From: "Bruce A. Mah"
Reply-To: bmah@FreeBSD.ORG
To: "Craig Miller"
Cc: freebsd-security
Subject: Re: wierdness in my security report
Date: Thu, 18 Jul 2002 11:05:06 -0700
Message-Id: <200207181805.g6II56ew080057@intruder.bmah.org>
In-Reply-To: <006301c22e83$2b3d5b30$fe01a8c0@Desktop>

If memory serves me right, "Craig Miller" wrote:

> Anyone have any ideas as to what might be causing the following to
> appear in my security report?
>
> arp: 12.236.220.1 moved from 00:b0:64:b7:6f:54 to 00:b0:64:b7:6f:a8 on dc0
>
> Jul 17 05:47:56 server /kernel: arp: 12.236.220.1 moved from 00:b0:64:b7:6f:54 to 00:b0:64:b7:6f:a8 on dc0
>
> arp: 12.236.220.1 moved from 00:b0:64:b7:6f:a8 to 00:b0:64:b7:6f:54 on dc0
>
> Jul 17 05:47:57 server /kernel: arp: 12.236.220.1 moved from 00:b0:64:b7:6f:a8 to 00:b0:64:b7:6f:54 on dc0
>
> I thought those : delimited fields would be MAC addresses, but they
> don't match the MAC addresses of either of the two cards in my FreeBSD
> box. I have not checked the MAC addresses of the other network cards on
> my network.

It means that the MAC layer address associated with the IP address
12.236.220.1 changed. You don't get these messages for *your*
interfaces; you get them for other interfaces on networks directly
connected to your (in this case, dc0) interface.

If you and I have machines with interfaces on the same network, and I
power mine down, replace the network interface, and reboot, you'd get
this notification about my machine. You could also see this if someone
was successful at hijacking my IP address. There are many other
explanations, some benign and some not. See arp(4) for more details.

> Also, where does the "server /kernel" name come from? "kernel" is not
> the name I gave my kernel, so I am suspicious.

/kernel is the pathname to your kernel (which is not the same as the
kernel configuration name).

Bruce.

PS. Please don't post multipart text and HTML emails to the lists.
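As an added example, not part of the original message or of FreeBSD's own tooling: a small Python script that parses the syslog form of these kernel messages and flags IP addresses whose binding flaps between MACs within a short window, which is the pattern in the quoted report (A to B, then back to A one second later) and is worth separating from the single benign change you would see after a replaced network card. The two 12.236.220.1 lines are the ones quoted in the message; the other two sample lines, the year (syslog lines carry none), and the window and threshold defaults are assumptions made for this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# FreeBSD's kernel logs "arp: <ip> moved from <mac> to <mac> on <ifc>" when a
# neighbour's IP-to-MAC binding changes; syslog prefixes a timestamp and host.
ARP_MOVED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) /kernel: "
    r"arp: (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) moved from "
    r"(?P<old>(?:[0-9a-f]{1,2}:){5}[0-9a-f]{1,2}) to "
    r"(?P<new>(?:[0-9a-f]{1,2}:){5}[0-9a-f]{1,2}) on (?P<ifc>\S+)$"
)

# Sample input. The two 12.236.220.1 lines are the ones quoted in the message
# above; the 12.236.220.77 line and the link-state line are constructed.
SAMPLE_LOG = """\
Jul 17 05:47:50 server /kernel: arp: 12.236.220.77 moved from 00:11:22:33:44:55 to 00:11:22:33:44:66 on dc0
Jul 17 05:47:56 server /kernel: arp: 12.236.220.1 moved from 00:b0:64:b7:6f:54 to 00:b0:64:b7:6f:a8 on dc0
Jul 17 05:47:57 server /kernel: arp: 12.236.220.1 moved from 00:b0:64:b7:6f:a8 to 00:b0:64:b7:6f:54 on dc0
Jul 17 05:48:02 server /kernel: dc0: link state changed to UP
"""


def parse_arp_moved(line, year=2002):
    """Return a dict for an 'arp: ... moved' syslog line, or None for any other line.

    syslog omits the year, so the caller supplies it; the default is an
    assumption matching the date of the quoted report.
    """
    m = ARP_MOVED_RE.match(line.rstrip("\n"))
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "ip": m["ip"],
            "old": m["old"], "new": m["new"], "ifc": m["ifc"]}


def find_flapping(events, window_seconds=60, min_moves=2):
    """Report (per interface) IPs that moved at least min_moves times within
    any span of window_seconds. 'returned' marks an IP that went back to a MAC
    it already held inside that span, the ping-pong seen in the quoted report.
    """
    by_key = defaultdict(list)
    for e in events:
        by_key[(e["ifc"], e["ip"])].append(e)
    suspects = {}
    for (ifc, ip), evs in by_key.items():
        evs.sort(key=lambda e: e["ts"])
        for i in range(len(evs)):
            j = i
            while (j + 1 < len(evs) and
                   (evs[j + 1]["ts"] - evs[i]["ts"]).total_seconds() <= window_seconds):
                j += 1
            run = evs[i:j + 1]
            if len(run) >= min_moves:
                seen = {run[0]["old"]}
                returned = False
                for e in run:
                    if e["new"] in seen:
                        returned = True
                    seen.add(e["new"])
                suspects[ip] = {"ifc": ifc, "moves": len(run),
                                "macs": sorted(seen), "returned": returned,
                                "first": run[0]["ts"], "last": run[-1]["ts"]}
                break
    return suspects


def analyze(lines, **kw):
    """Parse raw syslog lines (non-ARP lines are ignored) and return the report."""
    events = [e for e in (parse_arp_moved(ln) for ln in lines) if e]
    return find_flapping(events, **kw)


if __name__ == "__main__":
    for ip, info in analyze(SAMPLE_LOG.splitlines()).items():
        span = (info["last"] - info["first"]).total_seconds()
        note = " (returned to an earlier MAC)" if info["returned"] else ""
        print(f"{ip} on {info['ifc']}: {info['moves']} moves between "
              f"{info['macs']} in {span:.0f}s{note}")
```

The prefix-less "arp: ..." summary lines that the nightly security report also prints carry no timestamp, so the parser skips them; feed it the /var/log/messages lines instead. A single move, such as the constructed 12.236.220.77 entry, is not reported; for those, the useful follow-up is to compare the new MAC against an inventory of the interfaces you know on that segment.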