From owner-freebsd-security Thu Jul 18 14: 8: 0 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E48C937B400 for ; Thu, 18 Jul 2002 14:07:55 -0700 (PDT) Received: from stargate.compuware.com (stargate.compuware.com [166.90.248.158]) by mx1.FreeBSD.org (Postfix) with SMTP id 2F71243E6A for ; Thu, 18 Jul 2002 14:07:55 -0700 (PDT) (envelope-from Bill.Barkell@compuware.com) Received: from [199.186.16.12] by stargate.compuware.com via smtpd (for mx1.FreeBSD.org [216.136.204.125]) with SMTP; 18 Jul 2002 21:07:55 UT Received: from bh1.compuware.com (compuware.com [172.22.1.239]) by cwus-dtw-mr02.compuware.com (Postfix) with ESMTP id 6826574CCB; Thu, 18 Jul 2002 17:07:20 -0400 (EDT) Received: by bh1.compuware.com with Internet Mail Service (5.5.2653.19) id <302N4NBQ>; Thu, 18 Jul 2002 17:07:20 -0400 Message-ID: From: "Barkell, Bill" To: "'Z. Frazier'" , faSty Cc: Craig Miller , freebsd-security@FreeBSD.ORG Subject: RE: wierdness in my security report Date: Thu, 18 Jul 2002 17:07:18 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2653.19) Content-Type: text/plain; charset="iso-8859-1" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org I'm not sure if I'm repeating anything here or not, but it looks like 12.236.220.1 may be a router. If so, it's possible for an attacker to poison your arp cache to make your machine think the attacker's machine is 12.236.220.1. This would cause the mac address change. Packets for the net can then be routed thru the attacker's machine, allowing him/her to view everything. One must look at mac address changes of the router address very carefully (and suspiciously). There are programs available that do this arp cache poisoning (dsniff suite and others). Bill Barkell, CISSP -----Original Message----- From: Z. Frazier [mailto:zfrazier@u.washington.edu] Sent: Thursday, July 18, 2002 4:53 PM To: faSty Cc: Craig Miller; freebsd-security@FreeBSD.ORG Subject: Re: wierdness in my security report I dont have my logs in front of me, but i remember getting something similar when my ATT cable connection goes down. You are right that they disagree over who gets the IP address, the owner will switch everytime the ATT network goes down and comes back up. I am however basing most of this on what a freind told me about my similar logs. The good news is that you can parse your logs for such events and get reimbursed for the time your network was down. -zach On Thu, 18 Jul 2002, faSty wrote: > DO you have bridge on your server? > > I have that same similar and the bridge 2 ethernet port fight over who master the > primary IP address. > > -fasty > > On Thu, Jul 18, 2002 at 10:47:21AM -0700, Craig Miller wrote: > > Anyone have any ideas as to what might be causing the following to appear in my security report? > > > > arp: 12.236.220.1 moved from 00:b0:64:b7:6f:54 to 00:b0:64:b7:6f:a8 on dc0 > > > Jul 17 05:47:56 server /kernel: arp: 12.236.220.1 moved from 00:b0:64:b7:6f:54 to 00:b0:64:b7:6f:a8 on dc0 > > > arp: 12.236.220.1 moved from 00:b0:64:b7:6f:a8 to 00:b0:64:b7:6f:54 on dc0 > > > Jul 17 05:47:57 server /kernel: arp: 12.236.220.1 moved from 00:b0:64:b7:6f:a8 to 00:b0:64:b7:6f:54 on dc0 > > > > I thought those : delimited fields would be MAC addresses, but they don't match the MAC addresses of either of the two cards in my free-bsd box. I have not checked the MAC addresses of the other network cards on my network. > > > > Also, where does the "server /kernel" name come from. "kernel" is not the name I gave my kernel, so I am suspicious. > > > > Thanks, > > > > --Craig > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message The contents of this e-mail are intended for the named addressee only. It contains information that may be confidential. Unless you are the named addressee or an authorized designee, you may not copy or use it, or disclose it to anyone else. If you received it in error please notify us immediately and then destroy it. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message