Koozali.org: home of the SME Server

.pif .exe .cmd .lnk .bat searches on network from remote windows box

Offline StuC

I would be most grateful if someone could shed light on this.
"localserver" is an SME 7.4 machine; "remoteserver" is a Win2k3 server in a distant land, accessible by VPN.

The log on the SME box has started showing these entries and I am suspicious.
Looks almost a bit "worm-like" to me (the distant server has Symantec AV on and is on another Windows domain; it does have RDP clients).

Feb 11 18:28:47 localserver smbd[4862]:   remoteserver (192.168.x.x) couldn't find service ibayname.bat
Feb 11 18:28:48 localserver smbd[4862]:   remoteserver (192.168.x.x) couldn't find service ibayname.cmd
Feb 11 18:28:51 localserver smbd[4863]:   remoteserver (192.168.x.x) couldn't find service ibayname.exe
Feb 11 18:28:52 localserver smbd[4863]:   remoteserver (192.168.x.x) couldn't find service ibayname.com
Feb 11 18:28:55 localserver smbd[4864]:   remoteserver (192.168.x.x) couldn't find service ibayname.pif
Feb 11 18:28:56 localserver smbd[4864]:   remoteserver (192.168.x.x) couldn't find service ibayname.lnk
Feb 11 18:29:00 localserver smbd[4865]:   remoteserver (192.168.x.x) couldn't find service ibaynam

Yes, the last letter is missing there.
It has happened for a week now at exactly the same time (for two minutes).
I assume it may be some MS service I don't recognise, but searching the forum has not really answered my quest.
And yes, I know this is totally not an issue with SME Server, but as there are clever cookies on here with longer experience than me, I figure someone might recognise the activity.

Thank you.
« Last Edit: February 12, 2009, 05:50:50 PM by StuC »

Offline Stefano

Re: .pif .exe .cmd .lnk .bat searches on network from remote windows box
« Reply #1 on: February 12, 2009, 06:00:22 PM »
Feb 11 18:28:47 localserver smbd[4862]:   remoteserver (192.168.x.x) couldn't find service ibayname.bat
Feb 11 18:28:48 localserver smbd[4862]:   remoteserver (192.168.x.x) couldn't find service ibayname.cmd
Feb 11 18:28:51 localserver smbd[4863]:   remoteserver (192.168.x.x) couldn't find service ibayname.exe
Feb 11 18:28:52 localserver smbd[4863]:   remoteserver (192.168.x.x) couldn't find service ibayname.com
Feb 11 18:28:55 localserver smbd[4864]:   remoteserver (192.168.x.x) couldn't find service ibayname.pif
Feb 11 18:28:56 localserver smbd[4864]:   remoteserver (192.168.x.x) couldn't find service ibayname.lnk
Feb 11 18:29:00 localserver smbd[4865]:   remoteserver (192.168.x.x) couldn't find service ibaynam

IMO something is wrong on remoteserver.. it could be the AV itself (I am not a Symantec fan)

Quote
And yes I know this is totally not a issue with SME server but as there are clever cookies on here with longer experience than me I figure someone might recognise the activity.

so you should post it in "General Discussion"..

ciao
Stefano

Offline gzartman

Re: .pif .exe .cmd .lnk .bat searches on network from remote windows box
« Reply #2 on: February 12, 2009, 06:04:27 PM »
Moving to General Discussion, as it is more appropriate there.
----
Greg J. Zartman
LEI Engineering & Surveying

SME user and community member since 2000.

Offline StuC

Re: .pif .exe .cmd .lnk .bat searches on network from remote windows box
« Reply #3 on: February 12, 2009, 06:25:45 PM »
Thanks for the reply and moving this to the more suitable location.

I too think it is possibly a fault with the remote Windows box and was hoping to leave a trail if I find the actual cause.
Searching the forum didn't provide many hits (for the various MS extensions, obviously) and as this appears in an SME log, somebody may see it too.

The remote server AV is kept updated but the program version is OLD; the local admins are going to update, but my feeling is this is strange, on the "decidedly dodgy" side.

Offline Stefano

Re: .pif .exe .cmd .lnk .bat searches on network from remote windows box
« Reply #4 on: February 12, 2009, 06:36:07 PM »
Quote
The remote server AV is kept updated but the program version is OLD, the local admins are going to update but my feeling is this is strange on the "decidedly dodgy" side.

Updated virus signatures but an OLD AV engine?

Nothing is more useless, or gives a falser sense of security, than such an AV.

I would do an offline scan of remoteserver..

my 2c
ciao
Stefano

Offline StuC

Re: .pif .exe .cmd .lnk .bat searches on network from remote windows box
« Reply #5 on: February 12, 2009, 07:02:23 PM »
Tell me about it; I caused some fireworks by pointing that out too.
They were quite defensive until I sent them a vulnerability report for the AV version from years ago....

As the thing is 1100km away I'm reluctant to do too much with it; I have restricted its inbound access to our local network and will let them look when the sun comes up.

I have had one thought: dead RDP sessions are set to time out, one guy leaves here two hours before the weird activity, and I'm not sure what happens to the local network shares he has open (on the SME) when an RDP session times out. - RULED OUT (manually reset his session)

--

I have found that one RDP user had shortcuts on the remote desktop to the local server ibays that are affected. This activity must be related to that, but I'm not sure if it is normal for Windows to query a (closed) RDP user's network shortcuts for those kinds of files at some time; still looks dodgy.
« Last Edit: February 13, 2009, 02:44:54 PM by StuC »

Offline elmarconi

Re: .pif .exe .cmd .lnk .bat searches on network from remote windows box
« Reply #6 on: February 14, 2009, 06:01:47 PM »
[root@smeserver7 ~]# grep compaq /var/log/messages | sort | uniq
Feb  9 15:14:07 smeserver7 smbd[10404]:   compaqbreedbek (192.168.11.102) couldn't find service algemee
Feb  9 15:14:07 smeserver7 smbd[10404]:   compaqbreedbek (192.168.11.102) couldn't find service algemeen.bat
Feb  9 15:14:07 smeserver7 smbd[10404]:   compaqbreedbek (192.168.11.102) couldn't find service algemeen.cmd
Feb  9 15:14:07 smeserver7 smbd[10404]:   compaqbreedbek (192.168.11.102) couldn't find service algemeen.com
Feb  9 15:14:07 smeserver7 smbd[10404]:   compaqbreedbek (192.168.11.102) couldn't find service algemeen.exe
Feb  9 15:14:07 smeserver7 smbd[10404]:   compaqbreedbek (192.168.11.102) couldn't find service algemeen.lnk
Feb  9 15:14:07 smeserver7 smbd[10404]:   compaqbreedbek (192.168.11.102) couldn't find service algemeen.pif

I experience it too occasionally. Haven't had complaints from users though...

...

Offline StuC

Re: .pif .exe .cmd .lnk .bat searches on network from remote windows box
« Reply #7 on: February 14, 2009, 06:19:21 PM »
Thanks for the confirmation.
It does seem a little strange thing to do: check network shares for various files that would be high risk if they were in an email.

Can't work out if this is normal server stuff, antivirus or something odd.
I've not had any complaints; I just don't like seeing stuff I don't recognise in server logs (OK, more than the normal level of stuff I don't recognise).

Offline elmarconi

Re: .pif .exe .cmd .lnk .bat searches on network from remote windows box
« Reply #8 on: February 14, 2009, 08:02:30 PM »
http://www.linuxquestions.org/questions/linux-networking-3/logs-filling-up-with-smbdservice.cmakeconnection-couldnt-find-service-397227/

Quote
We stopped using defender - as soon as we stopped defender running it's scans, the messages stopped.

Will scan users' machines for Defender and post back...
...

Offline StuC

Re: .pif .exe .cmd .lnk .bat searches on network from remote windows box
« Reply #9 on: February 14, 2009, 08:26:14 PM »
Great find, thanks for that; 99.99% sure that's it.

The server concerned does have Windows Defender on it; I had wondered if it was related.
I don't use Defender in the UK so haven't seen it locally; I also only recently put some shortcuts on one of the RDP desktops when staff were snowed in and needed to access things from home.
My initial web searches had not come up with anything conclusive due to the varied share names and the normal multiple hits for samba exe cmd pif etc.

So to sum up: Windows Defender can leave logs that look like something is scanning ibays for Windows executables.
It doesn't need a mapped drive, just a shortcut on a user desktop, and will normally happen at scheduled scan times (early hours).
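The thread's conclusion is that a burst of smbd "couldn't find service" lines for one share name with all six of the .bat/.cmd/.com/.exe/.lnk/.pif extensions (plus the share name minus its last character), from one client within a couple of minutes, is the Defender shortcut-scan signature rather than a worm. The script below is an added example, not code from this thread or from the SME Server project: it parses lines of the format quoted above, groups them per client, and separates that benign pattern from other share lookups so the latter can still be reviewed. The sample log text, the IP addresses and the "otherhost" lines are constructed for the example; syslog lines carry no year, so a fixed leap year is assumed when parsing timestamps (only differences between timestamps are used).

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample input modelled on the smbd lines quoted in the thread.
# Addresses and the "otherhost" entries are made up for this example.
SAMPLE_LOG = """\
Feb 11 18:28:47 localserver smbd[4862]:   remoteserver (192.168.1.20) couldn't find service ibayname.bat
Feb 11 18:28:48 localserver smbd[4862]:   remoteserver (192.168.1.20) couldn't find service ibayname.cmd
Feb 11 18:28:51 localserver smbd[4863]:   remoteserver (192.168.1.20) couldn't find service ibayname.exe
Feb 11 18:28:52 localserver smbd[4863]:   remoteserver (192.168.1.20) couldn't find service ibayname.com
Feb 11 18:28:55 localserver smbd[4864]:   remoteserver (192.168.1.20) couldn't find service ibayname.pif
Feb 11 18:28:56 localserver smbd[4864]:   remoteserver (192.168.1.20) couldn't find service ibayname.lnk
Feb 11 18:29:00 localserver smbd[4865]:   remoteserver (192.168.1.20) couldn't find service ibaynam
Feb 11 20:10:03 localserver smbd[5011]:   otherhost (192.168.1.77) couldn't find service backup
Feb 11 20:10:09 localserver smbd[5011]:   otherhost (192.168.1.77) couldn't find service finance.exe
"""

# One smbd line: syslog timestamp, host, pid, client name, client IP, service name.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ smbd\[\d+\]:\s+"
    r"(?P<host>\S+) \((?P<ip>[^)]+)\) couldn't find service (?P<svc>\S+)$"
)

# The six extensions Defender's shortcut check probes for, per the thread.
PROBE_EXTS = frozenset({".bat", ".cmd", ".com", ".exe", ".lnk", ".pif"})


def parse(text):
    """Return a list of event dicts for every smbd 'couldn't find service' line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # syslog has no year; assumed leap year 2000 keeps 'Feb 29' parseable.
        ts = datetime.strptime("2000 " + m["ts"], "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "host": m["host"], "ip": m["ip"], "svc": m["svc"]})
    return events


def split_service(svc):
    """Split 'share.ext' into (share, ext) when ext is a probed extension, else (svc, '')."""
    base, dot, ext = svc.rpartition(".")
    if dot and "." + ext.lower() in PROBE_EXTS:
        return base, "." + ext.lower()
    return svc, ""


def classify(events, max_span_s=120):
    """Group events per (client name, IP) and label each group.

    'defender_probe': all six extensions seen for a share within max_span_s.
    'other': anything else, with the unmatched service names listed for review.
    """
    by_client = defaultdict(list)
    for ev in events:
        by_client[(ev["host"], ev["ip"])].append(ev)

    report = {}
    for client, evs in by_client.items():
        evs.sort(key=lambda e: e["ts"])
        exts, shares, truncated, unrelated = set(), set(), set(), set()
        for ev in evs:
            base, ext = split_service(ev["svc"])
            if ext:
                exts.add(ext)
                shares.add(base)
        for ev in evs:
            base, ext = split_service(ev["svc"])
            if ext:
                continue
            # The trailing lookup in the thread is the share name minus its last letter.
            if any(s.startswith(base) for s in shares):
                truncated.add(base)
            else:
                unrelated.add(base)
        span_s = int((evs[-1]["ts"] - evs[0]["ts"]).total_seconds())
        kind = "defender_probe" if exts == PROBE_EXTS and span_s <= max_span_s else "other"
        report[client] = {
            "kind": kind,
            "shares": sorted(shares),
            "exts": sorted(exts),
            "truncated": sorted(truncated),
            "unrelated": sorted(unrelated),
            "span_s": span_s,
        }
    return report


if __name__ == "__main__":
    for client, info in classify(parse(SAMPLE_LOG)).items():
        print(client, info)
```

Run against a real file with `classify(parse(open("/var/log/messages").read()))`; the `unrelated` list is what is left to look at once the Defender bursts are accounted for.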