At 1:38 AM -0500 2/21/00, L. Sassaman wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Hi folks,
One of the members of our staff has a Redhat 6.0 box on our network for his personal use. (Yes, I am having him upgrade to SuSE ASAP...). Recently some people noticed IP conflicts on the subnet... and it turns out that his box had bound all available IPs in that subnet to itself. The owner of the box swears he didn't do any "root level" operations preceding the event, and I believe him.
The questions I have are: could this possibly happen on its own?
And, barring that, what kind of exploit would utilize this? Is this evidence of a packet sniffer? Does anyone have any experience with this kind of thing?
I post this here, rather than the Redhat list, since the level of security awareness is far greater with the SuSE folk. I hope someone can clue me in on this issue.
FWIW, I have seen this behavior before with Red Hat (it was an older version). We narrowed it down to a really dorked box at the time, but I'm not certain that was really the cause (but it was a 486/33, so it was a good excuse to convince mgmt. to buy a replacement box). Basically what it mysteriously did is start ARP'ing for every damn thing that got asked about on the wire. Brought an entire NOC and an Enterprise AS/400 down in the process. Twas very uncool. :) I don't think any packet sniffer would behave this way (simply being in promiscuous mode isn't going to make your interface answer ARP requests), but it could either be a very effective DoS tool, or (more realistically) a cleverly hidden bug in the IP stack somewhere. I vote for the latter, but have nothing to back it up other than my belief that a box hidden behind a firewall and sitting on RFC1918 space doing almost but not quite entirely nothing was an unlikely target for a hack. ;-) D
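The symptom the thread describes (one host answering ARP for every address on the subnet) is visible on the wire in two ways: a single MAC shows up as the sender in ARP replies for many different IPs, and the same IP gets claimed by more than one MAC, which is what the subnet saw as "IP conflicts". The example below is added for this page and is not code from either poster; it parses raw Ethernet/ARP frames and flags both patterns. The MAC addresses, IPs and sample traffic are constructed here for illustration, and the threshold of 3 distinct IPs per MAC is an assumption chosen for the example.

```python
import socket
import struct
from collections import defaultdict

ETHERTYPE_ARP = 0x0806
ARP_REQUEST = 1
ARP_REPLY = 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_arp_frame(op, sender_mac, sender_ip, target_mac, target_ip):
    """Build an Ethernet II frame carrying an IPv4-over-Ethernet ARP packet.

    Only used to construct sample traffic for this example; real frames would
    come from a pcap file or a raw socket.
    """
    eth_dst = BROADCAST if op == ARP_REQUEST else target_mac
    eth = mac_bytes(eth_dst) + mac_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, then the opcode
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += mac_bytes(sender_mac) + socket.inet_aton(sender_ip)
    arp += mac_bytes(target_mac) + socket.inet_aton(target_ip)
    return eth + arp


def parse_arp_frame(frame):
    """Return (op, sender_mac, sender_ip, target_mac, target_ip), or None if not IPv4 ARP."""
    if len(frame) < 42:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return (op,
            mac_str(frame[22:28]), socket.inet_ntoa(frame[28:32]),
            mac_str(frame[32:38]), socket.inet_ntoa(frame[38:42]))


def find_arp_hogs(frames, threshold=3):
    """Return {mac: [ips...]} for every MAC that has claimed >= threshold distinct IPs in ARP replies.

    A normal host only replies for its own address(es); one MAC answering for many
    addresses is the behaviour the thread describes. A proxy-ARP router will also
    trip this check, so the result is a lead to investigate, not proof by itself.
    """
    claims = defaultdict(set)
    for frame in frames:
        parsed = parse_arp_frame(frame)
        if parsed is None:
            continue
        op, sender_mac, sender_ip, _, _ = parsed
        if op == ARP_REPLY:
            claims[sender_mac].add(sender_ip)
    return {mac: sorted(ips, key=socket.inet_aton)
            for mac, ips in claims.items() if len(ips) >= threshold}


def find_ip_conflicts(frames):
    """Return {ip: [macs...]} for every IP that more than one MAC has claimed in ARP replies."""
    owners = defaultdict(set)
    for frame in frames:
        parsed = parse_arp_frame(frame)
        if parsed is None:
            continue
        op, sender_mac, sender_ip, _, _ = parsed
        if op == ARP_REPLY:
            owners[sender_ip].add(sender_mac)
    return {ip: sorted(macs) for ip, macs in owners.items() if len(macs) > 1}


# Constructed sample traffic (not a real capture): one host asks for a range of
# addresses, a healthy host answers only for its own address, and the "hog"
# answers for every address that was asked about.
REQUESTER = "00:0c:29:aa:bb:01"
HEALTHY = "00:0c:29:aa:bb:02"
HOG = "00:0c:29:aa:bb:03"

SAMPLE_FRAMES = []
for _i in range(10, 20):
    _ip = f"192.168.1.{_i}"
    SAMPLE_FRAMES.append(build_arp_frame(ARP_REQUEST, REQUESTER, "192.168.1.2", "00:00:00:00:00:00", _ip))
    SAMPLE_FRAMES.append(build_arp_frame(ARP_REPLY, HOG, _ip, REQUESTER, "192.168.1.2"))
# The healthy host's reply for .15 collides with the hog's reply for the same address.
SAMPLE_FRAMES.append(build_arp_frame(ARP_REPLY, HEALTHY, "192.168.1.15", REQUESTER, "192.168.1.2"))

if __name__ == "__main__":
    print("MACs answering for many IPs:", find_arp_hogs(SAMPLE_FRAMES))
    print("IPs claimed by more than one MAC:", find_ip_conflicts(SAMPLE_FRAMES))
```

In practice you would feed the two detection functions frames read from a pcap or a raw socket on the affected segment and look at the MAC they single out; the reply's point that promiscuous mode alone does not cause this still holds, since a sniffing interface receives frames but does not generate ARP replies, so a MAC that shows up here is actively transmitting.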