
Re: ANOTHER DNS MAC ADDRESS Change w/h Unix Log File


Subject: Re: ANOTHER DNS MAC ADDRESS Change w/h Unix Log File
From: Derek Shaw (DerekShawBIGFOOT.COM)
Date: Wed Jan 19 2000 - 13:46:40 CST


Is this your organization's NT 4.0 DNS server? I assume that it is not, since you speak of scanning for (one of? both
of?) these MAC addresses. How do you know the details of the DNS server?

It's unlikely you have a MAC address conflict - those are both Ethernet addresses, and each Ethernet card is unique. They
are from different manufacturers.

If it's your server, you need to verify the ethernet address of the card(s) in it. If not - then you'll need to find
the owner of the machine (how depends on what logging you do), and enlist them in your cause.

You may want to investigate the security options for your own DNS servers, too (e.g. restricting zone transfers, etc.),
if this anomalous activity is otherwise connected with that service.

Please, keep us posted!
d.

Michael Vaughan wrote:

> Hello all,
>
> Below is the log file from a Unix server that appears
> to have logged the fact that an NT 4.0 DNS servers MAC
> address decided to change.
> This is the second time this has happened within a
> month. The first involved a change for six minutes
> (around mid...no one on campus) This time...0-1 second.
> This is what I am initially recommending...
>
> 1) A scan of EVERY device connected to the network to
> determine MAC addresses. This would be done more than
> once of course.
> Compare to see if any match the detected address.
> 2) Use a 'sniffer' to monitor the network for this MAC
> address (if not initially found) henceforth...and to
> monitor for any 'suspicious' activity.
>
> What I am attempting to do is determine if this is
> simply a node MAC address conflict (possible) or a
> spoofing attack.
>
> This could be something innocuous or an attack....any
> suggestions for determining the cause?
>
> <log>
> Jan 14 19:14:25 druid /kernel: arp: 10.1.11.32 moved
> from 00:30:80:1f:60:5f to 00:50:04:6b:ff:bf on x10
> Jan 14 19:14:25 druid /kernel: arp: 10.1.11.32 moved
> from 00:50:04:6b:ff:bf to 00:30:80:1f:60:5f on x10
> </log>
>
> X10 is my nic for those newbies
>
> Thanks in advance for any suggestions!!!!
>
> Respectfully,
> -Michael Vaughan
> Microsoft Certified Systems Engineer
> ICQ: 20031116
>
> -"Sic pas pacem, para bellum"
> -If you desire peace, prepare for war
>
> _____________________________________________________________________
> ** TO UNSUBSCRIBE, send the command "UNSUBSCRIBE win2ksecadvice"
> ** FOR A WEEKLY DIGEST, send the command "SET win2ksecadvice DIGEST"
> SEND ALL COMMANDS TO: listservlistserv.ntsecurity.net

--
Derek Shaw
Business Information Systems
Victoria, BC.
voice: 250-885-2021   fax: 250-386-4060
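The thread's question is whether the two "arp: ... moved" lines indicate a duplicate node or a spoof. As an added example (not from either poster), here is a small parser for the FreeBSD kernel ARP message format quoted above that pairs each move with a move straight back to the prior address, reports how quickly it reverted, whether the two OUIs (first three octets) differ, and whether either address has the locally-administered bit set, which a factory-burned address normally does not. The year, the 60-second window and the inline log sample are assumptions.

```python
import re
from datetime import datetime

# Sample input constructed from the two kernel lines quoted in the thread.
LOG = """\
Jan 14 19:14:25 druid /kernel: arp: 10.1.11.32 moved from 00:30:80:1f:60:5f to 00:50:04:6b:ff:bf on x10
Jan 14 19:14:25 druid /kernel: arp: 10.1.11.32 moved from 00:50:04:6b:ff:bf to 00:30:80:1f:60:5f on x10
"""

# FreeBSD logs "arp: <ip> moved from <old> to <new> on <ifname>" via syslog.
ARP_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ /kernel: arp: (?P<ip>[\d.]+) moved "
    r"from (?P<old>[0-9a-f:]{17}) to (?P<new>[0-9a-f:]{17}) on (?P<ifc>\S+)$")


def parse(text, year=2000):
    """Return (timestamp, ip, old_mac, new_mac, interface) tuples; year is assumed
    because syslog omits it."""
    events = []
    for line in text.splitlines():
        m = ARP_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["old"], m["new"], m["ifc"]))
    return events


def mac_facts(mac):
    """OUI plus the two flag bits of the first octet (IEEE 802 U/L and I/G bits)."""
    first = int(mac.split(":")[0], 16)
    return {"oui": mac[:8],
            "locally_administered": bool(first & 0x02),
            "multicast": bool(first & 0x01)}


def flaps(events, window_s=60):
    """Pair each move with a later move of the same IP back to the prior MAC
    within window_s seconds; a near-instant revert is the pattern in the thread."""
    out = []
    for i, (t1, ip, a, b, _) in enumerate(events):
        for t2, ip2, c, d, _ in events[i + 1:]:
            secs = (t2 - t1).total_seconds()
            if ip2 == ip and c == b and d == a and secs <= window_s:
                out.append({"ip": ip, "macs": (a, b), "seconds": secs,
                            "same_oui": a[:8] == b[:8],
                            "any_local_bit": any(mac_facts(x)["locally_administered"] for x in (a, b))})
                break
    return out
```

Run it over a larger syslog extract and sort the results by `seconds`; a revert of zero or one second from two universally administered addresses with different OUIs is exactly the case the thread is trying to classify.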




This archive was generated by hypermail 2b27 : Wed Jan 19 2000 - 13:58:27 CST