fermi-ad / controls

Central repo for reporting bugs, making feature requests, managing RFCs, and requesting seminar topics.
https://www-bd.fnal.gov/controls/

MI52 VME FE generated a cyber alert #51

Closed kengell closed 4 months ago

kengell commented 5 months ago

We received an email alert from the cyber security team stating that the MI52 (VME) front-end added 1000 MAC addresses.

From: Chandler E. Lawrence [lawrence@fnal.gov](mailto:lawrence@fnal.gov)
Date: Tuesday, February 13, 2024 at 3:03 PM
To: Dennis J. Nicklaus [nicklaus@fnal.gov](mailto:nicklaus@fnal.gov)
Cc: Jerry D Firebaugh [firebaugh@fnal.gov](mailto:firebaugh@fnal.gov), Timothy E Zingelman [zingelman@fnal.gov](mailto:zingelman@fnal.gov)
Subject: MI52 Medium Level Cyber Alert

Good afternoon,

We are seeing in our cyber tool for AD that the mi52.fnal.gov system is reporting suspicious behavior on the controls network relating to hardware (See Attached). The tool detected the system to have had 1000 MAC addresses within 1 second. Please let us know what happened with the system if you can at your earliest convenience. Thanks!

According to D33 ACNET Node Poll, the mi52 front-end has been up 135 Days.

Examining active connections on MI52:

```
MI52->hostShow
hostname         inet address       aliases
mi52_0xA38       131.225.117.54
localhost        127.0.0.1
fecode-bd        131.225.121.145
sixtrak01        131.225.16.32
sixtrak02        131.225.16.76
sixtrak04        131.225.117.76
sixtrak05        131.225.117.77
sixtrak06        131.225.117.78
sixtrak07        131.225.117.79
sixtrak08        131.225.117.80
sixtrak09        131.225.117.81
sixtrak10        131.225.117.82
sixtrak11        131.225.117.83
sixtrak12        131.225.117.84
sixtrak13        131.225.126.166
sixtrak14        131.225.125.192
```

kengell commented 5 months ago

Modified the Boot Script

Determined that only one sixtrak connection (sixtrak12) was required so removed the other 'hostAdd' commands from the boot script.

Rebooted the FE


Verified ACNET Errors did not increase after modifications and reboot

Ran an ACL script to ensure that there were no ACNET devices in error.
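The boot-script cleanup described in the comment above can be checked mechanically. The following is an added example, not part of the issue thread or the project's code: it prunes `hostAdd` lines in a VxWorks startup script against an allowlist. The sample script, the `ld` line, the `sixtrak99` entry, the function name and the choice to keep `fecode-bd` are assumptions; the thread only states that `sixtrak12` was required.

```python
import re

# Constructed sample startup script; the real MI52 boot script is not shown in the thread.
SAMPLE_BOOT_SCRIPT = '''\
# mi52 startup (constructed example)
hostAdd "fecode-bd", "131.225.121.145"
hostAdd "sixtrak01", "131.225.16.32"
hostAdd("sixtrak12", "131.225.117.84")
hostAdd "sixtrak13", "131.225.126.166"
# hostAdd "sixtrak99", "192.0.2.1"
ld < frontend.o
'''

# Matches both shell forms: hostAdd "name", "addr"  and  hostAdd("name", "addr")
HOSTADD = re.compile(
    r'^\s*hostAdd\s*\(?\s*"([^"]+)"\s*,\s*"([^"]+)"\s*\)?\s*;?\s*$')

def prune_host_entries(script_text, required):
    """Return (pruned_script, kept, removed); entries are (name, addr) tuples."""
    kept, removed, out = [], [], []
    for line in script_text.splitlines():
        m = HOSTADD.match(line)
        if m is None:
            out.append(line)  # comments and non-hostAdd commands pass through
            continue
        entry = (m.group(1), m.group(2))
        if entry[0] in required:
            kept.append(entry)
            out.append(line)
        else:
            removed.append(entry)
            # Comment the line out so the change stays visible in review
            out.append("# removed (not required): " + line.strip())
    # Refuse to emit a script that lacks a host the front-end depends on
    missing = set(required) - {name for name, _ in kept}
    if missing:
        raise ValueError("required hosts absent from script: %s" % sorted(missing))
    return "\n".join(out) + "\n", kept, removed

if __name__ == "__main__":
    # Assumed allowlist: sixtrak12 per the thread, fecode-bd as an assumption
    pruned, kept, removed = prune_host_entries(
        SAMPLE_BOOT_SCRIPT, {"fecode-bd", "sixtrak12"})
    print(pruned)
    print("kept:", kept)
    print("removed:", removed)
```
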