From: "Jim Laurenson"
To: "Kevin Kinsey, DaleCo, S.P.", "Craig Miller", "freebsd-security"
Subject: RE: wierdness in my security report
Date: Thu, 18 Jul 2002 12:47:08 -0600

My setup included multiple machines (2 of them, one running 4.3 and the other running 4.4, both getting the error listed below) connected through a Docsis modem. These errors started just after the systems were built. After one of the systems became redundant I removed it from the network and the errors disappeared from the other system. Yet neither of the systems' error messages were mentioning the other, just the MAC address of the Cisco router on my ISP's side.

Jim Laurenson

-----Original Message-----
From: Kevin Kinsey, DaleCo, S.P. [mailto:kdk@daleco.biz]
Sent: July 18, 2002 12:14 PM
To: Jim Laurenson; Craig Miller; freebsd-security
Subject: Re: wierdness in my security report

Somebody, somewhere, changed something that changed a route your kernel had established. How many machines in your LAN? What are the chances one has a new NIC?

KDK

----- Original Message -----
From: Jim Laurenson
To: Craig Miller; freebsd-security
Sent: Thursday, July 18, 2002 12:53 PM
Subject: RE: wierdness in my security report

I have found the same logs on one of my older builds (4.3 I think). The offending MAC address was found to be a Cisco router on my ISP's network. I found no solution for it though.

Jim Laurenson

-----Original Message-----
From: owner-freebsd-security@FreeBSD.ORG [mailto:owner-freebsd-security@FreeBSD.ORG] On Behalf Of Craig Miller
Sent: July 18, 2002 11:47 AM
To: freebsd-security
Subject: wierdness in my security report

Anyone have any ideas as to what might be causing the following to appear in my security report?

arp: 12.236.220.1 moved from 00:b0:64:b7:6f:54 to 00:b0:64:b7:6f:a8 on dc0
> Jul 17 05:47:56 server /kernel: arp: 12.236.220.1 moved from 00:b0:64:b7:6f:54 to 00:b0:64:b7:6f:a8 on dc0
> arp: 12.236.220.1 moved from 00:b0:64:b7:6f:a8 to 00:b0:64:b7:6f:54 on dc0
> Jul 17 05:47:57 server /kernel: arp: 12.236.220.1 moved from 00:b0:64:b7:6f:a8 to 00:b0:64:b7:6f:54 on dc0

I thought those : delimited fields would be MAC addresses, but they don't match the MAC addresses of either of the two cards in my free-bsd box. I have not checked the MAC addresses of the other network cards on my network.

Also, where does the "server /kernel" name come from? "kernel" is not the name I gave my kernel, so I am suspicious.

Thanks,
--Craig
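Added example, not written by anyone in the thread: a Python summariser for the `arp: ... moved from ... to ... on ...` lines quoted above. It collapses the repeated copy of each move (the quoted report shows every move twice, once bare and once with a syslog timestamp) and reports, per IP and interface, the MACs seen, whether the entry flapped back to an earlier MAC, whether the MACs share their first three octets, and which MACs are not in a list you supply. The names `summarize` and `known_macs` are assumptions of this example; `SAMPLE` is the four lines from the thread.

```python
import re
from collections import defaultdict

# The four log lines quoted in the thread, embedded as sample input.
SAMPLE = """\
arp: 12.236.220.1 moved from 00:b0:64:b7:6f:54 to 00:b0:64:b7:6f:a8 on dc0
Jul 17 05:47:56 server /kernel: arp: 12.236.220.1 moved from 00:b0:64:b7:6f:54 to 00:b0:64:b7:6f:a8 on dc0
arp: 12.236.220.1 moved from 00:b0:64:b7:6f:a8 to 00:b0:64:b7:6f:54 on dc0
Jul 17 05:47:57 server /kernel: arp: 12.236.220.1 moved from 00:b0:64:b7:6f:a8 to 00:b0:64:b7:6f:54 on dc0
"""

MAC = r"[0-9a-f]{2}(?::[0-9a-f]{2}){5}"
ARP_MOVED = re.compile(
    rf"arp: (?P<ip>\d+(?:\.\d+){{3}}) moved from (?P<old>{MAC}) "
    rf"to (?P<new>{MAC}) on (?P<ifc>\w+)", re.I)

def summarize(text, known_macs=()):
    """Group 'arp: ... moved' lines by (ip, interface) and describe each group."""
    known = {m.lower() for m in known_macs}   # hypothetical inventory of MACs you trust
    moves = defaultdict(list)
    for line in text.splitlines():
        m = ARP_MOVED.search(line)
        if not m:
            continue
        step = (m["old"].lower(), m["new"].lower())
        steps = moves[(m["ip"], m["ifc"])]
        # Same move repeated back to back is one event logged twice: keep one copy.
        if not steps or steps[-1] != step:
            steps.append(step)
    report = {}
    for key, steps in moves.items():
        macs = sorted({mac for step in steps for mac in step})
        left, flapping = set(), False
        for old, new in steps:
            flapping = flapping or new in left   # moved back to a MAC it had left earlier
            left.add(old)
        report[key] = {
            "moves": len(steps),
            "macs": macs,
            "flapping": flapping,
            "same_oui": len({mac[:8] for mac in macs}) == 1,
            "unknown_macs": [mac for mac in macs if mac not in known],
        }
    return report

if __name__ == "__main__":
    for (ip, ifc), info in summarize(SAMPLE).items():
        print(ip, ifc, info)
```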