Security Incidents mailing list archives

Re: I think I've been hacked...please help!


From: "Crist J. Clark" <crist.clark () attbi com>
Date: Mon, 1 Apr 2002 00:26:32 -0800

On Sat, Mar 30, 2002 at 08:51:27AM -0700, Joe Warner wrote:
> Hi,
>
> I'm running FreeBSD 4.5-STABLE and I recently noticed some
> unknown ARP activity on my Cable connection when I wasn't
> running any programs or even logged into X.

Hmmm... It wasn't April 1st when you sent this...

[snip]

> 03/30-07:43:32.868036 ARP who-has 12.254.196.198 tell 12.254.196.1
> 03/30-07:43:41.390466 ARP who-has 12.254.196.215 tell 12.254.196.1
> 03/30-07:43:44.665318 ARP who-has 12.254.196.215 tell 12.254.196.1

[snip a bunch more of these]

Routers sending out ARPs for people's machines. Nothing odd.

> 03/30-07:46:21.869285 0:30:80:6E:AC:8C -> FF:FF:FF:FF:FF:FF type:0x800 len:0x176
> 12.242.19.34:67 -> 255.255.255.255:68 UDP TTL:246 TOS:0x0 ID:15134 IpLen:20 DgmLen:360 DF
> Len: 340

And a DHCP server broadcasting a DHCPOFFER. Totally normal.
-- 
Crist J. Clark                     |     cjclark () alum mit edu
                                   |     cjclark () jhu edu
http://people.freebsd.org/~cjc/    |     cjc () freebsd org

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
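
Added example, not part of the original message or the list archive: Python code that sorts the capture lines quoted in the thread into the two kinds of broadcast traffic the reply identifies (ARP requests and a DHCP server broadcast). The names `triage` and `my_ip` are hypothetical, and the address passed as `my_ip` is a constructed placeholder because the poster's own address is not given.

```python
import re
from collections import Counter

# Capture lines as quoted in the message above.
CAPTURE = """\
03/30-07:43:32.868036 ARP who-has 12.254.196.198 tell 12.254.196.1
03/30-07:43:41.390466 ARP who-has 12.254.196.215 tell 12.254.196.1
03/30-07:43:44.665318 ARP who-has 12.254.196.215 tell 12.254.196.1
03/30-07:46:21.869285 0:30:80:6E:AC:8C -> FF:FF:FF:FF:FF:FF type:0x800 len:0x176
12.242.19.34:67 -> 255.255.255.255:68 UDP TTL:246 TOS:0x0 ID:15134 IpLen:20 DgmLen:360 DF
Len: 340
"""

ARP_RE = re.compile(r"ARP who-has (\S+) tell (\S+)")
ETH_RE = re.compile(r"^\S+ ([0-9A-Fa-f:]+) -> ([0-9A-Fa-f:]+) type:0x800")
UDP_RE = re.compile(r"^(\S+):(\d+) -> (\S+):(\d+) UDP")
BCAST_MAC, BCAST_IP = "FF:FF:FF:FF:FF:FF", "255.255.255.255"

def triage(text, my_ip):
    """Return (findings, askers); findings is a list of (label, detail) tuples."""
    findings, askers, dst_mac = [], Counter(), None
    for line in text.splitlines():
        if m := ARP_RE.search(line):
            target, asker = m.groups()
            askers[asker] += 1  # count requests per asking host
            label = "arp-request-for-me" if target == my_ip else "arp-request-for-other-host"
            findings.append((label, f"{asker} asks who has {target}"))
        elif m := ETH_RE.search(line):
            dst_mac = m.group(2).upper()  # frame header precedes its IP line
        elif m := UDP_RE.search(line):
            src, sport, dst, dport = m.group(1), int(m.group(2)), m.group(3), int(m.group(4))
            if (sport, dport) == (67, 68):  # BOOTP/DHCP server -> client
                bcast = dst == BCAST_IP and dst_mac == BCAST_MAC
                label = "dhcp-server-broadcast" if bcast else "dhcp-server-unicast"
            elif (sport, dport) == (68, 67):  # BOOTP/DHCP client -> server
                label = "dhcp-client-request"
            else:
                label = "other-udp"
            findings.append((label, f"{src}:{sport} -> {dst}:{dport}"))
            dst_mac = None
    return findings, askers

if __name__ == "__main__":
    # 192.0.2.10 is a constructed placeholder; the poster's address is not on the page.
    findings, askers = triage(CAPTURE, my_ip="192.0.2.10")
    for label, detail in findings:
        print(f"{label:28} {detail}")
    print("distinct ARP askers:", dict(askers))
```

On the quoted capture every ARP request comes from the single address 12.254.196.1, and the only UDP packet is a port 67 to port 68 broadcast, which matches the reply's reading of the traffic.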