From owner-freebsd-security Thu Jul 18 13:12:58 2002
From: "Will Mitayai Keeso Rowe"
To: "'Jim Laurenson'", "'Craig Miller'", "'freebsd-security'"
Subject: RE: wierdness in my security report
Date: Thu, 18 Jul 2002 16:12:25 -0400
Organization: DreamLabs.Com
Message-ID: <007901c22e97$771f13e0$6400a8c0@shadow>

MAC addresses are prefixed (usually) based on manufacturer. I use http://www.coe.uky.edu/~stu/nic/nic.cfm to help me identify problem machines based on the MAC address... I usually know what cards are in what machines. So... 00b064 is assigned to Cisco Systems, Inc.

Now, a caveat: MAC addresses can be spoofed. I used to do it with my cable provider (who assigned IP leases based on MAC address) all the time to make sure I got the same IP address assigned even though I plugged the cable into different machines.

-Mit

-----Original Message-----
From: owner-freebsd-security@FreeBSD.ORG [mailto:owner-freebsd-security@FreeBSD.ORG] On Behalf Of Jim Laurenson
Sent: July 18, 2002 1:54 PM
To: Craig Miller; freebsd-security
Subject: RE: wierdness in my security report

I have found the same logs on one of my older builds (4.3 I think). The offending MAC address was found to be a Cisco router on my ISP's network. I found no solution for it though.

Jim Laurenson

-----Original Message-----
From: owner-freebsd-security@FreeBSD.ORG [mailto:owner-freebsd-security@FreeBSD.ORG] On Behalf Of Craig Miller
Sent: July 18, 2002 11:47 AM
To: freebsd-security
Subject: wierdness in my security report

Anyone have any ideas as to what might be causing the following to appear in my security report?

arp: 12.236.220.1 moved from 00:b0:64:b7:6f:54 to 00:b0:64:b7:6f:a8 on dc0
> Jul 17 05:47:56 server /kernel: arp: 12.236.220.1 moved from 00:b0:64:b7:6f:54 to 00:b0:64:b7:6f:a8 on dc0
arp: 12.236.220.1 moved from 00:b0:64:b7:6f:a8 to 00:b0:64:b7:6f:54 on dc0
> Jul 17 05:47:57 server /kernel: arp: 12.236.220.1 moved from 00:b0:64:b7:6f:a8 to 00:b0:64:b7:6f:54 on dc0

I thought those : delimited fields would be MAC addresses, but they don't match the MAC addresses of either of the two cards in my FreeBSD box. I have not checked the MAC addresses of the other network cards on my network.

Also, where does the "server /kernel" name come from? "kernel" is not the name I gave my kernel, so I am suspicious.

Thanks,
--Craig
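One way to triage "arp: ... moved" messages like the ones quoted above, as an added example that is not code from the thread: parse the syslog lines, look each MAC's OUI up in a small embedded table (the 00:b0:64 = Cisco entry comes from the thread; the other vendor entry and the third sample line are constructed), and flag an IP whose MAC flaps back and forth within a short window or moves between vendors. The function names, the flap window and the OUI table are assumptions made for this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log, modelled on the lines quoted in the thread. The first
# two lines are the ones Craig posted; the third is made up to show a move
# between different vendors. "server" is the syslog hostname, "/kernel" the tag.
SAMPLE_LOG = """\
Jul 17 05:47:56 server /kernel: arp: 12.236.220.1 moved from 00:b0:64:b7:6f:54 to 00:b0:64:b7:6f:a8 on dc0
Jul 17 05:47:57 server /kernel: arp: 12.236.220.1 moved from 00:b0:64:b7:6f:a8 to 00:b0:64:b7:6f:54 on dc0
Jul 17 06:02:10 server /kernel: arp: 12.236.220.7 moved from 00:b0:64:01:02:03 to de:ad:be:ef:00:01 on dc0
"""

# Tiny OUI table (assumption): 00:b0:64 -> Cisco is stated in the thread,
# de:ad:be is a constructed placeholder vendor for the example.
OUI = {"00:b0:64": "Cisco Systems, Inc.", "de:ad:be": "CONSTRUCTED-VENDOR"}

ARP_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ /kernel: arp: (?P<ip>\S+) "
    r"moved from (?P<old>[0-9a-fA-F:]{17}) to (?P<new>[0-9a-fA-F:]{17}) on (?P<ifn>\S+)$")

def vendor(mac):
    """Map a MAC to its OUI vendor; unknown prefixes return 'unknown'."""
    return OUI.get(mac[:8].lower(), "unknown")

def parse(log):
    """Yield (timestamp, ip, old_mac, new_mac, interface) for each arp-moved line."""
    for line in log.splitlines():
        m = ARP_RE.match(line)
        if not m:
            continue  # not an arp-moved message; ignore
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # syslog has no year
        yield ts, m["ip"], m["old"].lower(), m["new"].lower(), m["ifn"]

def assess(log, flap_window=60):
    """Per IP: MACs seen, number of quick flip-backs, and whether a move crossed vendors."""
    by_ip = defaultdict(lambda: {"macs": set(), "flaps": 0, "cross_vendor": False, "last": None})
    for ts, ip, old, new, ifn in parse(log):
        r = by_ip[ip]
        r["macs"].update((old, new))
        if vendor(old) != vendor(new):
            r["cross_vendor"] = True  # moved between vendors: worth a closer look
        last = r["last"]
        # A move back to the MAC we just moved away from, within the window, is a flap.
        if last and new == last[1] and (ts - last[0]).total_seconds() <= flap_window:
            r["flaps"] += 1
        r["last"] = (ts, old)
    return {ip: {"macs": sorted(r["macs"]), "flaps": r["flaps"],
                 "cross_vendor": r["cross_vendor"]} for ip, r in by_ip.items()}
```

For the quoted lines this reports one flap between two same-vendor MACs on 12.236.220.1, which matches the thread's explanation of an ISP-side Cisco router; as Mit notes, the OUI is weak evidence on its own because a MAC can be spoofed, so treat the vendor check as a hint, not a verdict.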