yikes! MAC address changed ??

James Smallacombe up at 3.am
Thu Feb 11 11:00:28 UTC 2010


Sorry for replying to myself (AND top-posting!) twice in a row, but this 
has become a huge concern.  My first thought is that my provider changed 
routers or router Ethernet ports, hence the MAC address change.  They deny 
this, plus I find the two MAC addresses:

00:17:e0:4f:b9:c0 to 00:13:e0:4f:b9:c0

too close to each other for comfort.  My obvious concern here is that the 
recent php compromises somehow allowed an attacker to alter the ARP table 
entry of the default gateway.  Specific questions are as follows:

1) If this were done via a perl or php script, presumably executing
    an 'arp -s' command, would it show up in the log like that?  I've
    never changed an ARP entry (except to delete it using 'arp -d'), so
    I've only seen log entries like that due to external changes, like
    somebody changing IPs on the LAN from one Ether to another.

2) Could an Ethernet card defect or re0 driver problem cause anything
    like this?  Other bug?

3) If this was an attacker using a local script, how the hell does he
    get a php or perl script owned by UID 80 (or worst case, a user),
    to do this?

Thanks again for any insight...appreciate a reply to both list and 
directly.

On Wed, 10 Feb 2010, James Smallacombe wrote:

>
> Please disregard this...sleep deprivation...the IP in question (which I 
> should have disguised anyway) was not my server's IP, but that of the default 
> gateway...the problem was external.
>
> On Wed, 10 Feb 2010, James Smallacombe wrote:
>
>> 
>> This freaked me out a bit, so I'm just running it past the list to make 
>> sure this is just a hardware issue...I've never seen it before.
>> 
>> My dedicated server provider replaced my defective server that had been up 
>> for 6 months after it had apparent failures of a NIC and hard drives.  It 
>> had also recently been the victim of the Zen Cart exploits (I posted about 
>> this not long ago).
>> 
>> Tonight I lost connectivity to it, got in via KVM/IP and saw this in the 
>> syslog:
>> 
>> Feb 10 20:42:51 mail kernel: arp: 209.17.170.1 moved from 00:17:e0:4f:b9:c0 
>> to 00:13:e0:4f:b9:c0 on re0
>> 
>> My first reaction was that somebody else on the LAN had used my IP address, 
>> which would have explained the connectivity issues.  However, the IP 
>> couldn't be pinged and I also noticed that only one number in the address 
>> had changed...the odds of somebody else having it were long. ifconfig 
>> showed the I/F down, no carrier.
>> 
>> I rebooted and then it came up with yet a third MAC address, 
>> 00:14:d1:3c:1e:31.  Not really even close.  Still no carrier.  Provider 
>> swaps out the Realtek NIC for a new one and it's working (for now).
>> 
>> Questions that come to mind: could there be a DoS perhaps from a bot or 
>> c99shell I didn't find?  Even if there was, would it be possible for the 
>> "www" user, with no privileges, to even cause this kind of problem?  I had 
>> disabled suhosin after customers patched their Zen Carts, because it 
>> interfered with it.
>> 
>> Or...could this be a bug in the re0 driver?  It's just weird.
>> 
>> James Smallacombe		      PlantageNet, Inc. CEO and Janitor
>> up at 3.am 
>> http://3.am
>> =========================================================================
>> 
>
> James Smallacombe		      PlantageNet, Inc. CEO and Janitor
> up at 3.am							    http://3.am
> =========================================================================
>

James Smallacombe		      PlantageNet, Inc. CEO and Janitor
up at 3.am							    http://3.am
=========================================================================
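A defender-side check related to question 1 above, added here as an example and not part of the original thread or of FreeBSD itself: it parses the kernel's "arp: ... moved from ... to ... on ..." syslog lines (the format quoted in the message), compares each move against a pinned set of IP-to-MAC bindings for hosts you care about (the default gateway, for instance), and reports how many octets the new MAC differs by, so a "near miss" like 00:17:e0 vs 00:13:e0 is visible at a glance. The PINNED table and all log lines other than the one quoted in the thread are constructed sample data, and the evaluate_moves/parse_arp_moves names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Matches the FreeBSD kernel ARP message quoted in the thread, e.g.
#   Feb 10 20:42:51 mail kernel: arp: 209.17.170.1 moved from 00:17:e0:4f:b9:c0 to 00:13:e0:4f:b9:c0 on re0
ARP_MOVED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(?P<host>\S+)\s+kernel:\s+arp:\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+moved\s+from\s+"
    r"(?P<old>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})\s+to\s+"
    r"(?P<new>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})\s+on\s+(?P<ifname>\S+)\s*$"
)


@dataclass
class ArpMove:
    ts: str
    host: str
    ip: str
    old_mac: str
    new_mac: str
    ifname: str


def parse_arp_moves(lines: Iterable[str]) -> List[ArpMove]:
    """Extract every 'arp: X moved from A to B on IF' event; other syslog lines are ignored."""
    moves = []
    for line in lines:
        m = ARP_MOVED_RE.match(line.strip())
        if m:
            moves.append(ArpMove(m["ts"], m["host"], m["ip"],
                                 m["old"].lower(), m["new"].lower(), m["ifname"]))
    return moves


def differing_octets(mac_a: str, mac_b: str) -> int:
    """Number of the six octets that differ between two colon-separated MACs."""
    return sum(a != b for a, b in zip(mac_a.lower().split(":"), mac_b.lower().split(":")))


def evaluate_moves(moves: Iterable[ArpMove], pinned: Dict[str, str]) -> List[Tuple[ArpMove, str]]:
    """Grade each move against the pinned IP -> MAC table (expected bindings for hosts you trust)."""
    results = []
    for mv in moves:
        expected = pinned.get(mv.ip)
        if expected is None:
            verdict = "info: unpinned host changed MAC"
        elif mv.new_mac == expected.lower():
            verdict = "ok: host is back on its pinned MAC"
        else:
            n = differing_octets(mv.new_mac, expected)
            verdict = (f"alert: pinned host {mv.ip} now answers from {mv.new_mac} on {mv.ifname}, "
                       f"differing from pinned {expected.lower()} in {n} octet(s); "
                       f"confirm with the provider before trusting the link")
        results.append((mv, verdict))
    return results


# Constructed sample: the first line is the one quoted in the thread (rejoined onto one line);
# the remaining lines are made up for this example.
SAMPLE_LOG = [
    "Feb 10 20:42:51 mail kernel: arp: 209.17.170.1 moved from 00:17:e0:4f:b9:c0 to 00:13:e0:4f:b9:c0 on re0",
    "Feb 10 20:42:55 mail kernel: re0: link state changed to DOWN",
    "Feb 10 20:43:10 mail kernel: arp: 192.0.2.44 moved from 00:11:22:33:44:55 to 66:77:88:99:aa:bb on re0",
]

# Constructed: the gateway binding an operator would record while the link is known-good.
PINNED = {"209.17.170.1": "00:17:e0:4f:b9:c0"}

if __name__ == "__main__":
    for mv, verdict in evaluate_moves(parse_arp_moves(SAMPLE_LOG), PINNED):
        print(f"{mv.ts} {mv.ip}: {verdict}")
```

Run it against /var/log/messages (or feed it the lines syslog ships elsewhere) whenever the gateway entry flips; a pinned host that moves to a MAC only one octet away still produces an alert, since closeness of the addresses says nothing about whether the change is legitimate.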

