From: "El Error del Milenio"
To: "Craig Miller", "freebsd-security"
Subject: Re: wierdness in my security report
Date: Thu, 18 Jul 2002 12:30:05 -0600

I'm also having:

> arp: 10.0.0.147 moved from 00:e0:7d:a9:c8:3c to 00:b0:d0:a5:4d:e0 on rl0
> Jul  1 15:29:26 bella /kernel: arp: 10.0.0.147 moved from 00:e0:7d:a9:c8:3c to 00:b0:d0:a5:4d:e0 on rl0

I thought it was because of dhcp addresses changing, but now I am in doubt, since my kernel is not named "kernel" either.

----- Original Message -----
From: Craig Miller
To: freebsd-security
Sent: Thursday, July 18, 2002 11:47 AM
Subject: wierdness in my security report

Anyone have any ideas as to what might be causing the following to appear in my security report?

arp: 12.236.220.1 moved from 00:b0:64:b7:6f:54 to 00:b0:64:b7:6f:a8 on dc0
> Jul 17 05:47:56 server /kernel: arp: 12.236.220.1 moved from 00:b0:64:b7:6f:54 to 00:b0:64:b7:6f:a8 on dc0
> arp: 12.236.220.1 moved from 00:b0:64:b7:6f:a8 to 00:b0:64:b7:6f:54 on dc0
> Jul 17 05:47:57 server /kernel: arp: 12.236.220.1 moved from 00:b0:64:b7:6f:a8 to 00:b0:64:b7:6f:54 on dc0

I thought those : delimited fields would be MAC addresses, but they don't match the MAC addresses of either of the two cards in my FreeBSD box. I have not checked the MAC addresses of the other network cards on my network.

Also, where does the "server /kernel" name come from? "kernel" is not the name I gave my kernel, so I am suspicious.

Thanks,

--Craig
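
An added example, not part of either message above: a small parser for the syslog-form "arp: ... moved from ... to ..." lines quoted in this thread. It groups them per host, interface and IP and counts moves that exactly reverse the previous one. The function names and the `SAMPLE` text (built from the lines quoted above) are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the timestamped kernel lines quoted in the two messages.
SAMPLE = """\
Jul  1 15:29:26 bella /kernel: arp: 10.0.0.147 moved from 00:e0:7d:a9:c8:3c to 00:b0:d0:a5:4d:e0 on rl0
> Jul 17 05:47:56 server /kernel: arp: 12.236.220.1 moved from 00:b0:64:b7:6f:54 to 00:b0:64:b7:6f:a8 on dc0
> Jul 17 05:47:57 server /kernel: arp: 12.236.220.1 moved from 00:b0:64:b7:6f:a8 to 00:b0:64:b7:6f:54 on dc0
"""

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) /kernel: arp: "
    r"(?P<ip>\d+(?:\.\d+){3}) moved from (?P<old>" + MAC + r") "
    r"to (?P<new>" + MAC + r") on (?P<ifc>\w+)$",
    re.I,
)

def parse(text):
    """Return one dict per timestamped 'arp: ... moved' line; other lines are skipped."""
    events = []
    for raw in text.splitlines():
        # The security report prefixes lines with '> '; strip that before matching.
        m = LINE.match(raw.lstrip("> ").strip())
        if m:
            events.append(m.groupdict())
    return events

def summarize(events):
    """Per (host, interface, IP): number of moves, MACs seen, and reversals."""
    seen = defaultdict(list)
    for e in events:
        seen[(e["host"], e["ifc"], e["ip"])].append((e["old"].lower(), e["new"].lower()))
    report = {}
    for key, moves in seen.items():
        macs = sorted({mac for pair in moves for mac in pair})
        # A "flap" is a move that exactly reverses the previous one (A->B, then B->A).
        flaps = sum(1 for a, b in zip(moves, moves[1:]) if a == b[::-1])
        report[key] = {"moves": len(moves), "macs": macs, "flaps": flaps}
    return report

if __name__ == "__main__":
    for key, info in summarize(parse(SAMPLE)).items():
        print(key, info)
```

Lines without a timestamp (the bare "arp: ..." copies in the report) are skipped on purpose so each event is counted once.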