Date:      Tue, 13 Mar 2001 00:48:13 +0200
From:      Alex Popa <razor@ldc.ro>
To:        freebsd-security@freebsd.org
Cc:        freebsd-stable@freebsd.org
Subject:   4.3-BETA, sshd.core found in root directory.
Message-ID:  <20010313004813.A78221@ldc.ro>

I am not really sure what this means (could mean a lot of things, 
including bad memory on my machine), but here are the facts:

The system was cvsupped and compiled on March 10th.

$ uname -a
FreeBSD ns.ldc.ro 4.3-BETA FreeBSD 4.3-BETA #0: Sat Mar 10 15:16:38 EET 2001     root@ns.ldc.ro:/usr/src/sys/compile/NS  i386

$ ls -l /sshd.core
-rw-------  1 root  wheel  507904 Mar 12 16:40 /sshd.core
$ ls -l /usr/sbin/sshd
-r-xr-xr-x  1 root  wheel  196532 Mar 10 16:07 /usr/sbin/sshd

# gdb /usr/sbin/sshd /sshd.core
GNU gdb 4.18
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-unknown-freebsd"...
(no debugging symbols found)...
Core was generated by `sshd'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /usr/lib/libopie.so.2...(no debugging symbols found)...
done.
Reading symbols from /usr/lib/libmd.so.2...(no debugging symbols found)...done.
Reading symbols from /usr/lib/libcrypt.so.2...(no debugging symbols found)...
done.
Reading symbols from /usr/lib/libcrypto.so.2...(no debugging symbols found)...
done.
Reading symbols from /usr/lib/libutil.so.3...(no debugging symbols found)...
done.
Reading symbols from /usr/lib/libz.so.2...(no debugging symbols found)...done.
Reading symbols from /usr/lib/libwrap.so.3...(no debugging symbols found)...
done.
Reading symbols from /usr/lib/libpam.so.1...(no debugging symbols found)...
done.
---Type <return> to continue, or q <return> to quit---
Reading symbols from /usr/lib/libc.so.4...(no debugging symbols found)...done.
Reading symbols from /usr/libexec/ld-elf.so.1...(no debugging symbols found)...
done.
#0  0x281741c8 in login_getpwclass () from /usr/lib/libutil.so.3
(gdb) bt
#0  0x281741c8 in login_getpwclass () from /usr/lib/libutil.so.3
#1  0x80532e8 in getsockname ()
#2  0x805a9ef in getsockname ()
#3  0x8052fd0 in getsockname ()
#4  0x804d81d in getsockname ()
#5  0x804be95 in getsockname ()
(gdb)

$ ident /usr/sbin/sshd

/usr/sbin/sshd:
     $OpenBSD: sshd.c,v 1.132 2000/10/13 18:34:46 markus Exp $
     $FreeBSD: src/crypto/openssh/sshd.c,v 1.6.2.7 2001/03/04 15:13:08 markm Exp $
     $OpenBSD: auth-rhosts.c,v 1.16 2000/10/03 18:03:03 markus Exp $
     $OpenBSD: auth-passwd.c,v 1.18 2000/10/03 18:03:03 markus Exp $
     $FreeBSD: src/crypto/openssh/auth-passwd.c,v 1.2.2.4 2001/03/04 15:13:08 markm Exp $
     $OpenBSD: auth-rsa.c,v 1.32 2000/10/14 12:19:45 markus Exp $
     $FreeBSD: src/crypto/openssh/auth-rsa.c,v 1.2.2.3 2001/01/12 04:25:55 green Exp $
     $OpenBSD: auth-rh-rsa.c,v 1.17 2000/10/03 18:03:03 markus Exp $
     $FreeBSD: src/crypto/openssh/auth-rh-rsa.c,v 1.1.1.1.2.3 2001/01/12 04:25:55 green Exp $
     $OpenBSD: pty.c,v 1.16 2000/09/07 21:13:37 markus Exp $
     $FreeBSD: src/crypto/openssh/pty.c,v 1.2.2.2 2000/10/28 23:00:49 kris Exp $
     $OpenBSD: log-server.c,v 1.17 2000/09/12 20:53:10 markus Exp $
     $OpenBSD: login.c,v 1.15 2000/09/07 20:27:52 deraadt Exp $
     $FreeBSD: src/crypto/openssh/login.c,v 1.3.2.2 2000/10/28 23:00:48 kris Exp $
     $OpenBSD: servconf.c,v 1.53 2000/10/14 12:12:09 markus Exp $
     $FreeBSD: src/crypto/openssh/servconf.c,v 1.3.2.10 2001/03/04 15:13:08 markm Exp $
     $OpenBSD: serverloop.c,v 1.34 2000/10/27 07:32:18 markus Exp $
     $OpenBSD: auth.c,v 1.11 2000/10/11 20:27:23 markus Exp $
     $FreeBSD: src/crypto/openssh/auth.c,v 1.3.2.3 2001/01/12 04:25:55 green Exp $
     $OpenBSD: auth1.c,v 1.6 2000/10/11 20:27:23 markus Exp $
     $FreeBSD: src/crypto/openssh/auth1.c,v 1.3.2.5 2001/03/04 15:13:08 markm Exp $
     $OpenBSD: auth2.c,v 1.20 2000/10/14 12:16:56 markus Exp $
     $FreeBSD: src/crypto/openssh/auth2.c,v 1.2.2.5 2001/03/04 15:13:08 markm Exp $
     $OpenBSD: auth-options.c,v 1.5 2000/10/09 21:32:34 markus Exp $
     $OpenBSD: session.c,v 1.42 2000/10/27 07:32:18 markus Exp $
     $FreeBSD: src/crypto/openssh/session.c,v 1.4.2.7 2001/02/04 20:21:06 green Exp $
     $OpenBSD: dh.c,v 1.2 2000/10/11 20:11:35 markus Exp $
     $FreeBSD: src/crypto/openssh/auth-pam.c,v 1.2.2.1 2001/01/12 04:25:54 green Exp $
     $FreeBSD: src/crypto/openssh/auth2-skey.c,v 1.2.2.1 2001/01/12 04:25:55 green Exp $
     $OpenBSD: auth2-skey.c,v 1.1 2000/10/11 20:14:38 markus Exp $
     $OpenBSD: auth-skey.c,v 1.9 2000/10/19 16:41:13 deraadt Exp $
     $FreeBSD: src/crypto/openssh/auth-skey.c,v 1.1.1.1.2.4 2001/01/12 04:25:55 green Exp $
     $OpenBSD: kex.c,v 1.12 2000/10/11 20:27:23 markus Exp $
     $OpenBSD: dispatch.c,v 1.5 2000/09/21 11:25:34 markus Exp $
     $OpenBSD: ttymodes.c,v 1.8 2000/09/07 20:27:55 deraadt Exp $
     $OpenBSD: tildexpand.c,v 1.8 2000/09/07 20:27:55 deraadt Exp $
     $OpenBSD: rsa.c,v 1.16 2000/09/07 20:27:53 deraadt Exp $
     $FreeBSD: src/crypto/openssh/rsa.c,v 1.1.1.1.2.6 2001/02/12 06:45:42 kris Exp $
     $OpenBSD: readpass.c,v 1.12 2000/10/11 20:14:39 markus Exp $
     $OpenBSD: mpaux.c,v 1.14 2000/09/07 20:27:52 deraadt Exp $
     $FreeBSD: src/crypto/openssh/mpaux.c,v 1.2.2.2 2000/10/28 23:00:48 kris Exp $
     $OpenBSD: hostfile.c,v 1.20 2000/09/07 20:27:51 deraadt Exp $
     $FreeBSD: src/crypto/openssh/hostfile.c,v 1.1.1.1.2.2 2000/10/28 23:00:48 kris Exp $
     $OpenBSD: authfile.c,v 1.20 2000/10/11 20:27:23 markus Exp $
     $FreeBSD: src/crypto/openssh/authfile.c,v 1.2.2.3 2001/01/12 04:25:55 green Exp $
     $OpenBSD: cli.c,v 1.2 2000/10/16 09:38:44 djm Exp $
     $OpenBSD: match.c,v 1.9 2000/09/07 20:27:52 deraadt Exp $
     $OpenBSD: dsa.c,v 1.11 2000/09/07 20:27:51 deraadt Exp $
     $OpenBSD: xmalloc.c,v 1.8 2000/09/07 20:27:55 deraadt Exp $
     $OpenBSD: packet.c,v 1.38 2000/10/12 14:21:12 markus Exp $
     $OpenBSD: hmac.c,v 1.4 2000/09/07 20:27:51 deraadt Exp $
     $OpenBSD: crc32.c,v 1.7 2000/09/07 20:27:51 deraadt Exp $
     $OpenBSD: compress.c,v 1.9 2000/09/07 20:27:50 deraadt Exp $
     $OpenBSD: cipher.c,v 1.37 2000/10/23 19:31:54 markus Exp $
     $FreeBSD: src/crypto/openssh/cipher.c,v 1.2.2.3 2001/01/12 04:25:56 green Exp $
     $OpenBSD: nchan.c,v 1.19 2000/09/07 20:27:52 deraadt Exp $
     $OpenBSD: channels.c,v 1.72 2000/10/27 07:48:22 markus Exp $
     $OpenBSD: canohost.c,v 1.16 2000/10/21 17:04:22 markus Exp $
     $FreeBSD: src/crypto/openssh/canohost.c,v 1.1.1.1.2.4 2001/01/12 04:25:56 green Exp $
     $OpenBSD: authfd.c,v 1.29 2000/10/09 21:51:00 markus Exp $
     $FreeBSD: src/crypto/openssh/authfd.c,v 1.2.2.4 2001/01/12 04:25:55 green Exp $
     $OpenBSD: util.c,v 1.6 2000/10/27 07:32:19 markus Exp $
     $OpenBSD: key.c,v 1.11 2000/09/07 20:27:51 deraadt Exp $
     $FreeBSD: src/crypto/openssh/key.c,v 1.4.2.2 2000/10/28 23:00:48 kris Exp $
     $OpenBSD: atomicio.c,v 1.7 2000/10/18 18:04:02 markus Exp $
     $OpenBSD: uidswap.c,v 1.9 2000/09/07 20:27:55 deraadt Exp $
     $FreeBSD: src/crypto/openssh/compat.c,v 1.1.1.1.2.3 2001/01/12 04:25:56 green Exp $
     $OpenBSD: compat.c,v 1.27 2000/10/31 09:31:58 markus Exp $
     $OpenBSD: bufaux.c,v 1.13 2000/09/07 20:27:50 deraadt Exp $
     $FreeBSD: src/crypto/openssh/bufaux.c,v 1.2.2.2 2000/10/28 23:00:47 kris Exp $
     $OpenBSD: uuencode.c,v 1.7 2000/09/07 20:27:55 deraadt Exp $
     $OpenBSD: buffer.c,v 1.8 2000/09/07 20:27:50 deraadt Exp $
     $OpenBSD: log.c,v 1.11 2000/09/30 16:27:43 markus Exp $

/var/log/all.log has this on the incident:

Mar 12 16:40:01 ns sshd[76406]: input_userauth_request: illegal user hodo
Mar 12 16:40:03 ns /kernel: pid 76406 (sshd), uid 0: exited on signal 11 (core dumped)
Mar 12 16:40:03 ns /kernel: Mar 12 16:40:03 ns /kernel: pid 76406 (sshd), uid 0: exited on signal 11 (core dumped)

From the output of "strings /sshd.core" I can see the server was doing
some pretty normal activity, like rejecting a user I know, that had an
account on another machine, but not this one.

If there is more information needed, I will try to provide it.

Thank you for listening and not panicking.

------------+------------------------------------------
Alex Popa,  |  "Artificial Intelligence is
razor@ldc.ro|         no match for Natural Stupidity"
------------+------------------------------------------
"It took the computing power of three C-64s to fly to the Moon.
It takes a 486 to run Windows 95. Something is wrong here."
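
The correlation the message makes by eye (an sshd process logs a rejected user, then the kernel reports the same pid dying on a signal), written as an added example that is not part of the original message. The function names, the 10-second window and the assumed year are choices of this example; the first three sample lines are the ones quoted above and the last two are constructed.

```python
import re
from datetime import datetime, timedelta

# First three lines: quoted in the message. Last two: constructed for contrast.
SAMPLE_LOG = """\
Mar 12 16:40:01 ns sshd[76406]: input_userauth_request: illegal user hodo
Mar 12 16:40:03 ns /kernel: pid 76406 (sshd), uid 0: exited on signal 11 (core dumped)
Mar 12 16:40:03 ns /kernel: Mar 12 16:40:03 ns /kernel: pid 76406 (sshd), uid 0: exited on signal 11 (core dumped)
Mar 12 17:02:10 ns sshd[76500]: input_userauth_request: illegal user test
Mar 12 17:30:00 ns /kernel: pid 76555 (named), uid 53: exited on signal 6 (core dumped)
"""

STAMP = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) ")
AUTH = re.compile(r"sshd\[(\d+)\]: input_userauth_request: illegal user (\S+)")
CRASH = re.compile(r"pid (\d+) \((\w+)\), uid (\d+): exited on signal (\d+)")

def parse_time(line, year):
    # syslog timestamps carry no year, so the caller supplies one (assumption).
    m = STAMP.match(line)
    return datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S") if m else None

def correlate(log_text, year=2001, window=timedelta(seconds=10)):
    """Return one finding per sshd pid that died on a signal within
    `window` of a rejected-user auth request logged by that same pid."""
    last_auth = {}   # pid -> (time, user) of the most recent rejected request
    findings = {}    # (pid, signal) -> finding; the key collapses duplicated kernel lines
    for line in log_text.splitlines():
        when = parse_time(line, year)
        if when is None:
            continue
        a = AUTH.search(line)
        if a:
            last_auth[a.group(1)] = (when, a.group(2))
            continue
        c = CRASH.search(line)
        if c and c.group(2) == "sshd" and c.group(1) in last_auth:
            auth_time, user = last_auth[c.group(1)]
            if timedelta(0) <= when - auth_time <= window:
                findings[(c.group(1), c.group(4))] = {
                    "pid": int(c.group(1)), "signal": int(c.group(4)),
                    "uid": int(c.group(3)), "user": user,
                    "seconds_after_auth": int((when - auth_time).total_seconds()),
                }
    return list(findings.values())

if __name__ == "__main__":
    for finding in correlate(SAMPLE_LOG):
        print(finding)
```

A finding here means only that the crash followed an unauthenticated request handled by the same process; the cause still has to come from the core file and a build with debugging symbols.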
