Re: Linux machine hit by ransomware
On 2025-07-09 12:26, Šarūnas Burdulis wrote:
> On 7/9/25 1:39 PM, Rick Macdonald wrote:
>> ...
>> I checked, and sure enough, smb.conf had world-writable permissions.
>> I've seen where some Kodi web pages suggest this. I've had it this
>> way for many years, but now I have made it read-only.
> In samba logs you might be able to see which hosts did what and when
> on which shares.
I had looked at the logs previously, but nothing much there other than
START messages. I bumped the debuglevel to 2 just now, and see something
strange, although I think it's OK.
It seems something is opening every file in my Media share:
[2025/07/09 13:16:23.016560, 2] ../../source3/smbd/open.c:1678(open_file)
nobody opened file Video/XXX.mkv read=No write=No (numopen=2)
[2025/07/09 13:16:23.016737, 2] ../../source3/smbd/close.c:830(close_normal_file)
nobody closed file Video/XXX.mkv (numopen=0) NT_STATUS_OK
$ psall smb
USER     PID   %CPU %MEM VSZ    RSS   TTY STAT START TIME COMMAND
root     1720  0.0  0.1  83616  22712 ?   Ss   10:18 0:00 /usr/sbin/smbd --foreground --no-process-group
root     1741  0.0  0.0  81540  9012  ?   S    10:18 0:00 /usr/sbin/smbd --foreground --no-process-group
root     1742  0.0  0.0  81556  5960  ?   S    10:18 0:00 /usr/sbin/smbd --foreground --no-process-group
nobody   37191 5.6  0.1  114132 21344 ?   S    13:02 1:01 /usr/sbin/smbd --foreground --no-process-group
I exited the Kodi instance running on my server, and it stopped.
[2025/07/09 13:23:29.193749, 2] ../../source3/smbd/smb2_service.c:933(close_cnum)
(ipv4:X.X.X.X:X) closed connection to service MySharedStuff
I wonder if this was just Kodi going nuts refreshing thumbnails trying
to scrape metadata? The media files are all defined to kodi as
smb:/x.x.x.x. The thumbnails are in ~/.kodi, and there are many updated
today.
With the debug on, playing a video from kodi does get logged, so I can
watch it for a while. Unfortunately, it doesn't log the IP of the machine.
Rick
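Two checks a responder would want after reading the above, as an added example that is not part of the thread and not Samba's own tooling: a test for the world-writable smb.conf that Rick found (any local user can then add shares or set hooks such as "root preexec" that smbd runs as root), and a parser for the debug-level-2 open_file and close_cnum lines quoted in the messages, which separates a read-only media scan such as Kodi's from a burst of write opens across many files, and pulls the client IP out of the close_cnum lines since the open_file lines carry none. The sample log text is constructed to match the quoted line shapes; the IP 192.0.2.10, the burst window and threshold, and the /etc/samba/smb.conf path are assumptions.

```python
"""Triage helpers for a Samba host suspected of being touched by ransomware.

Added example (not from the mailing-list thread, not Samba's own code).
The sample log below is constructed; 192.0.2.10 is a placeholder address.
"""
import os
import re
import stat
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# smbd debug-level-2 line shapes as quoted in the thread: a header line with
# the timestamp and source location, then the message on the following line.
HEADER_RE = re.compile(r'^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+), *(\d+)\]')
OPEN_RE = re.compile(r'^\s*(\S+) opened file (.+?) read=(Yes|No) write=(Yes|No) \(numopen=\d+\)')
CLOSE_CNUM_RE = re.compile(r'\(ipv4:([\d.]+):\d+\) closed connection to service (\S+)')


def world_writable_mode(mode):
    """True if the mode bits grant write to 'other' (the o+w that bit Rick)."""
    return bool(mode & stat.S_IWOTH)


def smb_conf_world_writable(path="/etc/samba/smb.conf"):  # default path is an assumption
    """Anyone who can edit smb.conf can add shares or root-run hooks; it should be 0644."""
    return world_writable_mode(os.stat(path).st_mode)


def parse_smbd_log(text):
    """Pair each header with the message line after it; return open and close_cnum events."""
    events, ts = [], None
    for line in text.splitlines():
        h = HEADER_RE.match(line)
        if h:
            ts = datetime.strptime(h.group(1), "%Y/%m/%d %H:%M:%S.%f")
            continue  # message is on the next line; a wrapped location line is skipped
        m = OPEN_RE.match(line)
        if m and ts is not None:
            events.append({"ts": ts, "kind": "open", "user": m.group(1),
                           "path": m.group(2), "write": m.group(4) == "Yes"})
            continue
        m = CLOSE_CNUM_RE.search(line)
        if m and ts is not None:
            events.append({"ts": ts, "kind": "close_cnum", "ip": m.group(1), "share": m.group(2)})
    return events


def opens_per_user(events):
    """How many files each smbd user identity opened (Kodi shows up as 'nobody' here)."""
    return Counter(e["user"] for e in events if e["kind"] == "open")


def write_bursts(events, window=timedelta(seconds=60), threshold=50):
    """Users who opened >= threshold distinct files for writing inside one window.
    A media scanner opens many files read-only; an encryptor writes to many quickly.
    Window and threshold are illustrative, not tuned values."""
    by_user = defaultdict(list)
    for e in events:
        if e["kind"] == "open" and e["write"]:
            by_user[e["user"]].append(e)
    flagged = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            distinct = len({e["path"] for e in evs[start:end + 1]})
            if distinct >= threshold:
                flagged[user] = max(flagged.get(user, 0), distinct)
    return flagged


def client_ips(events):
    """Client addresses per share, taken from close_cnum lines (open_file lines have none)."""
    out = defaultdict(set)
    for e in events:
        if e["kind"] == "close_cnum":
            out[e["share"]].add(e["ip"])
    return {share: sorted(ips) for share, ips in out.items()}


# Constructed sample: two read-only opens by 'nobody', five write opens by 'media'
# one second apart, then a connection close carrying the client IP.
SAMPLE_LOG = """[2025/07/09 13:16:23.016560, 2] ../../source3/smbd/open.c:1678(open_file)
  nobody opened file Video/XXX.mkv read=No write=No (numopen=2)
[2025/07/09 13:16:23.016737, 2] ../../source3/smbd/close.c:830(close_normal_file)
  nobody closed file Video/XXX.mkv (numopen=0) NT_STATUS_OK
[2025/07/09 13:16:24.100000, 2] ../../source3/smbd/open.c:1678(open_file)
  nobody opened file Video/YYY.mkv read=No write=No (numopen=1)
""" + "".join(
    f"[2025/07/09 13:20:{i:02d}.000000, 2] ../../source3/smbd/open.c:1678(open_file)\n"
    f"  media opened file Docs/file{i}.docx read=Yes write=Yes (numopen=1)\n"
    for i in range(5)
) + """[2025/07/09 13:23:29.193749, 2] ../../source3/smbd/smb2_service.c:933(close_cnum)
  (ipv4:192.0.2.10:51234) closed connection to service MySharedStuff
"""

if __name__ == "__main__":
    evs = parse_smbd_log(SAMPLE_LOG)
    print("opens per user:", dict(opens_per_user(evs)))
    print("write bursts (>=5 distinct files in 60s):", write_bursts(evs, threshold=5))
    print("client IPs per share:", client_ips(evs))
    if os.path.exists("/etc/samba/smb.conf"):
        print("smb.conf world-writable:", smb_conf_world_writable())
```

Run it against a real log with `parse_smbd_log(open("/var/log/samba/log.smbd").read())`; with "log level = 2" the open_file lines appear as in the thread, and raising the threshold to something like 50 files in 60 seconds keeps a Kodi library refresh (all read=No write=No) from being flagged while a mass rewrite of a share still is.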