Solaris 7 installation is sending 127.0.0.0/8 addresses on the ethernet network...

From: Michael Boman (michael.boman@securecirt.com)
Date: 11/26/02

    Date: Tue, 26 Nov 2002 15:41:28 +0800
    From: Michael Boman <michael.boman@securecirt.com>
    To: focus-sun@securityfocus.com
    
    
    

    Hi there,

    I have a Solaris 7 (sparc) installation, with the recommended patch-batch
    installed. This particular installation emits 127.0.0.x addresses on
    the ethernet, and I wonder if anyone has any pointers as to what could
    cause this. (IP addresses have been changed to protect the guilty.)

    # ifconfig -a
    lo0: flags=849<UP,LOOPBACK,RUNNING,MULTICAST> mtu 8232
            inet 127.0.0.1 netmask ff000000
    hme0: flags=863<UP,BROADCAST,NOTRAILERS,RUNNING,MULTICAST> mtu 1500
            inet 172.20.123.24 netmask ffffff00 broadcast 172.20.123.255
            ether 8:0:20:c4:ad:45

    # netstat -nr

    Routing Table:
      Destination           Gateway           Flags  Ref   Use   Interface
    -------------------- -------------------- ----- ----- ------ ---------
    172.20.123.0         172.20.123.24         U        3  31742  hme0
    224.0.0.0            172.20.123.24         U        3      0  hme0
    default              172.20.123.1          UG       0 379177
    127.0.0.1            127.0.0.1             UH       0  84159  lo0

    Here is a text dump from Ethereal that displays the offensive packets:

    Frame 1 (60 on wire, 60 captured)
        Arrival Time: Nov 22, 2002 11:39:49.573028000
        Time delta from previous packet: 0.000000000 seconds
        Time relative to first packet: 0.000000000 seconds
        Frame Number: 1
        Packet Length: 60 bytes
        Capture Length: 60 bytes
    Ethernet II
        Destination: 00:00:0c:07:ac:02 (Cisco_07:ac:02)
        Source: 08:00:20:c4:ad:45 (Sun_c4:ad:45)
        Type: IP (0x0800)
        Trailer: 55555555555555555555555555555555...
    Internet Protocol, Src Addr: 127.0.0.75 (127.0.0.75), Dst Addr: 108.122.0.0 (108.122.0.0)
        Version: 4
        Header length: 20 bytes
        Differentiated Services Field: 0x07 (DSCP 0x01: Unknown DSCP; ECN: 0x03)
            0000 01.. = Differentiated Services Codepoint: Unknown (0x01)
            .... ..1. = ECN-Capable Transport (ECT): 1
            .... ...1 = ECN-CE: 1
        Total Length: 20
        Identification: 0xe7c9
        Flags: 0x04
            .1.. = Don't fragment: Set
            ..0. = More fragments: Not set
        Fragment offset: 0
        Time to live: 255
        Protocol: IPv6 hop-by-hop option (0x00)
        Header checksum: 0xa853 (correct)
        Source: 127.0.0.75 (127.0.0.75)
        Destination: 108.122.0.0 (108.122.0.0)

    Please advise.

    Best regards
     Michael Boman

    -- 
    Michael Boman
    Security Architect, SecureCiRT (A SBU of Z-Vance Pte Ltd)
    http://www.securecirt.com
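
The following is an added example, not part of the original post: a small Python check that decodes an IPv4 header, verifies its checksum, and flags the properties that make the frame in the dump above anomalous. The `HEADER` bytes are an assumption, rebuilt from the field values Ethereal decoded; the function names are hypothetical.

```python
import ipaddress
import struct

# IPv4 header rebuilt from the decoded field values in the Ethereal dump
# (constructed for this example; not bytes taken from a capture file).
HEADER = bytes.fromhex("45070014e7c94000ff00a8537f00004b6c7a0000")


def checksum(header: bytes) -> int:
    """RFC 1071 ones'-complement checksum with the checksum field zeroed."""
    data = header[:10] + b"\x00\x00" + header[12:]
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def inspect(header: bytes) -> dict:
    """Decode an IPv4 header and list reasons it should not be on the wire."""
    if len(header) < 20:
        raise ValueError("truncated IPv4 header")
    (vihl, _tos, total_len, _ident, _frag, ttl, proto, csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", header[:20])
    ihl = (vihl & 0x0F) * 4
    if vihl >> 4 != 4 or ihl < 20 or len(header) < ihl:
        raise ValueError("not a valid IPv4 header")
    src_ip, dst_ip = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    findings = []
    # RFC 1122 3.2.1.3: 127/8 addresses must not appear outside a host.
    if src_ip.is_loopback or dst_ip.is_loopback:
        findings.append("loopback address on a non-loopback link")
    if total_len <= ihl:
        findings.append("no payload after the IP header")
    checksum_ok = checksum(header[:ihl]) == csum
    if not checksum_ok:
        findings.append("bad header checksum")
    return {"src": str(src_ip), "dst": str(dst_ip), "ttl": ttl,
            "proto": proto, "checksum_ok": checksum_ok, "findings": findings}


if __name__ == "__main__":
    for key, value in inspect(HEADER).items():
        print(f"{key}: {value}")
```

The rebuilt header reproduces the 0xa853 checksum that Ethereal reported as correct, so the reconstruction is consistent with the dump.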