Possible security problem?

Nmbd is part of the samba PC file sharing suite. If you don't need samba, turn off "Windows Sharing" in the Sharing System Preferences pane. If you need samba, but want to restrict its activities, read up on the configuration options in the man page for smb.conf.

Reply to
Tom Stiller

Sorry, I slipped right by the comment on samba. One question is: why is nmbd running at all? It isn't running on my machine.

Reply to
Tom Stiller

They are to Windows worms and trojans. There are or were Windows malware that would run on a Mac providing you were running Microsoft programs. I'd be a bit concerned and scan the first twenty google pages for clues. Ignore the "Windows only" stuff if Microsoft is anywhere on your system. Especially if you're using Samba. I forget if you said you were. does mention msinit in a couple of places. And the daemon you say fires up is a Samba daemon. The good news, if you have a problem, is that it won't affect your Mac. But it may spew zombie crap to Windows machines if it's working. I'll be interested in the outcome. Please keep us posted. My worst conjecture is that you may have an infected Samba server that may be functional. I doubt it's that bad. And I don't remember whether you are using samba :-) But it sounds like msinit is firing it up.

leo

Reply to
Leonard Blaisdell

Could it be responding to automated Windows worm connection attempts?

Jim

Reply to
Jim

Fair enough, it was just a thought. If your router isn't set to pass the usual Windows ports (135-139,445) then it won't be that. Heck, it might not even be that if you *were* passing those ports..! It was just a guess.

Jim

Reply to
Jim

A geeky thing to try would be to run netcat to listen on whatever port it's trying to connect to, then edit your hosts file to point the host it's trying to connect to to 127.0.0.1. You can then see what it sends :)

alex

Reply to
Alex

The Console application is an excellent tool for selecting and examining log files. You might see if there are any entries in the samba log or if you can find the launch of nmbd in one of the system logs. Other than that I have no idea where to look.

I do know that my router is bombarded with connection attempts to ports 1026 and 1027 (I think those are associated with Windows networking) which I attribute to zombies looking for a host to infect.

Reply to
Tom Stiller

You can check IP addresses at .

Reply to
Hans Aberg

If you are running OS X, see if your system has the command lsof. If so, read the man page and use it to see what file(s) are associated with the attempt to make the UDP contact.

lsof is available on Linux, but I am too lazy to go to my wife's G5 and check for you.

jim b.

Reply to
James D. Beard

I am running a Mac G5 with 10.3.9 and have just discovered that at regular but intermittent intervals, several times an hour, the process nmbd attempts to make a UDP contact with a wide variety of addresses mostly US based, but some European, on various ports ranging from 135 to 62253.

I run Firewalk X2 but have not worried in the past about what apps and processes were getting out, just incoming, but turned logging on the other day and discovered this consistent communication. I have blocked nmbd for the moment, with no apparent ill effects, but I am very curious as to the reason behind it. I don't see how I could have been hacked, but it does look suspicious.

This occurs regardless of the apps running at the time, even after rebooting and with nothing aside from system services started. I do have Virtual PC on the system, but even with it not started, or after killing it from the Activity Monitor, there is no difference to the activity. Samba is not running.

Can anybody shed some light on this? Google doesn't seem to offer much in the way of explanation.

Regards

Tony

Reply to
Tony Cameron

Hi Tom

That is why I mentioned that Samba is not a part of the equation.

Even so, if it was enabled why would nmbd be sending packets all over the world? That is what has me intrigued.

Regards

Tony

Reply to
J. David Anderson

I am curious about this also. I have "Little Snitch" running on my iBook and it keeps telling me that nmbd wants to contact addresses all over the place. I have asked a few people but no one seems to really be sure what is happening. I don't have any local network but I just checked and Windows sharing was turned on, but it isn't really necessary so I have turned it off. I will wait to see if nmbd still wants to chat to everyone.

Hah, as I was typing that, the Little Snitch window popped up saying that nmbd wanted permission to talk to 59.113.15.201 on port 1026.

It is always a different address that it wants to go to and often with a different port. Why would that be? I travel a lot for my job, and it doesn't seem to matter what country I am in, it mostly wants to go to an American address or sometimes Soviet/Polish address. It has been doing it for many months.

Perhaps I need to reboot after making the windows sharing change before it takes effect? I have some familiarity with my computer and OSX but I am far from expert, so I often puzzle about things. I learned to use Unix (a little) in University, just enough to earn some credit for my degree. I should have studied harder, because I quite enjoy it.

I was just about to send when Little Snitch popped up with a new request, copied below.

The application "nmbd" wants to connect to adsl190.231.axelero.hu on UDP port 1027 (exosee)

My network utility says that this address is in Hungary.

I am really, really curious. Is someone trying to use my computer illegally?

V.

Reply to
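The alerts V. quotes have a fixed wording, so they can be tallied rather than read one pop-up at a time. The following is an added example, not code from the thread or from Little Snitch; the alert lines are constructed in that wording, and the port classes follow the services the thread mentions (135-139/445, 137/138, 1026/1027).

```python
import re
from collections import Counter

# Constructed alert lines in the wording Little Snitch uses in the thread;
# these are not captured from a real machine.
SAMPLE_ALERTS = [
    'The application "nmbd" wants to connect to 59.113.15.201 on UDP port 1026',
    'The application "nmbd" wants to connect to adsl190.231.axelero.hu on UDP port 1027 (exosee)',
    'The application "nmbd" wants to connect to 203.0.113.7 on UDP port 137 (netbios-ns)',
    'The application "nmbd" wants to connect to 198.51.100.23 on UDP port 62253',
    'The application "Safari" wants to connect to www.example.com on TCP port 443 (https)',
]

ALERT_RE = re.compile(
    r'The application "(?P<app>[^"]+)" wants to connect to (?P<host>\S+) '
    r'on (?P<proto>UDP|TCP) port (?P<port>\d+)'
)

def classify_port(port: int) -> str:
    """Bucket a destination port by the services discussed in the thread."""
    if port in (137, 138):
        return "netbios-ns/dgm"      # nmbd's own name and datagram ports
    if 135 <= port <= 139 or port == 445:
        return "windows-networking"  # the range Jim lists
    if port in (1026, 1027):
        return "messenger-service"   # the ports NormanM sees flooded with UDP
    return "other"

def parse_alert(line: str):
    """Return the fields of one alert line, or None if it does not match."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    return {"app": m["app"], "host": m["host"],
            "proto": m["proto"], "port": int(m["port"])}

def summarize(lines, app: str = "nmbd") -> dict:
    """Count where one application tried to go, by port class, so that a run
    of packets to 1026/1027 stands out from ordinary NetBIOS traffic."""
    events = [e for e in map(parse_alert, lines) if e and e["app"] == app]
    return {
        "events": len(events),
        "distinct_hosts": len({e["host"] for e in events}),
        "by_class": dict(Counter(classify_port(e["port"]) for e in events)),
        "udp_only": all(e["proto"] == "UDP" for e in events),
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_ALERTS))
```

Pasting real alert text into SAMPLE_ALERTS (or reading it from a file) gives the same summary for an actual machine.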

How would the worm be accessing my computer? I have a firewall and it is an Apple Macintosh iBook, not a windows system. In order for it to respond, the worm would have to pass a firewall with no ports but the bare minimum open. My firewall log doesn't seem to have refused anything within the same time periods as the nmbd attempts to get out. If anything, it would have to be a sneaky program that is hidden on my computer and trying regularly to do something. None of the addresses that it is trying to reach are in my address book, so I can't make sense of it.

The only software that I have put on my computer that isn't commercial are some puzzle and card games and I always scan them with Virex before installing them. Oh, and I have some different language dictionaries also, but they were virus/trojan checked by Virex before mounting.

This is the first time that I have seen anyone else make comment about the problem although the fellow in the Apple Computer store in Lyons said he had heard of other people with the same problem. He thought that it might be something that Microsoft was doing sneakily, but I don't think so.

V.

Reply to

I rather suspect "messenger spam". All the packets I see destined for those ports are UDP packets. Unless the zombie is small enough to be contained in a single UDP packet. The Windows Messenger Service (not to be confused with Windows Messenger, the IM) works with UDP packets.

Reply to
NormanM

My money is on, "Yes". UDP to port 1026; and my router logs are filled with incoming UDP packets to port 1026. I have always suspected Windows Messenger Service spam. Can you find a way to examine those packets? Are there Mac packet sniffers?

Reply to
NormanM

This is what is so intriguing Tom. I am not at all expert but I am trying to learn. I have purchased several books on OSX and Unix and am struggling a bit, but getting more experienced. I have booted the system in verbose mode, looked at the start-up sequence and don't see nmbd starting, but a few minutes later it is running. I look at it in the activity monitor and it says that the parent process is msinit but I can't FIND msinit. It isn't running. It is as though I have a hidden program that is mimicking another application or somehow fooling the OS, or at least fooling the Activity Monitor. The only google references to msinit are to windows exe files and they certainly wouldn't be running on a Mac. VPC wasn't running so they wouldn't be running there either.

I need to learn a lot more.

Judging by the way the addresses that it attempts to contact resolve, it has to be something nefarious. I have done a port scan and I only have three ports open, time server and dns etc. I have verbose logging on and have checked very carefully, but nothing untoward has attempted to gain access. I had thought that something was triggering nmbd but nothing seems to be. I have searched my hard drive with some of the addresses that it has tried to reach - a very very slow process, but nothing came up. I am lost. I don't know what is starting it, and I don't know where it is being fed addresses from, and I don't know its purpose. I have allowed it to send packets out a couple of times, wondering if I would log some response to it, but nothing seems to happen. I certainly don't get responses logged from any of the addresses it seeks out. I have scanned the addresses and ports that it tries to reach using the network utility and those ports are usually open.

I feel that whatever it is, it probably came as a result of Virtual PC. When I first installed Virtual PC, it was turning the Firewall off, a problem noted in several MS virtual PC discussion areas. I would try to start the firewall manually and it would put a message up that another firewall was running and then shut down. When I became aware of the problem, I disabled VPC's networking and it stopped turning the firewall off, but maybe something got into the system before I did something about it.

I have possibly been too confident that Macs and OSX are not at risk from trojans and viruses the way PCs are. An ex boyfriend always told me that Macs didn't have to worry about these things. It would not have been the only thing that he was wrong about. ;)

V.

Reply to

The standard configuration for the osx firewall doesn't do anything with udp. Is that the firewall you have in mind? You can add rules to block udp if you want to but it doesn't happen automatically.

If nmbd is listening on a udp port and some client talks to it, it will talk back. This is normal behavior and has nothing to do with worms.

As for why nmbd is running, one possibility, as you suggest, is VPC. Even if VPC itself isn't running, it's very possible that some startup or login item associated with VPC is starting background processes, possibly including nmbd. This is not unusual or anything to worry about. For example, processes that are part of iTunes and iCal typically start at login time. I haven't had VPC installed for years, so I don't know whether or not it runs anything at boot time or login time. You might want to check. Look at personal login items, as well as system startup items and (in 10.4) launchd items.

Is this network activity dangerous? Probably not. For efficiency reasons you should try to keep nmbd from running if you don't need it, but I doubt your machine is at risk.

Reply to
D P Schreber
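Schreber's point that nmbd simply answers whoever sends it a name-service request can be made concrete by decoding what arrives on UDP port 137. This is an added example, not code from the thread or from Samba: it parses a NetBIOS name-service question (the RFC 1002 header plus a first-level-encoded name) and records that the answer is addressed to the datagram's source, whatever port that was. The two datagrams and the src tuples are constructed.

```python
import struct

QTYPES = {0x20: "NB (name query)", 0x21: "NBSTAT (node status)"}

def decode_name(encoded: bytes):
    """Undo RFC 1001 first-level encoding: every byte of the 16-byte NetBIOS
    name was split into two nibbles, each written as chr(nibble + ord('A'))."""
    if len(encoded) != 32 or any(c < 0x41 or c > 0x50 for c in encoded):
        raise ValueError("not a first-level encoded NetBIOS name")
    raw = bytes(((hi - 0x41) << 4) | (lo - 0x41)
                for hi, lo in zip(encoded[::2], encoded[1::2]))
    # Byte 16 is the name suffix; names are space-padded, the "*" wildcard NUL-padded.
    return raw[:15].rstrip(b" \x00").decode("ascii"), raw[15]

def decode_request(datagram: bytes, src: tuple) -> dict:
    """Parse one name-service datagram received on UDP port 137 and record
    where an answer would go: src is the (address, port) it came from."""
    if len(datagram) < 50:
        raise ValueError("too short for a name-service question")
    tid, flags, qdcount, _an, _ns, _ar = struct.unpack(">6H", datagram[:12])
    if qdcount != 1 or datagram[12] != 32 or datagram[45] != 0:
        raise ValueError("malformed question section")
    name, suffix = decode_name(datagram[13:45])
    qtype, _qclass = struct.unpack(">HH", datagram[46:50])
    return {
        "transaction_id": tid,
        "is_response": bool(flags & 0x8000),
        "opcode": (flags >> 11) & 0xF,   # 0 = query
        "broadcast": bool(flags & 0x0010),
        "name": name,
        "suffix": suffix,
        "qtype": QTYPES.get(qtype, hex(qtype)),
        "wildcard": name == "*",
        "reply_to": src,                 # the sender, on whatever port it used
    }

# Constructed datagrams (not captured traffic): the wildcard node-status
# request that "nmblookup -A" sends, and a name query for MYHOST<20>.
WILDCARD_NBSTAT = (b"\x12\x34\x00\x00\x00\x01" + b"\x00" * 6
                   + b"\x20" + b"CK" + b"AA" * 15 + b"\x00" + b"\x00\x21\x00\x01")
MYHOST_QUERY = (b"\xab\xcd\x01\x10\x00\x01" + b"\x00" * 6
                + b"\x20" + b"ENFJEIEPFDFE" + b"CA" * 10 + b"\x00" + b"\x00\x20\x00\x01")

if __name__ == "__main__":
    print(decode_request(WILDCARD_NBSTAT, ("59.113.15.201", 1026)))
```

A wildcard NBSTAT question arriving from port 1026 is answered to port 1026, which is exactly what an outbound-connection monitor then reports as nmbd "wanting" to talk to that address.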

Be sure to read this one:

formatting link

Reply to
Peter Boosten

Ethereal -

formatting link
Works under most UNIXes (including OS X) and Windows.

alex

Reply to
Alex

Hi,

Well if you see a strange command connecting to net, try running Terminal, type "man (command name)" , e.g.

cable25-100:/etc ilgaz$ man nmbd

NAME
       nmbd - NetBIOS name server to provide NetBIOS over IP naming services to clients

(snip arguments part)

DESCRIPTION
       This program is part of the samba(7) suite.

       nmbd is a server that understands and can reply to NetBIOS over IP name service requests, like those produced by SMB/CIFS clients such as Windows 95/98/ME, Windows NT, Windows 2000, Windows XP and LanManager clients. It also participates in the browsing protocols which make up the Windows "Network Neighborhood" view.

Have a nice day

Ilgaz

Reply to
Ilgaz Ocal
