Security Incidents mailing list archives

Re: Strange ARP scan...


From: Ryan Russell <ryan () SECURITYFOCUS COM>
Date: Wed, 14 Mar 2001 11:30:54 -0700

On Tue, 13 Mar 2001, Chris Hobbs wrote:

> A Linux box (Kernel 2.2.5) on my network (10.168.12.0/22) flooded my
> network with ARP requests this morning.

Just to be clear... this is your Linux box, or it's outside of your realm
of responsibility?

> The ARP requests appeared to be
> covering the entire 10.0.0.0/8 address space, and appeared, from my
> capture, to be organized. /24 ranges were scanned alternately in
> ascending and descending order. Here's a sample of the packets (from
> Etherpeek):
>
> 108   00:A0:CC:39:3D:B1       Ethernet Broadcast      64      08:54:28.149000 ARP Req 10.42.188.50 = ?

I don't know of any particularly useful reason to do ARP scanning by
itself.  However, if the attacker's subnet mask indicates that those
machines are on the same subnet, then it has to ARP for them before it can
do any further communication.  Did you see any ARP replies?  If not, then
the section you caught doesn't have any machines at those IP addresses,
and you'd just see the ARP requests.  Once it finds a machine, I suspect
you'll see that it's trying to do some sort of port scan.

So yes, I would assume that machine is compromised, and investigate as
such.  Is it, by chance, an unpatched Red Hat 6.0-7.0 machine?

                                        Ryan
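The check Ryan describes, as an added example that is not part of the original thread: parse lines laid out like the Etherpeek sample quoted above, flag any source MAC that ARPs for several /24s outside the local subnet, record whether each /24 was walked ascending or descending, and list which targets actually answered (the hosts a follow-on port scan would go after). The column layout, the "ARP Rsp" rendering for replies and the sample capture are all assumptions made for this example.

```python
"""Flag an ARP sweep in an Etherpeek-style packet log.

Added example, not code from the original post.  A single source ARPing
for many /24s outside the local subnet, with no replies, is a sweep; any
target that does reply is where a port scan would come next.
"""
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass

LOCAL_NET = ipaddress.ip_network("10.168.12.0/22")  # the poster's network

# Column layout assumed from the quoted sample: packet no., source MAC,
# destination, length, timestamp, ARP summary.  "ARP Rsp" for a reply is
# an assumed rendering.
LINE_RE = re.compile(
    r"^\s*(\d+)\s+([0-9A-Fa-f:]{17})\s+(.+?)\s+(\d+)\s+(\S+)\s+"
    r"ARP (Req|Rsp)\s+(\d+\.\d+\.\d+\.\d+)"
)

# Constructed sample capture (not real data).  One MAC walks three /24s,
# alternately descending and ascending, and nothing answers; a second
# host ARPs for a local address and gets a reply.
SAMPLE_LOG = """\
108  00:A0:CC:39:3D:B1  Ethernet Broadcast  64  08:54:28.149000  ARP Req 10.42.188.50 = ?
109  00:A0:CC:39:3D:B1  Ethernet Broadcast  64  08:54:28.150000  ARP Req 10.42.188.49 = ?
110  00:A0:CC:39:3D:B1  Ethernet Broadcast  64  08:54:28.151000  ARP Req 10.42.188.48 = ?
111  00:A0:CC:39:3D:B1  Ethernet Broadcast  64  08:54:28.152000  ARP Req 10.42.189.1 = ?
112  00:A0:CC:39:3D:B1  Ethernet Broadcast  64  08:54:28.153000  ARP Req 10.42.189.2 = ?
113  00:A0:CC:39:3D:B1  Ethernet Broadcast  64  08:54:28.154000  ARP Req 10.42.189.3 = ?
114  00:A0:CC:39:3D:B1  Ethernet Broadcast  64  08:54:28.155000  ARP Req 10.42.190.254 = ?
115  00:A0:CC:39:3D:B1  Ethernet Broadcast  64  08:54:28.156000  ARP Req 10.42.190.253 = ?
116  00:11:22:33:44:55  Ethernet Broadcast  64  08:54:29.000000  ARP Req 10.168.12.7 = ?
117  00:AA:BB:CC:DD:EE  00:11:22:33:44:55   64  08:54:29.001000  ARP Rsp 10.168.12.7 = 00:AA:BB:CC:DD:EE
"""


@dataclass
class ArpRecord:
    pkt: int
    src_mac: str
    op: str                     # "Req" or "Rsp"
    ip: ipaddress.IPv4Address   # the address being asked for / answered


def parse_log(text):
    """Parse Etherpeek-style lines; non-ARP lines are skipped."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            out.append(ArpRecord(int(m.group(1)), m.group(2).upper(),
                                 m.group(6), ipaddress.ip_address(m.group(7))))
    return out


def _direction(last_octets):
    """'asc', 'desc' or 'mixed' for the order a /24 was walked in."""
    if len(last_octets) < 2:
        return "single"
    diffs = [b - a for a, b in zip(last_octets, last_octets[1:])]
    if all(d > 0 for d in diffs):
        return "asc"
    if all(d < 0 for d in diffs):
        return "desc"
    return "mixed"


def find_sweeps(records, local_net=LOCAL_NET, min_subnets=3):
    """Return {src_mac: summary} for every source that ARPed for at least
    min_subnets distinct /24s lying outside local_net."""
    reqs = defaultdict(list)
    answered = set()
    for r in records:
        if r.op == "Req":
            reqs[r.src_mac].append(r.ip)
        else:
            answered.add(r.ip)
    sweeps = {}
    for mac, targets in reqs.items():
        walked = {}                       # /24 -> last octets, capture order
        for t in targets:
            if t in local_net:
                continue                  # ordinary neighbour discovery
            net = ipaddress.ip_network(f"{t}/24", strict=False)
            walked.setdefault(net, []).append(int(t) & 0xFF)
        if len(walked) < min_subnets:
            continue
        dirs = [_direction(o) for o in walked.values()]
        sweeps[mac] = {
            "subnets": [str(n) for n in walked],
            "directions": dirs,
            "alternating": all(a != b and {a, b} <= {"asc", "desc"}
                               for a, b in zip(dirs, dirs[1:])),
            "replies": sorted(str(t) for t in set(targets) if t in answered),
        }
    return sweeps


if __name__ == "__main__":
    for mac, summary in find_sweeps(parse_log(SAMPLE_LOG)).items():
        print(mac, summary)
```

Run against a real export, raise `min_subnets` to taste; an empty `replies` list with many subnets matches the "requests only, no answers" pattern in the post, while a non-empty one tells you which hosts to look at for the port scan Ryan expects next.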

