On Tuesday, October 15, 2002, at 04:58 PM, Ray Olszewski wrote:

> First, they are not Ethernet addresses; they are IP addresses, written 
> in hex.

Doh! I should have figured that out. Now I remember reading that as 
well.

> With no real info about your LAN setup (especially, what host, if any, 
> uses IP address 192.200.9.50) or the routing table on boswell, I can't 
> offer any good guesses as to why you are getting redirects.
>
> Other discussion currently on this list seems to reflect the suspicion 
> that they are associated with a MS-SQL exploit of some sort (does your 
> OSX server run MS-SQL, perchance? does a Mac-OSX version of MS-SQL 
> even exist?), but I've not seen it myself, nor have I seen any clear 
> explanation of why this exploit might be using icmp redirects (they 
> *can* be used for man-in-the-middle attacks by changing the routing of 
> packets from routers that are willing to act on them, but the one 
> example we've actually seen of an icmp packet from a server known to 
> be running MS-SQL was destination unreachable, not redirect).

Now it's getting interesting... 192.200.9.50 is a Windows 2000 machine 
we use for testing.

> Some other things to consider are ...
>
>         though you say "no firewall rules, etc.", I infer from the 
> "(incorrectly addressed) internal network" comment that the system 
> does NAT the LAN.
>         am I correct in inferring that eth0 is your LAN interface?

We are behind NAT, but the oxygen machine is not the router. It really 
is just handling DNS and DHCP.

Thanks for getting me on track, I'll start looking into the windows 
machine.

-steve



------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html