Re: [afnog] [Fwd: mail.one2net.co.ug security run output]
- To: "Patrick Okui" <pokui at one2net.co.ug>, afnog at afnog.org
- Subject: Re: [afnog] [Fwd: mail.one2net.co.ug security run output]
- From: "g00gler one" <list-mail at linuxmail.org>
- Date: Tue, 19 Aug 2003 16:55:48 +0800
----- Original Message -----
From: Patrick Okui <pokui at one2net.co.ug>
Date: 19 Aug 2003 09:44:42 +0300
To: afnog at afnog.org
Subject: [afnog] [Fwd: mail.one2net.co.ug security run output]
> Got this in my logs... I can't seem to trace the renegade MAC address.
> Any reason this would happen? The 216.250.215.15 should be a broadcast
> for one of my small services, shouldn't it? Any clues on how to debug
> this?
>
>
> -----Forwarded Message-----
>
> From: Charlie Root <root at mail.one2net.co.ug>
> To: root at mail.one2net.co.ug
> Subject: mail.one2net.co.ug security run output
> Date: 19 Aug 2003 03:01:03 +0300
> <snip>
>
> mail.one2net.co.ug kernel log messages:
> > arp: 00:50:ba:8c:57:e1 attempts to modify permanent entry for 216.250.215.15 on rl0
> > arp: 00:50:ba:8c:57:e1 attempts to modify permanent entry for 216.250.215.15 on rl0
> > arp: 00:50:ba:8c:57:e1 attempts to modify permanent entry for 216.250.215.15 on rl0
> > arp: 00:50:ba:8c:57:e1 attempts to modify permanent entry for 216.250.215.15 on rl0
> > arp: 00:50:ba:8c:57:e1 attempts to modify permanent entry for 216.250.215.15 on rl0
> > arp: 00:50:ba:8c:57:e1 attempts to modify permanent entry for 216.250.215.15 on rl0
> > arp: 00:50:ba:8c:57:e1 attempts to modify permanent entry for 216.250.215.15 on rl0
>
> mail.one2net.co.ug login failures:
>
> mail.one2net.co.ug refused connections:
>
> -- End of security output --
>
> the commands below give...
>
> mail# arp -a
>
> ? (216.250.215.9) at 00:d0:ba:58:ee:e0 on rl0 [ethernet]
> ns.one2net.co.ug (216.250.215.10) at 00:50:ba:85:ca:82 on rl0 [ethernet]
> ? (216.250.215.15) at ff:ff:ff:ff:ff:ff on rl0 permanent [ethernet]
>
> mail# netstat -rn
>
> Routing tables
>
> Internet:
> Destination        Gateway             Flags    Refs     Use  Netif Expire
> default            216.250.215.9       UGSc       15    3424    rl0
> 127.0.0.1          127.0.0.1           UH          0   45082    lo0
> 216.250.215.8/29   link#1              UC          3       0    rl0
> 216.250.215.9      00:d0:ba:58:ee:e0   UHLW       16       0    rl0    617
> 216.250.215.10     00:50:ba:85:ca:82   UHLW        0     228    rl0   1191
> 216.250.215.15     ff:ff:ff:ff:ff:ff   UHLWb       0      22    rl0
>
>
> __________________________________________________
> This is the Africa Network Operators' Group(AfNOG)
> technical discussion list.
> The AfNOG website is: <http://www.afnog.org>
This is an attempt to poison the ARP cache for that particular host.
Or it is possible that another machine on your network has the same address, or some Linux box is announcing ARP for all interfaces. Try using tcpdump.
See http://www.bth.se/ces/ces.nsf/0/cd4076ac21f045b8c1256a690047dbb9/$FILE/Lindman.pdf
g00gler
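A way to triage warnings like the ones in this thread before reaching for tcpdump, as an added example that is not part of either poster's message. The script parses the kernel's "arp: ... attempts to modify permanent entry" lines together with the `arp -a` table, and checks each contested address against the directly connected networks from `netstat -rn`: 216.250.215.8/29 has broadcast address 216.250.215.15, so the permanent ff:ff:ff:ff:ff:ff entry is the subnet broadcast, and a unicast MAC answering ARP for it is either a duplicate or misconfigured host or a spoofing attempt. The sample log, ARP table and network list are constructed from the output quoted above; the function names are this example's own.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample input, copied from the output quoted in the thread
# (not captured live by this script).
KERNEL_LOG = """\
arp: 00:50:ba:8c:57:e1 attempts to modify permanent entry for 216.250.215.15 on rl0
arp: 00:50:ba:8c:57:e1 attempts to modify permanent entry for 216.250.215.15 on rl0
arp: 00:50:ba:8c:57:e1 attempts to modify permanent entry for 216.250.215.15 on rl0
"""

ARP_TABLE = """\
? (216.250.215.9) at 00:d0:ba:58:ee:e0 on rl0 [ethernet]
ns.one2net.co.ug (216.250.215.10) at 00:50:ba:85:ca:82 on rl0 [ethernet]
? (216.250.215.15) at ff:ff:ff:ff:ff:ff on rl0 permanent [ethernet]
"""

# Directly connected networks: the link#N routes in `netstat -rn`.
CONNECTED_NETS = ["216.250.215.8/29"]

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
ARP_MODIFY_RE = re.compile(
    r"arp: (?P<mac>" + MAC + r") attempts to modify permanent entry for "
    r"(?P<ip>\d+\.\d+\.\d+\.\d+) on (?P<ifname>\S+)"
)
ARP_A_RE = re.compile(
    r"^\S+ \((?P<ip>\d+\.\d+\.\d+\.\d+)\) at (?P<mac>" + MAC + r") "
    r"on (?P<ifname>\S+)(?P<flags>.*)\["
)


def parse_arp_table(text):
    """Map IP -> (mac, is_permanent) from `arp -a` output."""
    table = {}
    for line in text.splitlines():
        m = ARP_A_RE.match(line)
        if m:
            table[m["ip"]] = (m["mac"], "permanent" in m["flags"])
    return table


def broadcast_of(ip, nets):
    """Return the connected network whose broadcast address is `ip`, else None."""
    addr = ipaddress.ip_address(ip)
    for net in nets:
        n = ipaddress.ip_network(net, strict=False)
        if addr == n.broadcast_address:
            return str(n)
    return None


def triage(kernel_log, arp_table_text, nets):
    """Group the kernel warnings by (offending MAC, target IP, interface) and
    enrich each group with what the ARP table currently holds for that IP."""
    table = parse_arp_table(arp_table_text)
    counts = Counter()
    for line in kernel_log.splitlines():
        m = ARP_MODIFY_RE.search(line)
        if m:
            counts[(m["mac"], m["ip"], m["ifname"])] += 1

    findings = []
    for (mac, ip, ifname), n in sorted(counts.items()):
        current_mac, permanent = table.get(ip, (None, False))
        bcast_net = broadcast_of(ip, nets)
        if bcast_net:
            # A unicast MAC claiming the subnet broadcast address: duplicate
            # or misconfigured host, or a spoofed reply; worth a packet capture.
            verdict = "claims broadcast address of " + bcast_net
        elif permanent:
            verdict = "contends with static entry " + str(current_mac)
        else:
            verdict = "no matching table entry"
        findings.append({
            "offending_mac": mac, "ip": ip, "ifname": ifname, "count": n,
            "current_mac": current_mac, "broadcast_of": bcast_net,
            "verdict": verdict,
        })
    return findings


if __name__ == "__main__":
    for f in triage(KERNEL_LOG, ARP_TABLE, CONNECTED_NETS):
        print("%s x%d -> %s on %s: %s" % (
            f["offending_mac"], f["count"], f["ip"], f["ifname"], f["verdict"]))
```

Run against the thread's output it reports one group: 00:50:ba:8c:57:e1 contesting 216.250.215.15 on rl0 three times, where the table holds the permanent broadcast entry. The next step is then a capture on rl0 filtered to that MAC to see which host is sending the replies.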