On Tue, 5 May 2009, jaime.castells at convergys.com wrote:

        hi Jaime,

>I have a significant number of systems, including some Red Hat, that are
>producing the following error message:
>
>      buffer_consume_end: trying to get more bytes than in buffer
>
>I recognize this as an error from SSH and I have found some descriptions of
>this error that make it appear to be a failed access attempt.  The really
>odd thing is that the logs show this error occurring on many servers
>roughly simultaneously and every one is repeated several times with
>intervals of a few minutes.  This makes it seem like a polling across the
>network for footprinting (which is quite large, BTW) or perhaps some sort

        I don't think that's the case, one can use ssh-keyscan which 
does the proper thing and doesn't generate such errors.

        SSH protocol uses "string" type excessively, which is 4-byte 
length field followed by the data. If the length field does not 
correspond to what is in the string it can end up there, for example, in 
certain situations. I'm wondering if this could be caused by incorrect 
keys in the authorized_keys file (have you changed anything recently 
around that?) - if the message was with "disconnected" label (not 
"disconnecting"). I must say I'm not absolutely sure about that, code 
walk-through would be needed.

        let's see if others have the same problem, which could indicate 
an attack of some sort.

        J.

>of malformed connection attack.
>
>Does anyone recognize this?  Any feedback would be appreciated.
>
>Jaime Castells, CISSP
>
>_______________________________________________
>security-discuss mailing list
>security-discuss at opensolaris.org
>

-- 
Jan Pechanec
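
The length-prefixed "string" type described in the reply above, as an added example that is not part of the original message and is not OpenSSH's code: a minimal reader that rejects a field whose 4-byte length claims more bytes than the buffer holds. The struct, function names and sample bytes are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical cursor over a received payload (illustrative names). */
struct reader {
    const uint8_t *p;   /* next unread byte */
    size_t left;        /* bytes remaining */
};

/* Read one SSH "string": uint32 big-endian length, then that many bytes.
 * Returns 0 on success, -1 if the length field is truncated or claims
 * more bytes than remain in the buffer. */
int get_string(struct reader *r, const uint8_t **data, uint32_t *len)
{
    uint32_t n;

    if (r->left < 4)
        return -1;                      /* truncated length field */
    n = ((uint32_t)r->p[0] << 24) | ((uint32_t)r->p[1] << 16) |
        ((uint32_t)r->p[2] << 8)  |  (uint32_t)r->p[3];
    if (n > r->left - 4)
        return -1;                      /* length exceeds remaining data */
    *data = r->p + 4;
    *len = n;
    r->p += 4 + (size_t)n;
    r->left -= 4 + (size_t)n;
    return 0;
}

/* Count well-formed strings in buf; -1 at the first malformed one. */
int count_strings(const uint8_t *buf, size_t buflen)
{
    struct reader r = { buf, buflen };
    const uint8_t *d;
    uint32_t l;
    int count = 0;

    while (r.left > 0) {
        if (get_string(&r, &d, &l) != 0)
            return -1;
        count++;
    }
    return count;
}

/* Constructed samples: correct length 7, then length 9 over 7 bytes. */
static const uint8_t good[] = { 0,0,0,7, 's','s','h','-','r','s','a' };
static const uint8_t bad[]  = { 0,0,0,9, 's','s','h','-','r','s','a' };

int main(void) { return count_strings(good, sizeof good) != 1; }
```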
