From owner-freebsd-security Sat Oct 12 22:50:12 2002
From: "Alex Pavlovic"
To: "FreeBSD Security"
Subject: RE: Kernel log message
Date: Sat, 12 Oct 2002 22:51:55 -0700

Hi,

There is always a possibility of someone or something performing ARP manipulation in order to redirect the LAN traffic. Some common techniques that come to mind are: MAC spoofing, which is efficient against CAM tables found in switches (if you are running a switched network), and ARP spoofing / cache poisoning, which might apply to you. Attacks that can be performed with these range from sniffing to proxying, MiM, DoS to escaping firewalls.
Recently, for example, certain data has been published about interception of SSL traffic and attack against Microsoft IE certificates.

--
Alex Pavlovic
Founder and CTO
Corp-X Solutions
http://www.corp-x.com

> -----Original Message-----
> From: owner-freebsd-security@FreeBSD.ORG
> [mailto:owner-freebsd-security@FreeBSD.ORG]
> Sent: Saturday, October 12, 2002 5:38 PM
> To: FreeBSD Security
> Subject: Kernel log message
>
>
> Could someone explain to me what the following log message means:
>
> disco.wwallace.net kernel log messages:
> > arp: 192.168.100.2 moved from 00:20:78:0d:5a:7f to
> 00:00:78:0d:5a:7f on de0
>
> Oct 5 08:03:57 disco /kernel: arp: 192.168.100.2 moved from
> 00:20:78:0d:5a:7f to 00:00:78:0d:5a:7f on de0
>
> The machine in question (192.168.100.2) is a Windows 2000 machine
> that has had the same NIC for years. Also, only one of the digits in the
> MAC address seems to have changed. What could cause this?
>
> Thanks,
> - William.
>
>
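Added example (not part of the original messages, and not FreeBSD code): one way to triage the kernel's "arp: ... moved from ... to ..." lines discussed in this thread, reporting for each IP which octets of the MAC changed, how many bits differ, and whether the address flips back to an earlier MAC. The first sample line is the one quoted above; the other two log lines, and the names summarize and mac_bytes, are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: line 1 is the message quoted in the thread,
# lines 2 and 3 are made up for illustration.
SAMPLE_LOG = """\
Oct 5 08:03:57 disco /kernel: arp: 192.168.100.2 moved from 00:20:78:0d:5a:7f to 00:00:78:0d:5a:7f on de0
Oct 5 08:04:10 disco /kernel: arp: 192.168.100.2 moved from 00:00:78:0d:5a:7f to 00:20:78:0d:5a:7f on de0
Oct 5 09:15:02 disco /kernel: arp: 192.168.100.9 moved from 00:a0:c9:11:22:33 to 00:10:4b:aa:bb:cc on de0
"""

MOVED = re.compile(
    r"arp: (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) moved from "
    r"(?P<old>[0-9a-f]{1,2}(?::[0-9a-f]{1,2}){5}) to "
    r"(?P<new>[0-9a-f]{1,2}(?::[0-9a-f]{1,2}){5}) on (?P<ifname>\S+)",
    re.IGNORECASE,
)

def mac_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))

def summarize(log_text):
    """Group 'moved' events by IP address and describe each MAC change."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        m = MOVED.search(line)
        if not m:
            continue
        old, new = m["old"].lower(), m["new"].lower()
        diff = [x ^ y for x, y in zip(mac_bytes(old), mac_bytes(new))]
        per_ip[m["ip"]].append({
            "ifname": m["ifname"], "old": old, "new": new,
            "changed_octets": [i for i, d in enumerate(diff) if d],
            "bits_changed": sum(bin(d).count("1") for d in diff),
        })
    report = {}
    for ip, events in per_ip.items():
        # Flapping: a later event moves the IP back to the MAC it just left.
        flapping = any(e["new"] == p["old"] for p, e in zip(events, events[1:]))
        macs = sorted({mac for e in events for mac in (e["old"], e["new"])})
        report[ip] = {"events": events, "macs": macs, "flapping": flapping}
    return report

if __name__ == "__main__":
    for ip, info in summarize(SAMPLE_LOG).items():
        print(ip, info["macs"], "flapping" if info["flapping"] else "single move")
        for e in info["events"]:
            print("   octets", e["changed_octets"], "bits", e["bits_changed"], "on", e["ifname"])
```

The output only describes the change; deciding between a faulty NIC or cable, a second host answering for the same IP, or deliberate ARP spoofing still needs a check of the switch's CAM table and of the host that owns the address.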