From: "Jim Laurenson"
To: "Craig Miller", "freebsd-security"
Subject: RE: wierdness in my security report
Date: Thu, 18 Jul 2002 11:53:58 -0600

I have found the same logs on one of my older builds (4.3 I think). The offending MAC address was found to be a Cisco router on my ISP's network. I found no solution for it though.

Jim Laurenson

-----Original Message-----
From: owner-freebsd-security@FreeBSD.ORG [mailto:owner-freebsd-security@FreeBSD.ORG] On Behalf Of Craig Miller
Sent: July 18, 2002 11:47 AM
To: freebsd-security
Subject: wierdness in my security report

Anyone have any ideas as to what might be causing the following to appear in my security report?

arp: 12.236.220.1 moved from 00:b0:64:b7:6f:54 to 00:b0:64:b7:6f:a8 on dc0
> Jul 17 05:47:56 server /kernel: arp: 12.236.220.1 moved from 00:b0:64:b7:6f:54 to 00:b0:64:b7:6f:a8 on dc0
> arp: 12.236.220.1 moved from 00:b0:64:b7:6f:a8 to 00:b0:64:b7:6f:54 on dc0
> Jul 17 05:47:57 server /kernel: arp: 12.236.220.1 moved from 00:b0:64:b7:6f:a8 to 00:b0:64:b7:6f:54 on dc0

I thought those : delimited fields would be MAC addresses, but they don't match the MAC addresses of either of the two cards in my FreeBSD box. I have not checked the MAC addresses of the other network cards on my network.

Also, where does the "server /kernel" name come from? "kernel" is not the name I gave my kernel, so I am suspicious.

Thanks,

--Craig
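Added example, not part of the original messages: a small triage script for the "arp: ... moved from ... to ..." kernel lines quoted in this thread. It groups events per IP and interface, flags addresses that flap back to a MAC they had already left, and notes whether all MACs involved share a vendor prefix. The 192.0.2.1 line and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Matches the kernel message quoted in the thread; the syslog prefix
# (timestamp, host, "/kernel:") and a leading "> " are optional.
ARP_MOVED = re.compile(
    r"arp: (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) moved from "
    r"(?P<old>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) to "
    r"(?P<new>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) on (?P<ifc>\S+)",
    re.IGNORECASE,
)

def oui(mac):
    """First three octets of a MAC address (the vendor prefix)."""
    return mac.lower()[:8]

def summarize(lines):
    """Group 'arp: ... moved' events by (ip, interface) for triage."""
    events = defaultdict(list)
    for line in lines:
        m = ARP_MOVED.search(line)
        if m:
            events[(m["ip"], m["ifc"])].append((m["old"].lower(), m["new"].lower()))
    report = {}
    for key, moves in events.items():
        macs = {mac for move in moves for mac in move}
        # Flapping: the IP returned to a MAC it had previously moved away
        # from, i.e. two devices keep answering ARP for the same address.
        seen_old, flapping = set(), False
        for old, new in moves:
            flapping = flapping or new in seen_old
            seen_old.add(old)
        report[key] = {
            "moves": len(moves),
            "macs": sorted(macs),
            "flapping": flapping,
            # A shared prefix is only a hint: MAC addresses can be forged.
            "same_oui": len({oui(mac) for mac in macs}) == 1,
        }
    return report

SAMPLE = [
    # The two timestamped lines from the report quoted above.
    "Jul 17 05:47:56 server /kernel: arp: 12.236.220.1 moved from 00:b0:64:b7:6f:54 to 00:b0:64:b7:6f:a8 on dc0",
    "Jul 17 05:47:57 server /kernel: arp: 12.236.220.1 moved from 00:b0:64:b7:6f:a8 to 00:b0:64:b7:6f:54 on dc0",
    # Constructed lines: a one-way move to an unrelated prefix, and noise.
    "Jul 17 06:10:02 server /kernel: arp: 192.0.2.1 moved from 00:00:5e:00:53:01 to 02:00:00:00:00:aa on dc0",
    "Jul 17 06:10:03 server /kernel: unrelated message",
]

if __name__ == "__main__":
    for (ip, ifc), info in summarize(SAMPLE).items():
        print(ip, ifc, info)
```

Feeding it the raw system log rather than the daily report avoids counting events twice, since the report repeats each line.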