wine/teamviewer trying to connect to remote ports 139, 445

palloy
Level 2
Posts: 19
Joined: Sun Jan 29, 2012 8:56 pm

Post by palloy »

Ubuntu 13.04
I run "teamviewer" remote desktop server, which runs under wine, limited to LAN connections only.
Yesterday netstat started showing some low bandwidth uploading going on which I couldn't account for.
netstat -anp | grep tcp > netstat.txt
produces the output [notes added]:
=======
tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:2605 0.0.0.0:* LISTEN - [bitmeter server]
tcp 0 0 0.0.0.0:5938 0.0.0.0:* LISTEN 2191/wineserver [teamviewer]
tcp 0 0 127.0.0.1:5940 0.0.0.0:* LISTEN 2191/wineserver [teamviewer]
tcp 0 0 127.0.1.1:53 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN -
tcp 0 1 192.168.0.4:39475 94.251.156.59:445 SYN_SENT 3051/wineserver
tcp 0 1 192.168.0.4:55910 210.48.53.237:139 SYN_SENT 3051/wineserver
tcp 0 1 192.168.0.4:50536 131.24.79.14:445 SYN_SENT 3051/wineserver
tcp 0 1 192.168.0.4:47361 94.251.156.51:445 SYN_SENT 3051/wineserver
tcp 0 1 192.168.0.4:37156 131.24.79.9:445 SYN_SENT 3051/wineserver
tcp 0 1 192.168.0.4:46299 103.120.55.239:139 SYN_SENT 3051/wineserver
tcp 0 1 192.168.0.4:35818 69.122.245.16:445 SYN_SENT 3051/wineserver
tcp 0 1 192.168.0.4:42989 131.24.79.58:445 SYN_SENT 3051/wineserver
tcp 0 1 192.168.0.4:34860 35.184.13.94:445 SYN_SENT 3051/wineserver
tcp 0 1 192.168.0.4:41916 69.122.245.46:445 SYN_SENT 3051/wineserver
tcp 0 1 192.168.0.4:51288 177.184.128.44:445 SYN_SENT 3051/wineserver
tcp 0 1 192.168.0.4:49435 3.240.229.39:139 SYN_SENT 3051/wineserver
tcp 0 1 192.168.0.4:37982 103.120.55.211:139 SYN_SENT 3051/wineserver

[... 600 more in here ...]

tcp 0 1 192.168.0.4:52240 69.122.245.54:445 SYN_SENT 3051/wineserver
tcp 0 1 192.168.0.4:40801 3.240.229.50:139 SYN_SENT 3051/wineserver
tcp 0 1 192.168.0.4:53893 35.184.13.68:445 SYN_SENT 3051/wineserver
tcp 0 1 192.168.0.4:54711 131.24.79.46:445 SYN_SENT 3051/wineserver
tcp 0 1 192.168.0.4:39351 210.48.53.226:139 SYN_SENT 3051/wineserver
tcp 0 1 192.168.0.4:57954 35.184.13.112:445 SYN_SENT 3051/wineserver
tcp 0 1 192.168.0.4:55986 69.122.245.25:445 SYN_SENT 3051/wineserver
tcp 0 1 192.168.0.4:39650 103.120.55.242:139 SYN_SENT 3051/wineserver
tcp 0 1 192.168.0.4:58005 69.122.245.14:445 SYN_SENT 3051/wineserver
tcp 0 1 192.168.0.4:51357 177.184.128.3:445 SYN_SENT 3051/wineserver
tcp 0 1 192.168.0.4:48278 177.184.128.20:445 SYN_SENT 3051/wineserver
tcp 0 1 192.168.0.4:60777 35.184.13.66:445 SYN_SENT 3051/wineserver
tcp 0 1 192.168.0.4:49044 3.240.229.10:139 SYN_SENT 3051/wineserver
tcp 0 1 192.168.0.4:55619 177.184.128.62:445 SYN_SENT 3051/wineserver
tcp 0 1 192.168.0.4:39635 184.37.153.9:445 SYN_SENT 3051/wineserver
tcp 0 1 192.168.0.4:49281 94.251.156.36:445 SYN_SENT 3051/wineserver
tcp 0 1 192.168.0.4:55242 69.122.245.52:445 SYN_SENT 3051/wineserver
tcp 0 1 192.168.0.4:56160 35.184.13.101:445 SYN_SENT 3051/wineserver
tcp 0 1 192.168.0.4:55041 19.59.43.199:139 SYN_SENT 3051/wineserver
tcp 0 1 192.168.0.4:37887 3.240.229.2:139 SYN_SENT 3051/wineserver
tcp 0 1 192.168.0.4:57112 131.24.79.1:445 SYN_SENT 3051/wineserver
tcp6 0 0 :::139 :::* LISTEN -
tcp6 0 0 ::1:631 :::* LISTEN -
tcp6 0 0 :::445 :::* LISTEN -
======

I don't recognise any of the IPs, or know why wine/teamviewer should be trying to contact them on those ports.

When I uninstall teamviewer and send "kill" to wineserver, the traffic stops.
Can anyone explain what's going on?

Re: wine/teamviewer trying to connect to remote ports 139, 4

Post by palloy »

In fact it's not to do with teamviewer - it happens with anything running under wine - ArcView and Paint Shop Pro.

Re: wine/teamviewer trying to connect to remote ports 139, 4

Post by palloy »

snapshot3.png
This is a snapshot of Ubuntu SC's history (attached)

Re: wine/teamviewer trying to connect to remote ports 139, 4

Post by palloy »

This is an attempt to re-phrase the problem.

Ubuntu 13.04 + ppa.launchpad.net/ubuntu-wine/ppa/ubuntu raring main

Since updates to wine on 15 Sept (see previous post) whenever wineserver is running, it is sending SYNs to lots of remote IPs on ports 139 and 445.

http://www.davekimble.org.au/problem.wineserver.txt
This is the output of

sudo netstat -anp | grep tcp
done before, during and after wineserver is launched to run Paint Shop Pro v5. It doesn't matter what .exe is running or if none is. It only stops when I kill wineserver.

If this was a Windows box I would definitely say it was a virus, trying to find remote network folders that it might be able to attack.

Can anyone help me - I can't leave wine apps running like this.
dimesio
Moderator
Posts: 13215
Joined: Tue Mar 25, 2008 10:30 pm

Re: wine/teamviewer trying to connect to remote ports 139, 4

Post by dimesio »

palloy wrote: If this was a Windows box I would definitely say it was a virus, trying to find remote network folders that it might be able to attack.

http://wiki.winehq.org/FAQ#head-3cb8f05 ... 4e305a0459

Re: wine trying to connect to remote ports 139, 445 CLOSED

Post by palloy »

On advice to try removing /.wine/, it rebuilt itself, without the old apps of course, but installing apps again failed as it claimed all my setup files were corrupt, wine disappeared from the top level main menu, and USC claims wine and winetricks are not installed. In other words it was totally trashed.

Re: wine/teamviewer trying to connect to remote ports 139, 4

Post by dimesio »

Run a virus check on your home directory and any other directory your user has write access to. If you ever ran Wine as root/sudo (you shouldn't), run it on your whole system.

Re: wine/teamviewer trying to connect to remote ports 139, 4

Post by palloy »

It was W32:Tenga (Avast) and it escaped from Wine via port 139 to all the Windows boxes on my LAN, and trashed them all. Avast could only find it with an off-line deep rootkit scan. This marks THE END of my use of Windows.
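
One way to triage output like the netstat listing in the first post, as an added example that is not part of the original thread: it groups half-open (SYN_SENT) connections to ports 139 and 445 by owning process and reports any process reaching many distinct non-LAN hosts. The sample lines are constructed with documentation addresses, and the function names, the LAN ranges and the threshold of 5 are assumptions.

```python
import ipaddress
from collections import defaultdict

SMB_PORTS = {139, 445}  # NetBIOS session service, SMB over TCP
# Assumption: anything outside these ranges is "not my LAN".
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample in `netstat -anp | grep tcp` layout; peers are documentation addresses.
SAMPLE = """\
tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:5938 0.0.0.0:* LISTEN 2191/wineserver
tcp 0 1 192.168.0.4:39475 198.51.100.59:445 SYN_SENT 3051/wineserver
tcp 0 1 192.168.0.4:55910 203.0.113.237:139 SYN_SENT 3051/wineserver
tcp 0 1 192.168.0.4:50536 198.51.100.14:445 SYN_SENT 3051/wineserver
tcp 0 1 192.168.0.4:37156 198.51.100.9:445 SYN_SENT 3051/wineserver
tcp 0 1 192.168.0.4:46299 203.0.113.16:139 SYN_SENT 3051/wineserver
tcp 0 1 192.168.0.4:35818 203.0.113.46:445 SYN_SENT 3051/wineserver
tcp 0 1 192.168.0.4:41000 192.168.0.10:445 SYN_SENT 4100/smbclient
tcp 0 0 192.168.0.4:41002 198.51.100.80:443 ESTABLISHED 4200/firefox
tcp6 0 0 :::445 :::* LISTEN -
"""

def is_external(addr):
    """True for an IPv4 peer outside LOCAL_NETS (IPv6 peers are not scored)."""
    ip = ipaddress.ip_address(addr)
    return ip.version == 4 and not any(ip in net for net in LOCAL_NETS)

def smb_fanout(netstat_text, threshold=5):
    """Map 'PID/program' -> sorted external peers, for processes with at least
    `threshold` distinct external hosts in SYN_SENT on ports 139/445."""
    peers = defaultdict(set)
    for line in netstat_text.splitlines():
        f = line.split(None, 6)  # program names may contain spaces
        if len(f) < 7 or not f[0].startswith("tcp") or f[5] != "SYN_SENT":
            continue
        host, _, port = f[4].rpartition(":")  # rpartition copes with tcp6 ':::139'
        if not port.isdigit() or int(port) not in SMB_PORTS:
            continue
        try:
            if is_external(host):
                peers[f[6].strip()].add(host)
        except ValueError:  # unparsable address field
            continue
    return {p: sorted(h) for p, h in peers.items() if len(h) >= threshold}

if __name__ == "__main__":
    for proc, hosts in smb_fanout(SAMPLE).items():
        print(f"{proc}: {len(hosts)} external hosts on 139/445 -> {', '.join(hosts)}")
```

Run netstat as root when collecting input for it; without root the PID/program column shows `-` for sockets owned by other users, so the grouping loses the process name.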