yikes! MAC address changed ??

Matthew Seaman m.seaman at black-earth.co.uk
Thu Feb 11 11:38:49 UTC 2010 

On 11/02/2010 11:00, James Smallacombe wrote:
> Sorry for replying to myself (AND top-posting!) twice in a row, but this
> is become a huge concern.  My first thought is that my provider changed
> routers or router Ethernet ports, hence the MAC address change.  They
> deny this, plus I find the two MAC addresses:
> 
> 00:17:e0:4f:b9:c0 to 00:13:e0:4f:b9:c0
> 
> too close to each other for comfort.  My obvious concern here is that
> the recent php compromises somehow allowed an attacker to alter the ARP
> table entry of the default gateway.  Specific questions are as follows:

They're not just close: it's a single bit change between the two MACs

> 1) If this were done via a perl or php script, presumably executing
>    an 'arp -s' command, would it show up in the log like that?  I've
>    never changed an ARP entry (except to delete it using 'arp -d'), so
>    I've only seen log entries like that due to external changes, like
>    somebody changing IPs on the LAN from one Ether to another.

You'ld need root level access to change something like that, no matter
if it was from the shell or via some scripting language.  If an attacker
has the capability to do that to you, then it's *game* *over* -- wipe
the box and start again.  Of course, that's a pretty bizarre thing for
an attacker to do.  It draws attention to itself by disrupting your
network communications and there isn't any obvious advantage to be
gained by doing that.  [There might be if the MAC was changed to
collide with another one on the same network segment but I believe that
is not the case here.]

It's not 'arp -s' that is used to change the MAC address on an
interface, but ifconfig(8) -- something like this:

    # ifconfig re0 ether 00:17:e0:4f:b9:c0

In fact, you can use this to help diagnose your potential hardware
problem.  Try changing the 2nd byte of the MAC to some other arbitrary
values.  If you find that 0x4 bit always toggled to zero, it's pretty
definitively a hardware problem.  Note: log into the console or via
different network interface befre trying this or you'll kick yourself
off the machine.

> 2) Could an Ethernet card defect or re0 driver problem cause anything
>    like this?  Other bug?

Yes -- this is the most likely cause.  Hardware problems.  The MAC
address is built into the network card using an EEPROM or such like,
and those can conceivably go bad.  Replace the NIC and see if the
problems go away.

> 3) If this was an attacker using a local script, how the hell does he
>    get a php or perl script owned by UID 80 (or worst case, a user),
>    to do this?

You don't.  You need root access to change the MAC on a network
interface.  Same as for changing the IP number on the interface.
Check /etc/rc.conf -- if there aren't ifconfig commands in there
to modify the ether or link address, and if the modified MAC survives
a system reboot, then it's almost certainly hardware going kaput.
Even if the MAC does recover on reboot, it still might be flakey
hardware.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.              7 Priory Courtyard, Flat 3
Black Earth Consulting                       Ramsgate
                                             Kent, CT11 9PW
Free and Open Source Solutions               Tel: +44 (0)1843 580647

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 267 bytes
Desc: OpenPGP digital signature
Url : http://lists.freebsd.org/pipermail/freebsd-questions/attachments/20100211/0b3a0c96/signature.pgp

More information about the freebsd-questions mailing list