Date: Tue, 13 Mar 2001 00:48:13 +0200
From: Alex Popa
To: freebsd-security@freebsd.org
Cc: freebsd-stable@freebsd.org
Subject: 4.3-BETA, sshd.core found in root directory.
Message-ID: <20010313004813.A78221@ldc.ro>

I am not really sure what this means (could mean a lot of things,
including bad memory on my machine), but here are the facts:

The system was cvsupped and compiled on March 10th.

$ uname -a
FreeBSD ns.ldc.ro 4.3-BETA FreeBSD 4.3-BETA #0: Sat Mar 10 15:16:38 EET 2001 root@ns.ldc.ro:/usr/src/sys/compile/NS i386
$ ls -l /sshd.core
-rw------- 1 root wheel 507904 Mar 12 16:40 /sshd.core
$ ls -l /usr/sbin/sshd
-r-xr-xr-x 1 root wheel 196532 Mar 10 16:07 /usr/sbin/sshd

# gdb /usr/sbin/sshd /sshd.core
GNU gdb 4.18
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-unknown-freebsd"...
(no debugging symbols found)...
Core was generated by `sshd'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /usr/lib/libopie.so.2...(no debugging symbols found)...
done.
Reading symbols from /usr/lib/libmd.so.2...(no debugging symbols found)...done.
Reading symbols from /usr/lib/libcrypt.so.2...(no debugging symbols found)...
done.
Reading symbols from /usr/lib/libcrypto.so.2...(no debugging symbols found)...
done.
Reading symbols from /usr/lib/libutil.so.3...(no debugging symbols found)...
done.
Reading symbols from /usr/lib/libz.so.2...(no debugging symbols found)...done.
Reading symbols from /usr/lib/libwrap.so.3...(no debugging symbols found)...
done.
Reading symbols from /usr/lib/libpam.so.1...(no debugging symbols found)...
done.
---Type to continue, or q to quit---
Reading symbols from /usr/lib/libc.so.4...(no debugging symbols found)...done.
Reading symbols from /usr/libexec/ld-elf.so.1...(no debugging symbols found)...
done.
#0 0x281741c8 in login_getpwclass () from /usr/lib/libutil.so.3
(gdb) bt
#0 0x281741c8 in login_getpwclass () from /usr/lib/libutil.so.3
#1 0x80532e8 in getsockname ()
#2 0x805a9ef in getsockname ()
#3 0x8052fd0 in getsockname ()
#4 0x804d81d in getsockname ()
#5 0x804be95 in getsockname ()
(gdb)

$ ident /usr/sbin/sshd
/usr/sbin/sshd:
     $OpenBSD: sshd.c,v 1.132 2000/10/13 18:34:46 markus Exp $
     $FreeBSD: src/crypto/openssh/sshd.c,v 1.6.2.7 2001/03/04 15:13:08 markm Exp $
     $OpenBSD: auth-rhosts.c,v 1.16 2000/10/03 18:03:03 markus Exp $
     $OpenBSD: auth-passwd.c,v 1.18 2000/10/03 18:03:03 markus Exp $
     $FreeBSD: src/crypto/openssh/auth-passwd.c,v 1.2.2.4 2001/03/04 15:13:08 markm Exp $
     $OpenBSD: auth-rsa.c,v 1.32 2000/10/14 12:19:45 markus Exp $
     $FreeBSD: src/crypto/openssh/auth-rsa.c,v 1.2.2.3 2001/01/12 04:25:55 green Exp $
     $OpenBSD: auth-rh-rsa.c,v 1.17 2000/10/03 18:03:03 markus Exp $
     $FreeBSD: src/crypto/openssh/auth-rh-rsa.c,v 1.1.1.1.2.3 2001/01/12 04:25:55 green Exp $
     $OpenBSD: pty.c,v 1.16 2000/09/07 21:13:37 markus Exp $
     $FreeBSD: src/crypto/openssh/pty.c,v 1.2.2.2 2000/10/28 23:00:49 kris Exp $
     $OpenBSD: log-server.c,v 1.17 2000/09/12 20:53:10 markus Exp $
     $OpenBSD: login.c,v 1.15 2000/09/07 20:27:52 deraadt Exp $
     $FreeBSD: src/crypto/openssh/login.c,v 1.3.2.2 2000/10/28 23:00:48 kris Exp $
     $OpenBSD: servconf.c,v 1.53 2000/10/14 12:12:09 markus Exp $
     $FreeBSD: src/crypto/openssh/servconf.c,v 1.3.2.10 2001/03/04 15:13:08 markm Exp $
     $OpenBSD: serverloop.c,v 1.34 2000/10/27 07:32:18 markus Exp $
     $OpenBSD: auth.c,v 1.11 2000/10/11 20:27:23 markus Exp $
     $FreeBSD: src/crypto/openssh/auth.c,v 1.3.2.3 2001/01/12 04:25:55 green Exp $
     $OpenBSD: auth1.c,v 1.6 2000/10/11 20:27:23 markus Exp $
     $FreeBSD: src/crypto/openssh/auth1.c,v 1.3.2.5 2001/03/04 15:13:08 markm Exp $
     $OpenBSD: auth2.c,v 1.20 2000/10/14 12:16:56 markus Exp $
     $FreeBSD: src/crypto/openssh/auth2.c,v 1.2.2.5 2001/03/04 15:13:08 markm Exp $
     $OpenBSD: auth-options.c,v 1.5 2000/10/09 21:32:34 markus Exp $
     $OpenBSD: session.c,v 1.42 2000/10/27 07:32:18 markus Exp $
     $FreeBSD: src/crypto/openssh/session.c,v 1.4.2.7 2001/02/04 20:21:06 green Exp $
     $OpenBSD: dh.c,v 1.2 2000/10/11 20:11:35 markus Exp $
     $FreeBSD: src/crypto/openssh/auth-pam.c,v 1.2.2.1 2001/01/12 04:25:54 green Exp $
     $FreeBSD: src/crypto/openssh/auth2-skey.c,v 1.2.2.1 2001/01/12 04:25:55 green Exp $
     $OpenBSD: auth2-skey.c,v 1.1 2000/10/11 20:14:38 markus Exp $
     $OpenBSD: auth-skey.c,v 1.9 2000/10/19 16:41:13 deraadt Exp $
     $FreeBSD: src/crypto/openssh/auth-skey.c,v 1.1.1.1.2.4 2001/01/12 04:25:55 green Exp $
     $OpenBSD: kex.c,v 1.12 2000/10/11 20:27:23 markus Exp $
     $OpenBSD: dispatch.c,v 1.5 2000/09/21 11:25:34 markus Exp $
     $OpenBSD: ttymodes.c,v 1.8 2000/09/07 20:27:55 deraadt Exp $
     $OpenBSD: tildexpand.c,v 1.8 2000/09/07 20:27:55 deraadt Exp $
     $OpenBSD: rsa.c,v 1.16 2000/09/07 20:27:53 deraadt Exp $
     $FreeBSD: src/crypto/openssh/rsa.c,v 1.1.1.1.2.6 2001/02/12 06:45:42 kris Exp $
     $OpenBSD: readpass.c,v 1.12 2000/10/11 20:14:39 markus Exp $
     $OpenBSD: mpaux.c,v 1.14 2000/09/07 20:27:52 deraadt Exp $
     $FreeBSD: src/crypto/openssh/mpaux.c,v 1.2.2.2 2000/10/28 23:00:48 kris Exp $
     $OpenBSD: hostfile.c,v 1.20 2000/09/07 20:27:51 deraadt Exp $
     $FreeBSD: src/crypto/openssh/hostfile.c,v 1.1.1.1.2.2 2000/10/28 23:00:48 kris Exp $
     $OpenBSD: authfile.c,v 1.20 2000/10/11 20:27:23 markus Exp $
     $FreeBSD: src/crypto/openssh/authfile.c,v 1.2.2.3 2001/01/12 04:25:55 green Exp $
     $OpenBSD: cli.c,v 1.2 2000/10/16 09:38:44 djm Exp $
     $OpenBSD: match.c,v 1.9 2000/09/07 20:27:52 deraadt Exp $
     $OpenBSD: dsa.c,v 1.11 2000/09/07 20:27:51 deraadt Exp $
     $OpenBSD: xmalloc.c,v 1.8 2000/09/07 20:27:55 deraadt Exp $
     $OpenBSD: packet.c,v 1.38 2000/10/12 14:21:12 markus Exp $
     $OpenBSD: hmac.c,v 1.4 2000/09/07 20:27:51 deraadt Exp $
     $OpenBSD: crc32.c,v 1.7 2000/09/07 20:27:51 deraadt Exp $
     $OpenBSD: compress.c,v 1.9 2000/09/07 20:27:50 deraadt Exp $
     $OpenBSD: cipher.c,v 1.37 2000/10/23 19:31:54 markus Exp $
     $FreeBSD: src/crypto/openssh/cipher.c,v 1.2.2.3 2001/01/12 04:25:56 green Exp $
     $OpenBSD: nchan.c,v 1.19 2000/09/07 20:27:52 deraadt Exp $
     $OpenBSD: channels.c,v 1.72 2000/10/27 07:48:22 markus Exp $
     $OpenBSD: canohost.c,v 1.16 2000/10/21 17:04:22 markus Exp $
     $FreeBSD: src/crypto/openssh/canohost.c,v 1.1.1.1.2.4 2001/01/12 04:25:56 green Exp $
     $OpenBSD: authfd.c,v 1.29 2000/10/09 21:51:00 markus Exp $
     $FreeBSD: src/crypto/openssh/authfd.c,v 1.2.2.4 2001/01/12 04:25:55 green Exp $
     $OpenBSD: util.c,v 1.6 2000/10/27 07:32:19 markus Exp $
     $OpenBSD: key.c,v 1.11 2000/09/07 20:27:51 deraadt Exp $
     $FreeBSD: src/crypto/openssh/key.c,v 1.4.2.2 2000/10/28 23:00:48 kris Exp $
     $OpenBSD: atomicio.c,v 1.7 2000/10/18 18:04:02 markus Exp $
     $OpenBSD: uidswap.c,v 1.9 2000/09/07 20:27:55 deraadt Exp $
     $FreeBSD: src/crypto/openssh/compat.c,v 1.1.1.1.2.3 2001/01/12 04:25:56 green Exp $
     $OpenBSD: compat.c,v 1.27 2000/10/31 09:31:58 markus Exp $
     $OpenBSD: bufaux.c,v 1.13 2000/09/07 20:27:50 deraadt Exp $
     $FreeBSD: src/crypto/openssh/bufaux.c,v 1.2.2.2 2000/10/28 23:00:47 kris Exp $
     $OpenBSD: uuencode.c,v 1.7 2000/09/07 20:27:55 deraadt Exp $
     $OpenBSD: buffer.c,v 1.8 2000/09/07 20:27:50 deraadt Exp $
     $OpenBSD: log.c,v 1.11 2000/09/30 16:27:43 markus Exp $

/var/log/all.log has this on the incident:

Mar 12 16:40:01 ns sshd[76406]: input_userauth_request: illegal user hodo
Mar 12 16:40:03 ns /kernel: pid 76406 (sshd), uid 0: exited on signal 11 (core dumped)
Mar 12 16:40:03 ns /kernel:
Mar 12 16:40:03 ns /kernel: pid 76406 (sshd), uid 0: exited on signal 11 (core dumped)

From the output of "strings /sshd.core" I can see the server was doing
some pretty normal activity, like rejecting a user I know, that had an
account on another machine, but not this one.

If there is more information needed, I will try to provide it.

Thank you for listening and not panicking.

------------+------------------------------------------
Alex Popa,  | "Artificial Intelligence is
razor@ldc.ro|  no match for Natural Stupidity"
------------+------------------------------------------
"It took the computing power of three C-64s to fly to the Moon.
It takes a 486 to run Windows 95. Something is wrong here."
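
The message ties the sshd log entry to the kernel's signal 11 report through the shared pid 76406. As an added example that is not part of the original message, this shell function does that pairing over a whole log, reporting each crashed sshd pid once with the last thing that process logged. The function names and the pid 76410 line are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original message): pair each sshd crash
# reported by the kernel with the last line that same pid logged.

# Sample input. The pid 76406 lines are the ones quoted in the message
# (including the kernel report logged twice); pid 76410 is constructed.
sample_log() {
    cat <<'EOF'
Mar 12 16:39:58 ns sshd[76410]: Accepted password for alice from 192.0.2.7 port 1022
Mar 12 16:40:01 ns sshd[76406]: input_userauth_request: illegal user hodo
Mar 12 16:40:03 ns /kernel: pid 76406 (sshd), uid 0: exited on signal 11 (core dumped)
Mar 12 16:40:03 ns /kernel:
Mar 12 16:40:03 ns /kernel: pid 76406 (sshd), uid 0: exited on signal 11 (core dumped)
EOF
}

# Reads syslog lines on stdin, prints one line per crashed sshd pid.
correlate_sshd_crashes() {
    awk '
    # "sshd[PID]: text" -> remember the most recent text for that pid
    match($0, /sshd\[[0-9]+\]: /) {
        pid = substr($0, RSTART + 5, RLENGTH - 8)
        last[pid] = substr($0, RSTART + RLENGTH)
        next
    }
    # "pid PID (sshd), uid UID: exited on signal N" from the kernel
    match($0, /pid [0-9]+ \(sshd\), uid [0-9]+: exited on signal [0-9]+/) {
        n = split(substr($0, RSTART, RLENGTH), f, " ")
        pid = f[2]; uid = f[5]; sub(/:$/, "", uid); sig = f[n]
        if (pid in seen) next          # kernel line was logged twice
        seen[pid] = 1
        ev = (pid in last) ? last[pid] : "(none logged)"
        printf "pid=%s uid=%s signal=%s last_event=%s\n", pid, uid, sig, ev
    }'
}

sample_log | correlate_sshd_crashes
```

To run it over a live log, pipe the file that receives both daemon and kernel messages (here /var/log/all.log) into correlate_sshd_crashes.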