Security Incidents mailing list archives

Re: ANOTHER DNS MAC ADDRESS Change w/h Unix Log File


From: fygrave () EPR0 ORG (CyberPsychotic)
Date: Sat, 22 Jan 2000 06:03:43 +0500


~:Below is the log file from a Unix server that appears
~:to have logged the fact that an NT 4.0 DNS server's MAC
~:address decided to change.

heh.. this sort of attack was demonstrated at a recent SANS security
conference devoted to IDS stuff. Someone is just playing ARP games to take
over your nameserver's IP address, so the intruder would be able to control
your DNS zones and such.
ARP games in your LAN are a good sign that you've got some hostile people
in there (could be that some machine(s) got compromised, or just your
co-workers aren't as friendly as they seem :-))

~:1) A scan of EVERY device connected to the network to
~:determine MAC addresses. This would be done more than
~:once of course.

Some switches also have a `guard' option to take care of this thing.

~:
~:Any suggestions for determining the cause?

~:<log>
~:Jan 14 19:14:25 druid /kernel: arp: 10.1.11.32 moved
~:from 00:30:80:1f:60:5f to 00:50:04:6b:ff:bf on x10

find out what machine has the 00:50:04:6b:ff:bf MAC on its NIC. Very likely
this would be the box which got compromised. Also track down ARP
responses and see who responded `IP 10.1.11.32 is-at 00:50:04:6b:ff:bf'.
(the ethernet headers could be spoofed though).


--
     Key fingerprint = 4422 16FC 3C7D E10A B044  CA4F 2BE0 3943 9758 9324
                                        http://www.kalug.lug.net/fygrave/
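An added example, not code from the original post or its author, showing both checks the reply suggests: parsing the kernel's `arp: <ip> moved from <old> to <new>` lines to find IPs whose MAC keeps flipping, and decoding raw ARP replies to see who claims `IP is-at MAC` while also comparing the Ethernet source address against the ARP sender hardware address (a mismatch is the tell the last caveat alludes to, when the spoofer does not bother to forge both). The syslog lines, the frame-building helper, the `known` IP-to-MAC table and all hosts other than the two MACs quoted in the thread are constructed for the example.

```python
import re
import struct
from collections import defaultdict

# Constructed sample syslog: the line quoted in the post (re-joined onto one
# line), a second move back to the original NIC, and an unrelated line that
# the parser must ignore.
SAMPLE_SYSLOG = """\
Jan 14 19:14:25 druid /kernel: arp: 10.1.11.32 moved from 00:30:80:1f:60:5f to 00:50:04:6b:ff:bf on x10
Jan 14 19:16:02 druid /kernel: arp: 10.1.11.32 moved from 00:50:04:6b:ff:bf to 00:30:80:1f:60:5f on x10
Jan 14 19:20:11 druid sshd[211]: Accepted password for fygrave from 10.1.11.7
"""

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
MOVED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+/kernel: arp: "
    r"(?P<ip>\d+(?:\.\d+){3}) moved from (?P<old>" + MAC + r") "
    r"to (?P<new>" + MAC + r") on (?P<ifname>\S+)$"
)


def parse_moved_events(text):
    """Collect every 'arp: <ip> moved from <old> to <new>' kernel line."""
    return [m.groupdict() for m in map(MOVED_RE.match, text.splitlines()) if m]


def contested_ips(events):
    """Map each IP to the sorted set of MACs the kernel has seen it bound to.
    An IP that flips between two MACs is the usual signature of a spoofer
    racing the legitimate host for the address."""
    seen = defaultdict(set)
    for e in events:
        seen[e["ip"]].update((e["old"], e["new"]))
    return {ip: sorted(macs) for ip, macs in seen.items() if len(macs) > 1}


# --- raw ARP reply inspection (Ethernet II + RFC 826 ARP, IPv4 over Ethernet) ---
ETH_P_ARP, ARP_REPLY = 0x0806, 2


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def mac_bytes(s):
    return bytes.fromhex(s.replace(":", ""))


def ip_str(b):
    return ".".join(str(x) for x in b)


def ip_bytes(s):
    return bytes(int(x) for x in s.split("."))


def build_arp_reply(eth_src, sha, spa, tha, tpa):
    """Construct an ARP 'is-at' reply frame for the sample below. eth_src and
    sha are passed separately so a forged Ethernet source can be demonstrated."""
    eth = struct.pack("!6s6sH", mac_bytes(tha), mac_bytes(eth_src), ETH_P_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, ARP_REPLY,
                      mac_bytes(sha), ip_bytes(spa), mac_bytes(tha), ip_bytes(tpa))
    return eth + arp


def parse_arp_reply(frame):
    """Decode a frame; return None unless it is an IPv4-over-Ethernet ARP reply."""
    if len(frame) < 42:
        return None
    _, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen, oper) != (1, 0x0800, 6, 4, ARP_REPLY):
        return None
    return {"eth_src": mac_str(eth_src), "sha": mac_str(sha), "spa": ip_str(spa),
            "tha": mac_str(tha), "tpa": ip_str(tpa)}


def check_arp_reply(reply, known):
    """Findings for one decoded reply against a table of known IP -> MAC
    bindings (e.g. the nameserver's real NIC address)."""
    findings = []
    expected = known.get(reply["spa"])
    if expected and expected != reply["sha"]:
        findings.append(f"{reply['spa']} is-at {reply['sha']}, expected {expected}")
    # A spoofer that rewrites the ARP payload but not the Ethernet header
    # leaks its real NIC address here; if both are forged, this check is silent.
    if reply["eth_src"] != reply["sha"]:
        findings.append(f"ethernet src {reply['eth_src']} != ARP sender {reply['sha']}")
    return findings


if __name__ == "__main__":
    print(contested_ips(parse_moved_events(SAMPLE_SYSLOG)))
    known = {"10.1.11.32": "00:30:80:1f:60:5f"}  # constructed: the real DNS box
    spoof = build_arp_reply("00:50:04:6b:ff:bf", "00:50:04:6b:ff:bf",
                            "10.1.11.32", "00:00:0c:11:22:33", "10.1.11.1")
    print(check_arp_reply(parse_arp_reply(spoof), known))
```

The frame parser is what you would run over a capture of the segment (tcpdump's `arp` filter gives you the same replies); the "expected" table is only as good as its source, so seed it from the switch's port/MAC table or a baseline taken before the incident, not from the current ARP cache of the host that just saw the move.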


