From: Mitch Collinsworth
Date: Thu, 15 Nov 2001 23:50:26 -0500 (EST)
To: peter.lai@uconn.edu
Cc: Greg, security@FreeBSD.ORG
Subject: Re: unusual log in var/log/messages
In-Reply-To: <20011115233053.F80130@cowbert.2y.net>

On Thu, 15 Nov 2001, Peter C. Lai wrote:

> I have seen this continuously when someone is trying to spoof a router.
> I have tested this by spoofing a router, but I think it can
> also be generalized to any pair of hosts with the same IP and
> neither wants to let it go (which is what is being done when one
> spoofs a host).

Sure.  But since it's an arp the spoofer has to be on your local
subnet.  You can examine the spanning tree data in your switches
to find out which switch port the machine with that mac address
is connected to.

-Mitch

> On Thu, Nov 15, 2001 at 10:21:44PM -0500, Mitch Collinsworth wrote:
> >
> > On Thu, 15 Nov 2001, Greg Wirth wrote:
> >
> > > I also see these from time to time, and have never pinned down
> > > exactly what it means.  I've never found any damage or abuse
> > > during or after these messages. I would really like to know.
> > > The times always match, and happen at random times.
> > > Versions don't seem to matter, as it has happened since 3.3
> > >
> > > Nov 12 06:18:41 aix /kernel: arp: 24.237.82.161 moved from
> > > 00:40:c7:81:22:04 to 00:04:ac:1a:4e:e7 on dc0
> > > Nov 12 06:18:41 aix /kernel: arp: 24.237.82.161 moved from
> > > 00:04:ac:1a:4e:e7 to 00:40:c7:81:22:04 on dc0
> >
> > Have you checked to find out which system(s) are involved?  It has
> > to be someone on the same subnet with you.
> >
> > -Mitch
>
> --
> Peter C. Lai
> University of Connecticut
> Dept. of Residential Life | Programmer
> Dept. of Molecular and Cell Biology |
> Undergraduate Research Assistant
> http://cowbert.2y.net/
> 860.427.4542
> 203.206.3784

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
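
Added example, not part of the original message or of FreeBSD: a small log check that picks out the pattern discussed in this thread, an IP whose ARP entry moves to another MAC and then back, and lists the MAC addresses to look up on the switches. The function name find_arp_flaps and the 192.0.2.10 sample line are constructed for illustration; the other two sample lines are the ones quoted in the thread, unwrapped.

```python
import re
from collections import defaultdict

# FreeBSD kernel message format as quoted in the thread.
ARP_MOVED = re.compile(
    r"arp: (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) moved from "
    r"(?P<old>[0-9a-f]{2}(?::[0-9a-f]{2}){5}) to "
    r"(?P<new>[0-9a-f]{2}(?::[0-9a-f]{2}){5}) on (?P<ifname>\S+)",
    re.IGNORECASE,
)

def find_arp_flaps(lines):
    """Return {ip: info} for IPs whose ARP entry moved to a MAC and back.

    A single one-way move (replaced NIC, failover) is not reported; a move
    that is later reversed means two stations are answering for the same IP.
    """
    moves = defaultdict(list)  # ip -> [(old_mac, new_mac, ifname), ...]
    for line in lines:
        m = ARP_MOVED.search(line)
        if m:
            moves[m["ip"]].append((m["old"].lower(), m["new"].lower(), m["ifname"]))

    flaps = {}
    for ip, seq in moves.items():
        seen, reversals = set(), 0
        for old, new, _ in seq:
            if (new, old) in seen:  # an earlier move went the other way
                reversals += 1
            seen.add((old, new))
        if reversals:
            flaps[ip] = {
                "macs": sorted({mac for old, new, _ in seq for mac in (old, new)}),
                "interfaces": sorted({ifname for _, _, ifname in seq}),
                "moves": len(seq),
            }
    return flaps

# Sample input: the two log lines from the thread (unwrapped), plus one
# constructed line showing a one-way move that must not be flagged.
SAMPLE_LOG = """\
Nov 12 06:18:41 aix /kernel: arp: 24.237.82.161 moved from 00:40:c7:81:22:04 to 00:04:ac:1a:4e:e7 on dc0
Nov 12 06:18:41 aix /kernel: arp: 24.237.82.161 moved from 00:04:ac:1a:4e:e7 to 00:40:c7:81:22:04 on dc0
Nov 12 09:02:10 aix /kernel: arp: 192.0.2.10 moved from 02:00:00:00:00:01 to 02:00:00:00:00:02 on dc0
""".splitlines()

if __name__ == "__main__":
    for ip, info in find_arp_flaps(SAMPLE_LOG).items():
        print(ip, "claimed by", ", ".join(info["macs"]), "on", ", ".join(info["interfaces"]))
```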