Date:      Tue, 26 Nov 2002 15:44:43 +0000
From:      Andrew Boothman <andrew@cream.org>
To:        mloiterman@ameritech.net
Cc:        freebsd-questions@FreeBSD.ORG
Subject:   Re: Cracker attack...is my system compromised?
Message-ID:  <3DE396EB.8080006@cream.org>
References:  <005c01c294d2$977fe6e0$0302a8c0@mike> <021701c294d4$c3583270$1200a8c0@gsicomp.on.ca>

Matthew Emmerton wrote:
>>>arp: 192.168.1.1 moved
>>>from 00:04:5a:20:6e:b7 to 00:06:25:92:58:f5 on ep0 Nov 23 16:27:53
>>>fat_man /kernel: arp: 192.168.1.1 moved from 00:04:5a:20:6e:b7 to
>>>00:06:25:92:58:f5 on ep0 arp: 192.168.1.2 moved from
>>>00:01:03:20:2f:75  to 00:06:25:10:e0:03 on ep0 Nov 23 16:57:41
>>>fat_man /kernel: arp:  192.168.1.2 moved from 00:01:03:20:2f:75 to
>>>00:06:25:10:e0:03 on ep0  arp: 192.168.1.2 moved from
>>>00:06:25:10:e0:03 to 00:01:03:20:2f:75 on  ep0 Nov 23 17:00:17
>>>fat_man /kernel: arp: 192.168.1.2 moved from
>>>00:06:25:10:e0:03 to 00:01:03:20:2f:75 on ep0 arp: 192.168.1.4
>>>moved  from 00:06:25:10:e0:03 to 00:80:c6:fa:9f:21 on ep0 Nov 23
>>>18:24:50 fat_man /kernel: arp: 192.168.1.4 moved from
>>>00:06:25:10:e0:03 to
>>>00:80:c6:fa:9f:21 on ep0 arp: 192.168.1.4 moved from
>>>00:80:c6:fa:9f:21 to 00:06:25:10:e0:03 on ep0 Nov 23 18:25:05
>>>fat_man /kernel: arp: 192.168.1.4 moved from 00:80:c6:fa:9f:21 to
>>>00:06:25:10:e0:03 on ep0 arp: 192.168.1.4 moved from
>>>00:06:25:10:e0:03 to 00:80:c6:fa:9f:21 on ep0 Nov 23 18:27:51
>>>fat_man /kernel: arp: 192.168.1.4 moved from 00:06:25:10:e0:03 to
>>>00:80:c6:fa:9f:21 on ep0 arp: 192.168.1.4 moved from
>>>00:80:c6:fa:9f:21 to 00:06:25:10:e0:03 on ep0 Nov 23 18:31:39
>>>fat_man /kernel: arp: 192.168.1.4 moved from 00:80:c6:fa:9f:21 to
>>>00:06:25:10:e0:03 on ep0
>>
> 
> This means that you've got one machine (192.168.1.4) with two network cards
> plugged into the same hub.  These messages are FreeBSD saying "hey, traffic
> for this IP came from one NIC (00:06:25:10:e0:03) and now it's coming from
> another (00:80:c6:fa:9f:21).".  This is a problem with your network setup.

You don't mention if this machine is the box connected via AT&T on 
dynamic IP or not, but if ep0 is the outside interface on that box then 
I wouldn't worry about the Ethernet addresses of your first hop 
changing. I have a cable modem from Blueyonder in the UK and the first 
hop's ethernet address shifts several times a day which results in the 
sort of error messages that you are seeing. Rumour has it that this 
shifting ethernet address is due to some funkiness in the setup of the 
Cisco hardware that Blueyonder's network runs on, but there's never been 
any decisive answer from anyone in Blueyonder.

Hope that helps.

Andrew.
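
An added example, not part of the original message or of FreeBSD: a Python script that reads kernel lines in the "arp: ... moved from ... to ... on ..." format quoted above and separates a one-off change of MAC address from an address that flaps between two MACs, and also lists any MAC that has answered for more than one IP. The sample lines are constructed (documentation IP range, made-up MACs), and the function name summarize is hypothetical.

```python
import re
from collections import defaultdict

MAC = r"[0-9a-f]{2}(?::[0-9a-f]{2}){5}"
# FreeBSD kernel message format, as in the log quoted above:
#   arp: <ip> moved from <old-mac> to <new-mac> on <iface>
MOVED = re.compile(
    rf"arp:\s+(?P<ip>\d+(?:\.\d+){{3}})\s+moved\s+from\s+(?P<old>{MAC})"
    rf"\s+to\s+(?P<new>{MAC})\s+on\s+(?P<iface>\w+)", re.IGNORECASE)

# Constructed sample input; the 18:24:50 line is repeated on purpose.
SAMPLE = """\
Nov 23 16:27:53 host /kernel: arp: 192.0.2.1 moved from 02:00:00:00:00:a1 to 02:00:00:00:00:ff on ep0
Nov 23 16:57:41 host /kernel: arp: 192.0.2.2 moved from 02:00:00:00:00:b2 to 02:00:00:00:00:ee on ep0
Nov 23 17:00:17 host /kernel: arp: 192.0.2.2 moved from 02:00:00:00:00:ee to 02:00:00:00:00:b2 on ep0
Nov 23 18:24:50 host /kernel: arp: 192.0.2.4 moved from 02:00:00:00:00:ee to 02:00:00:00:00:c4 on ep0
Nov 23 18:24:50 host /kernel: arp: 192.0.2.4 moved from 02:00:00:00:00:ee to 02:00:00:00:00:c4 on ep0
Nov 23 18:25:05 host /kernel: arp: 192.0.2.4 moved from 02:00:00:00:00:c4 to 02:00:00:00:00:ee on ep0
"""

def summarize(text):
    """Return (per-IP report, {mac: [ips]} for MACs seen on several IPs)."""
    seq = defaultdict(list)    # ip  -> MACs in the order they took over
    claims = defaultdict(set)  # mac -> IPs it has answered for
    for m in MOVED.finditer(text):
        ip, old, new = m["ip"], m["old"].lower(), m["new"].lower()
        if not seq[ip]:
            seq[ip].append(old)
        if seq[ip][-1] != new:  # collapse repeated copies of one message
            seq[ip].append(new)
        claims[old].add(ip)
        claims[new].add(ip)
    report = {}
    for ip, macs in seq.items():
        report[ip] = {
            "macs": sorted(set(macs)),
            "moves": len(macs) - 1,
            # A MAC that comes back after being displaced means two devices
            # keep answering for this IP (duplicate address, second NIC,
            # or ARP spoofing), not a single hardware change.
            "flapping": len(set(macs)) < len(macs),
        }
    # One MAC answering for several IPs: a router doing proxy ARP, or a
    # host claiming addresses that belong to other machines.
    shared = {mac: sorted(ips) for mac, ips in claims.items() if len(ips) > 1}
    return report, shared

if __name__ == "__main__":
    report, shared = summarize(SAMPLE)
    for ip, info in sorted(report.items()):
        print(ip, info)
    print("MACs seen on more than one IP:", shared)
```

An address marked as flapping, or a MAC listed under several IPs, is worth checking against the known hardware on the segment before deciding whether the cause is cabling, upstream equipment or something hostile.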


