From: "Kevin Kinsey, DaleCo, S.P."
To: "Jim Laurenson", "Craig Miller", "freebsd-security"
Subject: Re: wierdness in my security report
Date: Thu, 18 Jul 2002 13:13:46 -0500
Message-ID: <027101c22e86$dc4fae20$95e2910c@fbccarthage.com>

Somebody, somewhere, changed something that changed a route your kernel had established. How many machines in your LAN? What are the chances one has a new NIC?

KDK

----- Original Message -----
From: Jim Laurenson
To: Craig Miller; freebsd-security
Sent: Thursday, July 18, 2002 12:53 PM
Subject: RE: wierdness in my security report

I have found the same logs on one of my older builds (4.3 I think). The offending MAC address was found to be a Cisco router on my ISP's network. I found no solution for it though.
Jim Laurenson

-----Original Message-----
From: owner-freebsd-security@FreeBSD.ORG [mailto:owner-freebsd-security@FreeBSD.ORG] On Behalf Of Craig Miller
Sent: July 18, 2002 11:47 AM
To: freebsd-security
Subject: wierdness in my security report

Anyone have any ideas as to what might be causing the following to appear in my security report?

arp: 12.236.220.1 moved from 00:b0:64:b7:6f:54 to 00:b0:64:b7:6f:a8 on dc0
> Jul 17 05:47:56 server /kernel: arp: 12.236.220.1 moved from 00:b0:64:b7:6f:54 to 00:b0:64:b7:6f:a8 on dc0
> arp: 12.236.220.1 moved from 00:b0:64:b7:6f:a8 to 00:b0:64:b7:6f:54 on dc0
> Jul 17 05:47:57 server /kernel: arp: 12.236.220.1 moved from 00:b0:64:b7:6f:a8 to 00:b0:64:b7:6f:54 on dc0

I thought those : delimited fields would be MAC addresses, but they don't match the MAC addresses of either of the two cards in my FreeBSD box. I have not checked the MAC addresses of the other network cards on my network.

Also, where does the "server /kernel" name come from? "kernel" is not the name I gave my kernel, so I am suspicious.

Thanks,
--Craig
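
Added example, not written by any poster in this thread: a Python triage of the "arp: ... moved from ... to ..." kernel lines quoted above. It reports, per IP address, whether the address flipped to a second MAC and back within a short window, and whether all the MACs seen share their first three octets (the vendor prefix). The 60-second window, the function names and the 10.0.0.5 log line are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the timestamped FreeBSD kernel message quoted in the thread,
# with or without the "> " prefix the security report puts in front of it.
ARP_MOVED = re.compile(
    r"^(?:>\s*)?(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s+\S+\s+/?kernel:\s+arp:\s+"
    r"(?P<ip>\d+(?:\.\d+){3}) moved from (?P<old>[0-9a-f:]{17}) "
    r"to (?P<new>[0-9a-f:]{17}) on (?P<ifc>\S+)", re.I)

def parse(lines, year=2002):
    """Yield (time, ip, old_mac, new_mac, iface); syslog omits the year."""
    for line in lines:
        m = ARP_MOVED.match(line.strip())
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"], m["old"].lower(), m["new"].lower(), m["ifc"]

def triage(lines, window=timedelta(seconds=60)):
    """Per IP: 'flap' if A->B is followed by B->A within window, else 'move'."""
    by_ip = defaultdict(list)
    for ev in parse(lines):
        by_ip[ev[1]].append(ev)
    report = {}
    for ip, evs in by_ip.items():
        evs.sort()
        # Compare each event with the next one for the same IP.
        flap = any(b[2] == a[3] and b[3] == a[2] and b[0] - a[0] <= window
                   for a, b in zip(evs, evs[1:]))
        macs = {mac for ev in evs for mac in ev[2:4]}
        report[ip] = {
            "kind": "flap" if flap else "move",
            "macs": sorted(macs),
            # True when every MAC seen has the same first three octets.
            "same_oui": len({mac[:8] for mac in macs}) == 1,
            "ifaces": sorted({ev[4] for ev in evs}),
        }
    return report

# Two lines from the original post, plus one constructed line (10.0.0.5).
SAMPLE = """\
> Jul 17 05:47:56 server /kernel: arp: 12.236.220.1 moved from 00:b0:64:b7:6f:54 to 00:b0:64:b7:6f:a8 on dc0
> Jul 17 05:47:57 server /kernel: arp: 12.236.220.1 moved from 00:b0:64:b7:6f:a8 to 00:b0:64:b7:6f:54 on dc0
Jul 17 06:10:02 server /kernel: arp: 10.0.0.5 moved from 02:00:00:00:00:01 to 06:00:00:00:00:02 on dc0
"""

if __name__ == "__main__":
    for ip, info in sorted(triage(SAMPLE.splitlines()).items()):
        print(ip, info)
```

A one-way move to a MAC with a different vendor prefix is the case to check first against the known hardware on the segment.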