Security Incidents mailing list archives
Re: ANOTHER DNS MAC ADDRESS Change w/h Unix Log File
From: fygrave () EPR0 ORG (CyberPsychotic)
Date: Sat, 22 Jan 2000 06:03:43 +0500
~:Below is the log file from a Unix server that appears
~:to have logged the fact that an NT 4.0 DNS server's MAC
~:address decided to change.

heh.. this sort of attack was demonstrated at a recent SANS security conference devoted to IDS stuff. Someone is just playing arp games to take over your nameserver IP address, so the intruder would be able to control your DNS zones and such. Arp games in your LAN are a good sign that you've got some hostile people in there (could be that some machine(s) got compromised, or just your co-workers aren't as friendly as they seem :-))

~:1) A scan of EVERY device connected to the network to
~:determine MAC addresses. This would be done more than
~:once of course.

Some switches also have a `guard' option to take care of this thing.

~:
~:Any suggestions for determining the cause?
~:<log>
~:Jan 14 19:14:25 druid /kernel: arp: 10.1.11.32 moved
~:from 00:30:80:1f:60:5f to 00:50:04:6b:ff:bf on x10

find out what machine has 00:50:04:6b:ff:bf MAC on its NIC. Very likely this would be the box which got compromised. Also track down arp responses and see who responded `IP 10.1.11.32 is-at 00:50:04:6b:ff:bf'. (the ethernet headers could be spoofed though).

--
Key fingerprint = 4422 16FC 3C7D E10A B044 CA4F 2BE0 3943 9758 9324
http://www.kalug.lug.net/fygrave/
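An added example, not part of the original message: a small triage script for the kind of `arp: ... moved from ... to ...` kernel line quoted above. It groups moves by IP address and by the MAC that took the address over. The function names, the `watched` set, the "flapping" heuristic and every sample line after the first are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# BSD kernel ARP message, in the form quoted in the post (one syslog line).
ARP_MOVED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\s\S*kernel:\sarp:\s"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\smoved\sfrom\s"
    r"(?P<old>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\sto\s"
    r"(?P<new>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\son\s(?P<iface>\S+)", re.I)

def parse_moves(lines):
    """Return one dict per 'arp: ... moved' line, in log order."""
    moves = []
    for line in lines:
        m = ARP_MOVED.match(line.strip())
        if m:
            d = m.groupdict()
            d["old"], d["new"] = d["old"].lower(), d["new"].lower()
            moves.append(d)
    return moves

def analyze(moves, watched=()):
    """Per-IP MAC history plus the set of IPs each new MAC has claimed."""
    history = defaultdict(list)        # ip -> MACs in the order they were seen
    claimed_by_mac = defaultdict(set)  # new MAC -> IPs it took over
    for mv in moves:
        seen = history[mv["ip"]]
        if not seen:
            seen.append(mv["old"])
        seen.append(mv["new"])
        claimed_by_mac[mv["new"]].add(mv["ip"])
    # flapping: the IP went back to a MAC it had before, which suggests
    # two NICs are answering for the same address.
    per_ip = {ip: {"macs": macs, "flapping": len(set(macs)) < len(macs),
                   "watched": ip in watched} for ip, macs in history.items()}
    return per_ip, {mac: sorted(ips) for mac, ips in claimed_by_mac.items()}

# Line 1 is the entry from the post; the other lines are constructed.
SAMPLE_LOG = """\
Jan 14 19:14:25 druid /kernel: arp: 10.1.11.32 moved from 00:30:80:1f:60:5f to 00:50:04:6b:ff:bf on x10
Jan 14 19:14:55 druid /kernel: arp: 10.1.11.32 moved from 00:50:04:6b:ff:bf to 00:30:80:1f:60:5f on x10
Jan 14 19:15:02 druid /kernel: arp: 10.1.11.32 moved from 00:30:80:1f:60:5f to 00:50:04:6b:ff:bf on x10
Jan 14 19:15:40 druid /kernel: arp: 10.1.11.1 moved from 00:a0:c9:11:22:33 to 00:50:04:6b:ff:bf on x10
Jan 14 19:16:00 druid sshd[412]: Connection from 10.1.11.7 port 1022
""".splitlines()

if __name__ == "__main__":
    per_ip, per_mac = analyze(parse_moves(SAMPLE_LOG), watched={"10.1.11.32"})
    print(per_ip)
    print(per_mac)
```

A MAC that shows up under several IPs in the second result is the NIC to look for first; as the message notes, the source address in the Ethernet header can be spoofed, so treat it as a lead rather than proof.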