Security Incidents mailing list archives
ANOTHER DNS MAC ADDRESS Change w/h Unix Log File
From: mikeyv1970 () SNSWORLD NET (Michael Vaughan)
Date: Wed, 19 Jan 2000 14:32:36 -0500
Hello all, Below is the log file from a Unix server that appears to have logged the fact that an NT 4.0 DNS servers MAC address decided to change. This is the second time this has happened within a month. The first involved a change for six minutes (around midnight...no one on campus) This time...0-1 second. This is what I am initially recommending... 1) A scan of EVERY device connected to the network to determine MAC addresses. This would be done more than once of course. Compare to see if any match the detected address. 2) Use a 'sniffer' to monitor the network for this MAC address (if not initially found) henceforth...and to monitor for any 'suspicious' activity. What I am attempting to do is determine if this is simply a node MAC address conflict (possible) or a spoofing attack. Any suggestions for determining the cause? <log> Jan 14 19:14:25 druid /kernel: arp: 10.1.11.32 moved from 00:30:80:1f:60:5f to 00:50:04:6b:ff:bf on x10 Jan 14 19:14:25 druid /kernel: arp: 10.1.11.32 moved from 00:50:04:6b:ff:bf to 00:30:80:1f:60:5f on x10 </log> Thanks in advance for any help!! Respectfully, -Michael Vaughan Microsoft Certified Systems Engineer Web Site: http://www.nku.edu/~vaughan Mail: vaughan () nku edu ICQ: 20031116 -"Sic pas pacem, para bellum" -If you desire peace, prepare for war
Current thread:
- Unusual scan pattern Russell Fulton (Jan 18)
- ANOTHER DNS MAC ADDRESS Change w/h Unix Log File Michael Vaughan (Jan 19)
- Re: ANOTHER DNS MAC ADDRESS Change w/h Unix Log File Cy Schubert - ITSD Open Systems Group (Jan 21)
- Re: ANOTHER DNS MAC ADDRESS Change w/h Unix Log File Ex Machina [xm] (Jan 21)
- Re: ANOTHER DNS MAC ADDRESS Change w/h Unix Log File CyberPsychotic (Jan 21)
- Re: ANOTHER DNS MAC ADDRESS Change w/h Unix Log File Dug Song (Jan 22)
- Re: Unusual scan pattern Granquist, Lamont (Jan 19)
- Slow scan Mixmaster (Jan 19)
- Re: Unusual scan pattern Richard Bejtlich (Jan 20)
- Re: Unusual scan pattern Kevin Houle (Jan 20)
- Re: Unusual scan pattern Russell Fulton (Jan 23)
- semi careful, very patient attacker Jon Paul, Nollmann (Jan 24)
(Thread continues...)
- ANOTHER DNS MAC ADDRESS Change w/h Unix Log File Michael Vaughan (Jan 19)