[opensuse-security] I think it's a virus. While nmbd running some web-sites are redirected or broken
Here is the post with the images and additional info: http://forums.opensuse.org/forums/english/get-technical-help-here/network-in...
--
To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-security+owner@opensuse.org
Hi,
On Wednesday 13 June 2012 15:01:38 Gruz wrote:
Here is the post with the images and additional info:
http://forums.opensuse.org/forums/english/get-technical-help-here/network-internet/476052-i-think-its-virus-while-nmbd-running-some-web-sites-redirected-broken.html#post2469100
thank you for the pointer.

Post #2 suggests basically what we would recommend too. Apart from that it would also be helpful to see which repositories are being used and if nmbd was configured to resolve names via external windows domains which in turn could be mis-configured or compromised. (I've just learned from Marcus that this could be possible.)

Thanks,
Matthias
--
Matthias Weckbecker, Junior Security Engineer, SUSE Security Team
SUSE LINUX Products GmbH, Maxfeldstr. 5, D-90409 Nuernberg, Germany
Tel: +49-911-74053-0; http://suse.com/
SUSE LINUX Products GmbH, GF: Jeff Hawn, HRB 16746 (AG Nuernberg)
13.06.12 16:32, Matthias Weckbecker wrote:
Hi,
On Wednesday 13 June 2012 15:01:38 Gruz wrote:
Here is the post with the images and additional info:
http://forums.opensuse.org/forums/english/get-technical-help-here/network-internet/476052-i-think-its-virus-while-nmbd-running-some-web-sites-redirected-broken.html#post2469100
thank you for the pointer.
Post #2 suggests basically what we would recommend too. Apart from that it would also be helpful to see which repositories are being used and if nmbd was configured to resolve names via external windows domains which in turn could be mis-configured or compromised. (I've just learned from Marcus that this could be possible.)
Thanks, Matthias
1. repos: http://paste.opensuse.org/98716283
I cannot paste it, it treats me as a spammer:

linux-7dyq:/etc/zypp/repos.d # cat *
[Documentation:Tools]
name=Documentation:Tools
enabled=1
autorefresh=1
baseurl=http://download.opensuse.org/repositories/Documentation:/Tools/openSUSE_12.1...
type=rpm-md
keeppackages=0
[Education]
name=Education
enabled=1
autorefresh=1
baseurl=http://download.opensuse.org/repositories/Education/openSUSE_12.1/
type=rpm-md
[Factory]
name=Factory
enabled=1
autorefresh=0
baseurl=http://download.opensuse.org/repositories/openSUSE:/Factory:/Contrib/openSUS...
type=rpm-md
[Gallochri(for lingot)]
name=Gallochri(for lingot)
enabled=1
autorefresh=0
baseurl=http://download.opensuse.org/repositories/home:/gallochri/openSUSE_12.1/
type=rpm-md
[Graphics Project]
name=Graphics Project
enabled=1
autorefresh=1
baseurl=http://download.opensuse.org/repositories/graphics/openSUSE_12.1/
type=rpm-md
[home:froksen]
name=home:froksen
enabled=1
autorefresh=1
baseurl=http://download.opensuse.org/repositories/home:/froksen/openSUSE_12.1/
type=rpm-md
keeppackages=0
[home:mrdocs]
name=home:mrdocs
enabled=1
autorefresh=1
baseurl=http://download.opensuse.org/repositories/home:/mrdocs/openSUSE_12.1/
type=rpm-md
[home:saigkill]
name=home:saigkill
enabled=1
autorefresh=1
baseurl=http://download.opensuse.org/repositories/home:/saigkill/openSUSE_12.1/
type=rpm-md
keeppackages=0
[nvidia]
name=nvidia
enabled=1
autorefresh=1
baseurl=ftp://download.nvidia.com/opensuse/12.1/
type=rpm-md
[packman openSUSE_12.1]
name=packman openSUSE_12.1
enabled=1
autorefresh=1
baseurl=http://ftp.uni-erlangen.de/pub/mirrors/packman/suse/openSUSE_12.1/
type=rpm-md
[packman openSUSE_Tumbleweed]
name=packman openSUSE_Tumbleweed
enabled=1
autorefresh=1
baseurl=http://ftp.uni-erlangen.de/pub/mirrors/packman/suse/openSUSE_Tumbleweed
type=rpm-md
[PHP Extensions]
name=PHP Extensions
enabled=1
autorefresh=0
baseurl=http://download.opensuse.org/repositories/server:/php:/extensions/openSUSE_1...
type=rpm-md
[repo-debug]
name=openSUSE-12.1-Debug
enabled=0
autorefresh=1
baseurl=http://download.opensuse.org/debug/distribution/12.1/repo/oss/
path=/
type=NONE
keeppackages=0
[repo-debug-update]
name=openSUSE-12.1-Update-Debug
enabled=0
autorefresh=1
baseurl=http://download.opensuse.org/debug/update/12.1/
path=/
type=NONE
keeppackages=0
[repo-non-oss]
name=openSUSE-12.1-Non-Oss
enabled=1
autorefresh=1
baseurl=http://download.opensuse.org/distribution/12.1/repo/non-oss/
type=yast2
keeppackages=0
[repo-oss]
name=openSUSE-12.1-Oss
enabled=1
autorefresh=1
baseurl=http://download.opensuse.org/distribution/12.1/repo/oss/
type=yast2
keeppackages=0
[repo-source]
name=openSUSE-12.1-Source
enabled=0
autorefresh=1
baseurl=http://download.opensuse.org/source/distribution/12.1/repo/oss/
path=/
type=NONE
keeppackages=0
[repo-update]
name=openSUSE-12.1-Update
enabled=1
autorefresh=1
baseurl=http://download.opensuse.org/update/12.1/
type=rpm-md
keeppackages=0
[security]
name=security
enabled=1
autorefresh=1
baseurl=http://download.opensuse.org/repositories/security/openSUSE_12.1/
type=rpm-md
keeppackages=0
[X11:Utilities]
name=X11:Utilities
enabled=1
autorefresh=1
baseurl=http://download.opensuse.org/repositories/X11:/Utilities/openSUSE_12.1/
type=rpm-md
keeppackages=0
linux-7dyq:/etc/zypp/repos.d #

2. post #2

linux-7dyq:/ # rpm -q --verify samba
linux-7dyq:/ #

Empty result.

3. I use an ADSL modem which is also my router (DHCP server) and two Linux PCs behind it. Nothing more. No specific configuration. Where is the nmbd configuration? So I can show it.

4. Some time ago I logged in to KDE as root to run PlayOnlinux as root. It was a test, because as my user it was giving a permission error. I didn't run anything except PlayOnlinux itself. I don't think it's a problem, but I think I must mention it. And the problem didn't start from that time, as far as I remember.
On Wed, Jun 13, 2012 at 04:55:42PM +0300, Gruz wrote:
13.06.12 16:32, Matthias Weckbecker wrote:
Hi,
On Wednesday 13 June 2012 15:01:38 Gruz wrote:
Here is the post with the images and additional info:
http://forums.opensuse.org/forums/english/get-technical-help-here/network-internet/476052-i-think-its-virus-while-nmbd-running-some-web-sites-redirected-broken.html#post2469100
thank you for the pointer.
Post #2 suggests basically what we would recommend too. Apart from that it would also be helpful to see which repositories are being used and if nmbd was configured to resolve names via external windows domains which in turn could be mis-configured or compromised. (I've just learned from Marcus that this could be possible.)
Thanks, Matthias
1. repos:
.... quite a number :/
2. post #2
linux-7dyq:/ # rpm -q --verify samba
rpm -V samba-client too please.
linux-7dyq:/ # Empty result.
3. I use an ADSL modem which is also my router (DHCP server) and two Linux PCs behind it. Nothing more. No specific configuration. Where is the nmbd configuration? So I can show it.
The content of /etc/nsswitch.conf would point the name services to WINS if incorrectly configured.

The nmb logfile is in /var/log/samba/log.nmbd ... check if there is something funny in there.

Ciao, Marcus
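The checks the replies ask for (rpm -V on the Samba packages, the hosts: line of /etc/nsswitch.conf, nmbd's own name-resolution settings, a look at log.nmbd) scripted as one triage helper. This is an added example, not code from the thread, from SUSE or from Samba. It assumes openSUSE default paths (/etc/samba/smb.conf, /var/log/samba/log.nmbd); the rpm -V line layout is rpm's documented format, while the verdict names, the selection of smb.conf parameters and the sample rpm -V lines and nsswitch.conf entries are this example's own constructions.

```shell
#!/bin/sh
# samba_triage.sh: added example, not code from the thread, SUSE or Samba.
# Scripts the checks the replies ask for: `rpm -V` on the Samba packages,
# the hosts: line of /etc/nsswitch.conf, nmbd's own name-resolution settings
# in smb.conf, and a look at log.nmbd. The rpm -V line layout is rpm's own;
# the verdict names and the smb.conf parameter list are this example's choice.

# Classify `rpm -V` output read on stdin. Each line is nine attribute flags
# (S size, M mode, 5 digest, D device, L link, U user, G group, T mtime,
# P capabilities), two spaces, an optional file type letter (c = config),
# a space and the path; a deleted file is reported as "missing  path".
# A changed digest on a non-config file means the file on disk is not the one
# the package shipped. Prints one verdict per line, CLEAN for empty input,
# and returns 1 when anything is TAMPERED or MISSING.
rpm_verify_classify() {
    bad=0 n=0
    while read -r attrs rest; do          # read splits off the flags column
        [ -z "$attrs" ] && continue
        n=$((n + 1))
        case $rest in
            /*) ftype=-; path=$rest ;;                 # no type letter
            *)  ftype=${rest%% *}; path=${rest#* } ;;  # "c /etc/..." etc.
        esac
        digest=$(printf '%s' "$attrs" | cut -c3)
        if [ "$attrs" = missing ]; then
            echo "MISSING $path"; bad=1
        elif [ "$digest" = 5 ] && [ "$ftype" != c ]; then
            echo "TAMPERED $path ($attrs)"; bad=1
        elif [ "$digest" = 5 ]; then
            echo "CONFIG-CHANGED $path"
        else
            echo "ATTR-ONLY $path ($attrs)"
        fi
    done
    [ "$n" -eq 0 ] && echo CLEAN
    return $bad
}

# Report the lookup order on the hosts: line of an nsswitch.conf. The Samba
# `wins` source resolves names by NetBIOS broadcast or a WINS server, which
# any machine on the LAN can answer; listed ahead of dns it answers first
# for every name. Prints the order; returns 1 in that case, 2 if no hosts: line.
nsswitch_hosts_check() {
    hosts=$(sed -n 's/#.*//; s/^[[:space:]]*hosts:[[:space:]]*//p' "$1" | head -n 1)
    if [ -z "$hosts" ]; then
        echo "no hosts: line in $1"; return 2
    fi
    hosts=$(printf '%s' "$hosts" | sed 's/\[[^]]*\]//g')   # drop [NOTFOUND=return]
    echo "hosts: $hosts"
    dns_seen=0
    for src in $hosts; do
        case $src in
            dns)  dns_seen=1 ;;
            wins) [ "$dns_seen" -eq 0 ] && { echo WINS-BEFORE-DNS; return 1; } ;;
        esac
    done
    echo OK
}

# Print the smb.conf parameters that decide where nmbd sends name lookups
# (all are real Samba parameters; which ones to list is this example's choice).
smbconf_name_resolution() {
    grep -iE '^[[:space:]]*(wins server|wins support|wins proxy|name resolve order|dns proxy|remote announce|remote browse sync)[[:space:]]*=' "$1"
}

# Live run on the host being triaged (openSUSE default paths assumed).
run_live() {
    echo "== rpm -V samba samba-client =="
    rpm -V samba samba-client | rpm_verify_classify
    echo "== /etc/nsswitch.conf =="
    nsswitch_hosts_check /etc/nsswitch.conf
    echo "== name resolution settings in /etc/samba/smb.conf =="
    smbconf_name_resolution /etc/samba/smb.conf || echo "(none set; Samba defaults apply)"
    echo "== last 20 lines of /var/log/samba/log.nmbd =="
    tail -n 20 /var/log/samba/log.nmbd
}

case ${1:-} in
    --live) run_live ;;
    *)  # Offline run on constructed sample data, not output from the poster's box.
        printf '%s\n' 'S.5....T.  c /etc/samba/smb.conf' '..5....T.    /usr/sbin/nmbd' \
            | rpm_verify_classify || echo "=> package content altered: reinstall and investigate"
        tmp=$(mktemp)
        printf 'hosts:\tfiles wins dns\n' > "$tmp"     # constructed: wins ahead of dns
        nsswitch_hosts_check "$tmp" || echo "=> any LAN host can answer name lookups before DNS"
        rm -f "$tmp"
        ;;
esac
```

Run it with no arguments to see the classification on the constructed sample, or as root with `--live` on the suspect box. An empty `rpm -V` result only says the files match what the RPM database records; if the database or the rpm binary itself were replaced that check proves nothing, so a TAMPERED verdict on a binary such as /usr/sbin/nmbd is a reason to stop trusting the host rather than just reinstall one package.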
participants (3): Gruz, Marcus Meissner, Matthias Weckbecker