possible arpspoofing
From: moritz gartenmeister (moritz_at_uplink-verein.ch)
Date: 09/25/04
Date: 25 Sep 2004 07:56:56 -0700
hi all
i wish to have a second opinion on the problem below. i have to
decide what further steps i will take (just have a talk to the
user, close the connection permanently, and so on), and for this i
should be pretty sure about the problem.
so here comes what happened:
thursday night, at about midnight, the network behaved really strangely.
from my laptop i could not access the web (we are behind NAT). i could
access internal servers, but not all of them. i could not ping all servers and
switches. the servers behind a linux bridge were accessible (me --->
switch-stack --> linux-bridge --> servers / router). the linux bridge
itself was accessible. so i was thinking that the linux bridge had a
malfunction. i went down to the cellar and rebooted the linux bridge
(the bridge had been working properly for days), with no success. the
network was still not working. i couldn't access or ping the switch i
was connected to.
i checked my network configuration and it showed that there was no
default gateway, so i added one manually, with no success. i fully
disconnected the linux bridge (just to be sure), with no success.
i don't know why, but i checked my arp table and, oh wonder, every entry
led to the same MAC address: 00:00:AC:11:00:05. the linux bridge had
the same table. now i was pretty sure that someone was manipulating
the network.
i started searching for where the client was located. i disconnected one
whole building and everything was fine. i reconnected the building and
nothing was working anymore. so i knew the building.
i went there (about 2 minutes) and accessed the switch via ethernet
(which was not possible before). i checked the database and found
the port with the mac address, which is another switch. i logged in to
this switch and checked the database again. one port had hundreds of
mac entries. i know that on this port there is only one room
connected, with at most 2 computers (maybe 3, but never more than
100).
i went to this switch, checked the database again and, oh wonder, the
port showed no entry, not a single one (going there took me only
one minute). the port still showed some traffic (the led was
blinking).
i disconnected this port.
so far, the problem has not occurred anymore.
i tracked it down with the mac address, the switch databases and
disconnecting and reconnecting.
it seems to me that this is arp spoofing: that someone was
manipulating the network and it was this port.
but how sure can i be?
maybe this is related to my prior posting (subject: connections...).
i will decide for myself what i will do (so i don't need legal
advice ;-) ). but a description of this problem through different eyes
would be useful.
thanks
moritz
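The two clues in the post (every ARP entry collapsing onto one MAC, and one access port learning hundreds of MACs) are both things a defender can check mechanically rather than by eye. The following is an added example, not code from the original post or from the poster: it parses a Linux `ip neigh`-style neighbour table and a plain "port mac" dump of a switch MAC-address table and flags both anomalies, plus the port lookup the poster used to walk from switch to switch. All sample data is constructed; the MAC 00:00:AC:11:00:05 is the one quoted in the post, every IP, port name and other MAC is made up, and the line formats are assumptions that would need adjusting to a real switch's output.

```python
import re
from collections import defaultdict

# Constructed sample in the format of `ip neigh` on Linux. 00:00:AC:11:00:05
# is the address quoted in the post; every IP and the other MAC are made up.
SAMPLE_NEIGH = """\
10.0.0.1 dev eth0 lladdr 00:00:ac:11:00:05 REACHABLE
10.0.0.2 dev eth0 lladdr 00:00:ac:11:00:05 STALE
10.0.0.3 dev eth0 lladdr 00:00:ac:11:00:05 REACHABLE
10.0.0.10 dev eth0 lladdr 00:00:ac:11:00:05 REACHABLE
10.0.0.20 dev eth0 lladdr 00:1b:21:aa:bb:cc REACHABLE
10.0.0.30 dev eth0  FAILED
"""

MAC = r"[0-9a-f]{2}(?::[0-9a-f]{2}){5}"
NEIGH_RE = re.compile(r"^(\S+)\s+dev\s+(\S+)\s+lladdr\s+(" + MAC + r")\b", re.I)


def mac_to_ips(neigh_output):
    """Group the IPs in a neighbour table by the MAC that answered for them."""
    table = defaultdict(set)
    for line in neigh_output.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:  # lines without lladdr (FAILED/INCOMPLETE) carry no MAC
            ip, _dev, mac = m.groups()
            table[mac.lower()].add(ip)
    return table


def suspicious_macs(neigh_output, max_ips_per_mac=2):
    """MACs that answer for more IPs than expected, with those IPs.

    A gateway doing proxy ARP legitimately answers for several IPs, so the
    threshold is a tunable baseline, not a verdict; what the post describes
    (servers, switches and the gateway all on one MAC) is far above it.
    """
    return {mac: sorted(ips)
            for mac, ips in mac_to_ips(neigh_output).items()
            if len(ips) > max_ips_per_mac}


# Constructed switch MAC-address (CAM) table as "<port> <mac>" lines: two
# normal ports, plus port Gi0/7 (standing in for the 'one room, at most 3
# hosts' port from the post) carrying 150 locally administered MACs.
def build_sample_cam(flood_count=150):
    lines = ["Gi0/1 00:1b:21:aa:bb:cc", "Gi0/2 00:25:90:11:22:33",
             "Gi0/7 00:00:ac:11:00:05"]
    for i in range(flood_count - 1):
        lines.append(f"Gi0/7 02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}")
    return "\n".join(lines) + "\n"


SAMPLE_CAM = build_sample_cam()
CAM_RE = re.compile(r"^(\S+)\s+(" + MAC + r")$", re.I)


def port_to_macs(cam_output):
    """Distinct MACs learned on each port."""
    seen = defaultdict(set)
    for line in cam_output.splitlines():
        m = CAM_RE.match(line.strip())
        if m:
            port, mac = m.groups()
            seen[port].add(mac.lower())
    return seen


def flooded_ports(cam_output, expected_hosts, default=1):
    """Ports learning more MACs than the documented host count allows."""
    return {port: len(macs) for port, macs in port_to_macs(cam_output).items()
            if len(macs) > expected_hosts.get(port, default)}


def locate_port_for_mac(cam_output, mac):
    """Ports on which a given MAC was learned: the lookup the poster repeated
    on each switch to walk toward the source (an uplink port points onward)."""
    mac = mac.lower()
    return sorted(port for port, macs in port_to_macs(cam_output).items()
                  if mac in macs)


if __name__ == "__main__":
    print("MACs answering for many IPs:", suspicious_macs(SAMPLE_NEIGH))
    print("ports over their host budget:", flooded_ports(SAMPLE_CAM, {"Gi0/7": 3}))
    print("00:00:AC:11:00:05 learned on:", locate_port_for_mac(SAMPLE_CAM, "00:00:AC:11:00:05"))
```

Run against the constructed data, the neighbour check reports 00:00:ac:11:00:05 answering for four IPs, the CAM check flags Gi0/7 with 150 MACs against an allowance of 3, and the lookup places the suspicious MAC on that same port. On real gear the `expected_hosts` map is the patch-panel documentation, and a port switching between "hundreds of MACs" and "none" within a minute, as in the post, is itself worth logging: the anomaly disappears as soon as the sender stops.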