Martian Source

older
AW: [suse-security] SuSEFirewall 2...

Grosswiler Roger

23 Oct 2002 23 Oct '02

13:38

Oct 23 15:34:38 trinity kernel: martian source 255.255.255.255 from 10.225.80.1, on dev eth1 Oct 23 15:34:38 trinity kernel: ll header: ff:ff:ff:ff:ff:ff:00:09:7b:8d:08:54:0 8:00 --> as i heard, this problem is known and it is not an intrusion by another system - there is a malconfigured adress somewhere in the system oder in the kernel. But this message is filling my logs and my disks. So: - is it like i heard? (hopefully yes) - how can i solve this problem, so i will not get anymore message in my logs for that? Thx in advance! Roger

Show replies by date

Raymond Leach

23 Oct 23 Oct

13:44

New subject: [suse-security] Martian Source

On Wed, 2002-10-23 at 15:38, Grosswiler Roger wrote:

...

Oct 23 15:34:38 trinity kernel: martian source 255.255.255.255 from 10.225.80.1, on dev eth1 Oct 23 15:34:38 trinity kernel: ll header: ff:ff:ff:ff:ff:ff:00:09:7b:8d:08:54:0 8:00

Could be something like a smurf attack. A workstation pretending to be all the addresses on the network ....

...

--> as i heard, this problem is known and it is not an intrusion by another system - there is a malconfigured adress somewhere in the system oder in the kernel. But this message is filling my logs and my disks. So:

- is it like i heard? (hopefully yes) - how can i solve this problem, so i will not get anymore message in my logs for that?

Thx in advance!

Roger

-- Check the headers for your unsubscription address For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here

Joerg Henner

13:56

New subject: [suse-security] Martian Source

On Mit, 23 Okt 2002, Raymond Leach wrote:

...

Could be something like a smurf attack. A workstation pretending to be all the addresses on the network ....

Right, we have those "martian source" loggings on the external interface at our inner FW, too ;) But it also can come from the inner network, when you configure a machine on the same hub/switch with different Network-Adresses (eg: you have 192.168.0.0/24, but your normal network have 10.0.0.0/24) These times i cant see any security related problems at all - but any comments are welcome... Greetings, -- Jörg Henner Fon: +49 (7 11) 48 90 83 - 0 ETES - EDV-Systemhaus GbR Fax: +49 (7 11) 48 90 83 - 50 Libanonstrasse 58 A * D-70184 Stuttgart Web: http://www.etes.de

Grosswiler Roger

14:11

New subject: [suse-security] Martian Source

...

On Mit, 23 Okt 2002, Raymond Leach wrote:

...
Could be something like a smurf attack. A workstation pretending to be all the addresses on the network ....

Right, we have those "martian source" loggings on the external interface at our inner FW, too ;)

But it also can come from the inner network, when you configure a machine on the same hub/switch with different Network-Adresses (eg: you have 192.168.0.0/24, but your normal network have 10.0.0.0/24) is there a possibility to find out? is there a small tool somewhere around?

These times i cant see any security related problems at all - but any comments are welcome... i found a lot of entries on google, unfortunately i am not a technician so it was not really helpful...see http://www.geocrawler.com/archives/3/287/2000/8/0/4275081/ http://boudicca.tux.org/mhonarc/ma-linux/2001-Jan/msg00370.html ..perhaps a little helper...thanx for ur help!

Greetings, -- Jörg Henner Fon: +49 (7 11) 48 90 83 - 0 ETES - EDV-Systemhaus GbR Fax: +49 (7 11) 48 90 83 - 50 Libanonstrasse 58 A * D-70184 Stuttgart Web: http://www.etes.de

Joerg Henner

14:34

New subject: [suse-security] Martian Source

On Mit, 23 Okt 2002, Grosswiler Roger wrote:

...

...
But it also can come from the inner network, when you configure a machine on the same hub/switch with different Network-Adresses (eg: you have 192.168.0.0/24, but your normal network have 10.0.0.0/24) is there a possibility to find out? is there a small tool somewhere around?

etherreal, tcpdump .... try to find the MAC-Adress ;) An other workaround could be: - half your Network (plug-out 50% of all Network-Connectors to your hub/switch), and see about the problem is in the rest of the other 50% => do this as often as you need... (this was a helpfull idea/problem-solving from the older BNC-based Networks ;)

...

...
These times i cant see any security related problems at all - but any comments are welcome... i found a lot of entries on google, unfortunately i am not a technician so it was not really helpful...see http://www.geocrawler.com/archives/3/287/2000/8/0/4275081/ http://boudicca.tux.org/mhonarc/ma-linux/2001-Jan/msg00370.html ..perhaps a little helper...thanx for ur help!

Those articels listing the Kernel-Setup and/or stated to define it run-time within the /proc filesystem. Other articles related to the Kernel-Source ;) Greetings, -- Jörg Henner Fon: +49 (7 11) 48 90 83 - 0 ETES - EDV-Systemhaus GbR Fax: +49 (7 11) 48 90 83 - 50 Libanonstrasse 58 A * D-70184 Stuttgart Web: http://www.etes.de ______________________________________ Inflex - eMail Scanning and Protection Queries to: postmaster@etes.de

Olaf Kirch

14:48

New subject: [suse-security] Martian Source

On Wed, Oct 23, 2002 at 04:34:53PM +0200, Joerg Henner wrote:

...

etherreal, tcpdump .... try to find the MAC-Adress ;)

The MAC address was in the log message, FWIW: ll header: ff:ff:ff:ff:ff:ff:00:09:7b:8d:08:54:08:00 ^^^^^^^^^^^^^^^^^ Olaf -- Olaf Kirch | Anyone who has had to work with X.509 has probably okir@suse.de | experienced what can best be described as ---------------+ ISO water torture. -- Peter Gutmann

Joerg Henner

15:03

New subject: [suse-security] Martian Source

On Mit, 23 Okt 2002, Olaf Kirch wrote:

...

...
etherreal, tcpdump .... try to find the MAC-Adress ;) The MAC address was in the log message, FWIW: ll header: ff:ff:ff:ff:ff:ff:00:09:7b:8d:08:54:08:00 ^^^^^^^^^^^^^^^^^

*giggl* - well, i meant that HE has to find the Network-Card with the specified MAC-Adress ;)))) Greetings, -- Jörg Henner Fon: +49 (7 11) 48 90 83 - 0 ETES - EDV-Systemhaus GbR Fax: +49 (7 11) 48 90 83 - 50 Libanonstrasse 58 A * D-70184 Stuttgart Web: http://www.etes.de ______________________________________ Inflex - eMail Scanning and Protection Queries to: postmaster@etes.de

Christian Lox

15:12

New subject: [suse-security] Martian Source

Joerg Henner wrote: [...]

...

...
ll header: ff:ff:ff:ff:ff:ff:00:09:7b:8d:08:54:08:00 ^^^^^^^^^^^^^^^^^

*giggl* - well, i meant that HE has to find the Network-Card with the specified MAC-Adress ;))))

arp Or am I missing something here? Christian

Grosswiler Roger

24 Oct 24 Oct

05:48

New subject: [suse-security] Martian Source

...

Joerg Henner wrote: [...]

...
...
ll header: ff:ff:ff:ff:ff:ff:00:09:7b:8d:08:54:08:00 ^^^^^^^^^^^^^^^^^ This does not really seem to be a MAC-Adress.. http://www.susesecurity.com/faq/ -> see about in the middle for Martians... I found another link...how about this one?

*giggl* - well, i meant that HE has to find the Network-Card with the specified MAC-Adress ;))))

arp

Or am I missing something here?

Christian

-- Check the headers for your unsubscription address For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here

Olaf Kirch

06:39

New subject: [suse-security] Martian Source

On Thu, Oct 24, 2002 at 07:48:58AM +0200, Grosswiler Roger wrote:

...

...
...
...
ll header: ff:ff:ff:ff:ff:ff:00:09:7b:8d:08:54:08:00 ^^^^^^^^^^^^^^^^^ This does not really seem to be a MAC-Adress..

What makes you think so? The kernel logs the low-level header, which, in this case, is an Ethernet header. An Ethernet header looks like this: 6 bytes of destination MAC. A MAC of all ones is the Ethernet broadcast address. 6 bytes of source MAC. 00:09:7b:8d:08:54 in this case 2 bytes of either packet length for LLC and all thast garbage, or a packet type. 0x800 is the packet type for IP. All you need to do is find the host on your networks that has an Ethernet card with said MAC address. One possible explanation for this case of Martians may be that you have a machine with two network cards connected to the same physical network; either by design or accident. Which would explain why the kernel printk is only triggered by broadcasts. My guess is that this is more of a misconfiguration issue than a security related problem.

...

I found another link...how about this one?

Which one? :) Olaf -- Olaf Kirch | Anyone who has had to work with X.509 has probably okir@suse.de | experienced what can best be described as ---------------+ ISO water torture. -- Peter Gutmann

Andreas Tirok

07:37

New subject: [suse-security] Martian Source

On Thu, 24 Oct 2002 08:39:17 +0200 Olaf Kirch wrote:

...

On Thu, Oct 24, 2002 at 07:48:58AM +0200, Grosswiler Roger wrote:

...
...
...
...
ll header: ff:ff:ff:ff:ff:ff:00:09:7b:8d:08:54:08:00 ^^^^^^^^^^^^^^^^^ This does not really seem to be a MAC-Adress..

What makes you think so? The kernel logs the low-level header, which, in this case, is an Ethernet header. An Ethernet header looks like this:

6 bytes of destination MAC. A MAC of all ones is the Ethernet broadcast address. 6 bytes of source MAC. 00:09:7b:8d:08:54 in this case 2 bytes of either packet length for LLC and all thast garbage, or a packet type. 0x800 is the packet type for IP.

All you need to do is find the host on your networks that has an Ethernet card with said MAC address.

One possible explanation for this case of Martians may be that you have a machine with two network cards connected to the same physical network; either by design or accident. Which would explain why the kernel printk is only triggered by broadcasts.

My guess is that this is more of a misconfiguration issue than a security related problem.

I get this logs from machines with virtual interfaces (eth0:1). The box uses often the eth0:0 address insteed of the address from eth0:1 -- andy

Achim Hoffmann

06:52

New subject: [suse-security] Martian Source

On Thu, 24 Oct 2002, Grosswiler Roger wrote:

...

...
Joerg Henner wrote: [...]

...
...
ll header: ff:ff:ff:ff:ff:ff:00:09:7b:8d:08:54:08:00 ^^^^^^^^^^^^^^^^^ This does not really seem to be a MAC-Adress.. http://www.susesecurity.com/faq/ -> see about in the middle for Martians... I found another link...how about this one?

*giggl* - well, i meant that HE has to find the Network-Card with the specified MAC-Adress ;))))

arp

Or am I missing something here?

Christian

ok, Roger gave you the link where to read more about. This is a message from kernel routing. Please check both lines in /var/log/messages, the first on tells you the (claimed) source IP and the destination IP and the interface where it was detected. The second one (see above) contains the MACs from where to where the packet should be routed. Both should be interfaces on the same net segment, one belongs probably to the listed interface (eth0). What does these messages tell you? if the (claimed) sorce IP is a valid IP in your LAN, and these messages are random somehow (well, I need to explain this more detailled ..), then it's most likely a mis-configured client, for example routing (see in docs mentioned above). If the source IP is not valid in your LAN, and you have these messages in a sequence (for example every 2 seconds, or increasing IP), then it's most likely that someone scans with spoofed IPs. What to do? If you don't care about the scans (probably 'cause you know that your firewall is prepared for it:), then you may just ignore these messages. If you feel that its a mis-configured client, fix it. You simply may switch of the logging by echo 0 >/proc/sys/net/ipv4/conf/<interface>/log_martians Does this answer you question? Achim

Grosswiler Roger

07:07

New subject: [suse-security] Martian Source

...

On Thu, 24 Oct 2002, Grosswiler Roger wrote:

...
...
Joerg Henner wrote: [...]

Once again, complete: Oct 24 00:00:23 trinity kernel: martian source 255.255.255.255 from 10.225.80.1, on dev eth1 Oct 24 00:00:23 trinity kernel: ll header: ff:ff:ff:ff:ff:ff:00:09:7b:8d:08:54:08:00

...

...
...
...
...
ll header: ff:ff:ff:ff:ff:ff:00:09:7b:8d:08:54:08:00 ^^^^^^^^^^^^^^^^^ This does not really seem to be a MAC-Adress.. http://www.susesecurity.com/faq/ -> see about in the middle for Martians... I found another link...how about this one?

*giggl* - well, i meant that HE has to find the Network-Card with the specified MAC-Adress ;))))

arp arp - n was a good idea... Address HWtype HWaddress Flags Mask Iface 217.162.200.1 ether 00:09:7B:8D:08:54 C eth1

My Net is Class A 10.0.0.0 Subnet is 255.0.0.0 IP 217.162.200.80 -> one IP of my Cablemodem My Server really has 2 Network-Cards: eth0 -> LAN 10.0.0.0/8 eth1 -> WAN 217.162.200.80/Cablemodem eth0 Link encap:Ethernet HWaddr 00:04:5A:65:F8:B7 inet addr:10.0.0.2 Bcast:10.255.255.255 Mask:255.0.0.0 inet6 addr: fe80::204:5aff:fe65:f8b7/10 Scope:Link UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:29371 errors:0 dropped:0 overruns:0 frame:0 TX packets:27561 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:100 RX bytes:4649259 (4.4 Mb) TX bytes:5552056 (5.2 Mb) Interrupt:5 Base address:0x7000 eth1 Link encap:Ethernet HWaddr 00:00:E8:56:EB:D7 inet addr:217.162.200.80 Bcast:255.255.255.255 Mask:255.255.248.0 inet6 addr: fe80::200:e8ff:fe56:ebd7/10 Scope:Link UP BROADCAST NOTRAILERS RUNNING MULTICAST MTU:1500 Metric:1 RX packets:2514331 errors:0 dropped:0 overruns:0 frame:0 TX packets:644829 errors:0 dropped:0 overruns:0 carrier:0 collisions:428 txqueuelen:100 RX bytes:181205855 (172.8 Mb) TX bytes:112859445 (107.6 Mb) Interrupt:11 Base address:0x220 2 interfaces are needed for the routing between internet/lan. see ifconfig below. i am nearly sure, that there is a misconfiguration error.

...

...
...
Or am I missing something here?

Christian

ok, Roger gave you the link where to read more about. This is a message from kernel routing. Please check both lines in /var/log/messages, the first on tells you the (claimed) source IP and the destination IP and the interface where it was detected. The second one (see above) contains the MACs from where to where the packet should be routed. Both should be interfaces on the same net segment, one belongs probably to the listed interface (eth0).

What does these messages tell you? if the (claimed) sorce IP is a valid IP in your LAN, and these messages are random somehow (well, I need to explain this more detailled ..), then it's most likely a mis-configured client, for example routing (see in docs mentioned above). If the source IP is not valid in your LAN, and you have these messages in a sequence (for example every 2 seconds, or increasing IP), then it's most likely that someone scans with spoofed IPs.

What to do? If you don't care about the scans (probably 'cause you know that your firewall is prepared for it:), then you may just ignore these messages. If you feel that its a mis-configured client, fix it. You simply may switch of the logging by

echo 0 >/proc/sys/net/ipv4/conf/<interface>/log_martians i've done this as normally i trust my firewall....

Does this answer you question? Achim

-- Check the headers for your unsubscription address For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here

Grosswiler Roger

08:11

New subject: [suse-security] Martian Source

...

On Thu, 24 Oct 2002, Grosswiler Roger wrote:

...
...
...
...
ll header: ff:ff:ff:ff:ff:ff:00:09:7b:8d:08:54:08:00 ^^^^^^^^^^^^^^^^^ This does not really seem to be a MAC-Adress.. http://www.susesecurity.com/faq/ -> see about in the middle for Martians... I found another link...how about this one?

*giggl* - well, i meant that HE has to find the Network-Card with

Joerg Henner wrote: [...] the specified MAC-Adress ;))))

...
arp

Or am I missing something here?

Christian

ok, Roger gave you the link where to read more about. This is a message from kernel routing. Please check both lines in /var/log/messages, the first on tells you the (claimed) source IP and the destination IP and the interface where it was detected. The second one (see above) contains the MACs from where to where the packet should be routed. Both should be interfaces on the same net segment, one belongs probably to the listed interface (eth0).

What does these messages tell you? if the (claimed) sorce IP is a valid IP in your LAN, and these messages are random somehow (well, I need to explain this more detailled ..), then it's most likely a mis-configured client, for example routing (see in docs mentioned above). If the source IP is not valid in your LAN, and you have these messages in a sequence (for example every 2 seconds, or increasing IP), then it's most likely that someone scans with spoofed IPs.

What to do? If you don't care about the scans (probably 'cause you know that your firewall is prepared for it:), then you may just ignore these messages. If you feel that its a mis-configured client, fix it. You simply may switch of the logging by

echo 0 >/proc/sys/net/ipv4/conf/<interface>/log_martians

By the way: echo 0 >/proc/sys/net/ipv4/conf/eth1/log_martians did not work as i still get those messages...

...

Does this answer you question? Achim

-- Check the headers for your unsubscription address For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here

Achim Hoffmann

08:31

New subject: [suse-security] Martian Source

On Thu, 24 Oct 2002, Grosswiler Roger wrote:

...

...
You simply may switch of the logging by

echo 0 >/proc/sys/net/ipv4/conf/<interface>/log_martians By the way: echo 0 >/proc/sys/net/ipv4/conf/eth1/log_martians did not work as i still get those messages...

silly question: are you shure that you did it for the right interface: eth1 ? Achim

Grosswiler Roger

08:26

New subject: [suse-security] Martian Source

...

On Thu, 24 Oct 2002, Grosswiler Roger wrote:

...
...
You simply may switch of the logging by

echo 0 >/proc/sys/net/ipv4/conf/<interface>/log_martians By the way: echo 0 >/proc/sys/net/ipv4/conf/eth1/log_martians did not work as i still get those messages...

silly question: are you shure that you did it for the right interface: eth1 ? yes, this was copy-paste of what i was typing...

Achim

-- Check the headers for your unsubscription address For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here

Andreas Tirok

08:35

New subject: [suse-security] Martian Source

On Thu, 24 Oct 2002 10:11:57 +0200 (CEST) "Grosswiler Roger" wrote:

...

...
On Thu, 24 Oct 2002, Grosswiler Roger wrote:

...
...
...
...
ll header: ff:ff:ff:ff:ff:ff:00:09:7b:8d:08:54:08:00 ^^^^^^^^^^^^^^^^^ This does not really seem to be a MAC-Adress.. http://www.susesecurity.com/faq/ -> see about in the middle for Martians... I found another link...how about this one?

*giggl* - well, i meant that HE has to find the Network-Card with

Joerg Henner wrote: [...] the specified MAC-Adress ;))))

...
arp

Or am I missing something here?

Christian

ok, Roger gave you the link where to read more about. This is a message from kernel routing. Please check both lines in /var/log/messages, the first on tells you the (claimed) source IP and the destination IP and the interface where it was detected. The second one (see above) contains the MACs from where to where the packet should be routed. Both should be interfaces on the same net segment, one belongs probably to the listed interface (eth0).

What does these messages tell you? if the (claimed) sorce IP is a valid IP in your LAN, and these messages are random somehow (well, I need to explain this more detailled ..), then it's most likely a mis-configured client, for example routing (see in docs mentioned above). If the source IP is not valid in your LAN, and you have these messages in a sequence (for example every 2 seconds, or increasing IP), then it's most likely that someone scans with spoofed IPs.

What to do? If you don't care about the scans (probably 'cause you know that your firewall is prepared for it:), then you may just ignore these messages. If you feel that its a mis-configured client, fix it. You simply may switch of the logging by

echo 0 >/proc/sys/net/ipv4/conf/<interface>/log_martians

By the way: echo 0 >/proc/sys/net/ipv4/conf/eth1/log_martians did not work as i still get those messages...

Please try echo 0 >/proc/sys/net/ipv4/conf/eth1/log_martians echo 0 >/proc/sys/net/ipv4/conf/all/log_martians echo 0 >/proc/sys/net/ipv4/conf/default/log_martians

...

...
Does this answer you question? Achim

-- Check the headers for your unsubscription address For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here

-- Check the headers for your unsubscription address For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here

-- ------------------------ /"\ Andreas.Tirok@beusen.de \ / ASCII Ribbon Campaign fon: +49 30 549932-0 X Against HTML Mail fax: +49 30 549932-21 / \

Grosswiler Roger

08:56

New subject: [suse-security] Martian Source

...

On Thu, 24 Oct 2002 10:11:57 +0200 (CEST) "Grosswiler Roger" wrote:

...
...
On Thu, 24 Oct 2002, Grosswiler Roger wrote:

...
...
Joerg Henner wrote: [...]

...
>ll header: ff:ff:ff:ff:ff:ff:00:09:7b:8d:08:54:08:00 > ^^^^^^^^^^^^^^^^^ This does not really seem to be a MAC-Adress.. http://www.susesecurity.com/faq/ -> see about in the middle for

...
...
...
...
*giggl* - well, i meant that HE has to find the Network-Card

with

I found another link...how about this one? the specified MAC-Adress ;))))

...
...
arp

Or am I missing something here?

Christian

ok, Roger gave you the link where to read more about. This is a message from kernel routing. Please check both lines in /var/log/messages, the first on tells you

Martians... the (claimed) source IP and the destination IP and the interface where it was detected. The second one (see above) contains the MACs from where to where the packet should be routed. Both should be interfaces on the same net segment, one belongs probably to the listed interface (eth0).

...
What does these messages tell you? if the (claimed) sorce IP is a valid IP in your LAN, and these

messages are random somehow (well, I need to explain this more detailled ..), then it's most likely a mis-configured client, for example routing (see in docs mentioned above).

...
If the source IP is not valid in your LAN, and you have these messages in a sequence (for example every 2 seconds, or increasing IP), then it's most likely that someone scans with spoofed IPs.

What to do? If you don't care about the scans (probably 'cause you know that your firewall is prepared for it:), then you may just ignore these messages. If you feel that its a mis-configured client, fix it. You simply may switch of the logging by

echo 0 >/proc/sys/net/ipv4/conf/<interface>/log_martians By the way: echo 0 >/proc/sys/net/ipv4/conf/eth1/log_martians did not work as i still get those messages...

Please try

echo 0 >/proc/sys/net/ipv4/conf/eth1/log_martians echo 0 >/proc/sys/net/ipv4/conf/all/log_martians echo 0 >/proc/sys/net/ipv4/conf/default/log_martians

...
...
Does this answer you question? Achim

Yop! Now i dont get them any longer! Thanks!

...
-- Check the headers for your unsubscription address For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here

-- Check the headers for your unsubscription address For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here

-- ------------------------ /"\ Andreas.Tirok@beusen.de \ / ASCII Ribbon Campaign fon: +49 30 549932-0 X Against HTML Mail fax: +49 30 549932-21 / \

-- Check the headers for your unsubscription address For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here

Comptek informatik AG - R. Klippel

23 Oct 23 Oct

14:50

New subject: [suse-security] Martian Source

Often this also happens, when the patch cables are plugged in the wrong way, the LAN side cable is then in the WAN side slot... Did you checked this out? Greetings Reinhardt Mit freundlichen Grüssen Comptek informatik AG Reinhardt Klippel ________________________________ Comptek informatik AG Poststrasse 9 CH-6300 Zug Tel. ++41 +41 720 20 90 Fax ++41 +41 720 20 99 http://www.comptek.ch ________________________________ At 16:34 23.10.2002 +0200, Joerg Henner wrote:

...

On Mit, 23 Okt 2002, Grosswiler Roger wrote:

...
...
But it also can come from the inner network, when you configure a machine on the same hub/switch with different Network-Adresses (eg: you have 192.168.0.0/24, but your normal network have 10.0.0.0/24) is there a possibility to find out? is there a small tool somewhere around?

etherreal, tcpdump .... try to find the MAC-Adress ;)

An other workaround could be:

- half your Network (plug-out 50% of all Network-Connectors to your hub/switch), and see about the problem is in the rest of the other 50%

=> do this as often as you need...

(this was a helpfull idea/problem-solving from the older BNC-based Networks ;)

...
...
These times i cant see any security related problems at all - but any comments are welcome... i found a lot of entries on google, unfortunately i am not a technician so it was not really helpful...see http://www.geocrawler.com/archives/3/287/2000/8/0/4275081/ http://boudicca.tux.org/mhonarc/ma-linux/2001-Jan/msg00370.html ..perhaps a little helper...thanx for ur help!

Those articels listing the Kernel-Setup and/or stated to define it run-time within the /proc filesystem. Other articles related to the Kernel-Source ;)

Greetings, -- Jörg Henner Fon: +49 (7 11) 48 90 83 - 0 ETES - EDV-Systemhaus GbR Fax: +49 (7 11) 48 90 83 - 50 Libanonstrasse 58 A * D-70184 Stuttgart Web: http://www.etes.de

______________________________________ Inflex - eMail Scanning and Protection Queries to: postmaster@etes.de

-- Check the headers for your unsubscription address For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here

7863

Age (days ago)

7864

Last active (days ago)

List overview

Download

18 comments

8 participants

participants (8)

Achim Hoffmann
Andreas Tirok
Christian Lox
Comptek informatik AG - R. Klippel
Grosswiler Roger
Joerg Henner
Olaf Kirch
Raymond Leach

Martian Source

Grosswiler Roger

Raymond Leach

Joerg Henner

Grosswiler Roger

Joerg Henner

Olaf Kirch

Joerg Henner

Christian Lox

Grosswiler Roger

Olaf Kirch

Andreas Tirok

Achim Hoffmann

Grosswiler Roger

Grosswiler Roger

Achim Hoffmann

Grosswiler Roger

Andreas Tirok

Grosswiler Roger

Comptek informatik AG - R. Klippel

tags

participants (8)