strange things happening with ping - am I hacked?

Bob Bishop rb at gid.co.uk
Fri Aug 10 15:35:33 UTC 2012


Hi,

On 10 Aug 2012, at 15:47, Christoph P.U. Kukulies wrote:

> I have some machines in a company's network that are interconnected
> with a piece of coaxial cable (ethernet 10base2). This trunk goes through a
> switch that acts also as a media converter and connects to the Internet router.
> 
> For a while now I'm having trouble with this 10base2 trunk

It might just be packets getting corrupted; only a few replies get back with address field corruption.

> and I dropped in another FreeBSD
> machine to move the services I'm running to the newer (9.0) machine.
> At the moment the two FreeBSD boxes (one 9.0, the other 5.1) are on the net.
> Both have a DIVERT kernel and act as gateways between the in house network and the Internet (natd).
> 
> Now strange things happen:
> When I ping from the 9.0 machine to another machine (a Windows XP) in the network,
> I don't get an immediate response from the ping but after some, say 20s or so I get:
> 
> (I prefer to not use the real addresses in the source or destination)
> forum2# ping 80.90.34.226
> forum2# tcpdump -i ed0 -l ip proto ICMP
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on ed0, link-type EN10MB (Ethernet), capture size 65535 bytes
> 16:15:06.748522 IP 80.90.34.228 > 129.82.138.44: ICMP echo reply, id 50777, seq 49408, length 8
> 
> or:
> 
> 16:15:06.748522 IP 80.90.34.228 > 129.82.138.44: ICMP echo reply, id 50777, seq 49408, length 8
> 16:17:01.920480 IP 80.90.34.228 > 203.178.148.19: ICMP echo reply, id 9061, seq 48393, length 8
> ^C
> 2 packets captured
> 473 packets received by filter
> 0 packets dropped by kernel
> 
> Doing the same ping from the 5.1 box (pretty sure it hasn't got to do with the OS versions),
> gives an echo reply immediately from the target address I pinged.
> 
> So why does an echo reply come from machines on the net which seem to exist and
> even have names like pinger-j2.ant.isi.edu or pinger6.netsec.colostate.edu?
> 
> Does some packet redirection take place?
> --
> Christoph Kukulies
> _______________________________________________
> freebsd-hackers at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
> To unsubscribe, send any mail to "freebsd-hackers-unsubscribe at freebsd.org"
> 


--
Bob Bishop          +44 (0)118 940 1243
rb at gid.co.uk    fax +44 (0)118 940 1295
             mobile +44 (0)783 626 4518
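As an added example (not code from either poster), a small Python check that parses tcpdump echo-reply lines like the ones quoted above and labels each reply relative to the probe the local host actually sent; the local address 80.90.34.225 and the ICMP id 4242 are constructed placeholders, since the post withholds the real ones.

```python
import re

# Constructed sample: the two reply lines quoted in the thread (same addresses as the post).
SAMPLE_CAPTURE = """\
16:15:06.748522 IP 80.90.34.228 > 129.82.138.44: ICMP echo reply, id 50777, seq 49408, length 8
16:17:01.920480 IP 80.90.34.228 > 203.178.148.19: ICMP echo reply, id 9061, seq 48393, length 8
"""

# Matches tcpdump's numeric one-line ICMP echo output, as shown in the thread.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+), length (?P<len>\d+)$"
)

def parse_icmp_lines(text):
    """Parse tcpdump ICMP echo lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["id"], rec["seq"], rec["len"] = int(rec["id"]), int(rec["seq"]), int(rec["len"])
            records.append(rec)
    return records

def classify_reply(rec, our_ip, target_ip, our_ping_id):
    """Label one echo reply against the probe we sent (our_ip -> target_ip, ICMP id our_ping_id)."""
    if rec["kind"] != "reply":
        return "not_a_reply"
    if rec["dst"] != our_ip:
        # Not addressed to us at all: a reply to some other host's probe that is visible on
        # the shared segment, or a reply whose destination field was damaged in transit.
        return "stray"
    if rec["src"] != target_ip:
        return "unexpected_source"
    if rec["id"] != our_ping_id:
        return "id_mismatch"
    return "expected"

def classify_capture(text, our_ip, target_ip, our_ping_id):
    """Return [(short line summary, verdict)] for every echo line in the capture."""
    return [
        (f'{r["ts"]} {r["src"]} > {r["dst"]} id={r["id"]} seq={r["seq"]}',
         classify_reply(r, our_ip, target_ip, our_ping_id))
        for r in parse_icmp_lines(text)
    ]

if __name__ == "__main__":
    # Our own address and ping id are constructed placeholders; the post does not give them.
    for summary, verdict in classify_capture(SAMPLE_CAPTURE, "80.90.34.225", "80.90.34.226", 4242):
        print(verdict, summary)
```

Both quoted lines come out as "stray", which matches what the capture shows: neither is addressed to the pinging host, so neither can be the answer to its own probe.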
