[X-Unix] MAC address swap conundrum
SeaSoft Systems
seasoft at west.net
Sat Apr 9 11:35:57 PDT 2005
I have really no clue here. Could anyone with some network expertise
help me understand this situation or point me to a resource or more
appropriate forum? I have Googled my brains out but have not found
anything helpful.
My setup:
A small LAN (behind a Linksys switch/router) comprising an OSX eMac
(running 10.2.8), several older (OS 8.6) Macs, and a WIN NT box. One
of the OS 8.6 Macs runs a web server.
Early last week, the web server machine burped up several identical
errors over a 10-minute interval; the error message:
"Another device on your TCP/IP Internet, which has the physical
address 00:80:77:36:2e:a6 is currently using the same IP address
(192.168.167.21). This may cause disruption of your Internet
services."
I understand this message, which I have in the distant past elicited
by inappropriate adjustments of local IP numbers on my machines. This
time, however, I was not even in the room.
I couldn't match the displayed MAC # with any hardware on my LAN, and
the problem did not persist, so I left it to lie in peace.
Fast forward to this AM; curious about the current "sudo
vulnerability" issue, I started looking through my OSX system logs
for the past week just to educate myself. I came across the following
mach_kernel error entries; notice that the last dozen or so document
some sort of "MAC# toggling" in progress:
>>> Begin OSX System Log Snippet
Apr 5 18:53:47 eMac mach_kernel: USBF: 1843600.692 IOUSBInterface[0x291e000]::handleOpen failing because super::handleOpen failed (someone already has it open)
Apr 5 18:53:47 eMac mach_kernel: USBF: 1843600.692 IOUSBInterface[0x291e000]::open super::open failed (0x0)
Apr 5 18:53:48 eMac mach_kernel: USBF: 1843602.114 IOUSBInterface[0x291e000]::handleOpen failing because super::handleOpen failed (someone already has it open)
Apr 5 18:53:48 eMac mach_kernel: USBF: 1843602.114 IOUSBInterface[0x291e000]::open super::open failed (0x0)
Apr 5 19:05:34 eMac mach_kernel: arp: 192.168.167.21 moved from 00:05:02:4b:39:12 to 00:80:77:36:2e:a6 on en0
Apr 5 19:05:42 eMac mach_kernel: ipv4_control: in_pcb_grab_port retval=48 so=2c7eb84
Apr 5 19:05:42 eMac mach_kernel: sip_control: ipv4_control returns error=30 for so=2c7eb84 kp=2ae6564
Apr 5 19:08:32 eMac mach_kernel: arp: 192.168.167.21 moved from 00:80:77:36:2e:a6 to 00:05:02:4b:39:12 on en0
Apr 5 19:09:31 eMac mach_kernel: arp: 192.168.167.21 moved from 00:05:02:4b:39:12 to 00:80:77:36:2e:a6 on en0
Apr 5 19:09:31 eMac mach_kernel: arp: 192.168.167.21 moved from 00:80:77:36:2e:a6 to 00:05:02:4b:39:12 on en0
Apr 5 19:10:12 eMac mach_kernel: arp: 192.168.167.21 moved from 00:05:02:4b:39:12 to 00:80:77:36:2e:a6 on en0
Apr 5 19:10:12 eMac mach_kernel: arp: 192.168.167.21 moved from 00:80:77:36:2e:a6 to 00:05:02:4b:39:12 on en0
Apr 5 19:11:11 eMac mach_kernel: arp: 192.168.167.21 moved from 00:05:02:4b:39:12 to 00:80:77:36:2e:a6 on en0
Apr 5 19:11:11 eMac mach_kernel: arp: 192.168.167.21 moved from 00:80:77:36:2e:a6 to 00:05:02:4b:39:12 on en0
Apr 5 19:11:34 eMac mach_kernel: arp: 192.168.167.21 moved from 00:05:02:4b:39:12 to 00:80:77:36:2e:a6 on en0
Apr 5 19:11:34 eMac mach_kernel: arp: 192.168.167.21 moved from 00:80:77:36:2e:a6 to 00:05:02:4b:39:12 on en0
Apr 5 19:14:17 eMac mach_kernel: arp: 192.168.167.21 moved from 00:05:02:4b:39:12 to 00:80:77:36:2e:a6 on en0
Apr 5 19:14:17 eMac mach_kernel: arp: 192.168.167.21 moved from 00:80:77:36:2e:a6 to 00:05:02:4b:39:12 on en0
Apr 5 19:19:43 eMac mach_kernel: arp: 192.168.167.21 moved from 00:05:02:4b:39:12 to 00:80:77:36:2e:a6 on en0
Apr 5 19:19:43 eMac mach_kernel: arp: 192.168.167.21 moved from 00:80:77:36:2e:a6 to 00:05:02:4b:39:12 on en0
>>> End System Log Snippet
So the OSX system log captured the MAC address switching that got my
attention last week. To a layman, this repeated "toggling" of a local
IP (192.168.167.21) between the *correct* MAC address for the
server machine (00:05:02:4b:39:12) and this bogus MAC address
(00:80:77:36:2e:a6) is, to say the least, bizarre.
My question: what the devil is going on here?
- Is the Linksys router willy-nilly re-assigning MAC addresses to my
local IP numbers?
- Is the eMac OSX system involved somehow?
- Is this a symptom of a system compromise of some kind?
Richard
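Editor's added example, not part of Richard's message or of any Apple tool. The "arp: ... moved from X to Y" line is the Darwin kernel noting that an ARP reply for an address arrived from a different MAC than the one it had cached; an address that bounces back and forth, twice within the same second, is being answered for by two hosts at once (the same condition the OS 8.6 web server reported as a duplicate IP). The script below parses such log lines, counts how often each IP has moved back to a MAC that already held it, how many moves fell within one second of the previous one, and prints each MAC's OUI prefix (the first three octets) so it can be looked up in the IEEE registry to identify the hardware. The sample input is the post's own "arp:" entries re-joined onto single lines (the archive wrapped them) plus one non-ARP line for the parser to skip; the year 2005 and the one-second window are assumptions.

```python
"""Added example (not from the original post): detect an ARP "flip-flop",
one IP alternating between two MAC addresses, in Darwin/OS X mach_kernel
log lines of the form "arp: <ip> moved from <mac> to <mac> on <iface>"."""
import re
from collections import defaultdict
from datetime import datetime

MAC = r"(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}"
ARP_MOVED = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) mach_kernel: "
    r"arp: (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) moved from (?P<old>" + MAC + r") "
    r"to (?P<new>" + MAC + r") on (?P<iface>\S+)$"
)


def parse_arp_moves(lines, year=2005):
    """Return (timestamp, ip, old_mac, new_mac, iface) for every 'arp: ... moved'
    line; other kernel messages are skipped. Syslog timestamps carry no year,
    so the caller supplies one (2005 assumed for the post's log)."""
    events = []
    for raw in lines:
        m = ARP_MOVED.match(raw.strip())
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["old"].lower(), m["new"].lower(), m["iface"]))
    return events


def oui(mac):
    """First three octets in IEEE registry form (e.g. '00-80-77'). No vendor
    table is embedded here; look the prefix up in the IEEE OUI list."""
    return "-".join(mac.upper().split(":")[:3])


def summarize(events, window_seconds=1):
    """Per IP: MACs that have claimed it, total moves, 'flip_flops' (moves back
    to a MAC that already held the IP) and 'rapid' (moves within window_seconds
    of the previous move, i.e. two hosts answering ARP almost simultaneously)."""
    per_ip = defaultdict(lambda: {"macs": set(), "moves": 0, "flip_flops": 0,
                                  "rapid": 0, "first": None, "last": None})
    prev_ts = {}
    for ts, ip, old, new, _iface in sorted(events, key=lambda e: e[0]):
        s = per_ip[ip]
        s["first"] = s["first"] or ts
        s["last"] = ts
        s["moves"] += 1
        if new in s["macs"]:
            s["flip_flops"] += 1
        s["macs"].update((old, new))
        if ip in prev_ts and (ts - prev_ts[ip]).total_seconds() <= window_seconds:
            s["rapid"] += 1
        prev_ts[ip] = ts
    return dict(per_ip)


def flagged(summary):
    """IPs claimed by more than one MAC that have moved back at least once.
    A single legitimate hardware swap produces one move and no flip-flop."""
    return sorted(ip for ip, s in summary.items()
                  if len(s["macs"]) > 1 and s["flip_flops"] > 0)


# Sample input: the post's "arp:" entries re-joined onto one line each, plus
# one non-ARP kernel line so the parser has something to skip.
_IP = "192.168.167.21"
_A, _B = "00:05:02:4b:39:12", "00:80:77:36:2e:a6"
_MOVE = "Apr 5 {t} eMac mach_kernel: arp: " + _IP + " moved from {f} to {n} on en0"
SAMPLE_LOG = "\n".join(
    ["Apr 5 19:05:42 eMac mach_kernel: ipv4_control: in_pcb_grab_port retval=48 so=2c7eb84"]
    + [_MOVE.format(t=t, f=f, n=n) for t, f, n in [
        ("19:05:34", _A, _B), ("19:08:32", _B, _A),
        ("19:09:31", _A, _B), ("19:09:31", _B, _A),
        ("19:10:12", _A, _B), ("19:10:12", _B, _A),
        ("19:11:11", _A, _B), ("19:11:11", _B, _A),
        ("19:11:34", _A, _B), ("19:11:34", _B, _A),
        ("19:14:17", _A, _B), ("19:14:17", _B, _A),
        ("19:19:43", _A, _B), ("19:19:43", _B, _A),
    ]]
)

if __name__ == "__main__":
    summary = summarize(parse_arp_moves(SAMPLE_LOG.splitlines()))
    for ip in flagged(summary):
        s = summary[ip]
        print(f"{ip}: {s['moves']} moves, {s['flip_flops']} flip-flops, "
              f"{s['rapid']} within 1s, {s['first']:%H:%M:%S}-{s['last']:%H:%M:%S}")
        for mac in sorted(s["macs"]):
            print(f"  {mac}  OUI {oui(mac)}")
```

On the LAN itself the live ARP cache can be checked with `arp -a` on the eMac, and `tcpdump -i en0 arp` will show which MAC is answering requests for the address as it happens; the switch's own MAC table, if it exposes one, tells which physical port the second MAC is plugged into.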