Date: Thu, 15 Nov 2001 13:53:34 -0800
To: security@FreeBSD.ORG
From: Landon Stewart
Subject: Re: unusual log in var/log/messages

Actually, isn't this typical behaviour of a host with a NIC in promiscuous mode? Someone could be running a sniffer on 00:40:33:39:80:d1 and it responded to a ping that was sent to 137.226.141.33. Is this probable?

At 10:41 PM 11/15/2001 +0100, Sven Wittig wrote:
>Hi,
>
>I recently discovered this entry in my messages-logfile
>
>" Nov 14 15:10:44 leo2 /kernel: arp: 137.226.141.33 moved from
>00:40:33:39:80:d1 to 00:50:bf:7e:6e:70 on de0"
>
>is this a kind of attack or what?
>
>Cu
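
A log check for the kernel message quoted in this thread, added here as an example and not part of either poster's message: it parses `arp: ... moved from ... to ...` lines and separates a single MAC change from an address that keeps switching back, which means more than one station is answering for the same IP. The function names and every sample line other than the quoted one are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Kernel message format as quoted in the thread above.
ARP_MOVED = re.compile(
    r"arp: (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) moved from "
    r"(?P<old>[0-9a-f]{2}(?::[0-9a-f]{2}){5}) to "
    r"(?P<new>[0-9a-f]{2}(?::[0-9a-f]{2}){5}) on (?P<ifname>\S+)",
    re.IGNORECASE,
)

def parse_moves(lines):
    """Yield (ip, old_mac, new_mac, ifname) for each 'arp: ... moved' line."""
    for line in lines:
        m = ARP_MOVED.search(line)
        if m:
            yield (m["ip"], m["old"].lower(), m["new"].lower(), m["ifname"])

def classify(lines):
    """Map each IP to 'moved' (one-way change) or 'flapping' (a MAC returns)."""
    history = defaultdict(list)  # ip -> MACs in the order they were logged
    for ip, old, new, _ifname in parse_moves(lines):
        seen = history[ip]
        if not seen:
            seen.append(old)  # first report also tells us the previous owner
        seen.append(new)
    result = {}
    for ip, macs in history.items():
        # A MAC that reappears means two stations keep claiming the address.
        result[ip] = "flapping" if len(set(macs)) < len(macs) else "moved"
    return result

# Constructed sample: the first line is the one quoted in the thread; the
# rest are invented for illustration (192.0.2.7 is a documentation address).
SAMPLE = [
    "Nov 14 15:10:44 leo2 /kernel: arp: 137.226.141.33 moved from "
    "00:40:33:39:80:d1 to 00:50:bf:7e:6e:70 on de0",
    "Nov 14 15:12:01 leo2 /kernel: arp: 192.0.2.7 moved from "
    "02:00:00:00:00:0a to 02:00:00:00:00:0b on de0",
    "Nov 14 15:12:09 leo2 /kernel: arp: 192.0.2.7 moved from "
    "02:00:00:00:00:0b to 02:00:00:00:00:0a on de0",
    "Nov 14 15:13:00 leo2 sshd[123]: unrelated line",
]

if __name__ == "__main__":
    for ip, verdict in classify(SAMPLE).items():
        print(ip, verdict)
```

A single "moved" entry is also what a replaced network card or a DHCP lease handed to a new machine produces, so on its own it calls for checking who owns the new MAC; repeated flapping is the case to investigate as a duplicate address or ARP spoofing.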