Friday, March 28, 2008

FuseSMB.cache

Tuesday night I had to bring a new external server online. While checking the firewall logs I saw something interesting. There was a box on our internal network trying to ping it. So I started checking the log for just that IP address. It was pinging the whole network.

Of course it was failing since we deny pings from our users' space. But it was interesting. I was left wondering if someone's box was infected and trying to map our network and spread the disease.
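Added example, not part of the original post: one way to pull this pattern out of a firewall log is to count how many distinct hosts each source sent ICMP echo requests to. The post does not say which firewall was in use, so the iptables-style LOG line format, the addresses and the threshold below are all assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Matches SRC, DST and ICMP type in an iptables-style LOG line (assumed format).
ICMP_RE = re.compile(
    r"SRC=(?P<src>\d+\.\d+\.\d+\.\d+) DST=(?P<dst>\d+\.\d+\.\d+\.\d+)"
    r".*?PROTO=ICMP TYPE=(?P<type>\d+)"
)


def find_ping_sweepers(lines, min_targets=5):
    """Return {source: number of distinct hosts pinged} for every source
    that sent echo requests to at least min_targets different hosts."""
    targets = defaultdict(set)
    for line in lines:
        m = ICMP_RE.search(line)
        if m and m.group("type") == "8":  # type 8 = echo request
            targets[m.group("src")].add(m.group("dst"))
    return {s: len(d) for s, d in targets.items() if len(d) >= min_targets}


def sample_log():
    """Constructed log lines; every address and field value is made up."""
    fmt = ("Mar 25 21:14:{:02d} fw kernel: DENY IN=eth1 OUT=eth0 "
           "SRC={} DST={} LEN=84 TTL=63 PROTO={}")
    # One workstation walking through six different hosts: a sweep.
    lines = [fmt.format(i, "10.0.5.23", f"10.0.1.{i}",
                        "ICMP TYPE=8 CODE=0 ID=4411 SEQ=1")
             for i in range(1, 7)]
    # One workstation pinging the same server three times: not a sweep.
    lines += [fmt.format(i, "10.0.5.40", "10.0.1.10",
                         f"ICMP TYPE=8 CODE=0 ID=9 SEQ={i}")
              for i in range(10, 13)]
    # Noise that must be ignored: a TCP drop and an ICMP echo reply.
    lines.append(fmt.format(20, "10.0.5.23", "10.0.1.99", "TCP SPT=40000 DPT=445"))
    lines.append(fmt.format(21, "10.0.5.41", "10.0.1.7",
                            "ICMP TYPE=0 CODE=0 ID=1 SEQ=1"))
    return lines


if __name__ == "__main__":
    for src, count in sorted(find_ping_sweepers(sample_log()).items()):
        print(f"{src} sent echo requests to {count} distinct hosts")
```

Counting distinct destinations rather than raw packets keeps a host that repeatedly pings one server from being flagged alongside one that is walking the address range.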

So looking into it more, it turned out to be a Linux Mint box in Engineering. So I had to get a copy of Linux Mint. After several attempts, I was able to finally get a copy, and took it to work yesterday. When I ran it, it wasn't doing it.

So I had the electrical engineer run tcpdump icmp on his box (which I could have done sooner, but I wanted to see if I could replicate the traffic I was seeing). He left it running for about 2 minutes and saw that it was pinging all the boxes on the network. A quick netstat -ep showed it was something called fusesmb.cache.

Looking at it more, it's a way for Samba shares to be mounted via FUSE to the file system and replicate the function of Microsoft's Network Neighborhood. Neat little program, but I wish it didn't ping-spam the network.

EDIT*
This seems to be popular (at least it comes up in Google searches a bit, according to Sitemeter). For a quicker and cleaner answer, go to this more recent post.
