Mr. Shickadance's questions

TL;DR

I'm pretty sure our small network has been infected by some sort of worm/virus. It seems to only be afflicting our Windows XP machines, however. Windows 7 machines and Linux (well, yea) computers seem to be unaffected. Anti-virus scans are showing nothing, but our domain server has logged thousands of failed login attempts on various valid and invalid user accounts, particularly the administrator. How can I stop this unidentified worm from spreading?

Symptoms

A few of our Windows XP users have reported similar problems, although not entirely identical. They all experience random shutdowns/restarts that are software initiated. On one of the computers a dialog pops up with a countdown until system restart, apparently started by NT-AUTHORITY\SYSTEM and has to do with an RPC call. This dialog in particular is exactly the same as those described in articles detailing older RPC exploit worms.

When two of the computers rebooted, they came back up at the login prompt (they are domain computers) but the user name listed was 'admin', even though they hadn't logged in as admin.

On our Windows Server 2003 machine running the domain, I noticed several thousand login attempts from various sources. They tried all different login names including Administrator, admin, user, server, owner and others.

Some of the logs listed IPs, some didn't. Of the ones that did have source IP address (for the failed logins) two of them correspond to the two Windows XP machines experiencing reboots. Just yesterday I noticed a bunch of failed login attempts from an outside IP address. A traceroute showed that outside IP address to be from a Canadian ISP. We shouldn't have an connections from there, ever (we do have VPN users though). So I am still not sure whats going on with the login attempts coming from a foriegn IP.

It seems obvious that some sort of malware is on these computers, and part of what it does is try to enumerate passwords on domain accounts to gain access.

What I've Done So Far

After realizing what was happening, my first step was to make sure everyone was running up-to-date anti-virus and did a scan. Of the computers affected, one of them ha an expired anti-virus client, but the other two were current versions of Norton and full scans of both systems turned up nothing.

The server itself regularly runs up-to-date anti-virus, and has not shown any infections.

So 3/4 of the Windows NT based computers have up-to-date anti virus, but it hasn't detected anything. However I am convinced that something is going on, mainly evidenced by the thousands of failed login attempts for various accounts.

I also noticed that the root of our main file share had pretty open permissions, so I just restricted it to read+execute for normal users. The administrator has full access of course. I am also about to have the users update their passwords (to strong ones), and I am going to rename to Administrator on the server and change its password.

I already took of the machines off of the network, one is being replaced by a new one, but I know these things can spread through networks so I still need to get to the bottom of this.

Also, the server has a NAT/Firewall setup with only certain ports open. I have yet to full investigate some of the Windows related services with ports open, as I am from a Linux background.

Now what?

So all the modern and up-to-date anti-virus hasn't detected anything, but I am absolutely convinced these computers have some sort of virus. I base this on the random restarts/instability of the XP machines combined with the thousands of login attempts originating from these machines.

What I plan on doing is backing up user files on the affected machines, and then reinstalling windows and freshly formatting the drives. I also am taking a few measures to secure the common file shares that may have been used to spread to other machines.

Knowing all this, what can I do to ensure that this worm isn't somewhere else on the network, and how can I stop it from spreading?

I know this is a drawn out question, but I am out of my depths here and could use some pointers.

Thanks for looking!

I have a small network with a couple of Windows XP machines experiencing random reboots. When the computer restarts, it comes to the login prompt with 'admin' in the username field, even though the user hasn't logged in as admin.

In my security logs on the server (Windows Server 2003) I noticed a lot of failed login attempts as Administrator. This obviously does not look good.

How can I track down and identify these login attempts? One of the machines has an out of date anti-virus (but that is about to change as I type this), but the other one has regularly been using and updating Norton.

Is there some know network attacks that look like this?

Also, how could I identify these login attempts from the workstation? Would there be a particular process running?

I have configured a Debian server with OpenVPN in bridge mode according to OpenVPN's ethernet bridging guide. As part of the guide I ran the bridge-start script which creates a bridge and tap interface. After running bridge-start and openvpn, I can't access my server from an outside network, even though I was able to before running bridge-start. After running the script I can only reach the server if I am on the same internal network. The bridge setup looks correct and has the correct IP address.

I don't think this is a firewall issue, as I don't have any iptables rules set. I can ssh into the server fine if I'm on the internal network, but from outside I get a connection timeout.

I have also verified that packets are indeed reaching the server. So my remote ssh connection fails, yet I see the SSH packets reach the server (using tshark on the server) but they seem to be ignored and the login times out.

How could my ethernet bridge cause my server to become unreachable from an outside network, yet everything works fine on the internal network?

Also, there is a near exact duplicate of this question, although it hasn't been answered and I'm trying to get some visability.

OpenVpn bridge interface does not respond to incoming packets from outer network !

I have a small Apache site which I've successfully implemented basic LDAP authentication using mod_authz_ldap. However, I am having a problem trying to implement two levels of successive authentication. Once a valid user is authenticated once, they are never prompted for secondary authentication which should be required for a specific part of the site. That is, all valid users can login, but they are never re-authenticated when only a subset of those users should access parts of the site.

For example, I required everyone who visits example.com to be authenticated as a valid LDAP user. Then I have a subversion repository at example.com/websvn which I want to restrict to only the 'development' group, a subset of the valid users.

My problem is that once a user is successfully authenticated as valid at example.com, when they navigate to example.com/websvn they are never re-prompted for authentication as a 'development' user. This happens even when the valid user is indeed not in the development group. I can test the repo authentication by freshly connecting directly to example.com/websvn, but when I first authenticate at example.com, and then visit example.com/websvn I am granted access no matter what, and never prompted for a password.

How do I properly implement a two-stage authentication like this? I want all valid users to access the main site, but only development users to have access to websvn. So valid users must be re-authenticated to check if they are in the development group.

Thanks!

I've seen similar questions related to configuring Apache to authenticate via LDAP, but this basic question still has me confused.

In my setup, I created users who all have the same primary GID, then I added users to various (supplementary/secondary) groups. I have tested these user accounts, and in most situations everything works fine - my permissions based on supplementary group membership is working. I used the smbldap-tools package to configure my users and groups, and specifically I used smbldap-usermod -G +NEW_GROUP user to add users to the supplementary groups.

If I do getent group I see those supplementary groups and their members. Good.

If I look at the LDAP entry for one of the supplementary groups, I see all the users listed just as expected.

However, when I look at each user's LDAP entry, only a gidNumber corresponding to the primary group is listed. That is, the LDAP entries for each user only list the primary group, and have no mention of secondary groups.

How does Samba/LDAP (using smbldap-tools) handle supplementary/secondary groups?

Further, how could I form a search filter to identify members of a supplementary group?

tl;dr Assuming a basic (but functioning) LDAP/PAM configuration, how come smbpasswd fails with this error message when I try to add an existing UNIX/LDAP user to Samba?

I have a basic, but working LDAP setup on a Debian server which has few accounts loaded with passwords and such, and their corresponding UNIX accounts have been created. I also have a basic PAM/NSS configuration which seems to be working.

I can login and use the accounts via LDAP. Now I want to configure a simple file share using Samba and have it authenticate users via the PAM/LDAP backend. I am at the point where I need to create Samba users using the smbpasswd utility, however this results in an error.

First, I set the LDAP password:

# smbpasswd -W

Then I tried adding a user which is already configured in LDAP:

# smbpasswd -a new_user
New SMB password:
Retype SMB password:
Failed to add entry for user new_user.

So I don't know why this command is failing. At first I figured it was because I needed to make the users in the LDAP directory be sambaSamAccounts. So I updated my user's LDIF file to look like this:

dn: cn=new_user,ou=group,dc=example,dc=com
cn: new_user
gidNumber: 1000
objectClass: top
objectClass: posixGroup

dn: uid=new_user,ou=people,dc=example,dc=com
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
uid: new_user
uidNumber: 1000
gidNumber: 1000
cn: test user
sn: new_user
mail: [email protected]
loginShell: /bin/bash
homeDirectory: /home/new_user
sambaSID: 3000
sambaDomainName: TEST-ROME

The only changes made to the above LDIF were the additions of sambaSamAccount as an objectClass and sambaSID and sambaDomainName. Eventually I want to implement a PDC, so I am pretty sure I need a sambaSamAccount anyway.

However, after all that I still get the same error.

So how can one debug this error?

SOLVED After debugging the daemon as suggested, I found that smbpasswd was executing queries with an empty base dn field, thus returning no results. This was fixed by adding the ldap suffix and ldap user suffix fields into my smb.conf. After that I realized I needed a correct way to generate sambaSIDs as well, but that is a separate issue.

I recently began learning Samba and OpenLDAP, and have become increasingly frustrated with the apparent disconnect between the old configuration (using slapd.conf) and the new one using the cn=config directory.

I can see the benefits of the new system, however so much documentation has yet to be updated that I am considering abandoning this approach in favor of the well known slapd.conf.

Do you think that this new method of configuration (cn=config) is ready for production or should most users stick to slapd.conf?

This is really a more general question, but I am asking it in a specific context. How do you troubleshoot failed Samba/LDAP logins/authentications?

I am in the process of learning Samba/LDAP. I currently have a test machine on which I have Samba and openLDAP, and I created a single posix/samba user that I want to try logging onto a network share with. From my other machine running Debian, I use the Gnome "Connect to server" function to try and load the share. I enter all the relevant information, but after entering my password the prompt keeps coming back. It repeatedly asks for my password without giving me an error.

So far I have been tailing the /var/log/syslog file and looking at the slapd output:

Aug  1 11:05:16 androserve slapd[3358]: conn=1007 fd=19 ACCEPT from IP=127.0.0.1:52280 (IP=0.0.0.0:389)
Aug  1 11:05:16 androserve slapd[3358]: conn=1007 op=0 BIND dn="cn=admin,dc=androcs,dc=com" method=128
Aug  1 11:05:16 androserve slapd[3358]: conn=1007 op=0 BIND dn="cn=admin,dc=androcs,dc=com" mech=SIMPLE ssf=0
Aug  1 11:05:16 androserve slapd[3358]: conn=1007 op=0 RESULT tag=97 err=0 text=
Aug  1 11:05:16 androserve slapd[3358]: conn=1007 op=1 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
Aug  1 11:05:16 androserve slapd[3358]: conn=1007 op=1 SRCH attr=supportedControl
Aug  1 11:05:16 androserve slapd[3358]: conn=1007 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Aug  1 11:05:16 androserve slapd[3358]: conn=1007 op=2 SRCH base="dc=androcs,dc=com" scope=2 deref=0 filter="(&(uid=tarcuri)(objectClass=sambaSamAccount))"
Aug  1 11:05:16 androserve slapd[3358]: conn=1007 op=2 SRCH attr=uid uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn sn displayName sambaHomeDrive sambaHomePath sambaLogonScript sambaProfilePath description sambaUserWorkstations sambaSID sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName objectClass sambaAcctFlags sambaMungedDial sambaBadPasswordCount sambaBadPasswordTime sambaPasswordHistory modifyTimestamp sambaLogonHours modifyTimestamp uidNumber gidNumber homeDirectory loginShell gecos
Aug  1 11:05:16 androserve slapd[3358]: conn=1007 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Aug  1 11:05:16 androserve slapd[3358]: conn=1007 op=3 SRCH base="sambaDomainName=ANDROCS,dc=androcs,dc=com" scope=0 deref=0 filter="(objectClass=sambaDomain)"
Aug  1 11:05:16 androserve slapd[3358]: conn=1007 op=3 SRCH attr=sambaPwdHistoryLength
Aug  1 11:05:16 androserve slapd[3358]: conn=1007 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text=
Aug  1 11:05:17 androserve slapd[3358]: conn=1007 op=4 SRCH base="dc=androcs,dc=com" scope=2 deref=0 filter="(&(objectClass=sambaGroupMapping)(gidNumber=20000))"
Aug  1 11:05:17 androserve slapd[3358]: conn=1007 op=4 SRCH attr=gidNumber sambaSID sambaGroupType sambaSIDList description displayName cn objectClass
Aug  1 11:05:17 androserve slapd[3358]: conn=1007 op=4 SEARCH RESULT tag=101 err=0 nentries=0 text=
Aug  1 11:05:17 androserve slapd[3358]: conn=1007 op=5 SRCH base="dc=androcs,dc=com" scope=2 deref=0 filter="(&(objectClass=sambaGroupMapping)(gidNumber=20000))"
Aug  1 11:05:17 androserve slapd[3358]: conn=1007 op=5 SRCH attr=gidNumber sambaSID sambaGroupType sambaSIDList description displayName cn objectClass
Aug  1 11:05:17 androserve slapd[3358]: conn=1007 op=5 SEARCH RESULT tag=101 err=0 nentries=0 text=
Aug  1 11:05:17 androserve slapd[3358]: conn=1007 op=6 SRCH base="dc=androcs,dc=com" scope=2 deref=0 filter="(&(sambaSID=s-1-5-21-3743419441-701214183-3617868461-513)(objectClass=sambaSamAccount))"
Aug  1 11:05:17 androserve slapd[3358]: conn=1007 op=6 SRCH attr=uid uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn sn displayName sambaHomeDrive sambaHomePath sambaLogonScript sambaProfilePath description sambaUserWorkstations sambaSID sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName objectClass sambaAcctFlags sambaMungedDial sambaBadPasswordCount sambaBadPasswordTime sambaPasswordHistory modifyTimestamp sambaLogonHours modifyTimestamp uidNumber gidNumber homeDirectory loginShell gecos
Aug  1 11:05:17 androserve slapd[3358]: bdb_equality_candidates: (sambaSID) not indexed
Aug  1 11:05:17 androserve slapd[3358]: conn=1007 op=6 SEARCH RESULT tag=101 err=0 nentries=0 text=
Aug  1 11:05:17 androserve slapd[3358]: conn=1007 op=7 SRCH base="dc=androcs,dc=com" scope=2 deref=0 filter="(&(objectClass=sambaGroupMapping)(sambaSID=s-1-5-21-3743419441-701214183-3617868461-513))"
Aug  1 11:05:17 androserve slapd[3358]: conn=1007 op=7 SRCH attr=gidNumber sambaSID sambaGroupType sambaSIDList description displayName cn objectClass
Aug  1 11:05:17 androserve slapd[3358]: conn=1007 op=7 SEARCH RESULT tag=101 err=0 nentries=0 text=
Aug  1 11:05:17 androserve slapd[3358]: conn=1007 op=8 SRCH base="sambaDomainName=ANDROCS,dc=androcs,dc=com" scope=0 deref=0 filter="(objectClass=sambaDomain)"
Aug  1 11:05:17 androserve slapd[3358]: conn=1007 op=8 SRCH attr=sambaLockoutThreshold
Aug  1 11:05:17 androserve slapd[3358]: conn=1007 op=8 SEARCH RESULT tag=101 err=0 nentries=1 text=
Aug  1 11:05:17 androserve slapd[3358]: conn=1007 fd=19 closed (connection lost)`

In this case it looks like it is trying to reference a sambaGroupMapping class, which I have not configured.

How would one usually approach this problem?

Thanks!

I just did an initial Samba/LDAP configuration on a Debian Squeeze system. I added a single user to an ldap directory and installed libnss-ldap. I can now successfully login to the system using the newly created user, so it seems that Debian itself has no problem authenticating with LDAP.

I configured Samba based on a number of tutorials, but I haven't been able to connect to a share since I've configured LDAP. Here is the smb.conf:

[global]
    workgroup = ANDROCS
    passdb backend = ldapsam:ldap://127.0.0.1/

    log level = 5
    log file = /var/log/samba/log.%m
    max log size = 100

    time server = Yes

    domain logons = Yes
    preferred master = Yes
    domain master = Yes
    wins support = No

    # LDAP
    ldap admin dn = cn=admin,dc=androcs,dc=com
    ldap group suffix = ou=group
    ldap idmap suffix = ou=Idmap
    ldap machine suffix = ou=Computers
    ldap passwd sync = Yes
    ldap suffix = dc=androcs,dc=com
    ldap user suffix = ou=Users
    ldap ssl = off

    idmap backend = ldap:ldap://127.0.0.1
    idmap uid = 10000-20000
    idmap gid = 10000-20000


# now define some shares
[technical]
    comment = Common Engineering and Technical Material
    path = /export/technical
    force group = technical
    read only = No
    create mask = 0770
    directory mask = 0770
    browseable = No

[development]
    comment = Software Development Repositories
    path = /export/development
    force group = development
    read only = No
    create mask = 0770
    directory mask = 0770
    browseable = No

[business]
    comment = Common Business Material
    path = /export/business
    force group = business
    read only = No
    create mask = 0770
    directory mask = 0770
    browseable = No

So I try logging onto the share from another Debian system using the gnome 'Connect to server' function. Simultaneously I tail the output of the syslog, and here is the result:

Jul 29 11:27:34 androserve slapd[3038]: conn=1004 fd=13 ACCEPT from IP=127.0.0.1:53334 (IP=0.0.0.0:389)
Jul 29 11:27:34 androserve slapd[3038]: conn=1004 op=0 BIND dn="cn=admin,dc=androcs,dc=com" method=128
Jul 29 11:27:34 androserve slapd[3038]: conn=1004 op=0 BIND dn="cn=admin,dc=androcs,dc=com" mech=SIMPLE ssf=0
Jul 29 11:27:34 androserve slapd[3038]: conn=1004 op=0 RESULT tag=97 err=0 text=
Jul 29 11:27:34 androserve slapd[3038]: conn=1004 op=1 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
Jul 29 11:27:34 androserve slapd[3038]: conn=1004 op=1 SRCH attr=supportedControl
Jul 29 11:27:34 androserve slapd[3038]: conn=1004 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jul 29 11:27:34 androserve slapd[3038]: conn=1004 op=2 SRCH base="dc=androcs,dc=com" scope=2 deref=0 filter="(&(uid=tarcuri)(?objectClass=sambaSamAccount))"
Jul 29 11:27:34 androserve slapd[3038]: conn=1004 op=2 SRCH attr=uid uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn sn displayName sambaHomeDrive sambaHomePath sambaLogonScript sambaProfilePath description sambaUserWorkstations sambaSID sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName objectClass sambaAcctFlags sambaMungedDial sambaBadPasswordCount sambaBadPasswordTime sambaPasswordHistory modifyTimestamp sambaLogonHours modifyTimestamp uidNumber gidNumber homeDirectory loginShell gecos
Jul 29 11:27:34 androserve slapd[3038]: conn=1004 op=2 SEARCH RESULT tag=101 err=0 nentries=0 text=
Jul 29 11:27:34 androserve slapd[3038]: conn=1004 fd=13 closed (connection lost)

The line the immediately sticks out to me is:

conn=1004 op=2 SRCH base="dc=androcs,dc=com" scope=2 deref=0 filter="(&(uid=tarcuri)(?objectClass=sambaSamAccount))"

In particular the objectClass. I am new to LDAP, but I configured the user as person, inetOrgPerson, posixAccount, and shadowAccount.

Does anyone know where I should start? Can I increase the logging level to get a better clue as to what is wrong?

Thanks!

OK, so I am learning and configuring openLDAP for the first time based partly on this tutorial:

http://www.rjsystems.nl/en/2100-d6-openldap-provider.php

I am trying to add a sample user, but I think I noticed a type in the tutorial. In the example ldif the author used cn: Christopher. I thought that cn should be a shorter name, similar to the uid if not exactly the same. So in my ldif I set both cn and gn (givenName), but I am getting an error about the givenName:

ldap_add: Object class violation (65)
    additional info: attribute 'givenName' not allowed

Here is my ldif:

dn: cn=tarcuri,ou=groups,dc=example,dc=com
cn: jsmith
gidNumber: 20000
objectClass: top
objectClass: posixGroup

dn: uid=tarcuri,ou=people,dc=example,dc=com
uid: jsmith
uidNumber: 20000
gidNumber: 20000
objectClass: top
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
cn: jsmith
gn: John 
sn: Smith
loginShell: /bin/bash
homeDirectory: /home/jsmith
userPassword: john

How would I modify my ldif file to correctly set the 'givenName' because it seems like a person should be able to have a first name. It takes sn after all.

Thanks!!

UPDATE So I tried using inetOrgPerson, which includes a given name, but after using ldapsearch to check the results, I see the following:

givenName:: VGhvbWFzIA==

When it should have the given name I used in the ldif. Obviously something is happening, anyone have some insight? Note the two colons after givenName.

I am at a small company with 15-20 employees. We need to replace an old server running Windows Server 2003. We need simple groupware, email server, file sharing, and an SVN server (used by only a few developers). I am going to evaluate replacing Microsoft with Linux and other software (looking at Zimbra).

I come here because I am having difficulty deciding what kind of hardware will get the job done, be reliable, and cost-effective. First, some general questions:

Does a single Xeon E5520 processor make sense? For our use would there be any reason to consider a single i7? I was thinking a single E5520 would be good, although not many people seem to run just one of those.

What are the main differences between i7 marketed motherboards and Xeon motherboards (both socket 1366)? I understand that many Xeon motherboards are dual-socket, but I don't think we really need a dual-socket solution. Are the Xeon specific motherboards mostly different in that they are able to support two sockets? I think the i7 doesn't.

So, I was thinking that perhaps a single Xeon E5520 with around 12GB of ram would be suitable. If this isn't reasonable, why would something else be a better choice?

Also, I have yet to fully analyse the current servers performance limitations. It is a single-core AMD machine, with pretty outdated hardware. We haven't wanted to do too much with it since its previous maintainer is no longer around and the whole thing generally is a mess. However, if anyone has any recommendations of how I can evaluate it that would be great.