Sorry for replying to myself (AND top-posting!) twice in a row, but this has become a huge concern. My first thought is that my provider changed routers or router Ethernet ports, hence the MAC address change. They deny this, plus I find the two MAC addresses:

00:17:e0:4f:b9:c0 to 00:13:e0:4f:b9:c0

too close to each other for comfort. My obvious concern here is that the recent php compromises somehow allowed an attacker to alter the ARP table entry of the default gateway. Specific questions are as follows:

1) If this were done via a perl or php script, presumably executing
   an 'arp -s' command, would it show up in the log like that?  I've
   never changed an ARP entry (except to delete it using 'arp -d'), so
   I've only seen log entries like that due to external changes, like
   somebody changing IPs on the LAN from one Ether to another.

2) Could an Ethernet card defect or re0 driver problem cause anything
   like this?  Other bug?

3) If this was an attacker using a local script, how the hell does he
   get a php or perl script owned by UID 80 (or worst case, a user),
   to do this?

Thanks again for any insight...appreciate a reply to both list and directly.

On Wed, 10 Feb 2010, James Smallacombe wrote:


Please disregard this...sleep deprivation...the IP in question (which I should have disguised anyway) was not my server's IP, but that of the default gateway...the problem was external.

On Wed, 10 Feb 2010, James Smallacombe wrote:


This freaked me out a bit, so I'm just running it past the list to make sure this is just a hardware issue...I've never seen it before.

My dedicated server provider replaced my defective server that had been up for 6 months after it had apparent failures of a NIC and hard drives. It had also recently been the victim of the Zen Cart exploits (I posted about this not long ago).

Tonight I lost connectivity to it, got in via KVM/IP and saw this in the syslog:

Feb 10 20:42:51 mail kernel: arp: 209.17.170.1 moved from 00:17:e0:4f:b9:c0 to 00:13:e0:4f:b9:c0 on re0

My first reaction was that somebody else on the LAN had used my IP address, which would have explained the connectivity issues. However, the IP couldn't be pinged and I also noticed that only one number in the address had changed...the odds of somebody else having it were long. ifconfig showed the I/F down, no carrier.

I rebooted and then it came up with yet a third MAC address, 00:14:d1:3c:1e:31. Not really even close. Still no carrier. Provider swaps out the Realtek NIC for a new one and it's working (for now).

Questions that come to mind: could there be a DoS perhaps from a bot or c99shell I didn't find? Even if there was, would it be possible for the "www" user, with no privileges, to even cause this kind of problem? I had disabled suhosin after customers patched their Zen Carts, because it interfered with it.

Or...could this be a bug in the re0 driver?  It's just weird.

James Smallacombe                     PlantageNet, Inc. CEO and Janitor
u...@3.am http://3.am
=========================================================================


_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions