...making Linux just a little more fun!
Deividson Okopnik [deivid.okop at gmail.com]
Hello TAG
I have an ubuntu linux machine here thats got a samba shared folder, writable by anyone.
Is there any way i can know from what IP a certain file came?
Cause one of the windoze machines on my network is spreading some virus, and I cant figure out what machine is that. It creates an autorun.inf and a .exe on my ubuntu shared folder, thats the reason I wanted to try to figure out where it came from.
Thanks Deividson
René Pfeiffer [lynx at luchs.at]
On Jun 21, 2010 at 1149 -0300, Deividson Okopnik appeared and said:
> Hello TAG > > I have an ubuntu linux machine here thats got a samba shared folder, > writable by anyone. > > Is there any way i can know from what IP a certain file came?
I do not know of any way except turning up the log/debug level. You might get a lot of noise though.
> Cause one of the windoze machines on my network is spreading some > virus, and I cant figure out what machine is that. It creates an > autorun.inf and a .exe on my ubuntu shared folder, thats the reason I > wanted to try to figure out where it came from.
In this case you can combine Samba with an anti-virus filter and check every file as soon as it.
http://michsan.blogspot.com/2008/04/installing-clamav-antivirus-on-samba-in.html
HTH, Ren?.
Ben Okopnik [ben at linuxgazette.net]
On Mon, Jun 21, 2010 at 11:49:03AM -0300, Deividson Okopnik wrote:
> Hello TAG > > I have an ubuntu linux machine here thats got a samba shared folder, > writable by anyone. > > Is there any way i can know from what IP a certain file came? > > Cause one of the windoze machines on my network is spreading some > virus, and I cant figure out what machine is that. It creates an > autorun.inf and a .exe on my ubuntu shared folder, thats the reason I > wanted to try to figure out where it came from.
I'm not all that familiar with Samba, but here are a couple of possibilities:
1) Is there any kind of a logging feature that you can enable in Samba? 2) If not, tcpdump/etherape might be of use. 3) Does this thing write those files fairly often (=$INTERVAL) and can you enable/disable the sharing for selected Winboxen? If so, then use the "divide-and-conquer" method to find the offending machine:
a) Split the number of boxen in half and disable one of the two sections. b) Wait $INTERVAL. If the files appear, the problem is in the enabled section; otherwise, it's in the disabled one. c) Move the split point half-way into the problematic section. d) Repeat a - c until you've located the infected machine.
This might take some time depending on the number of machines you're working with, but not as much as you might think: divide-and-conquer uses powers of two, so a field of $N boxen would take log2($N) intervals to test (e.g., 6 tests for 64, 10 for 1024, 20 for 1048576, and so on.)
This general technique allows you to troubleshoot any sequential system, and is well worth knowing. Amazingly, I find that most people are not familiar with it: I often end up explaining it to my students. And, no, it's not a question of not knowing the name of the technique; people are actually and literally unfamiliar with the method. That still shocks me.
-- * Ben Okopnik * Editor-in-Chief, Linux Gazette * http://LinuxGazette.NET *
Jimmy O'Regan [joregan at gmail.com]
On 21 June 2010 16:34, Ben Okopnik <ben at linuxgazette.net> wrote:
> On Mon, Jun 21, 2010 at 11:49:03AM -0300, Deividson Okopnik wrote: >> Hello TAG >> >> I have an ubuntu linux machine here thats got a samba shared folder, >> writable by anyone. >> >> Is there any way i can know from what IP a certain file came? >> >> Cause one of the windoze machines on my network is spreading some >> virus, and I cant figure out what machine is that. It creates an >> autorun.inf and a .exe on my ubuntu shared folder, thats the reason I >> wanted to try to figure out where it came from. > > I'm not all that familiar with Samba, but here are a couple of > possibilities: > > 1) Is there any kind of a logging feature that you can enable in Samba?
Yes; you can set per-machine logging in samba by using '%m' in the logfile name: log file = /var/log/samba/log.%m
(You can use '%U' for user-level logging, or combine them, etc.)
The 'log level' feature can be set to log a number of different things, and there's an overview of levels here: http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/VFS.html#xtdaudit - it doesn't specifically mention file creation, so '2' (log opens/closes) is probably a safe one to go with, temporarily.
-- <Leftmost> jimregan, that's because deep inside you, you are evil. <Leftmost> Also not-so-deep inside you.