
hi guys,
Strange problem: I discovered samba has been deleted, at no fault of my own. Just deleted...

I noticed the firewall was switched off too, which is concerning. I must have switched the firewall off to test something and never turned it back on.

When Linux loads it says it cannot load smbclient, and when I do rpm -q samba it says it's not installed, but I have been using it for years...

Could the firewall being off have caused this problem via an external source, or have I done something wrong... any ideas?

3 contributors, 4 replies, 12-year discussion span; last post by Cain.

I guess your system could have been compromised if the firewall was off. I don't know if your network is behind a firewall or not. The first place I usually look is at other privileged users with access; accidental sabotage from within is a frequent occurrence. If your system/network is wide open, turn iptables back on.

I would check the history for root and grep for 'rm' to attempt to find a culprit, then check out /var/log/messages. Try 'rpm -qa | grep -i smb' or 'rpm -qa | grep -i samba'.

Check for the existence of the smb executable: 'which smb' (as root). We know the init script exists and your system is attempting to start it at runtime; maybe the binary is in the wrong place or the permissions are wrong on /etc/samba/smb.conf.

If this file/directory is missing you may be able to recreate the directory, then run system-config-samba to recreate smb.conf (as root, naturally).

You could try this: 'man smbd' and look for a debuglevel switch (usually like -d0 or -d6, sometimes -v) and a foreground switch (don't-fork option).

tail /var/log/messages

Start samba manually as a foreground process (in debug mode, don't fork if you can) and check out the logs and the output.

Hope this helps,
Cain

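The checks Cain lists above, written out as an added shell example that is not part of the original thread: each step is a function so it can be run and inspected on its own. The root history and messages files that make_samples builds under a temporary directory are constructed samples for illustration, not real logs; the file paths and the extra pattern for package removals (rpm -e, yum remove) are my assumptions. The foreground start uses smbd's -i option (interactive: stays in the foreground and logs to stdout) and -d (debug level), both of which are documented in man smbd.

```shell
#!/bin/sh
# Added example, not from the thread. Paths and the sample files created by
# make_samples are constructed for illustration only.

# rm_hits HISTORY_FILE: lines in a shell history that remove files or packages.
# Prints "lineno:command"; returns 1 if nothing matched or the file is unreadable
# (a missing or truncated root history is itself worth noting).
rm_hits() {
    [ -r "$1" ] || return 1
    grep -n -E '(^|[;&| ])rm[[:space:]]|rpm[[:space:]]+-e[[:space:]]|yum[[:space:]]+(remove|erase)' "$1"
}

# samba_packages: what rpm still knows about samba/smb (Cain's rpm -qa checks).
samba_packages() {
    command -v rpm >/dev/null 2>&1 || { echo "rpm not available on this host"; return 2; }
    rpm -qa | grep -i -E 'samba|smb'
}

# samba_files_ok [SMB_CONF]: is the daemon binary in PATH and is smb.conf
# readable?  Returns 1 if either is missing, which is the state Cain suspects.
samba_files_ok() {
    conf="${1:-/etc/samba/smb.conf}"
    status=0
    if command -v smbd >/dev/null 2>&1; then
        echo "smbd: $(command -v smbd)"
    else
        echo "smbd binary not found in PATH"
        status=1
    fi
    if [ -r "$conf" ]; then
        ls -l "$conf"
    else
        echo "$conf missing or unreadable"
        status=1
    fi
    return $status
}

# samba_log_lines SYSLOG_FILE: the smbd/nmbd/samba lines from a syslog file
# such as /var/log/messages.
samba_log_lines() {
    grep -i -E 'smbd|nmbd|samba' "$1"
}

# samba_debug_cmd [LEVEL]: the foreground, debug start Cain suggests.
# -i keeps smbd in the foreground logging to stdout; -d sets the debug level.
samba_debug_cmd() {
    echo "smbd -i -d ${1:-3}"
}

# make_samples: write a constructed root history and messages file into a
# temp directory and print that directory. Contents are made up for the demo.
make_samples() {
    d=$(mktemp -d)
    cat > "$d/root_history" <<'EOF'
cd /tmp
yum update -y
rm -rf /etc/samba
rpm -e samba
service iptables stop
EOF
    cat > "$d/messages" <<'EOF'
Mar  3 09:12:01 box smbd[2211]: STATUS=daemon 'smbd' finished starting up and ready to serve connections
Mar  3 09:13:44 box kernel: eth0: link up
Mar  3 09:15:02 box nmbd[2215]: Samba name server BOX is now a local master browser
EOF
    echo "$d"
}
```

On a real box run rm_hits against /root/.bash_history, samba_log_lines against /var/log/messages, and, as root, execute the command samba_debug_cmd prints to watch smbd start and read its complaints directly instead of from the logs.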

Thanks, my friend. I have managed to reinstall samba and smb.
I noticed another problem: when I enter top into the shell it returns:

top: error while loading shared libraries:
bject file: No such file or directory..

I checked the log files: wiped, no record of anything before I reset the server and turned the firewall back on.

The firewall I am using is Firestarter... can anyone recommend anything better that shows accepted connections too?

I am pretty sure the system was compromised; without a firewall the system was easier to hack than a hot knife through butter. My VNC password was probably the first possible password on any brute-force password list. In addition I was running shared directories across the network. My only barrier was the firewall, as it blocked these ports from the outside... so I thought, not to worry... it won't happen... but when I turned it off to test something... bang.

Anyway... I am going to reinstall Red Hat and a firewall and any logging/activity viewing programs around... can anyone recommend any? I have done some searches but I don't know what's best.

Once again, thanks
til


iptables is a nice option. You can log the connections or handshakes which happen to your box. Try getting syslog to log to a remote server.

./thanks
ilaiy


Yeah, iptables is probably the way to go.
I usually set them up in this order (I never use a deny statement with iptables; this way the hacker gets zero feedback and doesn't make it to a login prompt):

drop from all outside networks
log from all outside networks
drop ports from mysubdomaina (by IP, e.g.)
log ports from mysubdomaina

allow my networks (by resolvable domain name, e.g. *.mydomain.com)
then

You can also use this with your hosts.allow and hosts.deny files: first deny anything not from your networks, then allow only from your networks by IP, 10.1.1/24 or whatever the CIDR is. You can also do it by subnet mask if I'm not mistaken. You can also set this to allow only from your resolvable networks, *.mydomain.com.

Enjoy
Cain

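Cain's scheme written out as an added example (my script, not rules from the thread): an iptables script plus the matching hosts.allow/hosts.deny pair. Because iptables stops at the first matching rule, the ACCEPT for the trusted network is placed before the catch-all, and each LOG rule is placed before the DROP it pairs with so the dropped packets actually produce a syslog line; DROP rather than REJECT means the remote side gets no feedback, which is the point Cain makes. The network addresses (10.1.1.0/24, 192.0.2.0/24), the service ports (samba and VNC display :0) and the mydomain.com suffix are placeholders. DRY_RUN=1 prints the commands instead of running them, so the rule order can be inspected without root.

```shell
#!/bin/sh
# Added example, not rules from the thread. Addresses, ports and the DNS
# suffix below are placeholders; adjust before use. DRY_RUN=1 prints the
# iptables commands instead of executing them.

TRUSTED_NET="${TRUSTED_NET:-10.1.1.0/24}"        # LAN allowed to reach everything
SUBDOMAIN_NET="${SUBDOMAIN_NET:-192.0.2.0/24}"   # neighbouring net: logged, then dropped on service ports
TCP_SERVICE_PORTS="139,445,5900"                  # samba (tcp) + vnc display :0
UDP_SERVICE_PORTS="137,138"                       # netbios name/datagram service
IPT="${IPT:-iptables}"

# run: echo the command under DRY_RUN=1, otherwise execute it.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

# log_and_drop SRC PROTO PORTS PREFIX: rate-limited LOG first, then DROP,
# so every dropped connection attempt leaves a syslog line but no reply.
log_and_drop() {
    run -A INPUT -s "$1" -p "$2" -m multiport --dports "$3" \
        -m limit --limit 5/min -j LOG --log-prefix "$4"
    run -A INPUT -s "$1" -p "$2" -m multiport --dports "$3" -j DROP
}

apply_rules() {
    run -F INPUT
    run -P INPUT DROP                                      # policy: silent drop
    run -A INPUT -i lo -j ACCEPT
    run -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # 1. trusted network, by address (a hostname given to -s is resolved
    #    only once, when the rule is loaded, so names are not used here)
    run -A INPUT -s "$TRUSTED_NET" -j ACCEPT
    # 2. the subdomain network: service ports logged with their own prefix,
    #    then dropped; anything else from it falls through to step 3
    log_and_drop "$SUBDOMAIN_NET" tcp "$TCP_SERVICE_PORTS" "IPT-SUBNET-DROP: "
    log_and_drop "$SUBDOMAIN_NET" udp "$UDP_SERVICE_PORTS" "IPT-SUBNET-DROP: "
    # 3. everyone else: log (rate-limited) then drop, never REJECT
    run -A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPT-OUTSIDE-DROP: "
    run -A INPUT -j DROP
}

# write_tcp_wrappers DIR: hosts.allow is consulted before hosts.deny and the
# first match wins, so deny everything in hosts.deny and list only our
# networks in hosts.allow. DIR is /etc on a real host. The net/mask form is
# accepted by every libwrap version; a leading dot matches a DNS suffix.
write_tcp_wrappers() {
    cat > "$1/hosts.allow" <<'EOF'
ALL: 10.1.1.0/255.255.255.0
ALL: .mydomain.com
EOF
    cat > "$1/hosts.deny" <<'EOF'
ALL: ALL
EOF
}
```

Name-based allow lists belong in hosts.allow rather than in iptables: tcp_wrappers does a lookup per connection and refuses a client whose forward and reverse DNS disagree, while iptables only sees addresses. Note that smbd itself is not covered by tcp_wrappers unless it was built with libwrap; its own equivalent is the hosts allow / hosts deny parameters in smb.conf, which take the same net/mask form.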