yikes! MAC address changed ??
up at 3.am
Thu Feb 11 11:00:28 UTC 2010
Sorry for replying to myself (AND top-posting!) twice in a row, but this
has become a huge concern. My first thought is that my provider changed
routers or router Ethernet ports, hence the MAC address change. They deny
this, plus I find the two MAC addresses:
00:17:e0:4f:b9:c0 to 00:13:e0:4f:b9:c0
too close to each other for comfort. My obvious concern here is that the
recent php compromises somehow allowed an attacker to alter the ARP table
entry of the default gateway. Specific questions are as follows:
1) If this were done via a perl or php script, presumably executing
an 'arp -s' command, would it show up in the log like that? I've
never changed an ARP entry (except to delete it using 'arp -d'), so
I've only seen log entries like that due to external changes, like
somebody changing IPs on the LAN from one Ether to another.
2) Could an Ethernet card defect or re0 driver problem cause anything
like this? Other bug?
3) If this was an attacker using a local script, how the hell does he
get a php or perl script owned by UID 80 (or worst case, a user),
to do this?
Thanks again for any insight...appreciate a reply to both list and
On Wed, 10 Feb 2010, James Smallacombe wrote:
> Please disregard this...sleep deprivation...the IP in question (which I
> should have disguised anyway) was not my server's IP, but that of the default
> gateway...the problem was external.
> On Wed, 10 Feb 2010, James Smallacombe wrote:
>> This freaked me out a bit, so I'm just running it past the list to make
>> sure this is just a hardware issue...I've never seen it before.
>> My dedicated server provider replaced my defective server that had been up
>> for 6 months after it had apparent failures of a NIC and hard drives. It
>> had also recently been the victim of the Zen Cart exploits (I posted about
>> this not long ago).
>> Tonight I lost connectivity to it, got in via KVM/IP and saw this in the
>> Feb 10 20:42:51 mail kernel: arp: 220.127.116.11 moved from 00:17:e0:4f:b9:c0
>> to 00:13:e0:4f:b9:c0 on re0
>> My first reaction was that somebody else on the LAN had used my IP address,
>> which would have explained the connectivity issues. However, the IP
>> couldn't be pinged and I also noticed that only one number in the address
>> had changed...the odds of somebody else having it were long. ifconfig
>> showed the I/F down, no carrier.
>> I rebooted and then it came up with yet a third MAC address,
>> 00:14:d1:3c:1e:31. Not really even close. Still no carrier. Provider
>> swaps out the Realtek NIC for a new one and it's working (for now).
>> Questions that come to mind: could there be a DoS perhaps from a bot or
>> c99shell I didn't find? Even if there was, would it be possible for the
>> "www" user, with no privileges, to even cause this kind of problem? I had
>> disabled suhosin after customers patched their Zen Carts, because it
>> interfered with it.
>> Or...could this be a bug in the re0 driver? It's just weird.
>> James Smallacombe PlantageNet, Inc. CEO and Janitor
>> up at 3.am
> James Smallacombe PlantageNet, Inc. CEO and Janitor
> up at 3.am http://3.am
James Smallacombe PlantageNet, Inc. CEO and Janitor
up at 3.am http://3.am