Security Incidents: Re: I think I've been hacked...please help!

From: Crist J. Clark <crist.clark_at_attbi.com>
Date: Mon, 1 Apr 2002 00:26:32 -0800

On Sat, Mar 30, 2002 at 08:51:27AM -0700, Joe Warner wrote:
> Hi,
>
> I'm running FreeBSD 4.5-STABLE and I recently noticed some
> unknown ARP activity on my Cable connection when I wasn't
> running any programs or even logged into X.

Hmmm... It wasn't April 1st when you sent this...

[snip]

> 03/30-07:43:32.868036 ARP who-has 12.254.196.198 tell 12.254.196.1
>
> 03/30-07:43:41.390466 ARP who-has 12.254.196.215 tell 12.254.196.1
>
> 03/30-07:43:44.665318 ARP who-has 12.254.196.215 tell 12.254.196.1

[snip a bunch more of these]

Routers sending out ARPs for people's machines. Nothing odd.

> 03/30-07:46:21.869285 0:30:80:6E:AC:8C -> FF:FF:FF:FF:FF:FF type:0x800 len:0x176
> 12.242.19.34:67 -> 255.255.255.255:68 UDP TTL:246 TOS:0x0 ID:15134 IpLen:20 DgmLen:360 DF
> Len: 340

And a DHCP server broadcasting a DHCPOFFER. Totally normal.

-- 
Crist J. Clark                     |     cjclark_at_alum.mit.edu
                                   |     cjclark_at_jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
Received on Apr 02 2002
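
Added example, not part of the original message or written by its author: a small triage pass over log lines in the format quoted above, separating the two patterns the reply identifies as normal (ARP requests from the router, and a DHCP server broadcasting from port 67 to port 68) from anything else. It assumes 12.254.196.1 is the segment's router; the label names and the last two sample lines are constructed for illustration.

```python
import re
from collections import Counter

# Assumption: the "tell" address in the quoted log is the segment's router.
GATEWAYS = {"12.254.196.1"}

ARP_RE = re.compile(r"ARP who-has (\S+) tell (\S+)")
UDP_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+) UDP")

def classify(line):
    """Return (label, detail) for one line of the log format quoted above."""
    m = ARP_RE.search(line)
    if m:
        target, asker = m.groups()
        if asker in GATEWAYS:
            return ("router-arp", f"router {asker} resolving {target}")
        return ("unexplained", f"ARP request from {asker} for {target}")
    m = UDP_RE.search(line)
    if m:
        src, sport, dst, dport = m.groups()
        if sport == "67" and dport == "68":
            return ("dhcp-reply", f"DHCP server {src} sending to {dst}")
        return ("unexplained", f"UDP {src}:{sport} -> {dst}:{dport}")
    # Ethernet header lines, "Len:" lines and blanks carry nothing to classify.
    return ("ignored", "")

def triage(lines):
    """Count labels and collect details of lines neither explanation covers."""
    counts, review = Counter(), []
    for line in lines:
        label, detail = classify(line)
        counts[label] += 1
        if label == "unexplained":
            review.append(detail)
    return counts, review

SAMPLE = [
    # Copied from the quoted log:
    "03/30-07:43:32.868036 ARP who-has 12.254.196.198 tell 12.254.196.1",
    "03/30-07:43:41.390466 ARP who-has 12.254.196.215 tell 12.254.196.1",
    "12.242.19.34:67 -> 255.255.255.255:68 UDP TTL:246 TOS:0x0 ID:15134 IpLen:20 DgmLen:360 DF",
    # Constructed lines, not from the post:
    "03/30-07:50:00.000000 ARP who-has 12.254.196.1 tell 12.254.196.77",
    "Len: 340",
]

if __name__ == "__main__":
    counts, review = triage(SAMPLE)
    print(dict(counts))
    for item in review:
        print("REVIEW:", item)
```

A line labelled "unexplained" is only one the two patterns do not cover; hosts ARP for their gateway routinely, so it is a prompt to look, not a finding.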