From owner-freebsd-questions Wed Dec 4 12:36:49 2002
Message-ID: <3DE396EB.8080006@cream.org>
Date: Tue, 26 Nov 2002 15:44:43 +0000
From: Andrew Boothman
To: mloiterman@ameritech.net
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: Cracker attack...is my system compromised?
References: <005c01c294d2$977fe6e0$0302a8c0@mike> <021701c294d4$c3583270$1200a8c0@gsicomp.on.ca>

Matthew Emmerton wrote:

>>>arp: 192.168.1.1 moved from 00:04:5a:20:6e:b7 to 00:06:25:92:58:f5 on ep0
>>>Nov 23 16:27:53 fat_man /kernel: arp: 192.168.1.1 moved from 00:04:5a:20:6e:b7 to 00:06:25:92:58:f5 on ep0
>>>arp: 192.168.1.2 moved from 00:01:03:20:2f:75 to 00:06:25:10:e0:03 on ep0
>>>Nov 23 16:57:41 fat_man /kernel: arp: 192.168.1.2 moved from 00:01:03:20:2f:75 to 00:06:25:10:e0:03 on ep0
>>>arp: 192.168.1.2 moved from 00:06:25:10:e0:03 to 00:01:03:20:2f:75 on ep0
>>>Nov 23 17:00:17 fat_man /kernel: arp: 192.168.1.2 moved from 00:06:25:10:e0:03 to 00:01:03:20:2f:75 on ep0
>>>arp: 192.168.1.4 moved from 00:06:25:10:e0:03 to 00:80:c6:fa:9f:21 on ep0
>>>Nov 23 18:24:50 fat_man /kernel: arp: 192.168.1.4 moved from 00:06:25:10:e0:03 to 00:80:c6:fa:9f:21 on ep0
>>>arp: 192.168.1.4 moved from 00:80:c6:fa:9f:21 to 00:06:25:10:e0:03 on ep0
>>>Nov 23 18:25:05 fat_man /kernel: arp: 192.168.1.4 moved from 00:80:c6:fa:9f:21 to 00:06:25:10:e0:03 on ep0
>>>arp: 192.168.1.4 moved from 00:06:25:10:e0:03 to 00:80:c6:fa:9f:21 on ep0
>>>Nov 23 18:27:51 fat_man /kernel: arp: 192.168.1.4 moved from 00:06:25:10:e0:03 to 00:80:c6:fa:9f:21 on ep0
>>>arp: 192.168.1.4 moved from 00:80:c6:fa:9f:21 to 00:06:25:10:e0:03 on ep0
>>>Nov 23 18:31:39 fat_man /kernel: arp: 192.168.1.4 moved from 00:80:c6:fa:9f:21 to 00:06:25:10:e0:03 on ep0
>>
>
> This means that you've got one machine (192.168.1.4) with two network cards
> plugged into the same hub. These messages are FreeBSD saying "hey, traffic
> for this IP came from one NIC (00:06:25:10:e0:03) and now it's coming from
> another (00:80:c6:fa:9f:21).".
This is a problem with your network setup. You don't mention if this machine is the box connected via AT&T on dynamic IP or not, but if ep0 is the outside interface on that box then I wouldn't worry about the Ethernet addresses of your first hop changing.

I have a cable modem from Blueyonder in the UK and the first hop's Ethernet address shifts several times a day, which results in the sort of error messages that you are seeing. Rumour has it that this shifting Ethernet address is due to some funkiness in the setup of the Cisco hardware that Blueyonder's network runs on, but there's never been any decisive answer from anyone in Blueyonder.

Hope that helps.

Andrew.
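A triage helper for the kind of log quoted above, added here as an example and not part of the original message: it counts only the timestamped syslog copies of each "moved" entry, then reports for each IP whether its address went back to an earlier MAC (the alternating pattern the replies describe) and which MACs were seen for more than one IP. The function name and the output fields are illustrative choices.

```python
import re
from collections import defaultdict

# Syslog form of the FreeBSD kernel message quoted in the thread. The bare
# console copy of each entry has no timestamp and is deliberately not matched.
ARP_MOVED = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]{8}) \S+ /kernel: arp: (?P<ip>[\d.]+) moved from "
    r"(?P<old>[0-9a-f:]{17}) to (?P<new>[0-9a-f:]{17}) on \w+")

# Entries copied from the quoted log; the first line is one bare console copy.
SAMPLE = """\
arp: 192.168.1.1 moved from 00:04:5a:20:6e:b7 to 00:06:25:92:58:f5 on ep0
Nov 23 16:27:53 fat_man /kernel: arp: 192.168.1.1 moved from 00:04:5a:20:6e:b7 to 00:06:25:92:58:f5 on ep0
Nov 23 16:57:41 fat_man /kernel: arp: 192.168.1.2 moved from 00:01:03:20:2f:75 to 00:06:25:10:e0:03 on ep0
Nov 23 17:00:17 fat_man /kernel: arp: 192.168.1.2 moved from 00:06:25:10:e0:03 to 00:01:03:20:2f:75 on ep0
Nov 23 18:24:50 fat_man /kernel: arp: 192.168.1.4 moved from 00:06:25:10:e0:03 to 00:80:c6:fa:9f:21 on ep0
Nov 23 18:25:05 fat_man /kernel: arp: 192.168.1.4 moved from 00:80:c6:fa:9f:21 to 00:06:25:10:e0:03 on ep0
Nov 23 18:27:51 fat_man /kernel: arp: 192.168.1.4 moved from 00:06:25:10:e0:03 to 00:80:c6:fa:9f:21 on ep0
Nov 23 18:31:39 fat_man /kernel: arp: 192.168.1.4 moved from 00:80:c6:fa:9f:21 to 00:06:25:10:e0:03 on ep0
"""

def summarize(log_text):
    """Return (per-IP summary, MACs that were seen for more than one IP)."""
    moves = defaultdict(list)          # ip -> [(ts, old, new), ...] in log order
    for line in log_text.splitlines():
        m = ARP_MOVED.match(line)
        if m:
            moves[m["ip"]].append((m["ts"], m["old"], m["new"]))
    per_ip, ips_by_mac = {}, defaultdict(set)
    for ip, events in moves.items():
        seen, flapping = [events[0][1]], False
        for _ts, _old, new in events:
            flapping = flapping or new in seen   # went back to an earlier MAC
            seen.append(new)
        for mac in set(seen):
            ips_by_mac[mac].add(ip)
        per_ip[ip] = {"moves": len(events), "macs": sorted(set(seen)),
                      "flapping": flapping, "first": events[0][0],
                      "last": events[-1][0]}
    shared = {mac: sorted(ips) for mac, ips in ips_by_mac.items() if len(ips) > 1}
    return per_ip, shared

if __name__ == "__main__":
    per_ip, shared = summarize(SAMPLE)
    for ip, info in sorted(per_ip.items()):
        print(ip, info)
    print("MACs seen for more than one IP:", shared)
```

On this log, 192.168.1.1 changes once while 192.168.1.2 and 192.168.1.4 alternate between two addresses, and 00:06:25:10:e0:03 shows up for both of the latter.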