nmbd.c:66(terminate)
  Got SIGTERM: going down...
[2012/06/13 18:01:27, 0] nmbd/nmbd.c:860(main)
  nmbd version 3.6.3-34.12.1-2797-SUSE-SL12.1-x86_64 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2011
[2012/06/13 18:01:28, 0] nmbd/asyncdns.c:157(start_async_dns)
  started asyncdns process 25674
[2012/06/13 18:01:51, 0] nmbd/nmbd_become_lmb.c:397(become_local_master_stage2)
  *****

  Samba name server GRUZ is now a local master browser for workgroup WORKGROUP on subnet 192.168.1.2

  *****
[2012/06/13 18:01:51, 0] nmbd/nmbd_browsesync.c:351(find_domain_master_name_query_fail)
  find_domain_master_name_query_fail: Unable to find the Domain Master Browser name WORKGROUP<1b> for the workgroup WORKGROUP. Unable to sync browse lists in this workgroup.
[2012/06/13 18:08:40, 0] nmbd/nmbd.c:66(terminate)
  Got SIGTERM: going down...
===
That is strange: "Unable to find the Domain Master Browser name WORKGROUP<1b> for the workgroup WORKGROUP."
What is that <1b>?
--
To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-security+owner@opensuse.org
On Thu, Jun 14, 2012 at 01:56:49AM +0300, Gruz wrote:
I've enabled the daemon, surfed a little to meet the problem (for the first several minutes pravda.com.ua worked ok) and met that redirect again. Here is the log for this time. Beginning from the previous stop.
You quoted in a private mail that pravda.com.ua changed to a redirect to a fishy meta search website.
What I suspect is:
- Your DNS name resolution goes via the WORKGROUP$ browser
- It either hangs (because this windows box is not online or some such), OR
- The windows machine serving that is affected by a DNS entry changing virus and serves back this strange search engine.
Or your local system might point to a DNS entry that belongs to such a spam company.
If you stop nmbd, is the redirect still there?
Check /etc/resolv.conf for the nameserver in use.
Ciao, Marcus
14.06.12 09:56, Marcus Meissner wrote:
On Thu, Jun 14, 2012 at 01:56:49AM +0300, Gruz wrote:
I've enabled the daemon, surfed a little to meet the problem (for the first several minutes pravda.com.ua worked ok) and met that redirect again. Here is the log for this time. Beginning from the previous stop.
You quoted in a private mail that pravda.com.ua changed to a redirect to a fishy meta search website.
What I suspect is:
- Your DNS name resolution goes via the WORKGROUP$ browser
- It either hangs (because this windows box is not online or some such), OR
- The windows machine serving that is affected by a DNS entry changing virus and serves back this strange search engine.
Or your local system might point to a DNS entry that belongs to such a spam company.
If you stop nmbd, is the redirect still there?
Check /etc/resolv.conf for the nameserver in use.
Ciao, Marcus
If I stop nmbd the redirect is gone. That is the only way I can stop redirecting. After enabling it for a couple of minutes I don't have the redirect.
pravda.com.ua is an oppositional media. I thought that it could be a government test before elections to block it. But I have another non-media, small commercial web-site radion.com.ua blocked. In a very alike way, but not the same way. The blocking stops when nmbd is stopped, so the root of the problem is the same.
I have no windows machines in my LAN (2 PCs and ADSL modem-router).
I tried to use google DNSes at both - my machine and the ADSL modem. When nmbd is on the redirect is still there.
gruz@linux-7dyq:~> cat /etc/resolv.conf
### /etc/resolv.conf file autogenerated by netconfig!
#
# Before you change this file manually, consider to define the
# static DNS configuration using the following variables in the
# /etc/sysconfig/network/config file:
#     NETCONFIG_DNS_STATIC_SEARCHLIST
#     NETCONFIG_DNS_STATIC_SERVERS
#     NETCONFIG_DNS_FORWARDER
# or disable DNS configuration updates via netconfig by setting:
#     NETCONFIG_DNS_POLICY=''
#
# See also the netconfig(8) manual page and other documentation.
#
# Note: Manual change of this file disables netconfig too, but
# may get lost when this file contains comments or empty lines
# only, the netconfig settings are same with settings in this
# file and in case of a "netconfig update -f" call.
#
### Please remove (at least) this line when you modify the file!
nameserver 192.168.1.1
#nameserver 8.8.8.8
192.168.1.1 is my ADSL router.
It seems that the problem is in my software rather than a remote problem, as I have another machine in my LAN which is not affected. Well, but the other machine has no nmbd process running. Mine, the affected, is OpenSuse 12.1. The other has lubuntu. I have to investigate how to run samba at lubuntu to be sure that the other machine is or is not affected. That would be a useful info.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 2012-06-14 10:24, Gruz wrote:
14.06.12 09:56, Marcus Meissner wrote:
### Please remove (at least) this line when you modify the file!
nameserver 192.168.1.1
#nameserver 8.8.8.8
If you activate the nameserver as 8.8.8.8 instead of your router, are you still affected?
Did you post "/etc/nsswitch.conf" and "/etc/host.conf"?
Ah, yes, pastebin. You have:
hosts: files mdns4_minimal [NOTFOUND=return] wins dns
I have, in two machines (/etc/nsswitch.conf):
hosts: files mdns4_minimal [NOTFOUND=return] dns
I wonder if you really need "wins" and if that could affect. If it does, still there would be the problem of why nmbd is affected.
- --
Cheers / Saludos,
Carlos E. R.
(from 11.4 x86_64 "Celadon" at Telcontar)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.16 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk/ZyhEACgkQIvFNjefEBxoUswCdFbOKhmRJ5kci0ghyDFSEB2d6
RkwAoIuGZSIPTQfQrVlIn05BCttFFDcY
=u6FX
-----END PGP SIGNATURE-----
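The two questions raised in this thread, whether `wins` sitting ahead of `dns` in the `hosts:` line of /etc/nsswitch.conf lets the NetBIOS/WINS module answer lookups before DNS does, and what the `<1b>` in the nmbd log means, can both be checked with the small script below. It is an added example written for this page, not code from the thread or from Samba. The two `hosts:` lines and the nmbd log line are the ones quoted above; the suffix table is the standard NetBIOS name-suffix list (0x1b is the Domain Master Browser name, as the log message itself says). glibc tries the sources on the `hosts:` line in the order written, so the check reports whether `wins` is consulted before `dns`; the thread records that removing `wins` did not fix Gruz's redirect, so treat the result as one data point, not a diagnosis.

```python
"""Audit the nsswitch hosts: order and decode NetBIOS suffixes in nmbd log lines.

Added example for the opensuse-security thread; not part of Samba or the thread.
"""
import re

# Constructed samples: the two hosts: lines quoted in the thread.
NSSWITCH_WITH_WINS = "hosts: files mdns4_minimal [NOTFOUND=return] wins dns\n"
NSSWITCH_NO_WINS = "hosts: files mdns4_minimal [NOTFOUND=return] dns\n"

# The nmbd log line Gruz posted (constructed copy for offline use).
SAMPLE_LOG_LINE = (
    "find_domain_master_name_query_fail: Unable to find the Domain Master "
    "Browser name WORKGROUP<1b> for the workgroup WORKGROUP. "
    "Unable to sync browse lists in this workgroup."
)

# Standard NetBIOS name suffixes (the 16th byte of a NetBIOS name).
NETBIOS_SUFFIX = {
    0x00: "workstation / workgroup name",
    0x03: "messenger service",
    0x1b: "domain master browser",
    0x1c: "domain controllers",
    0x1d: "local master browser",
    0x1e: "browser service elections",
    0x20: "file server service",
}


def hosts_sources(nsswitch_text):
    """Return the ordered NSS sources of the hosts: line.

    Comments are stripped and action specifiers such as [NOTFOUND=return]
    are dropped, so only the source names remain, in lookup order.
    """
    for raw in nsswitch_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("hosts:"):
            tokens = line[len("hosts:"):].split()
            return [t for t in tokens if not t.startswith("[")]
    return []


def wins_before_dns(nsswitch_text):
    """True when the wins module is consulted before dns for host lookups."""
    sources = hosts_sources(nsswitch_text)
    if "wins" not in sources:
        return False
    if "dns" not in sources:
        return True
    return sources.index("wins") < sources.index("dns")


# NAME<xx> tokens as Samba prints them, e.g. WORKGROUP<1b>.
_NETBIOS_NAME_RE = re.compile(r"\b([A-Z0-9_-]+)<([0-9a-fA-F]{2})>")


def decode_netbios_names(log_line):
    """Return (name, suffix, meaning) for every NAME<xx> token in a log line."""
    found = []
    for name, hex_suffix in _NETBIOS_NAME_RE.findall(log_line):
        code = int(hex_suffix, 16)
        found.append((name, code, NETBIOS_SUFFIX.get(code, "unknown suffix")))
    return found


if __name__ == "__main__":
    for label, text in (("Gruz", NSSWITCH_WITH_WINS), ("Carlos", NSSWITCH_NO_WINS)):
        print(f"{label}: hosts order = {hosts_sources(text)}; "
              f"wins before dns = {wins_before_dns(text)}")
    for name, code, meaning in decode_netbios_names(SAMPLE_LOG_LINE):
        print(f"{name}<{code:02x}> is the {meaning} name")
```

To run it against a live system instead of the constructed samples, pass the contents of /etc/nsswitch.conf to `hosts_sources()` and lines from /var/log/samba/log.nmbd to `decode_netbios_names()`.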
14.06.12 14:25, Carlos E. R. wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 2012-06-14 10:24, Gruz wrote:
14.06.12 09:56, Marcus Meissner wrote:
### Please remove (at least) this line when you modify the file!
nameserver 192.168.1.1
#nameserver 8.8.8.8
If you activate the nameserver as 8.8.8.8 instead of your router, are you still affected?
Yes.
Did you post "/etc/nsswitch.conf" and "/etc/host.conf"?
gruz@linux-7dyq:~> cat /etc/host.conf
#
# /etc/host.conf - resolver configuration file
#
# Please read the manual page host.conf(5) for more information.
#
#
# The following option is only used by binaries linked against
# libc4 or libc5. This line should be in sync with the "hosts"
# option in /etc/nsswitch.conf.
#
order hosts, bind
#
# The following options are used by the resolver library:
#
multi on
gruz@linux-7dyq:~>
Ah, yes, pastebin. You have:
hosts: files mdns4_minimal [NOTFOUND=return] wins dns
I have, in two machines (/etc/nsswitch.conf):
hosts: files mdns4_minimal [NOTFOUND=return] dns
I wonder if you really need "wins" and if that could affect. If it does, still there would be the problem of why nmbd is affected.
I tried without wins - doesn't help.
- -- Cheers / Saludos,
Carlos E. R. (from 11.4 x86_64 "Celadon" at Telcontar)