Date: Mon, 21 Apr 2003 11:23:17 +0100 From: Matthew Seaman <m.seaman@infracaninophile.co.uk> To: Toomas Aas <toomas.aas@raad.tartu.ee> Cc: freebsd-questions@freebsd.org Subject: Re: sshd: buffer_get trying to get more bytes than in buffer Message-ID: <20030421102316.GB30592@happy-idiot-talk.infracaninophi> In-Reply-To: <200304210820.h3L8KhC30223@lv.raad.tartu.ee> References: <200304210820.h3L8KhC30223@lv.raad.tartu.ee>
next in thread | previous in thread | raw e-mail | index | archive | help
--IiVenqGWf+H9Y6IX Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Mon, Apr 21, 2003 at 11:20:21AM +0300, Toomas Aas wrote: > Hello! >=20 > I've noticed that one of my users logging in via ssh from one particular = IP > always causes this message to appear in auth.log: >=20 > Apr 20 15:43:18 heerold sshd[18766]: fatal: buffer_get: trying to get mor= e bytes 4 than in buffer 0 >=20 > The same user logs in from several different IP-s and the message only > appears when he logs in from one particular IP. This leads me to believe > that it might be just a quirk in the SSH client software he uses on this > particular PC, but I just wanted to confirm that it's not actually an > indication of Something Evil in progress. In thses sort of cases it's always a good idea to cut'n'paste the error message into Google. Apart from turning up a worrying number of sites that have a binary of 'sftp-server' and other programs from the ssh package accessible on their websites, you'll find links to this e-mail: http://www.securityfocus.com/archive/121/261925/2002-03-08/2002-03-14/2 Looks like damage to the user's authorized_keys file: Cheers, Matthew=09 --=20 Dr Matthew J Seaman MA, D.Phil. 26 The Paddocks Savill Way PGP: http://www.infracaninophile.co.uk/pgpkey Marlow Tel: +44 1628 476614 Bucks., SL7 1TH UK --IiVenqGWf+H9Y6IX Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (FreeBSD) iD8DBQE+o8aUdtESqEQa7a0RAms9AJ9q3QqvnFRCKvAowLNylRMPWvpykQCgklkt 8woqXJlUkSH5B5OdGa1YopE= =ZsI0 -----END PGP SIGNATURE----- --IiVenqGWf+H9Y6IX--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20030421102316.GB30592>