Re: Cracker attack...is my system compromised?

2002-12-04 Thread Andrew Boothman
Matthew Emmerton wrote:

arp: 192.168.1.1 moved from 00:04:5a:20:6e:b7 to 00:06:25:92:58:f5 on ep0
Nov 23 16:27:53 fat_man /kernel: arp: 192.168.1.1 moved from 00:04:5a:20:6e:b7 to 00:06:25:92:58:f5 on ep0
arp: 192.168.1.2 moved from 00:01:03:20:2f:75 to 00:06:25:10:e0:03 on ep0
Nov 23 16:57:41 fat_man /kernel: arp: 192.168.1.2 moved from 00:01:03:20:2f:75 to 00:06:25:10:e0:03 on ep0
arp: 192.168.1.2 moved from 00:06:25:10:e0:03 to 00:01:03:20:2f:75 on ep0
Nov 23 17:00:17 fat_man /kernel: arp: 192.168.1.2 moved from 00:06:25:10:e0:03 to 00:01:03:20:2f:75 on ep0
arp: 192.168.1.4 moved from 00:06:25:10:e0:03 to 00:80:c6:fa:9f:21 on ep0
Nov 23 18:24:50 fat_man /kernel: arp: 192.168.1.4 moved from 00:06:25:10:e0:03 to 00:80:c6:fa:9f:21 on ep0
arp: 192.168.1.4 moved from 00:80:c6:fa:9f:21 to 00:06:25:10:e0:03 on ep0
Nov 23 18:25:05 fat_man /kernel: arp: 192.168.1.4 moved from 00:80:c6:fa:9f:21 to 00:06:25:10:e0:03 on ep0
arp: 192.168.1.4 moved from 00:06:25:10:e0:03 to 00:80:c6:fa:9f:21 on ep0
Nov 23 18:27:51 fat_man /kernel: arp: 192.168.1.4 moved from 00:06:25:10:e0:03 to 00:80:c6:fa:9f:21 on ep0
arp: 192.168.1.4 moved from 00:80:c6:fa:9f:21 to 00:06:25:10:e0:03 on ep0
Nov 23 18:31:39 fat_man /kernel: arp: 192.168.1.4 moved from 00:80:c6:fa:9f:21 to 00:06:25:10:e0:03 on ep0

This means that you've got one machine (192.168.1.4) with two network cards
plugged into the same hub.  These messages are FreeBSD saying, hey, traffic
for this IP came from one NIC (00:06:25:10:e0:03) and now it's coming from
another (00:80:c6:fa:9f:21).  This is a problem with your network setup.


You don't mention if this machine is the box connected via ATT on 
dynamic IP or not, but if ep0 is the outside interface on that box then 
I wouldn't worry about the Ethernet addresses of your first hop 
changing. I have a cable modem from Blueyonder in the UK and the first 
hop's ethernet address shifts several times a day which results in the 
sort of error messages that you are seeing. Rumour has it that this 
shifting ethernet address is due to some funkiness in the setup of the 
Cisco hardware that Blueyonder's network runs on, but there's never been 
any decisive answer from anyone in Blueyonder.

Hope that helps.

Andrew.



To Unsubscribe: send mail to [EMAIL PROTECTED]
with unsubscribe freebsd-questions in the body of the message


Re: Cracker attack...is my system compromised?

2002-11-25 Thread Matthew Emmerton
 On to my question:

 The past few days have seen some strange activity in my log files.

You're freaking out at normal error messages.

 11/25/2002 Security Report:
 25 02:14:46 fat_man sendmail[16217]: gAP8Ekh16217: SYSERR: putoutmsg (www.nakorinthias.gr): error on output channel sending 220 fat_man.ascendency.net ESMTP Sendmail 8.11.6/8.11.6; Mon, 25 Nov 2002 02:14:46 -0600 (CST): Broken pipe

All this means is that www.nakorinthias.gr dropped an SMTP session without
aborting or closing first.  This usually occurs when the connection times
out or gets dropped.

 11/24/2002 Security Report
  44:59 fat_man last message repeated 2 times
  Nov 23 16:23:03 fat_man sshd[80281]: warning: /etc/hosts.allow, line 23: host name/name mismatch: www.craftworks.co.jp != ns.craftworks.co.jp
  Nov 23 16:24:32 fat_man sshd[80292]: warning: /etc/hosts.allow, line 23: host name/name mismatch: www.craftworks.co.jp != ns.craftworks.co.jp

This means that a host listed in /etc/hosts.allow doesn't resolve to the
same name forwards and backwards.  This is a DNS problem with
[www|ns].craftworks.co.jp.

  arp: 192.168.1.1 moved from 00:04:5a:20:6e:b7 to 00:06:25:92:58:f5 on ep0
  Nov 23 16:27:53 fat_man /kernel: arp: 192.168.1.1 moved from 00:04:5a:20:6e:b7 to 00:06:25:92:58:f5 on ep0
  arp: 192.168.1.2 moved from 00:01:03:20:2f:75 to 00:06:25:10:e0:03 on ep0
  Nov 23 16:57:41 fat_man /kernel: arp: 192.168.1.2 moved from 00:01:03:20:2f:75 to 00:06:25:10:e0:03 on ep0
  arp: 192.168.1.2 moved from 00:06:25:10:e0:03 to 00:01:03:20:2f:75 on ep0
  Nov 23 17:00:17 fat_man /kernel: arp: 192.168.1.2 moved from 00:06:25:10:e0:03 to 00:01:03:20:2f:75 on ep0
  arp: 192.168.1.4 moved from 00:06:25:10:e0:03 to 00:80:c6:fa:9f:21 on ep0
  Nov 23 18:24:50 fat_man /kernel: arp: 192.168.1.4 moved from 00:06:25:10:e0:03 to 00:80:c6:fa:9f:21 on ep0
  arp: 192.168.1.4 moved from 00:80:c6:fa:9f:21 to 00:06:25:10:e0:03 on ep0
  Nov 23 18:25:05 fat_man /kernel: arp: 192.168.1.4 moved from 00:80:c6:fa:9f:21 to 00:06:25:10:e0:03 on ep0
  arp: 192.168.1.4 moved from 00:06:25:10:e0:03 to 00:80:c6:fa:9f:21 on ep0
  Nov 23 18:27:51 fat_man /kernel: arp: 192.168.1.4 moved from 00:06:25:10:e0:03 to 00:80:c6:fa:9f:21 on ep0
  arp: 192.168.1.4 moved from 00:80:c6:fa:9f:21 to 00:06:25:10:e0:03 on ep0
  Nov 23 18:31:39 fat_man /kernel: arp: 192.168.1.4 moved from 00:80:c6:fa:9f:21 to 00:06:25:10:e0:03 on ep0

This means that you've got one machine (192.168.1.4) with two network cards
plugged into the same hub.  These messages are FreeBSD saying, hey, traffic
for this IP came from one NIC (00:06:25:10:e0:03) and now it's coming from
another (00:80:c6:fa:9f:21).  This is a problem with your network setup.

 11/23/2002 Daily run report
 fat_man.ascendency.net group diffs:
 16a17
  cyrus:*:60:daemon
 30d30
  cyrus:*:60:daemon

 What's going on here?

Have you cvsup'd -STABLE lately and run mergemaster, or have you
reinstalled/upgraded the mail/cyrus port?  This was discussed on -stable not
too long ago.

 I just changed most of my passwords and changed the root password to
 an 18-digit alphanumeric string.  I have SMTP-AUTH on and working;
 all relays have been turned off.  I checked my /etc/hosts, groups,
 passwd as well as last and everything appears to be secure.  I have
 restricted sshd to only one particular IP.  Firewalled off all
 unnecessary ports and removed everything possible from hosts.allow.
 I'm running 8.11.6 sendmail, but can't find the version of ssh.  Do I
 need to do anything else?  This appears to be a program running
 various probes to determine my system's security level.  Am I wrong?

It's nice to see that you've tightened up security, but you're freaking out
way too much.  All of this is just normal error logging.

--
Matt


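Added example, not from anyone in the thread: a small Python pass over `arp: ... moved from ... to ...` kernel messages of the kind quoted above. Per IP it reports whether the address made a single move (Andrew's replaced-first-hop case) or is bouncing between the same two MACs (Matt's two-NICs-on-one-hub case), and it flags any MAC that shows up under more than one IP. The embedded log lines are the syslog copies of the messages quoted in the thread; the function names are my own.

```python
import re
from collections import defaultdict

# Matches the FreeBSD kernel message, with or without the "Nov 23 16:27:53 fat_man /kernel:" prefix.
MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
ARP_MOVED = re.compile(
    rf"arp: (?P<ip>\d{{1,3}}(?:\.\d{{1,3}}){{3}}) moved from (?P<old>{MAC}) to (?P<new>{MAC}) on \w+",
    re.IGNORECASE)

def summarize_arp_moves(lines):
    """Group 'arp: <ip> moved from <old> to <new>' messages by IP.  "flapping" is
    set when the IP bounces between the same two MACs (A->B, then B->A), the
    pattern two NICs on one segment produce; a lone move that never reverses is
    what a replaced upstream device looks like."""
    moves = defaultdict(list)
    for line in lines:
        m = ARP_MOVED.search(line)
        if m:
            moves[m["ip"]].append((m["old"].lower(), m["new"].lower()))
    summary = {}
    for ip, trans in moves.items():
        macs = {mac for pair in trans for mac in pair}
        bounced = any(trans[i] == trans[i - 1][::-1] for i in range(1, len(trans)))
        summary[ip] = {"macs": sorted(macs), "moves": len(trans), "flapping": len(macs) == 2 and bounced}
    return summary

def macs_claiming_multiple_ips(summary):
    """MACs seen under more than one IP: a multi-homed host, a router answering for
    several addresses, or a question for whoever runs the segment."""
    by_mac = defaultdict(set)
    for ip, rec in summary.items():
        for mac in rec["macs"]:
            by_mac[mac].add(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}

# Constructed sample: the syslog copies of the seven messages quoted in the thread.
SAMPLE_LOG = """\
Nov 23 16:27:53 fat_man /kernel: arp: 192.168.1.1 moved from 00:04:5a:20:6e:b7 to 00:06:25:92:58:f5 on ep0
Nov 23 16:57:41 fat_man /kernel: arp: 192.168.1.2 moved from 00:01:03:20:2f:75 to 00:06:25:10:e0:03 on ep0
Nov 23 17:00:17 fat_man /kernel: arp: 192.168.1.2 moved from 00:06:25:10:e0:03 to 00:01:03:20:2f:75 on ep0
Nov 23 18:24:50 fat_man /kernel: arp: 192.168.1.4 moved from 00:06:25:10:e0:03 to 00:80:c6:fa:9f:21 on ep0
Nov 23 18:25:05 fat_man /kernel: arp: 192.168.1.4 moved from 00:80:c6:fa:9f:21 to 00:06:25:10:e0:03 on ep0
Nov 23 18:27:51 fat_man /kernel: arp: 192.168.1.4 moved from 00:06:25:10:e0:03 to 00:80:c6:fa:9f:21 on ep0
Nov 23 18:31:39 fat_man /kernel: arp: 192.168.1.4 moved from 00:80:c6:fa:9f:21 to 00:06:25:10:e0:03 on ep0
""".splitlines()

if __name__ == "__main__":
    s = summarize_arp_moves(SAMPLE_LOG)
    for ip, rec in sorted(s.items()):
        print(f"{ip}: {rec['moves']} move(s), flapping={rec['flapping']}, MACs={rec['macs']}")
    print("MACs seen under several IPs:", macs_claiming_multiple_ips(s))
```

On the sample, 192.168.1.1 is a single move, 192.168.1.2 and 192.168.1.4 flap, and 00:06:25:10:e0:03 is the one MAC seen under two IPs; the security report lists each event twice (console and syslog copy), so feed it only one copy or the counts double.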



RE: Cracker attack...is my system compromised?

2002-11-25 Thread Mike Loiterman
 


 -Original Message-
 From: Matthew Emmerton [mailto:[EMAIL PROTECTED]]
 Sent: Monday, November 25, 2002 4:48 PM
 To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
 Subject: Re: Cracker attack...is my system compromised?
 
  On to my question:
 
  The past few days have seen some strange activity in my log
  files. 
 
 You're freaking out at normal error messages.
 
  11/25/2002 Security Report:
  25 02:14:46 fat_man sendmail[16217]: gAP8Ekh16217: SYSERR: putoutmsg (www.nakorinthias.gr): error on output channel sending 220 fat_man.ascendency.net ESMTP Sendmail 8.11.6/8.11.6; Mon, 25 Nov 2002 02:14:46 -0600 (CST): Broken pipe
 
 All this means is that www.nakorinthias.gr dropped an SMTP session
 without aborting or closing first.  This usually occurs when the
 connection times out or gets dropped.
 
  11/24/2002 Security Report
   44:59 fat_man last message repeated 2 times
   Nov 23 16:23:03 fat_man sshd[80281]: warning: /etc/hosts.allow, line 23: host name/name mismatch: www.craftworks.co.jp != ns.craftworks.co.jp
   Nov 23 16:24:32 fat_man sshd[80292]: warning: /etc/hosts.allow, line 23: host name/name mismatch: www.craftworks.co.jp != ns.craftworks.co.jp
 
 This means that a host listed in /etc/hosts.allow doesn't resolve
 to the same name forwards and backwards.  This is a DNS problem
 with
 [www|ns].craftworks.co.jp.
 
   arp: 192.168.1.1 moved from 00:04:5a:20:6e:b7 to 00:06:25:92:58:f5 on ep0
   Nov 23 16:27:53 fat_man /kernel: arp: 192.168.1.1 moved from 00:04:5a:20:6e:b7 to 00:06:25:92:58:f5 on ep0
   arp: 192.168.1.2 moved from 00:01:03:20:2f:75 to 00:06:25:10:e0:03 on ep0
   Nov 23 16:57:41 fat_man /kernel: arp: 192.168.1.2 moved from 00:01:03:20:2f:75 to 00:06:25:10:e0:03 on ep0
   arp: 192.168.1.2 moved from 00:06:25:10:e0:03 to 00:01:03:20:2f:75 on ep0
   Nov 23 17:00:17 fat_man /kernel: arp: 192.168.1.2 moved from 00:06:25:10:e0:03 to 00:01:03:20:2f:75 on ep0
   arp: 192.168.1.4 moved from 00:06:25:10:e0:03 to 00:80:c6:fa:9f:21 on ep0
   Nov 23 18:24:50 fat_man /kernel: arp: 192.168.1.4 moved from 00:06:25:10:e0:03 to 00:80:c6:fa:9f:21 on ep0
   arp: 192.168.1.4 moved from 00:80:c6:fa:9f:21 to 00:06:25:10:e0:03 on ep0
   Nov 23 18:25:05 fat_man /kernel: arp: 192.168.1.4 moved from 00:80:c6:fa:9f:21 to 00:06:25:10:e0:03 on ep0
   arp: 192.168.1.4 moved from 00:06:25:10:e0:03 to 00:80:c6:fa:9f:21 on ep0
   Nov 23 18:27:51 fat_man /kernel: arp: 192.168.1.4 moved from 00:06:25:10:e0:03 to 00:80:c6:fa:9f:21 on ep0
   arp: 192.168.1.4 moved from 00:80:c6:fa:9f:21 to 00:06:25:10:e0:03 on ep0
   Nov 23 18:31:39 fat_man /kernel: arp: 192.168.1.4 moved from 00:80:c6:fa:9f:21 to 00:06:25:10:e0:03 on ep0
 
 This means that you've got one machine (192.168.1.4) with two
 network cards plugged into the same hub.  These messages are
 FreeBSD saying, hey, traffic for this IP came from one NIC
 (00:06:25:10:e0:03) and now it's coming from another
 (00:80:c6:fa:9f:21).  This is a problem with your network setup.
 
  11/23/2002 Daily run report
  fat_man.ascendency.net group diffs:
  16a17
   cyrus:*:60:daemon
  30d30
   cyrus:*:60:daemon
 
  What's going on here?
 
 Have you cvsup'd -STABLE lately and run mergemaster, or have you
 reinstalled/upgraded the mail/cyrus port?  This was discussed on
 -stable not too long ago.
 
  I just changed most of my passwords and changed the root password
  to an 18-digit alphanumeric string.  I have SMTP-AUTH on and
  working; all relays have been turned off.  I checked my
  /etc/hosts, groups, passwd as well as last and everything
  appears to be secure.  I have restricted sshd to only one
  particular IP.  Firewalled off all unnecessary ports and removed
  everything possible from hosts.allow. I'm running 8.11.6
  sendmail, but can't find the version of ssh.  Do I need to do
  anything else?  This appears to be a program running various
  probes to determine my system's security level.  Am I wrong?
 
 It's nice to see that you've tightened up security, but you're
 freaking out way too much.  All of this is just normal error
 logging.
 
 --
 Matt


Thanks for the reassurance.  I guess I can rest easy now.

...
Randomly Generated Quote:
My life has Chinese music torture  
playing in the background. 

Mike Loiterman
PGP Key 0xD1B9D18E
http://www.ascendency.net



