
Knowing from what PC a certain file came

Deividson Okopnik [deivid.okop at gmail.com]


Mon, 21 Jun 2010 11:49:03 -0300

Hello TAG

I have an Ubuntu Linux machine here that's got a Samba shared folder, writable by anyone.

Is there any way I can know from what IP a certain file came?

'Cause one of the windoze machines on my network is spreading some virus, and I can't figure out what machine that is. It creates an autorun.inf and a .exe on my Ubuntu shared folder; that's the reason I wanted to try to figure out where it came from.

Thanks, Deividson


René Pfeiffer [lynx at luchs.at]


Mon, 21 Jun 2010 17:32:23 +0200

On Jun 21, 2010 at 1149 -0300, Deividson Okopnik appeared and said:

> Hello TAG
> 
> I have an Ubuntu Linux machine here that's got a Samba shared folder,
> writable by anyone.
> 
> Is there any way I can know from what IP a certain file came?

I do not know of any way except turning up the log/debug level. You might get a lot of noise though.

> 'Cause one of the windoze machines on my network is spreading some
> virus, and I can't figure out what machine that is. It creates an
> autorun.inf and a .exe on my Ubuntu shared folder; that's the reason I
> wanted to try to figure out where it came from.

In this case you can combine Samba with an anti-virus filter and check every file as soon as it.

http://michsan.blogspot.com/2008/04/installing-clamav-antivirus-on-samba-in.html

HTH, René.


Ben Okopnik [ben at linuxgazette.net]


Mon, 21 Jun 2010 11:34:18 -0400

On Mon, Jun 21, 2010 at 11:49:03AM -0300, Deividson Okopnik wrote:

> Hello TAG
> 
> I have an Ubuntu Linux machine here that's got a Samba shared folder,
> writable by anyone.
> 
> Is there any way I can know from what IP a certain file came?
> 
> 'Cause one of the windoze machines on my network is spreading some
> virus, and I can't figure out what machine that is. It creates an
> autorun.inf and a .exe on my Ubuntu shared folder; that's the reason I
> wanted to try to figure out where it came from.

I'm not all that familiar with Samba, but here are a couple of possibilities:

1) Is there any kind of a logging feature that you can enable in Samba?

2) If not, tcpdump/etherape might be of use.

3) Does this thing write those files fairly often (=$INTERVAL) and can you enable/disable the sharing for selected Winboxen? If so, then use the "divide-and-conquer" method to find the offending machine:

   a) Split the number of boxen in half and disable one of the two sections.
   b) Wait $INTERVAL. If the files appear, the problem is in the enabled section; otherwise, it's in the disabled one.
   c) Move the split point half-way into the problematic section.
   d) Repeat a - c until you've located the infected machine.

This might take some time depending on the number of machines you're working with, but not as much as you might think: divide-and-conquer uses powers of two, so a field of $N boxen would take log2($N) intervals to test (e.g., 6 tests for 64, 10 for 1024, 20 for 1048576, and so on.)

This general technique allows you to troubleshoot any sequential system, and is well worth knowing. Amazingly, I find that most people are not familiar with it: I often end up explaining it to my students. And, no, it's not a question of not knowing the name of the technique; people are actually and literally unfamiliar with the method. That still shocks me.

-- 
* Ben Okopnik * Editor-in-Chief, Linux Gazette * http://LinuxGazette.NET *


Jimmy O'Regan [joregan at gmail.com]


Mon, 21 Jun 2010 17:50:10 +0100

On 21 June 2010 16:34, Ben Okopnik <ben at linuxgazette.net> wrote:

> On Mon, Jun 21, 2010 at 11:49:03AM -0300, Deividson Okopnik wrote:
>> Hello TAG
>>
>> I have an Ubuntu Linux machine here that's got a Samba shared folder,
>> writable by anyone.
>>
>> Is there any way I can know from what IP a certain file came?
>>
>> 'Cause one of the windoze machines on my network is spreading some
>> virus, and I can't figure out what machine that is. It creates an
>> autorun.inf and a .exe on my Ubuntu shared folder; that's the reason I
>> wanted to try to figure out where it came from.
>
> I'm not all that familiar with Samba, but here are a couple of
> possibilities:
>
> 1) Is there any kind of a logging feature that you can enable in Samba?

Yes; you can set per-machine logging in Samba by using '%m' in the log file name:

    log file = /var/log/samba/log.%m

(You can use '%U' for user-level logging, or combine them, etc.)

The 'log level' feature can be set to log a number of different things, and there's an overview of levels here: http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/VFS.html#xtdaudit - it doesn't specifically mention file creation, so '2' (log opens/closes) is probably a safe one to go with, temporarily.

-- 
<Leftmost> jimregan, that's because deep inside you, you are evil.
<Leftmost> Also not-so-deep inside you.
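One way to act on the per-machine logging Jimmy describes, as an added example that is not part of this thread: a Python script that walks a directory of log.%m files, picks out the level-2 "opened file ... write=Yes" lines that name autorun.inf or an .exe, and reports which NetBIOS name wrote them. The sample log lines, the machine names and the temporary directory are constructed for the demo; the line layout follows smbd's level-2 open message, and the regexes are this example's own.

```python
import os
import re
import tempfile

# Header line smbd writes before each message: "[2010/06/21 11:49:03,  2] smbd/open.c:..."
TS_RE = re.compile(r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}),\s*\d+\]")
# Level-2 open message: "  nobody opened file autorun.inf read=No write=Yes (numopen=1)"
OPEN_RE = re.compile(r"^\s*(?P<user>\S+) opened file (?P<path>.+?) read=(?P<r>Yes|No) write=(?P<w>Yes|No)")
# The dropper described in the thread: an autorun.inf plus an .exe written into the share.
SUSPICIOUS = re.compile(r"(^|/)(autorun\.inf|[^/]+\.exe)$", re.IGNORECASE)

def find_writers(log_dir, pattern=SUSPICIOUS):
    """Map NetBIOS name (taken from log.%m) -> [(timestamp, user, path)] for write-opens of matching files."""
    hits = {}
    for name in sorted(os.listdir(log_dir)):
        if not name.startswith("log."):
            continue
        machine = name[len("log."):]  # %m is the client's NetBIOS name; log.smbd/log.nmbd belong to the daemons
        ts = "?"
        with open(os.path.join(log_dir, name), encoding="utf-8", errors="replace") as fh:
            for line in fh:
                m = TS_RE.match(line)
                if m:
                    ts = m.group("ts")  # remember the header; the message text follows on the next line
                    continue
                m = OPEN_RE.match(line)
                if m and m.group("w") == "Yes" and pattern.search(m.group("path")):
                    hits.setdefault(machine, []).append((ts, m.group("user"), m.group("path")))
    return hits

# Constructed sample logs in the level-2 layout above (not real captures).
SAMPLE_LOGS = {
    "log.WS-ACCOUNTING": "[2010/06/21 11:40:02,  2] smbd/open.c:open_file(363)\n"
                         "  nobody opened file budget.xls read=Yes write=No (numopen=1)\n",
    "log.WS-RECEPTION": "[2010/06/21 11:49:03,  2] smbd/open.c:open_file(363)\n"
                        "  nobody opened file autorun.inf read=No write=Yes (numopen=1)\n"
                        "[2010/06/21 11:49:04,  2] smbd/open.c:open_file(363)\n"
                        "  nobody opened file RECYCLER/update.exe read=No write=Yes (numopen=2)\n",
    "log.nmbd": "[2010/06/21 11:00:00,  0] nmbd/nmbd.c:main(851)\n  Netbios nameserver started.\n",
}

def demo():
    # Write the constructed logs into a scratch directory and search them.
    with tempfile.TemporaryDirectory() as d:
        for fname, text in SAMPLE_LOGS.items():
            with open(os.path.join(d, fname), "w", encoding="utf-8") as fh:
                fh.write(text)
        return find_writers(d)
```

Point it at /var/log/samba instead of the scratch directory to run it against real logs; the header line also carries the pid, so a client's connect message at level 1 will give its IP if the NetBIOS name is not enough.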