Date: Thu, 18 Jul 2002 11:05:06 -0700
From: "Bruce A. Mah" <bmah@FreeBSD.ORG>
To: "Craig Miller" <craig@millerfam.net>
Cc: "freebsd-security" <freebsd-security@FreeBSD.ORG>
Subject: Re: wierdness in my security report
Message-ID: <200207181805.g6II56ew080057@intruder.bmah.org>
In-Reply-To: <006301c22e83$2b3d5b30$fe01a8c0@Desktop>
References: <006301c22e83$2b3d5b30$fe01a8c0@Desktop>

If memory serves me right, "Craig Miller" wrote:
> Anyone have any ideas as to what might be causing the following to
> appear in my security report?
>
> arp: 12.236.220.1 moved from 00:b0:64:b7:6f:54 to 00:b0:64:b7:6f:a8 on dc0
>
> Jul 17 05:47:56 server /kernel: arp: 12.236.220.1 moved from 00:b0:64:b7:6f:54 to 00:b0:64:b7:6f:a8 on dc0
>
> arp: 12.236.220.1 moved from 00:b0:64:b7:6f:a8 to 00:b0:64:b7:6f:54 on dc0
>
> Jul 17 05:47:57 server /kernel: arp: 12.236.220.1 moved from 00:b0:64:b7:6f:a8 to 00:b0:64:b7:6f:54 on dc0
>
> I thought those : delimited fields would be MAC addresses, but they
> don't match the MAC addresses of either of the two cards in my free-bsd
> box. I have not checked the MAC addresses of the other network cards on
> my network.

It means that the MAC layer address associated with the IP address
12.236.220.1 changed. You don't get these messages for *your*
interfaces; you get them for other interfaces on networks directly
connected to your (in this case, dc0) interface.

If you and I have machines with interfaces on the same network, and I
power mine down, replace the network interface, and reboot, you'd get
this notification about my machine. You could also see this if someone
was successful at hijacking my IP address. There's many other
explanations, some benign and some not. See arp(4) for more details.

> Also, where does the "server /kernel" name come from. "kernel" is not
> the name I gave my kernel, so I am suspicious.

/kernel is the pathname to your kernel (which is not the same as the
kernel configuration name).

Bruce.

PS. Please don't post multipart text and HTML emails to the lists.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200207181805.g6II56ew080057>