Date: Sat, 14 Sep 2002 19:57:16 -0500
From: "Andrew G. Russell IV" <arussell@tyr.agrknives.com>
To: Kevin Stevens <Kevin_Stevens@pursued-with.net>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Mac address of hacked machine...
Message-ID: <20020914195716.A11006@bifrost.agrknives.com>
In-Reply-To: <9B491C74-C843-11D6-8217-003065715DA8@pursued-with.net>; from Kevin_Stevens@pursued-with.net on Sat, Sep 14, 2002 at 05:39:34PM -0700
References: <20020914192323.A10984@bifrost.agrknives.com> <9B491C74-C843-11D6-8217-003065715DA8@pursued-with.net>
Yes, they are asking me for the address of the machine on their network. I gave them the IP address, but they said that would not help, and I told them that it had not changed in 4 weeks, so I would not believe they would have a problem finding it on their segment. I'm glad I'm not crazy; I could not think of a way to get "their" MAC address.

Sample follows from the Cisco...

Sep 14 03:19:35 a1-33-251-204b 16142: 2w0d: %SEC-6-IPACCESSLOGP: list 120 denied udp 68.34.208.51(2213) -> 204.251.33.86(27015), 90 packets
Sep 14 03:24:36 a1-33-251-204b 16143: 2w0d: %SEC-6-IPACCESSLOGP: list 120 denied udp 68.34.208.51(2213) -> 204.251.33.86(27015), 90 packets
Sep 14 03:29:36 a1-33-251-204b 16144: 2w0d: %SEC-6-IPACCESSLOGP: list 120 denied udp 68.34.208.51(2213) -> 204.251.33.86(27015), 90 packets

From FreeBSD 4.6 tcpdump:

04:07:29.365959 pcp663097pcs.indpnd01.mo.comcast.net.2213 > a86-33-251-204b.hos.net.27015: [udp sum ok] udp 8 (ttl 121, id 24169, len 36)
4500 0024 5e69 0000 7911 e0b8 4422 d033 ccfb 2156
08a5 6987 0010 bb1c ffff ffff 696e 666f 0000 0000
0000 0000 0000

04:07:29.374457 pcp663097pcs.indpnd01.mo.comcast.net.2213 > a86-33-251-204b.hos.net.27015: [udp sum ok] udp 9 (ttl 121, id 24170, len 37)
4500 0025 5e6a 0000 7911 e0b6 4422 d033 ccfb 2156
08a5 6987 0011 391d ffff ffff 7275 6c65 7300 0000
0000 0000 0000

04:07:29.379823 pcp663097pcs.indpnd01.mo.comcast.net.2213 > a86-33-251-204b.hos.net.27015: [udp sum ok] udp 11 (ttl 121, id 24171, len 39)
4500 0027 5e6b 0000 7911 e0b3 4422 d033 ccfb 2156
08a5 6987 0013 e09b ffff ffff 706c 6179 6572 7300
0000 0000 0000

Strings of dump... ;->

info
rules
players

I have tried extensive nmap probes, all ports are filtered, and no info that way.

I'm not worried about it, but it is annoying that they won't stop it. At first I changed my DNS, and moved the machine to another address, set up rules on the Cisco... no joy...
On Sat, Sep 14, 2002 at 05:39:34PM -0700, Kevin Stevens wrote:
>
> On Saturday, Sep 14, 2002, at 17:23 US/Pacific, Andrew G. Russell IV wrote:
>
> > I have a machine that is hitting me with "kali" packets every few minutes.
> > I've contacted the ISP, but they can't help unless I supply the MAC address.
> >
> > I've done tcpdump, I've arped, I suppose I don't know what I'm doing on this
> > one. I've read all the HOWTOs that I can find, even Linux ones... I've
> > searched the archives, I guess I'm not asking the right question.
> >
> > I'm sure this will be a head smacker.
> >
> > Thanks for any help... And YES I am subscribed... ;->
> >
> > A.G.
>
> I'm not sure what MAC address they're asking for - you won't be able to
> provide the MAC for the attacking machine unless it's on your own
> network segment. MACs have only local significance; once you pass a
> router they are substituted.
>
> You can see this by pinging several remote machines (www.yahoo.com, for
> example), and then looking at your arp table. You won't see a MAC for
> that IP address, only for your next-hop router. Or if you are using
> proxy-arp, you'll see the same MAC (your router's) for ALL non-local
> addresses.
>
> If you need the MAC address of your machine that is being attacked, you
> can get that from the "ether" portion of ifconfig.
>
> In short, the ISP's request seems confusing or unreasonable. Give us
> more detail.
>
> KeS
>
> BTW - I sure have spent a lot of money buying knives from you!!
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

-- 
_______________________________________________________________________________
A.G. Russell IV KC5KFD
The Knife Company
e-mail: ag4@theknifecompany.com
Phone 479-631-0055 FAX 479-631-8734
Old Klingon Saying -- 'oH majQa' yIn je bang, Qo' bang
-------------------------------------------------------------------------------

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
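An added worked example, not part of the thread or of either poster's mail: it decodes the three tcpdump hex dumps and the Cisco access-list log lines quoted above, verifies the IP and UDP checksums, pulls out the query strings ("info", "rules", "players"), and correlates the capture's 5-tuple with the router's denied-packet counts. It also makes Kevin's point concrete: the dump begins at the 0x45 IP version byte, so there is no link-layer header and no remote MAC address in it to hand to an ISP. The `CISCO_RE` pattern, the `decode`/`parse_cisco_log`/`correlate` function names, and the reading of the bytes past the IP total length as Ethernet minimum-frame padding are this example's own assumptions.

```python
"""Decode the tcpdump hex dumps and Cisco ACL log lines from the thread.
Added example; the dumps and log lines are copied from the message, the
regex and the padding interpretation are assumptions of this example."""
import re
import struct

# The three packets as printed by `tcpdump -x` in the message (IP layer onward).
HEXDUMPS = [
    "4500 0024 5e69 0000 7911 e0b8 4422 d033 ccfb 2156 08a5 6987 0010 bb1c "
    "ffff ffff 696e 666f 0000 0000 0000 0000 0000",
    "4500 0025 5e6a 0000 7911 e0b6 4422 d033 ccfb 2156 08a5 6987 0011 391d "
    "ffff ffff 7275 6c65 7300 0000 0000 0000 0000",
    "4500 0027 5e6b 0000 7911 e0b3 4422 d033 ccfb 2156 08a5 6987 0013 e09b "
    "ffff ffff 706c 6179 6572 7300 0000 0000 0000",
]

# The router's access-list log lines from the message.
CISCO_LOG = """\
Sep 14 03:19:35 a1-33-251-204b 16142: 2w0d: %SEC-6-IPACCESSLOGP: list 120 denied udp 68.34.208.51(2213) -> 204.251.33.86(27015), 90 packets
Sep 14 03:24:36 a1-33-251-204b 16143: 2w0d: %SEC-6-IPACCESSLOGP: list 120 denied udp 68.34.208.51(2213) -> 204.251.33.86(27015), 90 packets
Sep 14 03:29:36 a1-33-251-204b 16144: 2w0d: %SEC-6-IPACCESSLOGP: list 120 denied udp 68.34.208.51(2213) -> 204.251.33.86(27015), 90 packets
"""

# Assumed pattern for the IOS IPACCESSLOGP message format seen above.
CISCO_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), "
    r"(?P<count>\d+) packets?"
)


def ones_complement_sum(data):
    """RFC 1071 one's-complement sum over 16-bit words (odd trailing byte padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def decode(hexdump):
    """Parse an IPv4/UDP packet whose hex dump starts at the IP header."""
    raw = bytes.fromhex(hexdump.replace(" ", ""))
    ihl = (raw[0] & 0x0F) * 4
    total_len = struct.unpack("!H", raw[2:4])[0]
    ttl, proto = raw[8], raw[9]
    src = ".".join(str(b) for b in raw[12:16])
    dst = ".".join(str(b) for b in raw[16:20])
    ip_ok = ones_complement_sum(raw[:ihl]) == 0xFFFF  # valid header sums to 0xFFFF
    udp = raw[ihl:total_len]
    sport, dport, udp_len, _ = struct.unpack("!HHHH", udp[:8])
    pseudo = raw[12:20] + struct.pack("!BBH", 0, proto, udp_len)
    udp_ok = ones_complement_sum(pseudo + udp) == 0xFFFF
    payload = udp[8:udp_len]
    # The 0xffffffff prefix marks a game-server query; the string follows it.
    query = payload[4:] if payload.startswith(b"\xff\xff\xff\xff") else payload
    return {
        "src": src, "sport": sport, "dst": dst, "dport": dport, "ttl": ttl,
        "ip_cksum_ok": ip_ok, "udp_cksum_ok": udp_ok, "query": query,
        # Bytes past the IP total length are not part of the datagram; for a
        # 36-39 byte packet they are most plausibly Ethernet minimum-frame
        # padding (assumption of this example).
        "trailing_padding": len(raw) - total_len,
        # The dump begins with the IP version byte: no Ethernet header, so no
        # source MAC is present in the capture at all.
        "has_link_layer": raw[0] != 0x45,
    }


def parse_cisco_log(text):
    """Extract the denied flows (as dicts) from IPACCESSLOGP log lines."""
    flows = []
    for line in text.splitlines():
        m = CISCO_RE.search(line)
        if m:
            d = m.groupdict()
            for k in ("acl", "sport", "dport", "count"):
                d[k] = int(d[k])
            flows.append(d)
    return flows


def correlate(packets, flows):
    """Sum ACL-denied packet counts whose UDP 5-tuple matches a decoded packet."""
    seen = {(p["src"], p["sport"], p["dst"], p["dport"]) for p in packets}
    return sum(f["count"] for f in flows
               if f["proto"] == "udp"
               and (f["src"], f["sport"], f["dst"], f["dport"]) in seen)


if __name__ == "__main__":
    pkts = [decode(h) for h in HEXDUMPS]
    for p in pkts:
        print(p["src"], p["sport"], "->", p["dst"], p["dport"], "ttl", p["ttl"],
              "query", p["query"], "ip/udp cksum", p["ip_cksum_ok"], p["udp_cksum_ok"])
    print("router denied", correlate(pkts, parse_cisco_log(CISCO_LOG)),
          "packets matching the captured flow")
```

The decoded source and destination match the router's log exactly, which is what a host-side capture can confirm; what it cannot supply is the remote host's MAC, because that layer never crossed the first router.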