Date:      Sun, 15 Jan 2006 12:23:08 -0800
From:      Graham North <northg@shaw.ca>
To:        freebsd-questions@freebsd.org
Subject:   Rootkit detection
Message-ID:  <43CAAF2C.4080005@shaw.ca>


I would like to determine if my server has had a rootkit installed by a 
hacker.
FBSD 4.11.   Main entrances are only http, ssh and also webmin.

My server went down sometime recently.   When I went to investigate, there 
was a somewhat nasty message saying:

"server /kernel: arp 00:11:43:4a:8d:18 is using my IP address 
192.168.0.102"  

The mac address 00:11:43:4a:8d:18 does not belong to any of my hardware.
("server" is a pseudonym for this email but is the machine name for the 
server on my home network - 192.68.0.102 is the LAN addr on my router)

The auth log files have been rolled over several times in the last few 
weeks and I have not unzipped them yet to see if any entries were 
accepted, but the most recent one is filled with unsuccessful attacks on 
sshd with high PIDs, i.e. sshd[86417].
My biggest concern is the message at the top of this email "server 
/kernel: arp 00:11:43:4a:8d:18 is using my IP address 192.168.0.102", it 
sounds scary.

Can someone please give me some guidance as to how to determine whether 
my machine is compromised?
Thanks,  Graham

-- 
Kindness can be infectious - try it.

Graham North
Vancouver, BC
www.soleado.ca
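The two things the message above gives a responder to work with are the kernel's "arp ... is using my IP address" line (another host on the LAN answered ARP for the server's address with a MAC that is not one of its own NICs) and the rolled sshd auth logs that have not yet been checked for accepted logins. The POSIX sh helper below is an added example, not code from the original post or from FreeBSD: it pulls every MAC that claimed the server's IP out of a messages file, drops the ones in a list of the machine's own NICs, and lists accepted sshd logins (user, source address, method) across plain and gzip-rolled auth logs. The log lines embedded in it are constructed samples, and the MAC allowlist, file names and log format are assumptions for the example.

```shell
#!/bin/sh
# Added triage example (not from the original post or FreeBSD itself).
# Log lines below are constructed samples; the MAC allowlist, file names
# and exact log format are assumptions for the example.

# Assumption: MAC addresses of this machine's own NICs (from 'ifconfig -a').
KNOWN_MACS="00:0c:29:aa:bb:cc 00:50:56:11:22:33"

# Constructed sample of /var/log/messages: one foreign MAC claims our IP
# twice, one of our own NICs once, plus an unrelated sshd line.
SAMPLE_MESSAGES='Jan 14 03:12:01 server /kernel: arp: 00:11:43:4a:8d:18 is using my IP address 192.168.0.102!
Jan 14 03:12:09 server /kernel: arp: 00:11:43:4a:8d:18 is using my IP address 192.168.0.102!
Jan 14 03:15:40 server /kernel: arp: 00:0c:29:aa:bb:cc is using my IP address 192.168.0.102!
Jan 14 05:00:00 server sshd[86417]: Did not receive identification string from 10.0.0.5'

# Constructed sample of /var/log/auth.log: failed guesses, then two accepts.
SAMPLE_AUTH='Jan 13 22:01:11 server sshd[86417]: Failed password for illegal user admin from 10.0.0.5 port 41022 ssh2
Jan 13 22:01:15 server sshd[86418]: Failed password for root from 10.0.0.5 port 41023 ssh2
Jan 13 22:09:02 server sshd[86431]: Accepted password for root from 10.0.0.5 port 41100 ssh2
Jan 14 08:30:00 server sshd[86502]: Accepted publickey for graham from 192.168.0.10 port 50010 ssh2'

# conflict_macs FILE: print "mac count" for every MAC that claimed our IP,
# sorted. The MAC is the field just before "is using", which works whether
# the kernel prefixes it with "arp" or "arp:".
conflict_macs() {
    awk '/is using my IP address/ {
            for (i = 2; i <= NF; i++)
                if ($i == "is" && $(i+1) == "using") n[tolower($(i-1))]++
         }
         END { for (m in n) print m, n[m] }' "$1" | sort
}

# unknown_conflict_macs FILE: same, minus MACs that belong to our own NICs.
unknown_conflict_macs() {
    conflict_macs "$1" | while read -r mac count; do
        case " $KNOWN_MACS " in
            *" $mac "*) ;;               # one of our own interfaces
            *) echo "$mac $count" ;;
        esac
    done
}

# accepted_logins FILE...: print "user source method" for each successful
# sshd login, in log order. Gzip-rolled files (auth.log.0.gz ...) are
# read with zcat so the rolled history the poster mentions is covered.
accepted_logins() {
    for f in "$@"; do
        case "$f" in
            *.gz) zcat "$f" ;;
            *)    cat "$f" ;;
        esac
    done | awk '/sshd\[[0-9]+\]: Accepted/ {
            user = ""; src = ""
            for (i = 1; i <= NF; i++)
                if ($i == "for") user = $(i+1)
                else if ($i == "from") src = $(i+1)
            print user, src, $7
         }'
}

# demo: write the constructed samples to a temp dir and run both checks.
demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' "$SAMPLE_MESSAGES" > "$dir/messages"
    printf '%s\n' "$SAMPLE_AUTH" > "$dir/auth.log"
    echo "== MACs claiming our IP that are not ours =="
    unknown_conflict_macs "$dir/messages"
    echo "== accepted sshd logins =="
    accepted_logins "$dir/auth.log"
    rm -rf "$dir"
}

demo
```

On the real box the same functions would be pointed at /var/log/messages and at /var/log/auth.log together with its rolled copies. An accepted login for root or for an account the owner does not recognise, from the same address that produced the failed guesses, is the signal to treat the machine as compromised; the ARP conflict on its own is weaker evidence, since a duplicate address on a home LAN can also come from a DHCP lease reissued to another device, so the foreign MAC is worth looking up against every device on the network before drawing a conclusion.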






Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?43CAAF2C.4080005>