From owner-freebsd-questions  Sat Mar 16  7:39:11 2002
Delivered-To: freebsd-questions@freebsd.org
Received: from www.dratman.com (pcp108019pcs.echryh01.nj.comcast.net [68.45.89.210])
	by hub.freebsd.org (Postfix) with ESMTP id 529FB37B400
	for <freebsd-questions@freebsd.org>; Sat, 16 Mar 2002 07:39:07 -0800 (PST)
Received: from [192.168.1.27] (router.dratman.com [192.168.1.1])
	by www.dratman.com (8.11.1/8.11.1) with ESMTP id g2GFd6J20001
	for <freebsd-questions@freebsd.org>; Sat, 16 Mar 2002 10:39:06 -0500 (EST)
	(envelope-from ralph@maxsoft.com)
Mime-Version: 1.0
X-Sender: ralph99@popmail.voicenet.com
Message-Id: <v04210109b8b9158a6b60@[192.168.1.27]>
Date: Sat, 16 Mar 2002 10:39:06 -0500
To: freebsd-questions@freebsd.org
From: Ralph Dratman <ralph@maxsoft.com>
Subject: Worrisome log messages about sshd and httpd
Content-Type: text/plain; charset="us-ascii" ; format="flowed"
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-questions.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-questions>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-questions>
X-Loop: FreeBSD.ORG

Any and all,

My system (4.2-RELEASE) normally runs very well and is extremely stable.

Yesterday the following appeared in my security email:

=====================
www.dratman.com kernel log messages:
> 0xc2adac88
> pid 16214 (sshd), uid 0: exited on signal 11 (core dumped)
> pid 16215 (sshd), uid 0: exited on signal 11 (core dumped)
> pid 16216 (sshd), uid 0: exited on signal 11 (core dumped)
>... (more of the same)
> pid 16229 (sshd), uid 0: exited on signal 11 (core dumped)
> pid 16230 (sshd), uid 0: exited on signal 11 (core dumped)
> pid 16237 (sshd), uid 0: exited on signal 11 (core dumped)
> pid 16891 (locate.code), uid 65534 on /: file system full
=====================

and dmesg gave me more nice material, again repeated many times:

=====================
vnode_pager_getpages: I/O read error
vm_fault: pager read error, pid 5827 (ftpd)
vnode_pager: *** WARNING *** stale FS getpages
No strategy for buffer at 0xc2adac88
: 0xc7b89ec0: type VREG, usecount 4, writecount 0, refcount 0, flags (VOBJBUF)
         tag VT_PROCFS, type 6, pid 5827, mode 180, flags 0
: 0xc7b89ec0: type VREG, usecount 4, writecount 0, refcount 0, flags (VOBJBUF)
         tag VT_PROCFS, type 6, pid 5827, mode 180, flags 0
vnode_pager_getpages: I/O read error
vm_fault: pager read error, pid 5827 (ftpd)
vnode_pager: *** WARNING *** stale FS getpages
No strategy for buffer at 0xc2adac88
: 0xc7bf6080: type VREG, usecount 4, writecount 0, refcount 0, flags (VOBJBUF)
         tag VT_PROCFS, type 5, pid 5827, mode 180, flags 0
: 0xc7bf6080: type VREG, usecount 4, writecount 0, refcount 0, flags (VOBJBUF)
         tag VT_PROCFS, type 5, pid 5827, mode 180, flags 0
vnode_pager_getpages: I/O read error
vm_fault: pager read error, pid 5827 (ftpd)
pid 94028 (httpd), uid 65534: exited on signal 11
pid 94003 (httpd), uid 65534: exited on signal 11
pid 93975 (httpd), uid 65534: exited on signal 11
pid 93974 (httpd), uid 65534: exited on signal 11
pid 93973 (httpd), uid 65534: exited on signal 11
pid 54584 (httpd), uid 0: exited on signal 11 (core dumped)
pid 181 (httpd), uid 0: exited on signal 10 (core dumped)
pid 16214 (sshd), uid 0: exited on signal 11 (core dumped)
pid 16215 (sshd), uid 0: exited on signal 11 (core dumped)
pid 16216 (sshd), uid 0: exited on signal 11 (core dumped)
pid 16236 (sshd), uid 0: exited on signal 11 (core dumped)
pid 16237 (sshd), uid 0: exited on signal 11 (core dumped)
pid 16891 (locate.code), uid 65534 on /: file system full
=====================

Am I seeing some kind of buffer-overflow attack? Can anyone suggest 
what might be happening here?

The system is still alive as of this morning and otherwise seems to 
be functioning normally.

Thanks in advance for any thoughts or insights.

Regards,

Ralph Dratman

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message