
I am using Ubuntu on my laptop with an EDGE connection. I have no computers on my LAN.

The first time this happened was a coincidence: I left a folder shared on my laptop after leaving the office and found it infected. Since then I have tried to reproduce the issue, and every time this happens:

  • If I share a folder with Samba and Guest Read+Write (777) permissions, after some time (it varies, sometimes a couple of hours, sometimes more than that) I start seeing strange files as shown below:

        -r-xr--r-- 1 nobody nogroup 0 2010-08-19 23:19 ctf
        -rw-r--r-- 1 nobody nogroup 337103 2004-08-04 00:10 dnpdwh.exe
        -r-xr--r-- 1 nobody nogroup 0 2010-08-20 05:45 khx
        -r-xr--r-- 1 nobody nogroup 0 2010-08-19 20:14 khy
        -rw-r--r-- 1 nobody nogroup 596628 2008-04-14 22:01 mzbxsv.exe
        -rw-r--r-- 1 nobody nogroup 510302 2004-08-04 19:50 uxnpfo.exe

I can always delete them, but they keep popping back; I don't know where they come from or even why.

[EDIT]: The issue was Samba listening on a public IP, and with 777 permissions I was inviting the uninitiated into my system, who thought it was Windows and so dropped viruses into it. Fixed by modifying the Samba configuration to:

  interfaces = 127.0.0.0/8 eth0    
  bind interfaces only = yes

in `/etc/samba/smb.conf`, followed by

  /etc/init.d/smbd restart

The problem was evident from log entries in `/var/log/samba/log.IP_HERE`.

It was also evident because Samba was using nobody and nogroup to write files in publicly writable shares.

Shoaibi
  • Someone accessing your shared folder and putting them in there? Is your laptop resharing that connection as well? – Prix Aug 20 '10 at 07:59
  • I also doubt that, but I am not sharing my connection with anyone over eth or wlan. – Shoaibi Aug 20 '10 at 08:15
  • Have you checked the content of any of the files? `nano ctf`. Also, what directory are those files in? You had better run rkhunter on your system for safety. – Prix Aug 20 '10 at 08:19
  • ctf and the other 0-sized files are empty, while running `file` on the *.exe files says "PE32 executable for MS Windows (GUI) Intel 80386 32-bit". Yes, I can try rkhunter or just avoid sharing folders with 777, but the question is where these files come from and how. – Shoaibi Aug 20 '10 at 08:29
  • Oh, my bad, I didn't notice from your post that it had no data, eheh... Do you use Wine or some Windows emulator by any chance? The file names you presented are pretty random and it would be hard to tell... Like I said earlier, my best guess would be someone putting those in your shared folder... Are the files always created with the same names? – Prix Aug 20 '10 at 08:34
  • I did use Wine years ago on this laptop and then uninstalled it. Yes, the kh* files are very common; if I let them be they cross with each other to produce kha-khz. – Shoaibi Aug 20 '10 at 08:40
  • Hehehe, this is rather funny... and it only happens when the Samba share is 777. Can you try to set your firewall policy to not accept connections from outside to Samba? Only accept 127.0.0.1 on the Samba ports, delete the files and let me know if they show up again, but please do the nmap and chkrootkit first... This way we will make sure you have no backdoors and that the files are being created within your system and not by anyone outside it. – Prix Aug 20 '10 at 08:44
  • Don't forget to try the firewall part I mentioned above, since you have already done the recommendations below. – Prix Aug 20 '10 at 10:44
  • Hehehe, so I was on the right track since the beginning, eheheh :) Glad you fixed it. – Prix Aug 21 '10 at 00:28

1 Answer

Hmm, a few things I would recommend to you:

  • Look for signs of strange processes with chkrootkit ( http://www.chkrootkit.org ).

  • Do a port scan with nmap from a different machine to make sure nothing strange is open and that you have everything else secured.

  • Check your firewall rules and make changes if you see they are too open to outsiders.

  • Verify your Samba configuration and limit it to the known IPs you have if you don't share the data with anyone else; this will keep any outsiders from using it.

  • Not sure if this would be a problem for you, but you can also set Samba to require passwords to access/create the data. That is, of course, assuming the files are being created by a third party and not within your own system, but then checking whether your system has been rootkitted, as pointed out above, would be the best.

Prix
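The fix in the question's edit (`interfaces` plus `bind interfaces only`) and the answer's advice to limit Samba to known IPs and require passwords can both be checked mechanically before restarting smbd. The script below is an added example written for this page, not code from either poster or from the Samba project: it reads an smb.conf, then flags a daemon that is not bound to specific interfaces, has no `hosts allow` list, or exports a share that is both guest-accessible and writable, which is exactly the combination that let anonymous clients write files as nobody/nogroup here. The two embedded configurations are constructed samples (the share name, path, user name and the 192.168.1. network are made up), and the parser is a deliberate simplification of Samba's own option handling (it recognises the common synonyms `public`, `writable`, `writeable`, `write ok` and `read only`, but not every alias Samba accepts).

```python
"""Audit an smb.conf for settings that expose a guest-writable share to the
Internet: missing interface binding, no host restriction, anonymous writes.
Added example for this page; not Samba project code."""
import sys
from typing import Dict, List

# Constructed sample: roughly what a "Guest Read+Write" share looks like when
# smbd is left listening on every address (the situation in the question).
VULNERABLE_SMB_CONF = """
[global]
   workgroup = WORKGROUP
   security = share
   map to guest = bad user

; share created from the desktop sharing dialog
[public]
   path = /home/user/shared
   guest ok = yes
   writable = yes
   create mask = 0777
"""

# Constructed sample: the question's fix (interfaces + bind interfaces only)
# plus the answer's hardening (restrict source hosts, require a valid user).
HARDENED_SMB_CONF = """
[global]
   workgroup = WORKGROUP
   interfaces = 127.0.0.0/8 eth0
   bind interfaces only = yes
   hosts allow = 127. 192.168.1.
   hosts deny = 0.0.0.0/0

[public]
   path = /home/user/shared
   guest ok = no
   writable = yes
   valid users = user
"""


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal smb.conf reader: [section] headers, 'key = value' lines and
    ';' or '#' comment lines. Option names are lower-cased with whitespace
    collapsed, since Samba ignores case and spacing in parameter names."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][" ".join(key.lower().split())] = value.strip()
    return sections


def is_true(value: str) -> bool:
    return value.strip().lower() in {"yes", "true", "1"}


def share_is_guest_writable(share: Dict[str, str]) -> bool:
    """True when anonymous (guest) clients can both connect and write."""
    guest = is_true(share.get("guest ok", share.get("public", "no")))
    writable = (
        is_true(share.get("writable", share.get("writeable", share.get("write ok", "no"))))
        or share.get("read only", "yes").strip().lower() in {"no", "false", "0"}
    )
    return guest and writable


def audit_smb_conf(text: str) -> List[str]:
    """Return one finding per risky setting; an empty list means clean."""
    conf = parse_smb_conf(text)
    g = conf.get("global", {})
    findings: List[str] = []
    if not is_true(g.get("bind interfaces only", "no")):
        findings.append("global: 'bind interfaces only' is not yes; smbd listens on every address, public ones included")
    if "interfaces" not in g:
        findings.append("global: no 'interfaces' list; restrict smbd to loopback and the LAN interface")
    if "hosts allow" not in g:
        findings.append("global: no 'hosts allow'; any source address may connect")
    for name, share in conf.items():
        if name != "global" and share_is_guest_writable(share):
            findings.append(f"share [{name}]: guest access and write access are both enabled; anonymous clients can drop files as the guest account")
    return findings


if __name__ == "__main__":
    # Optional path argument lets the script run against a real smb.conf.
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else VULNERABLE_SMB_CONF
    for finding in audit_smb_conf(source) or ["no findings"]:
        print(finding)
```

Running it with no arguments audits the constructed vulnerable sample and reports four findings; pointing it at the hardened sample reports none. After editing the real file, `testparm` remains the authoritative syntax check, and the restart from the question is still needed for smbd to pick up the new binding.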