Subject: Re: Log messages cutted
To: netbsd <netbsd@purk.ee>
From: Julio Merino <jmmv@hispabsd.org>
List: current-users
Date: 07/10/2002 22:04:50
On Wed, 10 Jul 2002 22:30:12 +0300
"netbsd" <netbsd@purk.ee> wrote:

> Hi
> 
> I don't think it is related with buffer overflow...
> seems like kernel is login ports that are firewalled.
> There is parameter that handles with that ' net.inet.tcp.log_refused=1'

No no... I know that, but look again at the messages. The text
is CUTted. For example:

tempt to TCP 192.168.1.1:596 from 192.168.1.3:61993
should be:
Connection attempt to TCP 192.168.1.1:596 from 192.168.1.3:61993

and this happens many times at unexpected places (in another
message it apperes a character before the text, that does not
belong to it.

Regards

> 
> just guessing...:)
> 
> Greetings
> 
> ----- Original Message -----
> From: "Julio Merino" <jmmv@hispabsd.org>
> To: <current-users@netbsd.org>
> Sent: Wednesday, July 10, 2002 7:28 PM
> Subject: Log messages cutted
> 
> 
> > Hello
> >
> > last day I noticed a problem when reading a /var/log/messages log. Look
> > at these:
> >
> > Jul 10 18:20:10 sun /netbsd: o TCP 192.168.1.1:471 from 192.168.1.3:64980
> > Jul 10 18:20:14 sun /netbsd: on attempt to TCP 192.168.1.1:619 from
> 192.168.1.3:63997
> > Jul 10 18:20:19 sun /netbsd: >Connection attempt to TCP 192.168.1.1:227
> from 192.168.1.3:62673
> > Jul 10 18:20:13 sun sshd[196]: error: accept: Software caused connection
> abort
> > Jul 10 18:20:24 sun /netbsd: 192.168.1.1:873 from 192.168.1.3:61747
> > Jul 10 18:20:29 sun /netbsd: 1:1539 from 192.168.1.3:61576
> >
> > This has happened while issuing a nmap to the computer. If you look
> > carefully, you can see how messages are cutted, like if some buffer
> > is overflowing.
> >
> > And looking at more logs:
> >
> > Jul  8 18:06:06 sun /netbsd: Connection attempt to TCP 192.168.1.1:1668
> from 192.168.1.3:63222
> > Jul  8 18:06:06 sun /netbsd: Connection attempt to TCP 192.168.1.1:581
> from 192.168.1.3:63221
> > Jul  8 18:06:06 sun /netbsd: tempt to TCP 192.168.1.1:596 from
> 192.168.1.3:61993
> >
> > You see. If this is a buffer overflow... argg, it can be bad. What do
> > you think?
> >
> > Well, thanks.
> >
> > --
> > HispaBSD admin - http://www.hispabsd.org
> > Julio Merino <jmmv@hispabsd.org>
> >
> >
> 


-- 
HispaBSD admin - http://www.hispabsd.org
Julio Merino <jmmv@hispabsd.org>