From owner-freebsd-security  Mon Oct 14 21: 5:59 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 8D44537B401
	for <freebsd-security@FreeBSD.ORG>; Mon, 14 Oct 2002 21:05:57 -0700 (PDT)
Received: from gaia.nimnet.asn.au (nimbin.lnk.telstra.net [139.130.45.143])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 10B2943E3B
	for <freebsd-security@FreeBSD.ORG>; Mon, 14 Oct 2002 21:05:55 -0700 (PDT)
	(envelope-from smithi@nimnet.asn.au)
Received: from localhost (smithi@localhost)
	by gaia.nimnet.asn.au (8.8.8/8.8.8R1.2) with SMTP id OAA06050;
	Tue, 15 Oct 2002 14:05:47 +1000 (EST)
	(envelope-from smithi@nimnet.asn.au)
Date: Tue, 15 Oct 2002 14:05:47 +1000 (EST)
From: Ian Smith <smithi@nimnet.asn.au>
To: William Wallace <ww@austin.rr.com>
Cc: FreeBSD Security <freebsd-security@FreeBSD.ORG>
Subject: RE: Kernel log message
In-Reply-To: <ODEMJJBMDNGMFJHKBCMFCEJHEAAA.ww@austin.rr.com>
Message-ID: <Pine.BSF.3.96.1021015135711.5096A-100000@gaia.nimnet.asn.au>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-security.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-security>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-security>
X-Loop: FreeBSD.org

On Mon, 14 Oct 2002, William Wallace wrote:

 > Thanks to all who replied.  Just as an additional interesting piece of
 > information:  Because the machine in question was in a state that made it
 > easy to simply wipe it out and re-install everything from scratch, I decided
 > to do just that.  Upon reinstalling the OS and rebooting, I got a kernel log
 > message in my FreeBSD server that indicated the "opposite" MAC address
 > change.  It changed from "00:00:78:0d:5a:7f" back to "00:20:78:0d:5a:7f",

That's still a one-bit error.  In my humble experience, one-bit errors
are almost invariably hardware.  If so, then I guess this is off-topic. 

 > which is what it was originally.  I'm suspicious now of some kind of
 > malicious software or something, but it's going to be hard to determine what
 > exactly made that happen.

Did you try cleaning the NIC in question, and the computer it lives in?

[..]

 > >The machine in question (192.168.100.2) is a Windows 2000 machine that has
 > >had the same NIC for years.  Also, only one of the digits in the MAC
 > >address seems to have changed.  What could cause this?
 > >
 > 
 > 1) The NIC card could be dieing. "same NIC for years"
 > 2) Transmission error of some sort on you LAN
 > 3) Problem w/ a packet switch.

Still smells like hardware to me too; fluff and dust can engender such.

Cheers, Ian


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message